mafiaware666 | 70e8721a332c633435e6cdc9bcf3cd7d2b5e2c5f763b2dc61b358ca74f3b5762

Analysis

max time kernel
76s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 19:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

RNSM00437.7z
Size

24.1MB
MD5

0de3692412ae76fef12b9ffd91cdab90
SHA1

6e493efc5f60e131c5e38ac232a1b69befff50b9
SHA256

70e8721a332c633435e6cdc9bcf3cd7d2b5e2c5f763b2dc61b358ca74f3b5762
SHA512

6a98e28c959a046f19ee79322be0f6a7cc70a0a0b57d577a9bb7c311442a36160c3ebaa3b5388c80cc2776c3a42286e1baf9a68275d7857aca324f5df311ff97
SSDEEP

786432:uAi/yqNNzDefs0eThJoFQ5TIrVpUFpMas:/iBrzCfFeTbCQFIrVpUFpHs

Score

10^/10

mafiaware666 vashsorena bootkit defense_evasion discovery persistence privilege_escalation ransomware spyware stealer upx

Malware Config

Signatures

Detect MafiaWare666 ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x000d000000023b72-93.dat	family_mafiaware666
behavioral1/memory/4944-108-0x0000000000EB0000-0x0000000000ED6000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666
Mafiaware666 family
mafiaware666

VashSorena Golang binary 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cd6-177.dat	family_vashsorena

VashSorena Ransomware
Ransomware family with multiple versions/spinoffs. Decryption of files is generally possible without paying the ransom.
ransomware vashsorena
Vashsorena family
vashsorena
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe

Executes dropped EXE 23 IoCs

pid	Process
3056	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe
4944	HEUR-Trojan-Ransom.MSIL.Cryptor.gen-9c21b5863be436c4795bb71835f52d5a2c79b73a1032028816cec41748d46c8c.exe
2216	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe
3672	HEUR-Trojan-Ransom.Win32.Generic-9ed876b926254483909a7c5cbfc862c1a085ebfb95093bceb966077bf7a17298.exe
1692	HEUR-Trojan-Ransom.Win32.SageCrypt.gen-d1a6a239d3c6175d3df515e37e2cd61015f92d9436d72cf8718a161a8124b1eb.exe
1616	Trojan-Ransom.Win32.Blocker.fpnf-4325cb2803f192d56cc6f9d8229f6f11048f53018d9410eb4e9ebb6ffcd863f2.exe
5072	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe
1936	Trojan-Ransom.Win32.Encoder.mjk-472ec6532cddbbbc69b524ef0949b37148dadbbc2a931aa4b920c4fcfe762631.exe
2668	guide.exe
3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe
948	Trojan-Ransom.Win32.GandCrypt.ja-4caac85fde5cb02156b72cdc6e91f2467a25f351eb0d55b23653abc98e589c59.exe
2028	Trojan-Ransom.Win32.Spora.flx-3e8fb9318ca21f85fced913202c62737cca305407bd0c87ece0b580cebaf0742.exe
4168	VHO-Trojan-Ransom.Win32.Foreign.gen-09e07fee7daa490dfd9351df1a02c1c45103cbc7a3515d5e9dc46eead7d54dab.exe
5004	Win.Ransomware.Convagent-9865532-0-fc42bfcc0c5ac70050f635c1c61c81220d00bb651f5911a9e846877ddc154d3f.exe
4676	Win.Ransomware.GandCrab-9855152-0-0a19a91cd52cf29fd0f215ea1a225a3cba3e05b504d8ee56b117698e0d505f0b.exe
2184	Win.Ransomware.Generickdz-9756864-0-baeee2cfe5149b1a2cd6471f2851710f13a0b755c86c3cf8e1c522b485e3ab6b.exe
2216	Win.Ransomware.N3tw0rm-9876348-0-8c6fd14084820ec528749300222097d21197659535aaa50cdcc75831f73546c1.exe
676	Win.Ransomware.Nemty-9871356-0-fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
1800	Win.Ransomware.Protected-9838686-0-fdd8669b1e039c734b0cbe556301c254b978816b8cca200ac50698481a315b0d.exe
4672	Win.Ransomware.Sodinokibi-9887839-0-0b022c9f8d4bb90020847c9a54eae9ac8424864541d9fe4530653ee0a197d696.exe
3980	Win.Ransomware.Sorena-9862227-0-39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
940	Win.Ransomware.Stop-9860066-0-b31f06b0a0461f61a3181a055484b3d7dd2155e10a36fbaf10728c8657ff8e96.exe
4352	Win.Ransomware.WannaCry-9864704-0-174381135a941ae067841607474880a6e837fbcd51d46bc142e4cedc1dd47f23.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a = "C:\\Users\\Admin\\AppData\\Roaming\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{FE3B9F6C-2487-E2B2-99EA-33B0141A6952} = "C:\\Users\\Admin\\AppData\\Roaming\\guide.exe"	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Program Files\\System.dll"	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\3D Objects\desktop.ini	Trojan-Ransom.Win32.Encoder.mjk-472ec6532cddbbbc69b524ef0949b37148dadbbc2a931aa4b920c4fcfe762631.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
47	iplogger.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4168-154-0x0000000000400000-0x000000000050C000-memory.dmp	upx
behavioral1/files/0x0007000000023cce-151.dat	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\360.dll	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
5072	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4396	3476	WerFault.exe	121
4292	3476	WerFault.exe	121
4428	3476	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Cryptor.gen-9c21b5863be436c4795bb71835f52d5a2c79b73a1032028816cec41748d46c8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.SageCrypt.gen-d1a6a239d3c6175d3df515e37e2cd61015f92d9436d72cf8718a161a8124b1eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.ja-4caac85fde5cb02156b72cdc6e91f2467a25f351eb0d55b23653abc98e589c59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Encoder.mjk-472ec6532cddbbbc69b524ef0949b37148dadbbc2a931aa4b920c4fcfe762631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Win.Ransomware.GandCrab-9855152-0-0a19a91cd52cf29fd0f215ea1a225a3cba3e05b504d8ee56b117698e0d505f0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Win.Ransomware.Stop-9860066-0-b31f06b0a0461f61a3181a055484b3d7dd2155e10a36fbaf10728c8657ff8e96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHO-Trojan-Ransom.Win32.Foreign.gen-09e07fee7daa490dfd9351df1a02c1c45103cbc7a3515d5e9dc46eead7d54dab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Spora.flx-3e8fb9318ca21f85fced913202c62737cca305407bd0c87ece0b580cebaf0742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-9ed876b926254483909a7c5cbfc862c1a085ebfb95093bceb966077bf7a17298.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Win.Ransomware.Generickdz-9756864-0-baeee2cfe5149b1a2cd6471f2851710f13a0b755c86c3cf8e1c522b485e3ab6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Win.Ransomware.Sodinokibi-9887839-0-0b022c9f8d4bb90020847c9a54eae9ac8424864541d9fe4530653ee0a197d696.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2584	7zFM.exe
4660	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	2584	7zFM.exe
Token: 35	2584	7zFM.exe
Token: SeSecurityPrivilege	2584	7zFM.exe
Token: SeDebugPrivilege	2824	taskmgr.exe
Token: SeSystemProfilePrivilege	2824	taskmgr.exe
Token: SeCreateGlobalPrivilege	2824	taskmgr.exe
Token: SeDebugPrivilege	4660	taskmgr.exe
Token: SeSystemProfilePrivilege	4660	taskmgr.exe
Token: SeCreateGlobalPrivilege	4660	taskmgr.exe
Token: 33	2824	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2824	taskmgr.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeShutdownPrivilege	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2584	7zFM.exe
2584	7zFM.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
2824	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe
3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe
4532	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4660	2824	taskmgr.exe	100
PID 2824 wrote to memory of 4660	2824	taskmgr.exe	100
PID 3100 wrote to memory of 4084	3100	powershell.exe	107
PID 3100 wrote to memory of 4084	3100	powershell.exe	107
PID 4084 wrote to memory of 3056	4084	cmd.exe	108
PID 4084 wrote to memory of 3056	4084	cmd.exe	108
PID 4084 wrote to memory of 4944	4084	cmd.exe	109
PID 4084 wrote to memory of 4944	4084	cmd.exe	109
PID 4084 wrote to memory of 4944	4084	cmd.exe	109
PID 4084 wrote to memory of 2216	4084	cmd.exe	110
PID 4084 wrote to memory of 2216	4084	cmd.exe	110
PID 4084 wrote to memory of 2216	4084	cmd.exe	110
PID 4084 wrote to memory of 3672	4084	cmd.exe	111
PID 4084 wrote to memory of 3672	4084	cmd.exe	111
PID 4084 wrote to memory of 3672	4084	cmd.exe	111
PID 4084 wrote to memory of 1692	4084	cmd.exe	112
PID 4084 wrote to memory of 1692	4084	cmd.exe	112
PID 4084 wrote to memory of 1692	4084	cmd.exe	112
PID 4084 wrote to memory of 1616	4084	cmd.exe	113
PID 4084 wrote to memory of 1616	4084	cmd.exe	113
PID 2216 wrote to memory of 5072	2216	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe	114
PID 2216 wrote to memory of 5072	2216	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe	114
PID 2216 wrote to memory of 5072	2216	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe	114
PID 4084 wrote to memory of 1936	4084	cmd.exe	115
PID 4084 wrote to memory of 1936	4084	cmd.exe	115
PID 4084 wrote to memory of 1936	4084	cmd.exe	115
PID 5072 wrote to memory of 2668	5072	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe	116
PID 5072 wrote to memory of 2668	5072	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe	116
PID 5072 wrote to memory of 2668	5072	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe	116
PID 5072 wrote to memory of 4668	5072	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe	118
PID 5072 wrote to memory of 4668	5072	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe	118
PID 5072 wrote to memory of 4668	5072	HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe	118
PID 4084 wrote to memory of 3476	4084	cmd.exe	121
PID 4084 wrote to memory of 3476	4084	cmd.exe	121
PID 4084 wrote to memory of 3476	4084	cmd.exe	121
PID 3476 wrote to memory of 8	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe	123
PID 3476 wrote to memory of 8	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe	123
PID 3476 wrote to memory of 8	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe	123
PID 3476 wrote to memory of 4152	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe	124
PID 3476 wrote to memory of 4152	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe	124
PID 3476 wrote to memory of 4152	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe	124
PID 3476 wrote to memory of 5096	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe	125
PID 3476 wrote to memory of 5096	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe	125
PID 3476 wrote to memory of 5096	3476	Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe	125
PID 2668 wrote to memory of 2484	2668	guide.exe	130
PID 2668 wrote to memory of 2484	2668	guide.exe	130
PID 2668 wrote to memory of 2484	2668	guide.exe	130
PID 2668 wrote to memory of 1908	2668	guide.exe	133
PID 2668 wrote to memory of 1908	2668	guide.exe	133
PID 2668 wrote to memory of 1908	2668	guide.exe	133
PID 2668 wrote to memory of 3360	2668	guide.exe	134
PID 2668 wrote to memory of 3360	2668	guide.exe	134
PID 2668 wrote to memory of 3360	2668	guide.exe	134
PID 4084 wrote to memory of 948	4084	cmd.exe	140
PID 4084 wrote to memory of 948	4084	cmd.exe	140
PID 4084 wrote to memory of 948	4084	cmd.exe	140
PID 4084 wrote to memory of 2028	4084	cmd.exe	141
PID 4084 wrote to memory of 2028	4084	cmd.exe	141
PID 4084 wrote to memory of 2028	4084	cmd.exe	141
PID 4084 wrote to memory of 4168	4084	cmd.exe	142
PID 4084 wrote to memory of 4168	4084	cmd.exe	142
PID 4084 wrote to memory of 4168	4084	cmd.exe	142
PID 4084 wrote to memory of 5004	4084	cmd.exe	143
PID 4084 wrote to memory of 5004	4084	cmd.exe	143

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00437.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2584

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3056
- - C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.MSIL.Cryptor.gen-9c21b5863be436c4795bb71835f52d5a2c79b73a1032028816cec41748d46c8c.exe
    HEUR-Trojan-Ransom.MSIL.Cryptor.gen-9c21b5863be436c4795bb71835f52d5a2c79b73a1032028816cec41748d46c8c.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4944
- - C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe
    HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe
      "C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe" runas
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Access Token Manipulation: Create Process with Token
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Users\Admin\AppData\Roaming\guide.exe
        
        "C:\Users\Admin\AppData\Roaming\guide.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
        6⤵
        
        PID:1908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        
        PID:3360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{854560BB-668B-1368-0C76-32065137E017}.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
- - C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.Win32.Generic-9ed876b926254483909a7c5cbfc862c1a085ebfb95093bceb966077bf7a17298.exe
    HEUR-Trojan-Ransom.Win32.Generic-9ed876b926254483909a7c5cbfc862c1a085ebfb95093bceb966077bf7a17298.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3672
- - C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.Win32.SageCrypt.gen-d1a6a239d3c6175d3df515e37e2cd61015f92d9436d72cf8718a161a8124b1eb.exe
    HEUR-Trojan-Ransom.Win32.SageCrypt.gen-d1a6a239d3c6175d3df515e37e2cd61015f92d9436d72cf8718a161a8124b1eb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.Blocker.fpnf-4325cb2803f192d56cc6f9d8229f6f11048f53018d9410eb4e9ebb6ffcd863f2.exe
    Trojan-Ransom.Win32.Blocker.fpnf-4325cb2803f192d56cc6f9d8229f6f11048f53018d9410eb4e9ebb6ffcd863f2.exe
    3⤵
    - Executes dropped EXE
    PID:1616
- - C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.Encoder.mjk-472ec6532cddbbbc69b524ef0949b37148dadbbc2a931aa4b920c4fcfe762631.exe
    Trojan-Ransom.Win32.Encoder.mjk-472ec6532cddbbbc69b524ef0949b37148dadbbc2a931aa4b920c4fcfe762631.exe
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe
    Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\SysWOW64\net.exe
      net user Administrator shunge
      4⤵
      System Location Discovery: System Language Discovery
      PID:8
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Administrator shunge
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
  - - C:\Windows\SysWOW64\net.exe
      net user canfeng shuenAAA /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:4152
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user canfeng shuenAAA /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators canfeng /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:5096
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators canfeng /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 720
      4⤵
      Program crash
      PID:4396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 760
      4⤵
      Program crash
      PID:4292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 768
      4⤵
      Program crash
      PID:4428
- - C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.GandCrypt.ja-4caac85fde5cb02156b72cdc6e91f2467a25f351eb0d55b23653abc98e589c59.exe
    Trojan-Ransom.Win32.GandCrypt.ja-4caac85fde5cb02156b72cdc6e91f2467a25f351eb0d55b23653abc98e589c59.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:948
- - C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.Spora.flx-3e8fb9318ca21f85fced913202c62737cca305407bd0c87ece0b580cebaf0742.exe
    Trojan-Ransom.Win32.Spora.flx-3e8fb9318ca21f85fced913202c62737cca305407bd0c87ece0b580cebaf0742.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Users\Admin\Desktop\00437\VHO-Trojan-Ransom.Win32.Foreign.gen-09e07fee7daa490dfd9351df1a02c1c45103cbc7a3515d5e9dc46eead7d54dab.exe
    VHO-Trojan-Ransom.Win32.Foreign.gen-09e07fee7daa490dfd9351df1a02c1c45103cbc7a3515d5e9dc46eead7d54dab.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4168
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.Convagent-9865532-0-fc42bfcc0c5ac70050f635c1c61c81220d00bb651f5911a9e846877ddc154d3f.exe
    Win.Ransomware.Convagent-9865532-0-fc42bfcc0c5ac70050f635c1c61c81220d00bb651f5911a9e846877ddc154d3f.exe
    3⤵
    - Executes dropped EXE
    PID:5004
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.GandCrab-9855152-0-0a19a91cd52cf29fd0f215ea1a225a3cba3e05b504d8ee56b117698e0d505f0b.exe
    Win.Ransomware.GandCrab-9855152-0-0a19a91cd52cf29fd0f215ea1a225a3cba3e05b504d8ee56b117698e0d505f0b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4676
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.Generickdz-9756864-0-baeee2cfe5149b1a2cd6471f2851710f13a0b755c86c3cf8e1c522b485e3ab6b.exe
    Win.Ransomware.Generickdz-9756864-0-baeee2cfe5149b1a2cd6471f2851710f13a0b755c86c3cf8e1c522b485e3ab6b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2184
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.N3tw0rm-9876348-0-8c6fd14084820ec528749300222097d21197659535aaa50cdcc75831f73546c1.exe
    Win.Ransomware.N3tw0rm-9876348-0-8c6fd14084820ec528749300222097d21197659535aaa50cdcc75831f73546c1.exe
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.Nemty-9871356-0-fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
    Win.Ransomware.Nemty-9871356-0-fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.Protected-9838686-0-fdd8669b1e039c734b0cbe556301c254b978816b8cca200ac50698481a315b0d.exe
    Win.Ransomware.Protected-9838686-0-fdd8669b1e039c734b0cbe556301c254b978816b8cca200ac50698481a315b0d.exe
    3⤵
    - Executes dropped EXE
    PID:1800
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.Sodinokibi-9887839-0-0b022c9f8d4bb90020847c9a54eae9ac8424864541d9fe4530653ee0a197d696.exe
    Win.Ransomware.Sodinokibi-9887839-0-0b022c9f8d4bb90020847c9a54eae9ac8424864541d9fe4530653ee0a197d696.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4672
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.Sorena-9862227-0-39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
    Win.Ransomware.Sorena-9862227-0-39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
    3⤵
    - Executes dropped EXE
    PID:3980
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.Stop-9860066-0-b31f06b0a0461f61a3181a055484b3d7dd2155e10a36fbaf10728c8657ff8e96.exe
    Win.Ransomware.Stop-9860066-0-b31f06b0a0461f61a3181a055484b3d7dd2155e10a36fbaf10728c8657ff8e96.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:940
- - C:\Users\Admin\Desktop\00437\Win.Ransomware.WannaCry-9864704-0-174381135a941ae067841607474880a6e837fbcd51d46bc142e4cedc1dd47f23.exe
    Win.Ransomware.WannaCry-9864704-0-174381135a941ae067841607474880a6e837fbcd51d46bc142e4cedc1dd47f23.exe
    3⤵
    - Executes dropped EXE
    PID:4352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ac855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3476 -ip 3476
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3476 -ip 3476
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3476 -ip 3476
1⤵
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ruibombv.hyp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{854560BB-668B-1368-0C76-32065137E017}.bat

Filesize
122B

MD5
037697405dd16da906a78c6392ef2dfa

SHA1
a4d5b0239683789a62ae4b35d41381ce2960968d

SHA256
3f5d37cf4b76ac808643229662699ae066e2c8f901b1307c7a767512b7c9f840

SHA512
6a9ff8257eadfbcadaf600b1aac054b4cadf692ae928bcca312404dbd3f9d231af15dc405940126e0b91a3811acb4efaf8a44e7fd0678ee9d5f99a305577ed50

Download Submit
C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a.exe

Filesize
920KB

MD5
0769921330357988d7e1befdd74e63fd

SHA1
17da9bbacf9c5c34f2d6c4dc1a7f1b1550814129

SHA256
9b917dca5e62e79b3eb1baa2deb433351f23b6be5940e6bbd0415faed2e9274a

SHA512
625eb23ad083483150952fde326285db76ba7c6dfd765b0c9564e49d4c8a4e9fb0abde286b609ce8c317a7edb9134a2d0b7ce1a47d0711e44ea323068a5a5c98

Download Submit
C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.MSIL.Cryptor.gen-9c21b5863be436c4795bb71835f52d5a2c79b73a1032028816cec41748d46c8c.exe

Filesize
130KB

MD5
27057855fff801bc62059a3911deb351

SHA1
2ffe42294bcdadda4709d6c8245dbc6de28e0b71

SHA256
9c21b5863be436c4795bb71835f52d5a2c79b73a1032028816cec41748d46c8c

SHA512
9e6a32166a51807801eceb16c527be832e022ce74f4dbe4787c78f7a1f53d9e82fefb0c4d9537fc124ad74050851b64c2ab64ad9467fc4e1a42ad9fe80bc45d0

Download Submit
C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.Win32.Generic-09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3.exe

Filesize
174KB

MD5
1ce033ec33fb0696b0810454243e363c

SHA1
dd33cf9bdb9e8cb584d50e49a3661435b9b5b95d

SHA256
09f23457c269114f9fa193afac3349bed9105a8f45f4d86c291d0611577454b3

SHA512
04db852fd848aee2f84655d31d1ed4ad29ecf4837647318fbbf9e3346a2886eeb37d931ba6e4a5828eb2e9722d7a0fcee30d5190e4c639a722ae5d207c48fa0f

Download Submit
C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.Win32.Generic-9ed876b926254483909a7c5cbfc862c1a085ebfb95093bceb966077bf7a17298.exe

Filesize
278KB

MD5
41bfc45829ceb5870676feda222e05cb

SHA1
e75278119a6903402b965b16b36f84dc9e4d73ab

SHA256
9ed876b926254483909a7c5cbfc862c1a085ebfb95093bceb966077bf7a17298

SHA512
cbf3b2d86ee8062784f8139903ed960c8e620bf10b6c871726ec80c179e08271ab954bcae1ec00e416660ba96ce64484dfede44b6b7455ef45b89bb5620a7db0

Download Submit
C:\Users\Admin\Desktop\00437\HEUR-Trojan-Ransom.Win32.SageCrypt.gen-d1a6a239d3c6175d3df515e37e2cd61015f92d9436d72cf8718a161a8124b1eb.exe

Filesize
480KB

MD5
24f7aab6e03521f21e5b7236fb783772

SHA1
2bf954da37cd8c929476331b17409766c98ff4c7

SHA256
d1a6a239d3c6175d3df515e37e2cd61015f92d9436d72cf8718a161a8124b1eb

SHA512
15a7664565b6b3c064aaea23cdb619dca012bbf3506321de75500b2e67e9996d9a80a5e15f3e3229917cf5782aaab5bb18f966e6f265d52a36adae0d7a71e65b

Download Submit
C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.Blocker.fpnf-4325cb2803f192d56cc6f9d8229f6f11048f53018d9410eb4e9ebb6ffcd863f2.exe

Filesize
6.5MB

MD5
3bd804fcf6231940c797c3fef45125ad

SHA1
1a17017b9409512edae67aede5c659c7413f1d26

SHA256
4325cb2803f192d56cc6f9d8229f6f11048f53018d9410eb4e9ebb6ffcd863f2

SHA512
b4ceac24f2320d9bac023af1a721eb86783c9f720201d5676543018fef30a2cef0dea3efc746d21f555d264a933069f868657ebaa87dd99ab0e77c47edd618f4

Download Submit
C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.Encoder.mjk-472ec6532cddbbbc69b524ef0949b37148dadbbc2a931aa4b920c4fcfe762631.exe

Filesize
5.1MB

MD5
40d12e45ac08e843897946c85659063f

SHA1
3a4065aa2b479e0b32bdefec55a0dc59563662d6

SHA256
472ec6532cddbbbc69b524ef0949b37148dadbbc2a931aa4b920c4fcfe762631

SHA512
01c972e6475e1e57f8ff3da06649dde81957a292b68a4f79245c18f98eff4c72875da1ac03bd61a2cbcf8b8a31f497d284430ee9bd009d7f98f2ccdc638a95ae

Download Submit
C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.Foreign.naew-db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768.exe

Filesize
1.1MB

MD5
04e451578c386c47452ed4e9e7d904cf

SHA1
827be07ebeb8eaaf232952eec465dcea96e3f2ea

SHA256
db4433256b06f57bd94c1dccd42a7dd8378c815516c2c6d5d170e14aafd5f768

SHA512
2b90be4e313ea5774dbe003efbb8dc487704c84a768ba83e451e56d152cbcfd49d2387b5c9c8885a5bd91d0406a8b8b8b06d3d428f5cdca50fdac288e608d40f

Download Submit
C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.GandCrypt.ja-4caac85fde5cb02156b72cdc6e91f2467a25f351eb0d55b23653abc98e589c59.exe

Filesize
278KB

MD5
22983d85cce66be5253c10872f185388

SHA1
fe83a73fd559e1ae4ea76c0d6d6d7d35c09cb0b5

SHA256
4caac85fde5cb02156b72cdc6e91f2467a25f351eb0d55b23653abc98e589c59

SHA512
ad804e762188e7fa18fc18aae811294571e15cbb460b7aa9da2275901620d7a47baef0ece2fe0bf45aaf4e3eb749afd252a3a6bdb3a308598a01a271f71ab5cf

Download Submit
C:\Users\Admin\Desktop\00437\Trojan-Ransom.Win32.Spora.flx-3e8fb9318ca21f85fced913202c62737cca305407bd0c87ece0b580cebaf0742.exe

Filesize
293KB

MD5
20a980b9db50122125988af12128555b

SHA1
b097bea8f94c7501465e2fec990002f1d5674cbd

SHA256
3e8fb9318ca21f85fced913202c62737cca305407bd0c87ece0b580cebaf0742

SHA512
3913dafbc41611d4cfc56377acde81ab635a11910b396ed5a1d12b570249138f047d78580f45b2f8d6d88b53cdc21e5d82be0dfbac31aec7d7232a24eb1b4309

Download Submit
C:\Users\Admin\Desktop\00437\VHO-Trojan-Ransom.Win32.Foreign.gen-09e07fee7daa490dfd9351df1a02c1c45103cbc7a3515d5e9dc46eead7d54dab.exe

Filesize
332KB

MD5
2c5cd5cc3ea0ef93a1052682d842af84

SHA1
e46e982f8c77e770e576eb3dfd17722ed86b062c

SHA256
09e07fee7daa490dfd9351df1a02c1c45103cbc7a3515d5e9dc46eead7d54dab

SHA512
5a9ec7fb62e32ec90ec1f567399776edc860d3a9dad8e79dcc3a221e24b663a5c2461d0d61546d0b34bd16c30cfb6a5b9ba8529d43801ab74cac4db51286bd42

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.Convagent-9865532-0-fc42bfcc0c5ac70050f635c1c61c81220d00bb651f5911a9e846877ddc154d3f.exe

Filesize
5.1MB

MD5
b57a63576a94459741d382da1c53d49a

SHA1
f8084bddf40e3d62c82c4c72413f85abf6006f36

SHA256
fc42bfcc0c5ac70050f635c1c61c81220d00bb651f5911a9e846877ddc154d3f

SHA512
29d52b07fcda835ca425a5ca46f8669add9cd3b9ec7e86cc5c1c1ef2e8bb7497ce017e9470d820f4d3e3aefc8dc652ecb5dbbb2f8010a285831555953241ba56

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.GandCrab-9855152-0-0a19a91cd52cf29fd0f215ea1a225a3cba3e05b504d8ee56b117698e0d505f0b.exe

Filesize
1.7MB

MD5
7c24b86030d675e3a5ed7e9aa0bd9c57

SHA1
c35fa5db0bc65650afbedf65929df9c1816c3c4d

SHA256
0a19a91cd52cf29fd0f215ea1a225a3cba3e05b504d8ee56b117698e0d505f0b

SHA512
55a9bb431d88b20279698b6ec90021b60f3a64d018d2240c72e875ba36cf7808daf00595efc458a386c6c970650aa1db05dd52de0d45a71332369c703d608013

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.Generickdz-9756864-0-baeee2cfe5149b1a2cd6471f2851710f13a0b755c86c3cf8e1c522b485e3ab6b.exe

Filesize
332KB

MD5
1195fdf4da8798d3da6f34a622e75494

SHA1
0f579816729db3bde196066e4e1b44dbe24648f1

SHA256
baeee2cfe5149b1a2cd6471f2851710f13a0b755c86c3cf8e1c522b485e3ab6b

SHA512
01c4734afb94927920adecad9089c57618fcaee4dfd8c2833da47319cfe04bfdaf868530f38b4eeff75e89675f39c5ba4576898c959feac57ebbc5447470418e

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.N3tw0rm-9876348-0-8c6fd14084820ec528749300222097d21197659535aaa50cdcc75831f73546c1.exe

Filesize
967KB

MD5
4ac7b7a9992cfd83912dc912105d615c

SHA1
a5a6c2c780b2879a75eee64107129057caddbdbc

SHA256
8c6fd14084820ec528749300222097d21197659535aaa50cdcc75831f73546c1

SHA512
2c62c982ae3e96ead28c31ee33215cced7ea2e5b9a6722130f1f5c4a9297e629e6f8ccde80d2b2e6b890992073a0ba04f051ff33b96ec635a8b8e3e8316025f8

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.Nemty-9871356-0-fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe

Filesize
3.3MB

MD5
68bb371accb1bc914675c0ab626a9019

SHA1
802a5fc4f1fdfae4a8cf99a4544c191641f9bceb

SHA256
fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7

SHA512
d72af358decda2f2caf1a7f1f6d83d457e0c6156753362a9ae1d3118dbb7706acff019be160028045ca2d22281fae4abf0ffdb6f27680cade0ade634e42bf84f

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.Protected-9838686-0-fdd8669b1e039c734b0cbe556301c254b978816b8cca200ac50698481a315b0d.exe

Filesize
5.1MB

MD5
98f217c60754d244622b081baaeaf32f

SHA1
2ee30eb416602229669a01cd1e0889c39c492291

SHA256
fdd8669b1e039c734b0cbe556301c254b978816b8cca200ac50698481a315b0d

SHA512
c359de9c20adf9a9d546906751540bd12c0ee218db4277cf6fd3c37f5c18444833e9384f8316186f78c63d18dc6c98a6d111308e6d86b58599eb01702919f9e0

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.Sodinokibi-9887839-0-0b022c9f8d4bb90020847c9a54eae9ac8424864541d9fe4530653ee0a197d696.exe

Filesize
1.2MB

MD5
8bbc0223837f78183758a356673a504c

SHA1
a5a9383bc750c35ea452f44baa2aaceb8794ab63

SHA256
0b022c9f8d4bb90020847c9a54eae9ac8424864541d9fe4530653ee0a197d696

SHA512
e192c4bdb9581ce438ae2eb47b1cbea473127f55feef112a1b3e00843be6893da431c3530bbbf1ee579d688e4529b0ae13c879d15862f36e8452128779e29890

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.Sorena-9862227-0-39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe

Filesize
2.7MB

MD5
631101614bb5dac04fed6a14470b045e

SHA1
8a5b126a8d49865551a993166c070aed739bcddb

SHA256
39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6

SHA512
e60c799a16b27425ef038723d81fb03c0bd39dc8b5b217201a26ccf9bc1e8d9cd1f7e232c5a29bd7808e5eacf67b07e0c873b2af9ef8e41e3b04d5875aca81ee

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.Stop-9860066-0-b31f06b0a0461f61a3181a055484b3d7dd2155e10a36fbaf10728c8657ff8e96.exe

Filesize
13.5MB

MD5
517862df76fe2002b67688ddc3fbbe5c

SHA1
610a645928b0b4e44ad79fbd99bb62934830a960

SHA256
b31f06b0a0461f61a3181a055484b3d7dd2155e10a36fbaf10728c8657ff8e96

SHA512
d80a07545eb24a92ca01c9b14e4012b41552101b4c56aa915c1c2945ae8ac6284fd0005a6e5d354efff010a6e2c21083ef77a4ebc99afa1dfd76d71eb48acf27

Download Submit
C:\Users\Admin\Desktop\00437\Win.Ransomware.WannaCry-9864704-0-174381135a941ae067841607474880a6e837fbcd51d46bc142e4cedc1dd47f23.exe

Filesize
5.2MB

MD5
b5144047cd8a763ee6b88861aec48f4b

SHA1
9d5970e0a9daa1188fdcc493e0b6fca51d0b9e09

SHA256
174381135a941ae067841607474880a6e837fbcd51d46bc142e4cedc1dd47f23

SHA512
c5f174a509a7fceef894fba84a070e6d0e4d33ee50d7ae30fd9d501f3bf2f512434caae1e7da64d3224c6ab004d23d814b028cb7f5e7165500aa892abb2da774

Download Submit
memory/1692-144-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1692-107-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1800-172-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2184-165-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2216-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-48-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/2824-42-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/2824-49-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/2824-50-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/2824-51-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/2824-52-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/2824-53-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/2824-54-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/2824-43-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/2824-44-0x000002890A940000-0x000002890A941000-memory.dmp

Filesize
4KB

Download
memory/3056-113-0x000000001C000000-0x000000001C4CE000-memory.dmp

Filesize
4.8MB

Download
memory/3056-105-0x000000001B410000-0x000000001B472000-memory.dmp

Filesize
392KB

Download
memory/3056-106-0x000000001B550000-0x000000001B5F6000-memory.dmp

Filesize
664KB

Download
memory/3100-76-0x0000015B75B90000-0x0000015B75BB2000-memory.dmp

Filesize
136KB

Download
memory/3100-84-0x0000015B76D90000-0x0000015B76DAE000-memory.dmp

Filesize
120KB

Download
memory/3100-81-0x0000015B76D00000-0x0000015B76D44000-memory.dmp

Filesize
272KB

Download
memory/3100-82-0x0000015B76DD0000-0x0000015B76E46000-memory.dmp

Filesize
472KB

Download
memory/3476-202-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3672-143-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4168-154-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/4352-185-0x0000000000400000-0x00000000011E1000-memory.dmp

Filesize
13.9MB

Download
memory/4944-120-0x0000000006F00000-0x0000000006F66000-memory.dmp

Filesize
408KB

Download
memory/4944-108-0x0000000000EB0000-0x0000000000ED6000-memory.dmp

Filesize
152KB

Download
memory/4944-110-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/4944-109-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/4944-111-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/5072-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads