azorult | 6e1b7053e06a8f95dd355f6191cfdf6af835485f94d5b8e2180e9927a2da0dd2

Analysis

max time kernel
100s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00419.7z
Size

33.1MB
MD5

9bf438de70013d4804f61a9b9dd6ad8f
SHA1

2ce54f24cae92678bd99a158ceb6430a316de443
SHA256

6e1b7053e06a8f95dd355f6191cfdf6af835485f94d5b8e2180e9927a2da0dd2
SHA512

86f0aae8098779eb545ddcc49313941882512a438d9934e5d73323e2a466ebacb945f1cd2f862ca6390f10305cdd7f4a12002535a90a8e31d7622fa95e9df4b8
SSDEEP

786432:6AGOp6uRN1MS3UBfnmdb5t+PFT261B/p0be3Q/qEvWI:/pHtVsnoaFqEhceEvWI

Malware Config

Extracted

Family

azorult

http://mrpeash.zzz.com.ua/1208ve671098xeu281nt2vg129xy12hv0e812/index.php

Extracted

Path

C:\PerfLogs\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6bed0caaee9109ca e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6bed0caaee9109ca b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- JthXCYXD4iYlwtxNIt1zWmTjKieYmnZXpx1qw/2P4qZO9EQqh0DPcxDXvfr8b51MYomcJfwLHAJO/XlJ7AbIlk6DHdvQlBBdrR0hUJ2Tp0s20c5mbMafMagD/jNZVxKIByGDeGWPfPPU/ou49HpxaQarHBon0f4K72s3/10+bOTRI0LDi21s9dfSxRTk4xdxVSRBKe+NI9B222KtemhRqEYXTrxOYenGx1A0Jv2PKWSH0Y+wihYKnkO7yqnxK2mjTzq7Hzi0BN6jfcCdG5YtmawClDYvR9roy7OZoDOUZ7EYQ2I3lOBC2cVjYGv+QYFbRW2/WW1o3NQ/roeUMt58PIvU5O/1Id1Xlf4BFcQzaLSFUJ9rEwDKuDipH4KU+JOmfoEqpnYvxtlCBDMmCVQPsNra9jb9l3O5pSRo0HQl3dWPyIe316NmwvoJXkHZStcfxkPuOLRHMa8aE9YVjqxD4nRVuiDANxrR49Dq6p4erBxFzaWlzLpAIDgWHXE193jwVEA3xYsiIrvFZbS55obeNyiOdgszdiO5MQmy95iEd++j9XIlopHri45zibLdjo8By/nuZnqCRlGvF2gZxUTah0l0EiPLIX2v0G1sQoUqrAp7tAZe1Uo1FPsOsmSxpuJdVemWCI6HgVhAojn5uzfv95xuJgy7fb70MDCPcm0fAMjDO5ctONyP/94DDLVHDqexYUCIvODJVb8qaA7Y+z9avyG3WGW0bx/lNxJWKcjHvrcrJjrWghTIDO9QWSwVQUzbqjBGPdhd+9DEfzihjQIzJajJIoxWqKakpiAsnQ0heNvhG/AhZZMz3FbU7FReCGwWRgwXidCPRStxg89BKpZyfBB/GxaVwnq+77YjF2EugPDe5FUaOABjybL+HfIAciPa7AKH4TilSwJ431dqJN+GRyRy3cKLdA2Cmrg2htzSE7RNa8I1qs5LvvXHzGzHLI461sIehyKIITAwHIkmUtlAZFl+8dpo3F8iXBzswXdNnFbTrD+JtiL95OTLQnrGHZ9Tr45TY56HzMX/e4aU2XYacp5MEd1jaxTR/veTuCHegokpgLIXvOvYEy2sJ+T+QL6KVTNg62XFhd2aerSVX3Za7gIweMDaYk8/Ot4GrGLm1geK9N6JMNVUzhpkopTztyOtcyez7frVt7Ur9UaENbFCfyFcyrji2rd19qqNnlDliIgPmDgn+4r3NyDzsT1tyQw5k+Sfks5O97yAVSBu5xtXZxm3Il3spuZGG2fCj2cbVNewdtGBpO2TVyWzJdvVy2g0v3PhKbbBPlUmbIuB/MPmAzsNcdWDcSVX1TnqIgNmxwxazkQmOM3a+MSIhkNrX40nbz5ES2LsLdBD0tYdvz7b+q4Vn4GzYAzokurQ4QWf0IzVAVm7G9B8m0uCkDXeEPM6w3V6PpA7Ij4ZguGN8HasybJ3fSvtpca/fR78RKSlmExQLbo2AN51v4EWBddkMP7hWn2lzvdrvP26wtoPobpgWTpKPNQLr1T1r2vQTCVe7++Yzk1G0cz60+U7G8blqrBbv87N61ybh1XyvqVFS7mZ9fSoASkWmUFsuyqpSiQrHwVVZvTIAm/icuxp9HKT75wz9CpERxI6ugn5qVc3X05X13Nox9klwFPmir8TSrYHcBkCrQuECLbYoGy0K//B5N44tuQES/2K2xqOMssNkA91Pzhn34nU24f9E3szLCFtVP4Jm4p1Rc+kfkd31RiUcr/5OJ/fWK+oniLByPAilMuAdSQmFMj+bmP/X9qCW56L/TbK1pryS6GdCylj/5k9ZH3SKoArJgosttjb7ugaoVENlsgVkRZurADw9k2WRWBEVpK0QvGYxv9TcVJ3BCGfgxg8dJDJlC5ktHh26jKSVXv8Vi3NmXt4cM+Q+TtyCpuEGSdCozYjFpU1r6xanMpSdp6OcLe2qG4pfHoTLsZBVxoQ2K9y9yr7mMuJOY5HKZfVTQDxDdN0CzwoFL39BbqaaCcN/QjtYadb1sLdsdVY9+h8q9kPvwse3fMCcUGWtOkLxOVVQoGlt0bLkZ5xOYeCYm7OKLfeYsPmvQI5gE7nLJ1Qt7338JabERu51Ah2Ey0YT3QkUsKvAG0r0nKu3MtSguEadZtuz9UhkDOAv+3K96DeaC61UHyCjh+XTsm/04GFYJDWwhLpMPFI20GbOrlCAsbrix6Hv8egwkFZXjWfhIOczT82XPfk/NV+nxm2ktDEb+luCmm6MZ+HuW0u7K834NoflCnWYAoiNgBiAGUAZAAwAGMAYQBhAGUAZQA5ADEAMAA5AGMAYQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEcAVQBNAEwATgBMAEYARQAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAAzADEAMgAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADQAMgAxAC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcPa04nJ4CoABAYoBBTIuMy4x ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6bed0caaee9109ca

https://mazedecrypt.top/6bed0caaee9109ca

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet
Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Maze family
maze
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\00419\\Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe"	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

Modiloader family
modiloader
VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat
Vanillarat family
vanillarat
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe	modiloader_stage2
behavioral1/memory/4000-1191-0x0000000000400000-0x0000000000495000-memory.dmp	modiloader_stage2
behavioral1/memory/4000-1368-0x0000000000400000-0x0000000000495000-memory.dmp	modiloader_stage2

Renames multiple (270) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Vanilla Rat payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe	vanillarat
behavioral1/memory/1456-79-0x00000000007A0000-0x00000000007C2000-memory.dmp	vanillarat

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 4 IoCs

Processes:

Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6bed0caaee9109ca.tmp	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bed0caaee9109ca.tmp	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe

Executes dropped EXE 16 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exeHEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exeTrojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exeTrojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exeTrojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exeTrojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exepl6i38MZ1NuxkYom.exepl6i38MZ1NuxkYom.tmpHEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exePointofix.exesmallscrn.exesmallscrn.exe

pid	process
1456	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
4768	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
4464	HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe
2272	HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe
3912	HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe
4000	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
4248	Trojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exe
4360	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
4508	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
4020	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
852	pl6i38MZ1NuxkYom.exe
4536	pl6i38MZ1NuxkYom.tmp
2884	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
3112	Pointofix.exe
3208	smallscrn.exe
3868	smallscrn.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe

Loads dropped DLL 3 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe

pid	process
4464	HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe
4464	HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe
4464	HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exeTrojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe = "C:\\Users\\Admin\\Desktop\\00419\\Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe"	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\Desktop\\00419\\Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe"	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0 = "C:\\Users\\Admin\\AppData\\Roaming\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Asynchronous = "1"	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Impersonate = "0"	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\DllName = "windows.dll"	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Logon = "Executeapi"	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

Drops file in System32 directory 7 IoCs

Processes:

smallscrn.exeTrojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	smallscrn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	smallscrn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	smallscrn.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	smallscrn.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4508-109-0x0000000000400000-0x000000000058E000-memory.dmp	upx
C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe	upx
behavioral1/memory/4508-1194-0x0000000000400000-0x000000000058E000-memory.dmp	upx

Drops file in Program Files directory 39 IoCs

Processes:

Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe

description	ioc	process
File created	C:\Program Files\DECRYPT-FILES.txt	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\SyncInvoke.m1v	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\UninstallNew.ocx	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\InitializeApprove.txt	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\MeasureRemove.vstm	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\SwitchPush.dxf	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ResumeClose.xps	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\RenameSkip.M2T	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ResolveCheckpoint.m3u	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\StopConvert.bmp	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\6bed0caaee9109ca.tmp	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\DismountConfirm.hta	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\JoinCheckpoint.ram	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\OutCopy.edrwx	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\RemoveShow.htm	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\UnprotectOpen.ADTS	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ExportDebug.potx	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ImportSplit.mpeg	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\PublishFind.au3	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\UseOptimize.vsx	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ReadConnect.mid	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\SearchShow.ram	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\UnprotectEnable.au	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\CompleteStart.ADT	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ConfirmFind.jtx	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\CopyFormat.TTS	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\DismountImport.ogg	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\FormatGroup.ods	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files (x86)\6bed0caaee9109ca.tmp	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\UnlockRead.dib	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\CheckpointOptimize.svgz	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ClearUpdate.midi	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ConvertFromWatch.mpp	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ExportUnregister.mpg	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\TestEnable.mhtml	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\ConvertFromUninstall.dotm	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\SplitReceive.mp2	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
File opened for modification	C:\Program Files\UndoSearch.midi	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exeTrojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exeTrojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exepl6i38MZ1NuxkYom.tmpsmallscrn.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exepl6i38MZ1NuxkYom.exePointofix.exesmallscrn.exeTrojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exeTrojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pl6i38MZ1NuxkYom.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smallscrn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pl6i38MZ1NuxkYom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pointofix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smallscrn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

smallscrn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	smallscrn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	smallscrn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	smallscrn.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4076 notepad.exe

pid	process
4076	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exetaskmgr.exepowershell.exe

pid	process
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exetaskmgr.exe

pid process

5040 7zFM.exe
1484 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exepowershell.exeexplorer.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exevssvc.exewmic.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	5040	7zFM.exe
Token: 35	5040	7zFM.exe
Token: SeSecurityPrivilege	5040	7zFM.exe
Token: SeDebugPrivilege	4248	taskmgr.exe
Token: SeSystemProfilePrivilege	4248	taskmgr.exe
Token: SeCreateGlobalPrivilege	4248	taskmgr.exe
Token: SeDebugPrivilege	1484	taskmgr.exe
Token: SeSystemProfilePrivilege	1484	taskmgr.exe
Token: SeCreateGlobalPrivilege	1484	taskmgr.exe
Token: 33	4248	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4248	taskmgr.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe
Token: SeDebugPrivilege	1456	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
Token: SeBackupPrivilege	4708	vssvc.exe
Token: SeRestorePrivilege	4708	vssvc.exe
Token: SeAuditPrivilege	4708	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3988	wmic.exe
Token: SeSecurityPrivilege	3988	wmic.exe
Token: SeTakeOwnershipPrivilege	3988	wmic.exe
Token: SeLoadDriverPrivilege	3988	wmic.exe
Token: SeSystemProfilePrivilege	3988	wmic.exe
Token: SeSystemtimePrivilege	3988	wmic.exe
Token: SeProfSingleProcessPrivilege	3988	wmic.exe
Token: SeIncBasePriorityPrivilege	3988	wmic.exe
Token: SeCreatePagefilePrivilege	3988	wmic.exe
Token: SeBackupPrivilege	3988	wmic.exe
Token: SeRestorePrivilege	3988	wmic.exe
Token: SeShutdownPrivilege	3988	wmic.exe
Token: SeDebugPrivilege	3988	wmic.exe
Token: SeSystemEnvironmentPrivilege	3988	wmic.exe
Token: SeRemoteShutdownPrivilege	3988	wmic.exe
Token: SeUndockPrivilege	3988	wmic.exe
Token: SeManageVolumePrivilege	3988	wmic.exe
Token: 33	3988	wmic.exe
Token: 34	3988	wmic.exe
Token: 35	3988	wmic.exe
Token: 36	3988	wmic.exe
Token: SeIncreaseQuotaPrivilege	3988	wmic.exe
Token: SeSecurityPrivilege	3988	wmic.exe
Token: SeTakeOwnershipPrivilege	3988	wmic.exe
Token: SeLoadDriverPrivilege	3988	wmic.exe
Token: SeSystemProfilePrivilege	3988	wmic.exe
Token: SeSystemtimePrivilege	3988	wmic.exe
Token: SeProfSingleProcessPrivilege	3988	wmic.exe
Token: SeIncBasePriorityPrivilege	3988	wmic.exe
Token: SeCreatePagefilePrivilege	3988	wmic.exe
Token: SeBackupPrivilege	3988	wmic.exe
Token: SeRestorePrivilege	3988	wmic.exe
Token: SeShutdownPrivilege	3988	wmic.exe
Token: SeDebugPrivilege	3988	wmic.exe
Token: SeSystemEnvironmentPrivilege	3988	wmic.exe
Token: SeRemoteShutdownPrivilege	3988	wmic.exe
Token: SeUndockPrivilege	3988	wmic.exe
Token: SeManageVolumePrivilege	3988	wmic.exe
Token: 33	3988	wmic.exe
Token: 34	3988	wmic.exe
Token: 35	3988	wmic.exe
Token: 36	3988	wmic.exe
Token: 33	4072	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4072	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	process
5040	7zFM.exe
5040	7zFM.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
4248	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe
1484	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

pid	process
4508	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
4508	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
4508	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

taskmgr.exepowershell.execmd.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exeHEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exepl6i38MZ1NuxkYom.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exesmallscrn.exeTrojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe

description	pid	process	target process
PID 4248 wrote to memory of 1484	4248	taskmgr.exe	taskmgr.exe
PID 4248 wrote to memory of 1484	4248	taskmgr.exe	taskmgr.exe
PID 4496 wrote to memory of 2012	4496	powershell.exe	cmd.exe
PID 4496 wrote to memory of 2012	4496	powershell.exe	cmd.exe
PID 2012 wrote to memory of 1456	2012	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
PID 2012 wrote to memory of 1456	2012	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
PID 2012 wrote to memory of 1456	2012	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
PID 2012 wrote to memory of 4768	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
PID 2012 wrote to memory of 4768	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
PID 2012 wrote to memory of 4768	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
PID 2012 wrote to memory of 4464	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe
PID 2012 wrote to memory of 4464	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe
PID 2012 wrote to memory of 4464	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe
PID 2012 wrote to memory of 2272	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe
PID 2012 wrote to memory of 2272	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe
PID 2012 wrote to memory of 2272	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe
PID 2012 wrote to memory of 3912	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe
PID 2012 wrote to memory of 3912	2012	cmd.exe	HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe
PID 2012 wrote to memory of 4000	2012	cmd.exe	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
PID 2012 wrote to memory of 4000	2012	cmd.exe	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
PID 2012 wrote to memory of 4000	2012	cmd.exe	Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
PID 2012 wrote to memory of 4248	2012	cmd.exe	Trojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exe
PID 2012 wrote to memory of 4248	2012	cmd.exe	Trojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exe
PID 2012 wrote to memory of 4248	2012	cmd.exe	Trojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exe
PID 2012 wrote to memory of 4360	2012	cmd.exe	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
PID 2012 wrote to memory of 4360	2012	cmd.exe	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
PID 2012 wrote to memory of 4360	2012	cmd.exe	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
PID 2012 wrote to memory of 4508	2012	cmd.exe	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
PID 2012 wrote to memory of 4508	2012	cmd.exe	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
PID 2012 wrote to memory of 4508	2012	cmd.exe	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
PID 4768 wrote to memory of 4020	4768	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
PID 4768 wrote to memory of 4020	4768	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
PID 4768 wrote to memory of 4020	4768	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
PID 3912 wrote to memory of 852	3912	HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe	pl6i38MZ1NuxkYom.exe
PID 3912 wrote to memory of 852	3912	HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe	pl6i38MZ1NuxkYom.exe
PID 3912 wrote to memory of 852	3912	HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe	pl6i38MZ1NuxkYom.exe
PID 852 wrote to memory of 4536	852	pl6i38MZ1NuxkYom.exe	pl6i38MZ1NuxkYom.tmp
PID 852 wrote to memory of 4536	852	pl6i38MZ1NuxkYom.exe	pl6i38MZ1NuxkYom.tmp
PID 852 wrote to memory of 4536	852	pl6i38MZ1NuxkYom.exe	pl6i38MZ1NuxkYom.tmp
PID 2272 wrote to memory of 3112	2272	HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe	Pointofix.exe
PID 2272 wrote to memory of 3112	2272	HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe	Pointofix.exe
PID 2272 wrote to memory of 3112	2272	HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe	Pointofix.exe
PID 1456 wrote to memory of 2884	1456	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
PID 1456 wrote to memory of 2884	1456	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
PID 1456 wrote to memory of 2884	1456	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
PID 3208 wrote to memory of 3868	3208	smallscrn.exe	smallscrn.exe
PID 3208 wrote to memory of 3868	3208	smallscrn.exe	smallscrn.exe
PID 3208 wrote to memory of 3868	3208	smallscrn.exe	smallscrn.exe
PID 4360 wrote to memory of 3988	4360	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe	wmic.exe
PID 4360 wrote to memory of 3988	4360	Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe	wmic.exe
PID 3912 wrote to memory of 4076	3912	HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe	notepad.exe
PID 3912 wrote to memory of 4076	3912	HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe	notepad.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "12"	Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00419.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5040

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Roaming\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe
      "C:\Users\Admin\AppData\Roaming\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2884
- - C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe
      --78cd5b27
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4020
- - C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4464
- - C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\ZoomTool\Pointofix\Pointofix.exe
      "C:\ZoomTool\Pointofix\Pointofix.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3112
- - C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe
    HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\pl6i38MZ1NuxkYom.exe
      C:\Users\Admin\AppData\Local\Temp\pl6i38MZ1NuxkYom.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Users\Admin\AppData\Local\Temp\is-1PMFK.tmp\pl6i38MZ1NuxkYom.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1PMFK.tmp\pl6i38MZ1NuxkYom.tmp" /SL5="$30314,31402076,326656,C:\Users\Admin\AppData\Local\Temp\pl6i38MZ1NuxkYom.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
  - - C:\Windows\SYSTEM32\notepad.exe
      notepad C:\Users\Admin\Desktop\README.VOVALEX.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:4076
- - C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
    Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe
    3⤵
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4000
- - C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exe
    Trojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4248
- - C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
    Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\system32\wbem\wmic.exe
      "C:\r\..\Windows\amhlo\..\system32\vlb\..\wbem\pcyxc\..\wmic.exe" shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3988
- - C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
    Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe
    3⤵
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4508

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\smallscrn.exe
"C:\Windows\SysWOW64\smallscrn.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\smallscrn.exe
  --43b5689
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x388 0x344
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\DECRYPT-FILES.txt

Filesize
10KB

MD5
11878fdbf1324e58a2633332a3e299e4

SHA1
252bf4f95a907da05203b0c878111ab29406145b

SHA256
cfa3c193e9b5a27fba064fa988c05f42b70c306d39c6c018d855cd76dfa0006a

SHA512
2b84d55a25f6231964815ac294e3ed48a2017affaea1aa0a3562871c30e38b04124608b9ef2c5922c85fe992872daaf943b22a92b9fae6ccea85d372a564bf54

Download Submit
C:\Recovery\DECRYPT-FILES.txt.vovalex

Filesize
11KB

MD5
67331321c8d745e6ee6233cbc33b5098

SHA1
6cfa7bf092f7ca063abd4543979efe46a31fa6eb

SHA256
da6b8f6afe02e1d7903af9305572fa6e2c3c86b46f7b33cd4ae90a1f97d23706

SHA512
b48507ed3a0064c1d2ea95743a56e09f42c4ba146eee8200bfaba38d65a5e94701245eb98f7a4077a29f33e05abe84106c1da30fa946251b7258cb3b790c6994

Download Submit
C:\Recovery\WindowsRE\boot.sdi.jquK

Filesize
3.0MB

MD5
6911877c06630688c63f78effeaf6c47

SHA1
b8b423b25331b67f60576334fec792f249a97fd8

SHA256
18d5a3db7046b29e6905145795927467ff070087254303d6018c80aa5b69882c

SHA512
90f64b520f5e6b7e98ce9f826526eb615c276c8d74b21453dd514590f44b3fe13276201a308bfea03cfaa694d93a026a20fb978527c329a72a96fd414a9705c2

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yhvbktb1.ocy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1PMFK.tmp\pl6i38MZ1NuxkYom.tmp

Filesize
1.3MB

MD5
3a7636d874b391801839c0bee90bed21

SHA1
7a5fedd3653e8240739b4ae4490a9872b813ee6c

SHA256
2f7bba5e7d5c127d9372d7e7f1dabb83c077f547fe15ad15431b7a686a079fe8

SHA512
ed993f0a19d11afa0a821659462ed205bc990c3637a0e4d2292f0fb85c0c1491006966bdd32aefd2567ec8f86e8e579c3b8c40721e87d5ea62fdb16e0f6f0314

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb946C.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb946C.tmp\System.dll

Filesize
16KB

MD5
c8ffec7d9f2410dcbe25fe6744c06aad

SHA1
1d868cd6f06b4946d3f14b043733624ff413486f

SHA256
50138c04dc8b09908d68abc43e6eb3ab81e25cbf4693d893189e51848424449f

SHA512
4944c84894a26fee2dd926bf33fdf4523462a32c430cf1f76a0ce2567a47f985c79a2b97ceed92a04edab7b5678bfc50b4af89e0f2dded3b53b269f89e6b734b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb946C.tmp\nsDialogs.dll

Filesize
11KB

MD5
da979fedc022c3d99289f2802ef9fe3b

SHA1
2080ceb9ae2c06ab32332b3e236b0a01616e4bba

SHA256
d6d8f216f081f6c34ec3904ef635d1ed5ca9f5e3ec2e786295d84bc6997ddcaa

SHA512
bd586d8a3b07052e84a4d8201945cf5906ee948a34806713543acd02191b559eb5c7910d0aff3ceab5d3b61bdf8741c749aea49743025dbaed5f4c0849c80be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl6i38MZ1NuxkYom.exe

Filesize
30.6MB

MD5
70ed5e8a31519ec2fd1131020fe8421b

SHA1
1fb74d8d39e7c8a36113ab51f14422930c3b9128

SHA256
7f329d5a3d12b3b9584c98a4d0e40e6ccff21a12bf57cade16820557c45aba13

SHA512
59650f55738281d6421723e1c04976f6602f6431fa7e804992bd6ed485bf8415518c8b3d01c0aec186325ef1fb6ff6a0fb82e1d2ec31506f4529a17f940e277b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6778BAF86B024953A269DB5DAE068678.dat

Filesize
940B

MD5
34f8e0674b2d02b04009c87e8dbe4729

SHA1
97d2d6b3ab359dcb6a18b78b06de142fa41c9152

SHA256
2fa6ad89fb34940cdf55c7ee5e0cb844dc32fde757e38df28b93da84af8f8cd8

SHA512
008bbcb588b87117ac791c08f192e4ed33b0d8fe9a8bf6299abb6828da934826d727b74fca03a557d172a7d51b406451f9fb452eb6d9fa48642045011d1ff7c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
294B

MD5
c2662275a381a2f72cab7c4ea57b88a4

SHA1
79728d85972c8670b93853392bca397bedd90388

SHA256
3c0b060c08e23f5b3aad755b38cffa23cef1cb26698a3efc5f3f929bd70cef5f

SHA512
b2265a0dd7eec02101bce164ba494ae396d0f32e1c6c72f264a5f4372fbe0effa040818b76a920bc04a94e8a53fb1ec267702a8cba43664f7d4d23a92d23fcb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
21355d2544d313587e4c33bf0d47f068

SHA1
9fa9d987db56b27954aac6d57caf2b5c8dac7471

SHA256
bacb7b023ceec6bb53d297a083b3f623c286e04008f85585ec93100256796d9d

SHA512
46356c9f74fdd323676a7b08c2b2f7c5fc6ca1dc39be55002de5bad7475a56c4f01439be8da31c973a88647cbc229f294e73188596c2449edd56c40a29962315

Download Submit
C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0.exe

Filesize
406KB

MD5
a5e479c790da6284a14a5f3da9c33679

SHA1
316ba857616398cdf54803e59cd5e11da61c77c5

SHA256
3978e4c046c324f9119126707f15080d5e0ead8ea10ea785bfced6b52bf7c6f0

SHA512
55e46b004baa4f9d57176668865e1b7ddffb78fd7e38e3cc719ebab2d2f5eafd3b649c252cc6c7f756c6570eb8366097c1166b79b83f73cd082776cea9f823bd

Download Submit
C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c.exe

Filesize
145KB

MD5
3727e917dae82bfdf71161b8196b7d12

SHA1
9766a895b4ab7c5840e40f9e4e278bb5700fade4

SHA256
2d7bd5e831e65831c9fa9e97065af0da0b7f064ade40356f8f2e6777017b522c

SHA512
544afed02b2b627ebd110a11bf288b999761f9d7c35c0ce72f38d72a987417aa6f86f4cad3355ada30554afdeee4ec1eeb5e700286dfd5e9647cdc9307b1e02a

Download Submit
C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.Win32.Encoder.gen-29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1.exe

Filesize
201KB

MD5
934e716189691deaef3a7a79b87e5108

SHA1
c92a2bf393de77153056bff1c160f4c6311b5d61

SHA256
29d98955fee38e69445dcde8b1cb54f29c09db2958c20a79cd633e9debfc1db1

SHA512
f4032de9bd105dfa039a197787ee08da4058477032279865a1de90535a0cc89c318fb329c8caf8482dba50897e0e1b14cd7492b3ca783755ff5043637abeb5f6

Download Submit
C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.Win32.Encoder.gen-5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18.exe

Filesize
1.3MB

MD5
5e14974ec0ae346e0b795e298f55bc0a

SHA1
ecb09754b632d53dd651d3f2dcb9ba20b4badb32

SHA256
5b54b0e3e4956c169330bc46335e69e25f60992920e8a25b55a884237d2b4a18

SHA512
a0518cfa042399b5c57e8e0a1879768370ae7ac285ae61b04735b6241bd662b8ac2f4daea091de057169b07d0dcb8b376e8a775033be16baad4090179d41e41c

Download Submit
C:\Users\Admin\Desktop\00419\HEUR-Trojan-Ransom.Win32.Gen.vho-772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.exe

Filesize
31.3MB

MD5
fa9649ba7f76190701b2f1ffaaf4d0df

SHA1
dac66a285e89ee98cb84488df21f8c43c4acb5d3

SHA256
772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae

SHA512
9868a1cc7e9bf361c1d93bad871b88fae0f3c3fa1f15dce1d386f1e78fbda913d30ffd3d407706a34043357727e7db560924ffbd7e1ec4bc5dada7c9e74f6c11

Download Submit
C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Blocker.jzec-b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542.exe

Filesize
571KB

MD5
234c454ef1c532cb03a4d60c89536059

SHA1
09139d590a17ce525d2c5e50e207a42c486edc4b

SHA256
b893c79237186d6b92f1e33da9b4ca2c77ec4a36c2e23ad73859c2372b7a0542

SHA512
322636861f9a6ebfc2cb45daca1f15597dd05a96ed16eca7cf851c66bedf0f7c5a60165824f003db510028e3e885eca6498990dbf2dbdb4158c97559857e56a0

Download Submit
C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Blocker.lckf-b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69.exe

Filesize
112KB

MD5
bf39c3498089802f0090fdb5b9e9dd88

SHA1
a35babd5e80d761b109b9aa8b8b6d765b5f800dd

SHA256
b2a97ddc0c5d6cb0f27b5f3b6de422573a34199fae5e7b9f5d48965ceeb4ba69

SHA512
188ef80d232ef23bde73f7ca14524da1df9845d3c93d483d2ad91825127b2dd61e8e32894f19f6fff17cb3e4ecd31b5b0d411a7ba7d528b7313ccd5ad95a7c49

Download Submit
C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Gen.vpv-32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b.exe

Filesize
1.1MB

MD5
f457bb5060543db3146291d8c9ad1001

SHA1
c62d0b80847bf15ad0ab9b54b3ddc3180952c324

SHA256
32736237e94a8321b4b03ba56485dff8b438cb232f2ff57c9c045f5cc7b5dc2b

SHA512
70a9a7262d86b0ec85fe728317525ebfae2019a5b2bad4c6435fc5ec1659fe2bd730be79b2ff20e65dedd099bcf420c530023eef06f5c87529d951177c3ff408

Download Submit
C:\Users\Admin\Desktop\00419\Trojan-Ransom.Win32.Gimemo.bcdt-2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c.exe

Filesize
643KB

MD5
a1d461942786a341de0409dd4e84ceb2

SHA1
c06bc5cc328fbeec96c452fefd35859be5f0aed6

SHA256
2b908e6b6cc71a0779161f0d10c8017fc9c2070c9da19ae77596917a1d8dc53c

SHA512
fad7c8ad833dce8bb51a16205256bb72fd034aae393fab90ec46804ff58d1cd3d86cf412dea2a6934ca4fe851c563b0478f0c70f6dc8a2a1897973ded38f51b6

Download Submit
C:\Users\Admin\Desktop\BackupWrite.csv.IFRxfj

Filesize
288KB

MD5
80c742a77a503c8f60234d764c696b00

SHA1
c71960d793e70c5680e74c167f0c23bd10b5b77f

SHA256
be3e099171c7c921c52451031fda71ce9ba8bbbdb7aed9212fe809704a716638

SHA512
3596432c45127b26ffa68047df9e3c3eac7e7727baa0c2cf021fe12a8bdd484f7794d41399cabca109f75ae597683ccd1ccbb56670573ba3ef629d0feef98f06

Download Submit
C:\Users\Admin\Desktop\ConfirmRequest.docx.IFRxfj

Filesize
15KB

MD5
20b2b170a73ad90f128f478913207ef5

SHA1
a152327d5f81c445c848817560f116e1f17a487c

SHA256
96c2012e4dceb71b66d5aad71f77e360ca6ada7ef11d10ff3a2f44821182fe68

SHA512
207551625e512b0c64f75ac16f9cc72661aa698c36974edd8fb4bd15f912a737f42f9cdfd6bcc65c6ab9c2273c81babd4416dfe220a8565a6856b717c57a3490

Download Submit
C:\Users\Admin\Desktop\ConvertPublish.cab.IFRxfj

Filesize
773KB

MD5
b317a57305ebcde63b3d03719ccd66b3

SHA1
9bfb85422e446f36f325ee2ed14f9321c8f9548b

SHA256
7f8dfc3b836618dfa1ffd9b70c91668bcb65284b65e1f3154192ed0f5a61fc72

SHA512
266ae91d7f4e36150d2dac09da98b935d9bd0cb0a46f146d462425e33eaf8771be32895fca75632d69c88b7a9fbf59a8c4257b1fec4f8d5f82fedf2890737d36

Download Submit
C:\Users\Admin\Desktop\CopyFind.fon.IFRxfj

Filesize
530KB

MD5
1c108652bd2011a2ee91f9930b05fb6c

SHA1
5b7bcbd29adfd35c621790a3882e0359bf5a5908

SHA256
f5a3da4720876c8a42b2018e2c973274c095db1f671ed32dc0ed98e5a9ec29bd

SHA512
13d15b25473d566efb99b6d6abbc3ddd3eec3986cb414b83a6d0d6c4327b7462dbc19833c8afac2edf7322bc88aa72f13c4635e04e4e88af91e77e6159fe9262

Download Submit
C:\Users\Admin\Desktop\DisconnectWatch.odt.IFRxfj

Filesize
303KB

MD5
a48921fa43804dfa36bf374b0e0733ab

SHA1
4bfe21f6b9022d4a0c9a4a0890247c312e6b5ff8

SHA256
d74a9482666809d2ba436926eafba273b5800c624f51a0f81b9800ef14a2d972

SHA512
f24a62dcad5e17e3cef92ba1e27685d7fd638da7c322cb6988dd43634c3a04bc54834a804523782e57f05a89cca26f2bb5a0bccb638e5e6f6fbd9932163f9a6d

Download Submit
C:\Users\Admin\Desktop\DismountMeasure.docx.IFRxfj

Filesize
16KB

MD5
aaa83953d970667f65eb838c6f503aca

SHA1
a714f7b14106fc94eb4dd97914d27640f5e91895

SHA256
5462141d28bd87c6e112d13fcc83a834850e0303642151e295921e8daf3340dd

SHA512
bc9f98bbb30f598e0c07ff58819864299fba1eb8e816d9513a69b8bee7363df33e74b2ba4db19f005d458c87173bce2ec999df985ad8cb10c99c8e37d32a7508

Download Submit
C:\Users\Admin\Desktop\EnterRepair.zip.IFRxfj

Filesize
227KB

MD5
57c77ffa8b1fb895180deed9c58c4bf4

SHA1
9b404ad9c77453b68481a4bcf8a8852b5507a9e6

SHA256
aa5325562c08f2c44986c05e8b2862a06206e3c5a93fccf824a550ea4b12818a

SHA512
ac366bf5368a0e7ea19c8aeaf17a44cdaa5bac73762f1d48998ff4af15916a2980aa21fe2292e2c3ceb41c87233718dadcf0287b998a08abe720acfc64aaa612

Download Submit
C:\Users\Admin\Desktop\EnterSelect.rle.IFRxfj

Filesize
197KB

MD5
a4bf5a8f27d1aaa5ad558b557810dae6

SHA1
c8effdcdf80abc61149a1d4fdc26c983ba10e483

SHA256
1e4c5a4b553c82fc8d7955321ff3ffd9055bd6fbd7fde24bc2caa1f239304a35

SHA512
4e06ecd229e6b0bd071757c6e3a7aad0076cacadbe77b14f957df26a7899020121884a50ddaacdeb16f1991c38bffc941e38369769a6862236f5b9cc9b4e560d

Download Submit
C:\Users\Admin\Desktop\ExportStart.vsd.IFRxfj

Filesize
515KB

MD5
1fa234b4fa9889e1c6e65d2aef3ca6e6

SHA1
124966eb7d40aafb39c58f9a80b967b52c16ae84

SHA256
0bc53366abea81fa8e6150a4578de710731767ba8695063beb42ca0c6770c060

SHA512
f85fb071dc99a81457eb2f8adc08cd092d5601f32d228f6527615c6042f2068e9e32e79121efb3b2f7eb67303a75d0b1f07b78aec6f1866dca81494ee76d80f5

Download Submit
C:\Users\Admin\Desktop\FormatExport.html.IFRxfj

Filesize
394KB

MD5
a6d474bc91d9967a5d4f4bd5d5ee1c12

SHA1
ab27dd9c1ef6bd6842173da6c1435dbf0d022831

SHA256
e7fe61440f963be47f96d029950cae22e287b853312120b469afcb219dde45d5

SHA512
c845279c6d63e831526bca3d0eb4231c98f191f1876732ae20335bfe0c6e0dfb0504e89f5b724b42aaecf988798ee6737b071613ede04cf05362b8761b56c380

Download Submit
C:\ZoomTool\Pointofix\Pointofix.exe

Filesize
2.9MB

MD5
70b0c701bad0eaab335840d8cd4fa8a0

SHA1
cf311bc2733b2adbf660244bdd5b94d4af86e5ae

SHA256
88bfd9881954b69fd3bbfe1969d652d3934c037356d9a9a7dd9c501882d9ae40

SHA512
d2569e8b6c49ff6f9b20779109474f05dd11b48cbfb312747b6a24917cefe4027ed5f511cf5552228b700a121eb0f50db2b6caf36a064f12b12c744a1004ce44

Download Submit
C:\ZoomTool\Pointofix\info-pointofix180.txt

Filesize
2KB

MD5
a25c55185068a32f5965018a1450a59d

SHA1
f9315014d96641da257ff774981029129a768451

SHA256
3f10236d1b3acb718c7d0295c512e81aa3997ebd2f7152ad58bce16ff2807a35

SHA512
3867157b3be4346759ba93a3200af58b67dc5c00b5d937f1a7a228836746d63ef3e756a47336c908cd85f5039f8d3b0b81f32bc7963f66a5077a2e2e244ea607

Download Submit
C:\ZoomTool\Pointofix\pointofix_translation.ini

Filesize
4KB

MD5
fa2dc3a73ee2906b17f05a55745ba10e

SHA1
07ad7dbb47dec508454c8ddb44aabb0fb42d6da8

SHA256
12f62bd3aa94779d12ef81096069548ac84d72e17d8eea712a4fdac5299e9cc9

SHA512
5aae8cb2400853a735a7849570808bf48de03815c1274254a960f66b1b282a7e81d0058f16a56dfa6ac99fce285f9cffe28e4a43bf5fc0356867dc60b7e9965c

Download Submit
C:\ZoomTool\Pointofix\readme_pointofix_translation_en.txt

Filesize
2KB

MD5
830358679e06d8d3c50cce3aedcba2c5

SHA1
8223f9d6caa41200059d854489d6ee7c69fe7587

SHA256
b35dd2f256a69ecc8f135fb233930178c62bb1ee60692e802aaefccc8b1700ef

SHA512
45d824ead2541a6fd86cd1352d373442dba53d7d8758cae0d7bd21de06435bd2b0f246e7235b70f491cff0ba02813fb116545ede114851b017bc43a61e479542

Download Submit
memory/852-123-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/852-1193-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1456-81-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/1456-108-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/1456-79-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/1456-82-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/1484-33-0x000001CA41F10000-0x000001CA41F11000-memory.dmp

Filesize
4KB

Download
memory/1484-42-0x000001CA41F10000-0x000001CA41F11000-memory.dmp

Filesize
4KB

Download
memory/1484-32-0x000001CA41F10000-0x000001CA41F11000-memory.dmp

Filesize
4KB

Download
memory/1484-39-0x000001CA41F10000-0x000001CA41F11000-memory.dmp

Filesize
4KB

Download
memory/1484-38-0x000001CA41F10000-0x000001CA41F11000-memory.dmp

Filesize
4KB

Download
memory/1484-31-0x000001CA41F10000-0x000001CA41F11000-memory.dmp

Filesize
4KB

Download
memory/1484-41-0x000001CA41F10000-0x000001CA41F11000-memory.dmp

Filesize
4KB

Download
memory/1484-40-0x000001CA41F10000-0x000001CA41F11000-memory.dmp

Filesize
4KB

Download
memory/1484-43-0x000001CA41F10000-0x000001CA41F11000-memory.dmp

Filesize
4KB

Download
memory/3112-1196-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/3112-1489-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/4000-1191-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4000-1368-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4020-583-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4248-24-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-25-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-26-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-27-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-28-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-29-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-30-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-20-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-18-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-19-0x00000111BD780000-0x00000111BD781000-memory.dmp

Filesize
4KB

Download
memory/4248-141-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4360-110-0x0000000001280000-0x00000000012DE000-memory.dmp

Filesize
376KB

Download
memory/4360-160-0x0000000001280000-0x00000000012DE000-memory.dmp

Filesize
376KB

Download
memory/4360-1514-0x0000000001280000-0x00000000012DE000-memory.dmp

Filesize
376KB

Download
memory/4360-114-0x0000000001280000-0x00000000012DE000-memory.dmp

Filesize
376KB

Download
memory/4360-128-0x0000000001280000-0x00000000012DE000-memory.dmp

Filesize
376KB

Download
memory/4464-1187-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4464-1189-0x0000000063140000-0x000000006314B000-memory.dmp

Filesize
44KB

Download
memory/4464-1188-0x0000000064540000-0x000000006454A000-memory.dmp

Filesize
40KB

Download
memory/4496-60-0x000002F1FD040000-0x000002F1FD05E000-memory.dmp

Filesize
120KB

Download
memory/4496-58-0x000002F1FD0A0000-0x000002F1FD116000-memory.dmp

Filesize
472KB

Download
memory/4496-57-0x000002F1FCFD0000-0x000002F1FD014000-memory.dmp

Filesize
272KB

Download
memory/4496-52-0x000002F1FC040000-0x000002F1FC062000-memory.dmp

Filesize
136KB

Download
memory/4508-109-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4508-1194-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4536-1195-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4536-1487-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4768-118-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download