Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-10-2024 16:24

General

  • Target

    RNSM00418.7z

  • Size

    72.4MB

  • MD5

    e76f67ce8f37735cab7ec703c66a7f1a

  • SHA1

    b46226f376c2db14733fad3ee9da0123813dd883

  • SHA256

    a557030cc9f043d4da36db198e6306372a9cac06e4372c7cac548f2150647cc4

  • SHA512

    079e6e27f67b9233e6634522600cffb53c2167f6957bece42f60a38f66383c6c0413aa38e98bce141f4501b77aa15fad696cf7c2e87923a74ded8c89e3ba5e62

  • SSDEEP

    1572864:HYiWrkjLRoyPWyf9CcWR1OVrLy7FTMcLoMNvSQ9AjQQHrP:cg+yNf0c1Vr8gccBhQQT

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Ryuk family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (171) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 6 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 17 IoCs
  • Modifies file permissions 1 TTPs 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 4 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00418.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4256
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4300
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.MSIL.Agentb.gen-a52c85d01029c32f34d7212084fec0d52e1659a74e93781848aa7f93d7ef7222.exe
          HEUR-Trojan-Ransom.MSIL.Agentb.gen-a52c85d01029c32f34d7212084fec0d52e1659a74e93781848aa7f93d7ef7222.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:900
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DoomedCrypt.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DoomedCrypt.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3100
        • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.MSIL.Encoder.gen-c668afcabf420fb7a2bd1c8545748762444f9a03ca53da1eb800c4dbfc9d7194.exe
          HEUR-Trojan-Ransom.MSIL.Encoder.gen-c668afcabf420fb7a2bd1c8545748762444f9a03ca53da1eb800c4dbfc9d7194.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • Suspicious use of WriteProcessMemory
          PID:4852
          • C:\Users\Admin\AppData\Local\Temp\NAfkpCRChMSbiBGLROsEJOuAodIntR.exe
            "C:\Users\Admin\AppData\Local\Temp\NAfkpCRChMSbiBGLROsEJOuAodIntR.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Disables RegEdit via registry modification
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1252
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\Taskmgr.exe && icacls C:\Windows\System32\Taskmgr.exe /grant %username%:F && del C:\Windows\System32\Taskmgr.exe && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -h -r C:\bootmgr && del C:\bootmgr && taskkill /f /im explorer.exe && exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2736
              • C:\Windows\system32\takeown.exe
                takeown /f C:\Windows\System32\Taskmgr.exe
                6⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:1620
              • C:\Windows\system32\icacls.exe
                icacls C:\Windows\System32\Taskmgr.exe /grant Admin:F
                6⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                PID:4104
              • C:\Windows\system32\takeown.exe
                takeown /f C:\bootmgr
                6⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:3460
          • C:\Windows\System32\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /f /im Niros.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4104
        • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.MSIL.Gen.gen-e10f7e019bfbe9059f61c56fce0368a800d57b6cb0f7ee4c7aba067f68ea30f2.exe
          HEUR-Trojan-Ransom.MSIL.Gen.gen-e10f7e019bfbe9059f61c56fce0368a800d57b6cb0f7ee4c7aba067f68ea30f2.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1392
        • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.MSIL.Makop.gen-7bd25c50eebc6f91a77977f299f7080a7ba1825fe1953c76801546cc96342b39.exe
          HEUR-Trojan-Ransom.MSIL.Makop.gen-7bd25c50eebc6f91a77977f299f7080a7ba1825fe1953c76801546cc96342b39.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4980
          • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.MSIL.Makop.gen-7bd25c50eebc6f91a77977f299f7080a7ba1825fe1953c76801546cc96342b39.exe
            "{path}"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:5408
        • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.Win32.Agent.gen-88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
          HEUR-Trojan-Ransom.Win32.Agent.gen-88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3968
          • C:\Windows\SysWOW64\icacls.exe
            icacls "C:\*" /grant Everyone:F /T /C /Q
            4⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            PID:6052
          • C:\Windows\SysWOW64\icacls.exe
            icacls "D:\*" /grant Everyone:F /T /C /Q
            4⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            PID:6060
          • C:\Windows\SysWOW64\icacls.exe
            icacls "F:\*" /grant Everyone:F /T /C /Q
            4⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            PID:6068
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 636
            4⤵
            • Program crash
            PID:5280
        • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.Win32.Blocker.gen-83e17fbb40b47233994092a2972ca14a50b5f0b771db3b827f9ed7552d989416.exe
          HEUR-Trojan-Ransom.Win32.Blocker.gen-83e17fbb40b47233994092a2972ca14a50b5f0b771db3b827f9ed7552d989416.exe
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          PID:4312
        • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.Win32.Crypmod.vho-dbb517ba5725fe9e6afca755543835b1e519b4e0feec7471e8752ae0543dadb8.exe
          HEUR-Trojan-Ransom.Win32.Crypmod.vho-dbb517ba5725fe9e6afca755543835b1e519b4e0feec7471e8752ae0543dadb8.exe
          3⤵
          • Executes dropped EXE
          PID:1524
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:5764
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:5980
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3968 -ip 3968
      1⤵
        PID:5216
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:5240
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DOOMED.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:5348

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

        Filesize

        64KB

        MD5

        d2fb266b97caff2086bf0fa74eddb6b2

        SHA1

        2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

        SHA256

        b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

        SHA512

        c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

        Filesize

        4B

        MD5

        f49655f856acb8884cc0ace29216f511

        SHA1

        cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

        SHA256

        7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

        SHA512

        599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

        Filesize

        944B

        MD5

        6bd369f7c74a28194c991ed1404da30f

        SHA1

        0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

        SHA256

        878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

        SHA512

        8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

      • C:\Users\Admin\AppData\Local\Temp\NAfkpCRChMSbiBGLROsEJOuAodIntR.exe

        Filesize

        237KB

        MD5

        3cf2d54465e51809534bd9f8a3ad1c28

        SHA1

        100f251584ee7f235915e62605fddae1f3eb029f

        SHA256

        983823fb0a5c8099eef1c8cabc6f715d8dfb62ee6b8baaa1aaf41bf61bfc502e

        SHA512

        b142c3ec5829c9d585f065614c926ebe6c30ff5c0894966ea2b7e9ac49eb21c572db51c310849e26c948c11ef62c85a51f086017b7a2795791d41cfb090f4fee

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DoomedCrypt.deps.json

        Filesize

        32KB

        MD5

        5151351b017a03771fb7e8f0cccd1d10

        SHA1

        60d319b8e010c0ff4565a886138bf79751e52f76

        SHA256

        fa3d040778abd63156e643e8354595059197ee14ef7c532405c65aaef1cb70ab

        SHA512

        3b6ae8d182ea43c4bb4ee31157016f91b1ba3900454d2e40e83ff7aa2554cc522f784aa9985d8af7b9b611416dfa7e9b85672e56e8ac838d8b0ece82199ddbbf

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DoomedCrypt.dll

        Filesize

        6KB

        MD5

        4a4733b75be58da0ca071f70cb7a3ab2

        SHA1

        a7c3dc480c5a50d53cf894afb079453f0fa34231

        SHA256

        f0559577696a12cf01450089a4fa8cbf2190b72fa9af35bf0a5b5d352edb852b

        SHA512

        3a5a759119f348e826cfe16910cb100a064e13a06f0b995c2e32b4288ec761f5475e3f1945f3139a567ff5828f582bcd9e1b1ee50dcc265f1e2372212f1b05a4

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DoomedCrypt.exe

        Filesize

        110KB

        MD5

        beec74d724086ec414baf72f3579092c

        SHA1

        27bb20e21dc8dbdc039bba002b0ac836382af945

        SHA256

        6281a322b6d68a89073732f5c283c49affada6ff474583fb99cfafeed0b0545b

        SHA512

        da683c8cba611c51ca47ee64f2b4134fd37ae6597df31cd62f77b398f85f54c5908f75b78071373e06c978cc770ad8c55c4dca924f2ff435d27d79ccab8e4cd5

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DoomedCrypt.runtimeconfig.json

        Filesize

        178B

        MD5

        31f2d3ac717a0d618a8c974d8d3671df

        SHA1

        99f9369a385f6ff4abd35004c8554bf74c339eb0

        SHA256

        de0a8b27d9733ae0061d405e754deb59899f7679a1866ec8453fd20b952a438e

        SHA512

        b93f656e64580dd3dee757f2aaa731bcf6fd9254c9522b3edd7c533e2e867491054ef4bbcfa8c9f36a859c49e0d7c643fc7bf7bc413e112308660ed7b67d7a84

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Collections.dll

        Filesize

        248KB

        MD5

        09a8951bb19c2d2f619e4ab437a21d4b

        SHA1

        bae50d6939ae6b5a0eed89a740772541c2f63189

        SHA256

        f2844c2a0f666d6be296d1cd6068a3d42b58d7a9ced7fbd96d0d71df093f4e95

        SHA512

        6cfe1f838ef60c1812a7a3af3ebd3dc4382f853ef11189dfdbd10a7c200a341684547a9e6327ec6ecf0cf2e1a355e8038de065086b525be686291c70d169afa1

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.IO.FileSystem.dll

        Filesize

        190KB

        MD5

        4acf35721f22cc85791cb99e288aeb68

        SHA1

        50181c51c6d9d72d0541832b9ed1b94e90985ef3

        SHA256

        d8b76d3d9bcf12172fa5cb457d8c37e64768877030a43ce4744e629009c0210c

        SHA512

        d248e031669bef9d971df5eb8213087b351bc0c4aa22e0cdf4360c41bd60528f743ffe4810a37dadc787534469cc786aae8e904d6e4aec0556a552e3c2d56831

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Linq.dll

        Filesize

        362KB

        MD5

        9baca768a76cb12623e10b16d48944f6

        SHA1

        0cc51fd1189f085c2ee2f9ba2af63d8cc1e98755

        SHA256

        578ece3ca6c212c66658a212fd9c0dfe05521a1a28b63b089be46266800332af

        SHA512

        6ed7a254383692639bfb520cde74ff6b17e1e3576cbab12b054711c5cfbd37633ac585ab6978ff8f0197193683d6fb014f18a9350f09c78ad198bdc2aaa3d520

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Memory.dll

        Filesize

        191KB

        MD5

        0626df61d6463eaf26c576c2ceadfd27

        SHA1

        e83f6aef7983c3c7e13b23f0b22d1afe35d0536d

        SHA256

        5d89c0b657e1999a53e23a46c94a9f8ea63f51d70cd981d650fe5409d9885b2d

        SHA512

        7edeb909bfa1407725cbfbab1f2db61f140981376cc22bc91233e6dfe5492363f8810c89d22d96b68774ab1977b2fd01cb2da9c75a47a5267c894420503c8661

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Private.CoreLib.dll

        Filesize

        8.2MB

        MD5

        5f6e1e2bc9507d84d05012d425c02c90

        SHA1

        e64c0424850d66db8033179573cb039c2e430ae3

        SHA256

        85b71337714f56b8d070fdc4cef826f79b900f9471878c334d391a4c4bf29d25

        SHA512

        421c4167b05b27e21e4651aa8a773499b9c6d82d2d176d6c938d4977a7d95069336ca3a35e9dee57e5612bd7ee0858dd0c01085d70d617c4679405dff9c8abac

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Runtime.InteropServices.dll

        Filesize

        44KB

        MD5

        63a842c4860f2931459f39d33b998566

        SHA1

        ef86e471e6bf183b89f560446a4f049c6e16c915

        SHA256

        eda18dae40aba282e8b656aafdc119578d95adc6356cbb38bb584ea4c0ec71c4

        SHA512

        14ff4bd7c91d6224e06ec8157c92c26291b78dad68bfbee4fc38f7d93192c695b7e395098ce0491802a48591c3f628e3961e11dfc6b0be19121f26b745b7f110

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Runtime.dll

        Filesize

        41KB

        MD5

        9a28b11a20750e1208097d9cd313def0

        SHA1

        3482580341a93be6af923d3629abbe2f17f68537

        SHA256

        6ea863f93100341ac024873de63ab0e28c3aabb1dbe151733bf661fc55358675

        SHA512

        a0663d2ceb5652dcc7f716069073a5b2d0b7066546d25933c7d29d40e69028a47268f4d567d8bcff19d1e016907c096677c2abc3cf0628c010018ebac4af41a9

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Security.Cryptography.Algorithms.dll

        Filesize

        601KB

        MD5

        dbfa4b1cfbffddade50969b411ee0e76

        SHA1

        275451379e66cab3ddd73095acf9dd107dead912

        SHA256

        c2ddc701a5d92ebc6af0410a8852d91ce87b193eab5a05b17137532e6d5a5d96

        SHA512

        59392e09d07d1fca907aa5e8b89b27c2a60ddcc45e950f4eff8ad53316a713366b1e18bb2dca277fc8f31174d07b287c14610750c1f343f7afe5a5a93107222c

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Security.Cryptography.Csp.dll

        Filesize

        159KB

        MD5

        c6b4fffd301138e30d0c70012c89bd45

        SHA1

        3d48dafff5450806a24b83e4d183fa6258eb6dbb

        SHA256

        79f053fa2c983a9f4b7b70f2a5554584690752de41010ebf9a1ca2617c520289

        SHA512

        aad9389d03bd44ef949fb842eaae2d6e887cce08e85fee330b01d3b60ecefc4d8a75b20947520c94d5609dffb01863989e6bab566ad19aefc46936e761b17797

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Security.Cryptography.Primitives.dll

        Filesize

        98KB

        MD5

        8764833b6643e80e415aebcab1cd4247

        SHA1

        148c5508cbb92141c05df0013df519695d3d8416

        SHA256

        c30f1160721eb99d35447b70669c81b23a5cd55d4453603861bfdc4d879e9e75

        SHA512

        bfc80094085496f2596ab7fb802ac103cbaee9a412494739089302041b22c711be97377d45261612a6c404b65b76e82d88d244c47b9f651df4f57359663a4960

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.Threading.dll

        Filesize

        71KB

        MD5

        36ff7ebeabf38bdf3308a05c74d60331

        SHA1

        4365b1597e512e0581343a1b35cecc29aff884be

        SHA256

        7717662afabb8c291bbd133c888767028abd129aba42858501e3742b94e0891a

        SHA512

        76fb2c9b7431f29bd93047515696919b45223a9cea051b8cadfd40900711ca497f5854953edde617719dcb6ec838ae9275365525c2181b40de80411e513035cc

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\clrjit.dll

        Filesize

        1.1MB

        MD5

        958fb92d73059604c6a1358e579dfe4e

        SHA1

        65ef4e3dabb22f453596e568f0dc7ac7015c882c

        SHA256

        f4e4b7d418aa8f5e5f499ab8729f2c124ca2ad1852bbd98b285e50d8e65e44df

        SHA512

        5172e77536290675a7a1c4a3e900f22f3fcd56b73cfb922ffffa743d85f300ab8c00d7f0f329ec3b531cb5f1b480ac43bdb4ce9f050714bcacfecb8d21ea30fb

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\coreclr.dll

        Filesize

        4.0MB

        MD5

        7082f690d8e6bdd737ef1330830fdbf6

        SHA1

        cbda0f0952fe355f237573982f655db064b741df

        SHA256

        3411a5fe6b15521312dac587f68163b1d806f459cd7fdd1d5fc66684baea8961

        SHA512

        404669444465b5afe8b9b947a58d5757235670f49bddeec4ff136f85fa6ca7d172c6c65bc5a5370511b838687d236bfc576f18462f4a58d99be072221a96ccb2

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hostfxr.dll

        Filesize

        379KB

        MD5

        1e0a0ee82d63358b5de97e140de1c7a9

        SHA1

        d894c5dfc8419c435276a9742b3cb631b8f2fd6a

        SHA256

        bf8d723e018805607e7a37fd5e7adc3a8d95028c3437f9e394d138d61effddc7

        SHA512

        7afc8b4a1d3cc7f0124095c0864d445766c0bfcb93360419e913e3f75719b89e22ae64803479647a4a64d4fe6ba0cbe1af2684f1b682724799e7ba6a5e8ab62d

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hostpolicy.dll

        Filesize

        380KB

        MD5

        3ac4d458b084c0f118794d1bce4caedf

        SHA1

        71cb1cff1b8d99e0bbbb74488c70f89589ccf72a

        SHA256

        d4acfeb0241812cecd58237c59ac8860bdb219abbad2821c2a287d66aef914c3

        SHA512

        8a91a33c67a4411407240be169fecfcdfd5ac0056a3e0406a03a82a8aec323c881bc3a2dc191005a86be217bc261d6bd44cc6a4566e79113eef1a4eae3fa99b2

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qf3o5mxi.lga.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.MSIL.Agentb.gen-a52c85d01029c32f34d7212084fec0d52e1659a74e93781848aa7f93d7ef7222.exe

        Filesize

        22.2MB

        MD5

        bbde3c9de239f5a5d7888cafc640e909

        SHA1

        aa13a192d5e51fbd964caa2a82555967fb4ddb32

        SHA256

        a52c85d01029c32f34d7212084fec0d52e1659a74e93781848aa7f93d7ef7222

        SHA512

        51920f439e05a6dafe043f25fae28d4d341a37044ca60bc2f1546791a89b21f57d853cd8af9c72c0a4db235dc2c7d2fd1e0020a6580efd3702d7b0754b54e032

      • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.MSIL.Encoder.gen-c668afcabf420fb7a2bd1c8545748762444f9a03ca53da1eb800c4dbfc9d7194.exe

        Filesize

        3.9MB

        MD5

        9400bb050416fe178aba3f0d5722335d

        SHA1

        465464c5fd2edb9226c1a5c08e752a1fbd872978

        SHA256

        c668afcabf420fb7a2bd1c8545748762444f9a03ca53da1eb800c4dbfc9d7194

        SHA512

        5a7c19ef4b1f66566a91e8f80d42d8117ed564b238dbd297190f7653c53f8cf9dc39b35ad816acf6735370d6def373f84391133be4790242c55da2a7182a9eba

      • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.MSIL.Gen.gen-e10f7e019bfbe9059f61c56fce0368a800d57b6cb0f7ee4c7aba067f68ea30f2.exe

        Filesize

        10.7MB

        MD5

        1800f29875fc00d346f7b4f04442482d

        SHA1

        1d26939fe553a1b8b3961d219fa65cf5a1451c96

        SHA256

        e10f7e019bfbe9059f61c56fce0368a800d57b6cb0f7ee4c7aba067f68ea30f2

        SHA512

        4e4a0c9b72120bf23bfd1c703ae6dd8ad0b532eed26ab12931bd6d2eb1999d87c107f45ea77b0f110b5fbede8d3158ffb3b62d58ceb1acdeb2b6792f40b41287

      • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.MSIL.Makop.gen-7bd25c50eebc6f91a77977f299f7080a7ba1825fe1953c76801546cc96342b39.exe

        Filesize

        1.7MB

        MD5

        938493fb2b3e6c7948109806079814b5

        SHA1

        93be3e2462781f44d2bf0c5a60bec6b6010cfbd3

        SHA256

        7bd25c50eebc6f91a77977f299f7080a7ba1825fe1953c76801546cc96342b39

        SHA512

        6c0f43533345a6dfbd84c11fe6049c01a766f437fdc2e40c0099e3c7145257dbe4375c690695ff30bc59439e2f4ae68ddd91b080c8e350ecbd6ea40024d8a3d4

      • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.Win32.Agent.gen-88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe

        Filesize

        575KB

        MD5

        6cad2f7dc809b9353a31753a438aef4e

        SHA1

        459d816bb020f5da8257076a36d0ffd1f1f02d76

        SHA256

        88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335

        SHA512

        a67367990452bf21b7c0d0682c598422c78a5ed455a5d5e684d8fabb43366b0e9f9cd579a5f18123f6b1f97945f789904929838d1d893b70f450bfeafb243bb8

      • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.Win32.Blocker.gen-83e17fbb40b47233994092a2972ca14a50b5f0b771db3b827f9ed7552d989416.exe

        Filesize

        2.7MB

        MD5

        2d21d4d6bd7d079ca7b9032b7afab309

        SHA1

        9fd7cd7c64ffc51dba6f344b2eacc51046b2114a

        SHA256

        83e17fbb40b47233994092a2972ca14a50b5f0b771db3b827f9ed7552d989416

        SHA512

        2f1b37cb619e9f01403b02990c9f493045a938dc3b49f93fd96ab809caa78407fbaa0e1ed9c44e917b6c7fbeae8399380c045ac966df198f4f36e67d8127b667

      • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.Win32.Crypmod.vho-dbb517ba5725fe9e6afca755543835b1e519b4e0feec7471e8752ae0543dadb8.exe

        Filesize

        1.1MB

        MD5

        f9177834afed127dd32232c223966b20

        SHA1

        746ca96975abf097e318bbc4ef02ed534ebdb0ab

        SHA256

        dbb517ba5725fe9e6afca755543835b1e519b4e0feec7471e8752ae0543dadb8

        SHA512

        784b5045b15be8f43e3df458c6122ba795605845bd0a2c247441c1a7235b31b06b0ea9f70a77251c985f2d40774020ba173ac38b02a3cf6e999fdb8109620290

      • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-2c3395f24e3fb552f0be0031ad86f1bf4c78840aaa77b150e7b4c582c2e937fe.exe

        Filesize

        145KB

        MD5

        713a3b3dd5ff4d4458d6bcbd37b516ae

        SHA1

        4858c51441679308935495c3aca9441a79ecfdc4

        SHA256

        2c3395f24e3fb552f0be0031ad86f1bf4c78840aaa77b150e7b4c582c2e937fe

        SHA512

        5d0b0c0c7b597a4279182674682c0f34056f008a72642389b06c2350748e45cde7f013782d1a08eda0ff2efcf35b120ca6ff6774d49bb3ad273cbcefc8d473de

      • C:\Users\Admin\Desktop\00418\HEUR-Trojan-Ransom.Win32.Cryptor.gen-ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

        Filesize

        118KB

        MD5

        a31089dc3cafe77c39268273d689193b

        SHA1

        032e0b9a0bf012401507be974ee6bdb3e6726fd7

        SHA256

        ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

        SHA512

        d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

      • C:\Users\Admin\Desktop\BlockUnblock.asp.doomed

        Filesize

        359KB

        MD5

        9aa3a37800c818832809c7dbae13bf03

        SHA1

        c494ff910e1ef1f5349b084833432dc761b73594

        SHA256

        6dc4a255c998164e1fb291996d09dc3bd6f50966080f544f71ab5b7f891c6c81

        SHA512

        f0bb60f052079522669b03cf1dbe9c50fe5b7171e429e5661ef881d2aed8257bc3341325a8e4d3a55aab4b3ad3884207a9a2f70e4ce264c3f2c6aec84b4438e5

      • C:\Users\Admin\Desktop\CheckpointMeasure.exe.doomed

        Filesize

        91KB

        MD5

        c030ce74b5cce1bc88fb5ab1b4c7fe71

        SHA1

        95b872be54299ca3cf054f8d11cc5a9471ab31bd

        SHA256

        e28e88c9c9c868dcc3101a561170c591dc00821afce2609ef645205fa724030c

        SHA512

        ccb011690209e6a2fc69ff11fe8a813ae261e6ed6e114064195e171a0bd54891656b33aec4d6f505dc68c9b7085119cc097b4fffd72bf05a255b0dff37050ea9

      • C:\Users\Admin\Desktop\CloseUnpublish.xps.doomed

        Filesize

        189KB

        MD5

        b50ba2fc79e0ae57c852c392bbda0e8b

        SHA1

        d453e7d8869f4d9b14bbae922f20a6b1eaac37d9

        SHA256

        e5a459fabc91891868f0a2f8e175e60a986d0d0b0c48d061f018224cb582c6ce

        SHA512

        d193ca607dedb1e3aaaaf67f4cee942739d8c3f91fa19f81ca4f74a78a2cc25a51c0fbe5b3ec046f2bbae82d060d31af2e0bdcb277a24d821ba2205fe050453b

      • C:\Users\Admin\Desktop\CompressEdit.wps.doomed

        Filesize

        104KB

        MD5

        3a431c1d6860c3dda570cdd84eaced5e

        SHA1

        909082c742f1966732eb627bdf8f74303c940a1e

        SHA256

        f1e58d6544c09035bf82f31ba7ccbe31f633db94453e9784d255df0b9b532436

        SHA512

        25ae599229f03baaa273515e9e1a599b8bdc8c77fbc3a511f4166bfbd24383fd15fdaa1215f78b748794c9ce646e38ceefac15a592004c9f099bbb1a39bd31ad

      • C:\Users\Admin\Desktop\ConfirmUnregister.wps.doomed

        Filesize

        209KB

        MD5

        92f15b7d775b2f33f40015dfd05ceff6

        SHA1

        e0a2a1a960d2a7a512d4e2d301596d98be4015d8

        SHA256

        ec862e28dd7b7a805a2dc7ca6d0a56a65c8e1d8fd3e60d8a356ffe8ef9617df0

        SHA512

        86ef2ed5437b3cda554ceee950cbf7bf87a6b124894d7d32928a1bb568dd864fa84db6da81e20bb1182971dd2e2bdd65836579989396fec29547466504d4f878

      • C:\Users\Admin\Desktop\DOOMED.txt

        Filesize

        21B

        MD5

        41d525cce93dcb50de040df6e1aa85bf

        SHA1

        4da182609cf0d851ff276c37fd7ca3e688cc8543

        SHA256

        a712af3290b4acc4e09a5ba108eabcd0909874833faf31887f2fb7c263d3cb7a

        SHA512

        169cd848196c07845388809591b4bf25201a56ecda4e2813d894c1e0d54e03a4c44f95713f36ef0a8882fa74d7418316ded7351edbb9731af6210b7e2155ac1b

      • C:\Users\Admin\Desktop\DenyOpen.au3.doomed

        Filesize

        215KB

        MD5

        64bc95161ee4d1287e85d5efe2043f78

        SHA1

        48dcfe279a4aea42ed5559149ac73c65bf4b1e4e

        SHA256

        9679218310c7884e191a64225910c1db69b93da3fb2fe3dcb9ec6d3e45b243e3

        SHA512

        d2ec386da091d8b7fda164a8c92c901908d9c28a260b2ab2a26bbbc28488b6dde02f9cbd9bb49b362fc74e4d56b22673dc2e2136f6b3db4df4995663b3a7478c

      • F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\RyukReadMe.html

        Filesize

        477B

        MD5

        ff8331d271aeab6046ea1ae5eec0be35

        SHA1

        4b212771c593a2535a12040f931f704ad59e9a49

        SHA256

        8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

        SHA512

        d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

      • memory/1252-298-0x00000000004D0000-0x0000000000512000-memory.dmp

        Filesize

        264KB

      • memory/1392-1140-0x0000014B2E160000-0x0000014B2E1E0000-memory.dmp

        Filesize

        512KB

      • memory/1392-1139-0x0000014B14BD0000-0x0000014B14BE8000-memory.dmp

        Filesize

        96KB

      • memory/1392-1138-0x0000014B309E0000-0x0000014B30EE4000-memory.dmp

        Filesize

        5.0MB

      • memory/1392-1142-0x0000014B30EE0000-0x0000014B30F9C000-memory.dmp

        Filesize

        752KB

      • memory/1392-1141-0x0000014B2D350000-0x0000014B2D39A000-memory.dmp

        Filesize

        296KB

      • memory/1392-126-0x0000014B12440000-0x0000014B12EEE000-memory.dmp

        Filesize

        10.7MB

      • memory/4200-106-0x000002725E040000-0x000002725E062000-memory.dmp

        Filesize

        136KB

      • memory/4200-107-0x000002725E400000-0x000002725E444000-memory.dmp

        Filesize

        272KB

      • memory/4200-110-0x000002725E490000-0x000002725E4AE000-memory.dmp

        Filesize

        120KB

      • memory/4200-108-0x000002725E4D0000-0x000002725E546000-memory.dmp

        Filesize

        472KB

      • memory/4312-611-0x0000000000190000-0x000000000043E000-memory.dmp

        Filesize

        2.7MB

      • memory/4312-1137-0x0000000000190000-0x000000000043E000-memory.dmp

        Filesize

        2.7MB

      • memory/4312-1135-0x0000000000190000-0x000000000043E000-memory.dmp

        Filesize

        2.7MB

      • memory/4808-68-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4808-77-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4808-75-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4808-79-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4808-78-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4808-76-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4808-74-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4808-70-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4808-80-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4808-69-0x00000232BB580000-0x00000232BB581000-memory.dmp

        Filesize

        4KB

      • memory/4852-119-0x0000000000FE0000-0x00000000013C2000-memory.dmp

        Filesize

        3.9MB

      • memory/4980-607-0x0000000007990000-0x00000000079A4000-memory.dmp

        Filesize

        80KB

      • memory/4980-498-0x0000000004A30000-0x0000000004A3A000-memory.dmp

        Filesize

        40KB

      • memory/4980-426-0x00000000074D0000-0x0000000007562000-memory.dmp

        Filesize

        584KB

      • memory/4980-407-0x00000000079A0000-0x0000000007F44000-memory.dmp

        Filesize

        5.6MB

      • memory/4980-328-0x00000000005A0000-0x000000000075E000-memory.dmp

        Filesize

        1.7MB

      • memory/4980-1151-0x00000000090A0000-0x00000000091D4000-memory.dmp

        Filesize

        1.2MB

      • memory/4980-1152-0x00000000091D0000-0x000000000926C000-memory.dmp

        Filesize

        624KB

      • memory/5408-1153-0x0000000000400000-0x00000000004E2000-memory.dmp

        Filesize

        904KB

      • memory/5408-1155-0x0000000005A70000-0x0000000005A84000-memory.dmp

        Filesize

        80KB
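The dropped-file and memory-dump entries above are the part of the report that ends up in blocklists and hunting rules, so they are worth machine-checking before use. The following script is an added example, not part of the original report or of any sandbox vendor's tooling. It parses the bullet/label/value layout as rendered on this page (a layout assumption), validates that each hash is hex of the right length for its algorithm, classifies `.doomed` files as renamed-by-the-ransomware and the two note names seen in this report (`DOOMED.txt`, `RyukReadMe.html`) as ransom notes (an assumption based only on this report), and for `memory/PID-SEQ-0xSTART-0xEND-memory.dmp` entries recomputes the region size from the two addresses and checks it against the stated Filesize, which confirms that reading of the name. The input is a short excerpt copied from this report's own entries.

```python
"""Parse and sanity-check a sandbox report's dropped-file / memory-dump listing.

Added example; not the report's or a vendor's code. LISTING is an excerpt copied
from the report above; the layout rules and the note-name classification are
assumptions documented inline.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = {"Filesize", *HASH_LEN}
# Assumed name layout: memory/<pid>-<dump seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
NOTE_NAMES = {"doomed.txt", "ryukreadme.html"}  # note names seen in this report
APPENDED_EXT = ".doomed"                          # extension the sample appends

# Excerpt copied from the report listing (paths, sizes, hashes as shown above).
LISTING = r"""
• C:\Users\Admin\Desktop\DOOMED.txt
  Filesize
  21B
  MD5
  41d525cce93dcb50de040df6e1aa85bf
  SHA256
  a712af3290b4acc4e09a5ba108eabcd0909874833faf31887f2fb7c263d3cb7a
• C:\Users\Admin\Desktop\DenyOpen.au3.doomed
  Filesize
  215KB
  MD5
  64bc95161ee4d1287e85d5efe2043f78
  SHA256
  9679218310c7884e191a64225910c1db69b93da3fb2fe3dcb9ec6d3e45b243e3
• F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\RyukReadMe.html
  Filesize
  477B
  SHA256
  8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b
• memory/1252-298-0x00000000004D0000-0x0000000000512000-memory.dmp
  Filesize
  264KB
• memory/1392-126-0x0000014B12440000-0x0000014B12EEE000-memory.dmp
  Filesize
  10.7MB
• memory/4312-611-0x0000000000190000-0x000000000043E000-memory.dmp
  Filesize
  2.7MB
• memory/4312-1137-0x0000000000190000-0x000000000043E000-memory.dmp
  Filesize
  2.7MB
"""


def parse_listing(text):
    """One dict per bullet: {'name': ..., 'Filesize': ..., 'MD5': ..., ...}."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"name": line[1:].strip()}
            entries.append(current)
            pending = None
        elif current is None:
            continue
        elif line in LABELS:
            pending = line            # the next non-empty line is this label's value
        elif pending:
            current[pending] = line
            pending = None
    return entries


def format_size(n):
    """Render a byte count the way the report does: B, integer KB, one-decimal MB."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n / 1024:g}KB"
    return f"{n / 1024 ** 2:.1f}MB"


def check_hashes(entry):
    """Labels whose value is not lowercase/uppercase hex of the algorithm's length."""
    return [label for label, length in HASH_LEN.items()
            if entry.get(label) is not None
            and not re.fullmatch(r"[0-9a-f]{%d}" % length, entry[label].lower())]


def memory_region(entry):
    """(pid, start, end, computed_size, stated_size_matches) for memory dumps, else None."""
    m = MEM_RE.match(entry["name"])
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    size = end - start
    return int(m["pid"]), start, end, size, format_size(size) == entry.get("Filesize")


def summarize(text):
    """Classify entries and collect every inconsistency a blocklist author should see."""
    files, notes, encrypted, mismatches, bad_hashes = [], [], [], [], {}
    regions = defaultdict(set)        # pid -> distinct (start, end) ranges, repeats collapsed
    for e in parse_listing(text):
        region = memory_region(e)
        if region:
            pid, start, end, _size, ok = region
            regions[pid].add((start, end))
            if not ok:
                mismatches.append(e["name"])
            continue
        files.append(e["name"])
        base = e["name"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in NOTE_NAMES:
            notes.append(e["name"])
        elif base.endswith(APPENDED_EXT):
            encrypted.append(e["name"])
        if check_hashes(e):
            bad_hashes[e["name"]] = check_hashes(e)
    return {"files": files, "notes": notes, "encrypted": encrypted,
            "bad_hashes": bad_hashes, "size_mismatches": mismatches,
            "unique_regions": {pid: sorted(r) for pid, r in regions.items()}}


if __name__ == "__main__":
    for key, value in summarize(LISTING).items():
        print(f"{key}: {value}")
```

Run it as-is to see the classification; feed it the full listing to get the complete IOC set. The region check matters because the same range shows up under several dump sequence numbers (for example PID 4312 at 0x190000-0x43E000 three times), so counting bullets overstates the number of distinct injected or unpacked regions; `unique_regions` collapses those repeats per process.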