netwire | f128b85f26a5fae2bfa3cba5ea746d561a87d53f7713aee985fc68c8b4905895

Analysis

max time kernel
50s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00401.7z
Size

15.3MB
MD5

82ba3c8e635d5e3e743049d29eb92a72
SHA1

ad4f048b3e0cfd4284362f3d940ecc9008b68fad
SHA256

f128b85f26a5fae2bfa3cba5ea746d561a87d53f7713aee985fc68c8b4905895
SHA512

ad6c87b7e8a9baa6b9c934186424eee6e366aed016651a344cdcc66e36ff28c017cb0ecca1f9bc5d1174cace2eb6a665205a081ad9c90feffd7f758658a8bfe3
SSDEEP

393216:P9DZi2W047ho8UZzx+F8edI0MK+bG8nYwDFXlDGn:PPi2WZNo8W+F8eJMKb8B1DM

Score

10^/10

netwire botnet discovery ransomware rat stealer upx

Malware Config

Extracted

Family

netwire

uploadp3p.publicvm.com:3361

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
NeW-%Rand%
install_path
%AppData%\Install\sisHost.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
kHnMFtjY
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://alcx6zctcmhmn3kx.onion/?FHULIFMO 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://alcx6zctcmhmn3kx.onion/?FHULIFMO

http://helpqvrg3cc5mvb3.onion/

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1816-575-0x0000000000400000-0x00000000004D9000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Executes dropped EXE 6 IoCs

pid	Process
4316	HEUR-Trojan-Ransom.MSIL.Agent.gen-debdf7bdf7395795e8d451618ce11eb321c446b64239d54b1837093f07c87467.exe
3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-59e31c8a4505712f5dffe06656252264eb2cd91db8a9c2a82f905c53c7537e57.exe
980	HEUR-Trojan-Ransom.MSIL.Encoder.gen-db4ab1286c3611d1fe5c8c93372634ad610bcfce5b3929eda4c61a0527efa4c9.exe
1500	HEUR-Trojan-Ransom.Win32.Agent.gen-966272d7f96fdeeb00a5d7ec40c4c11fcf41013c32d1c7476ca1b68d5126bd0d.exe
4416	HEUR-Trojan-Ransom.Win32.Blocker.gen-73762f41492c0729180a278f0995f1d1313439022ab87ce1594c9d96295b2960.exe
1816	HEUR-Trojan-Ransom.Win32.Convagent.gen-6a15591aeecce1f702dd8e23d325384772475823c7ff8710389d3bfb167f11c0.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
23284	arp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4288-218-0x0000000003000000-0x0000000003042000-memory.dmp	upx
behavioral1/files/0x0007000000023cb3-210.dat	upx

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4776	4316	WerFault.exe	106
1964	1484	WerFault.exe	113
1072	1484	WerFault.exe	113
1464	1484	WerFault.exe	113
6492	980	WerFault.exe	109
7080	4480	WerFault.exe	131
7624	1484	WerFault.exe	113
28700	1816	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Convagent.gen-6a15591aeecce1f702dd8e23d325384772475823c7ff8710389d3bfb167f11c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-59e31c8a4505712f5dffe06656252264eb2cd91db8a9c2a82f905c53c7537e57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Encoder.gen-db4ab1286c3611d1fe5c8c93372634ad610bcfce5b3929eda4c61a0527efa4c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Agent.gen-debdf7bdf7395795e8d451618ce11eb321c446b64239d54b1837093f07c87467.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-966272d7f96fdeeb00a5d7ec40c4c11fcf41013c32d1c7476ca1b68d5126bd0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-73762f41492c0729180a278f0995f1d1313439022ab87ce1594c9d96295b2960.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000023cae-200.dat	nsis_installer_1
behavioral1/files/0x0007000000023cae-200.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe
3196	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4828	7zFM.exe
3196	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeRestorePrivilege	4828	7zFM.exe
Token: 35	4828	7zFM.exe
Token: SeSecurityPrivilege	4828	7zFM.exe
Token: SeDebugPrivilege	4052	taskmgr.exe
Token: SeSystemProfilePrivilege	4052	taskmgr.exe
Token: SeCreateGlobalPrivilege	4052	taskmgr.exe
Token: SeDebugPrivilege	4484	taskmgr.exe
Token: SeSystemProfilePrivilege	4484	taskmgr.exe
Token: SeCreateGlobalPrivilege	4484	taskmgr.exe
Token: 33	4052	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4052	taskmgr.exe
Token: SeDebugPrivilege	3856	taskmgr.exe
Token: SeSystemProfilePrivilege	3856	taskmgr.exe
Token: SeCreateGlobalPrivilege	3856	taskmgr.exe
Token: 33	4484	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4484	taskmgr.exe
Token: SeDebugPrivilege	3196	taskmgr.exe
Token: SeSystemProfilePrivilege	3196	taskmgr.exe
Token: SeCreateGlobalPrivilege	3196	taskmgr.exe
Token: 33	3856	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3856	taskmgr.exe
Token: SeDebugPrivilege	4004	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4828	7zFM.exe
4828	7zFM.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4052	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe
3856	taskmgr.exe
4484	taskmgr.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4484	4052	taskmgr.exe	97
PID 4052 wrote to memory of 4484	4052	taskmgr.exe	97
PID 4484 wrote to memory of 3856	4484	taskmgr.exe	98
PID 4484 wrote to memory of 3856	4484	taskmgr.exe	98
PID 3856 wrote to memory of 3196	3856	taskmgr.exe	99
PID 3856 wrote to memory of 3196	3856	taskmgr.exe	99
PID 4004 wrote to memory of 1436	4004	powershell.exe	105
PID 4004 wrote to memory of 1436	4004	powershell.exe	105
PID 1436 wrote to memory of 4316	1436	cmd.exe	106
PID 1436 wrote to memory of 4316	1436	cmd.exe	106
PID 1436 wrote to memory of 4316	1436	cmd.exe	106
PID 1436 wrote to memory of 3268	1436	cmd.exe	107
PID 1436 wrote to memory of 3268	1436	cmd.exe	107
PID 1436 wrote to memory of 3268	1436	cmd.exe	107
PID 1436 wrote to memory of 980	1436	cmd.exe	109
PID 1436 wrote to memory of 980	1436	cmd.exe	109
PID 1436 wrote to memory of 980	1436	cmd.exe	109
PID 1436 wrote to memory of 1500	1436	cmd.exe	110
PID 1436 wrote to memory of 1500	1436	cmd.exe	110
PID 1436 wrote to memory of 1500	1436	cmd.exe	110
PID 1436 wrote to memory of 4416	1436	cmd.exe	111
PID 1436 wrote to memory of 4416	1436	cmd.exe	111
PID 1436 wrote to memory of 4416	1436	cmd.exe	111
PID 1436 wrote to memory of 1816	1436	cmd.exe	112
PID 1436 wrote to memory of 1816	1436	cmd.exe	112
PID 1436 wrote to memory of 1816	1436	cmd.exe	112

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00401.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4828

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /1
    3⤵
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      4⤵
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.MSIL.Agent.gen-debdf7bdf7395795e8d451618ce11eb321c446b64239d54b1837093f07c87467.exe
    HEUR-Trojan-Ransom.MSIL.Agent.gen-debdf7bdf7395795e8d451618ce11eb321c446b64239d54b1837093f07c87467.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 916
      4⤵
      Program crash
      PID:4776
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.MSIL.Blocker.gen-59e31c8a4505712f5dffe06656252264eb2cd91db8a9c2a82f905c53c7537e57.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-59e31c8a4505712f5dffe06656252264eb2cd91db8a9c2a82f905c53c7537e57.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3268
  - - C:\Windows\Resources\Updater.exe
      "C:\Windows\Resources\Updater.exe"
      4⤵
      PID:4388
  - - C:\Windows\Resources\dllhost.exe
      "C:\Windows\Resources\dllhost.exe"
      4⤵
      PID:2524
  - - C:\Windows\Resources\dllhost1.exe
      "C:\Windows\Resources\dllhost1.exe"
      4⤵
      PID:4540
    - - C:\ProgramData\build.exe
        
        "C:\ProgramData\build.exe"
        5⤵
        
        PID:32068
  - - C:\Windows\SysWOW64\arp.exe
      "C:\Windows\System32\arp.exe" -a
      4⤵
      Network Service Discovery
      PID:23284
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.MSIL.Encoder.gen-db4ab1286c3611d1fe5c8c93372634ad610bcfce5b3929eda4c61a0527efa4c9.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-db4ab1286c3611d1fe5c8c93372634ad610bcfce5b3929eda4c61a0527efa4c9.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:980
  - - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.MSIL.Encoder.gen-db4ab1286c3611d1fe5c8c93372634ad610bcfce5b3929eda4c61a0527efa4c9.exe
      "C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.MSIL.Encoder.gen-db4ab1286c3611d1fe5c8c93372634ad610bcfce5b3929eda4c61a0527efa4c9.exe"
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1076
      4⤵
      Program crash
      PID:6492
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Agent.gen-966272d7f96fdeeb00a5d7ec40c4c11fcf41013c32d1c7476ca1b68d5126bd0d.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-966272d7f96fdeeb00a5d7ec40c4c11fcf41013c32d1c7476ca1b68d5126bd0d.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1500
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Blocker.gen-73762f41492c0729180a278f0995f1d1313439022ab87ce1594c9d96295b2960.exe
    HEUR-Trojan-Ransom.Win32.Blocker.gen-73762f41492c0729180a278f0995f1d1313439022ab87ce1594c9d96295b2960.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4416
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Convagent.gen-6a15591aeecce1f702dd8e23d325384772475823c7ff8710389d3bfb167f11c0.exe
    HEUR-Trojan-Ransom.Win32.Convagent.gen-6a15591aeecce1f702dd8e23d325384772475823c7ff8710389d3bfb167f11c0.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1816
  - - C:\Users\Admin\AppData\Roaming\Install\sisHost.exe
      "C:\Users\Admin\AppData\Roaming\Install\sisHost.exe"
      4⤵
      PID:7512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 912
      4⤵
      Program crash
      PID:28700
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Crypren.gen-7eec857793ef7e26e2b4b1fb29ba43ccfd65554372f604343329d3fb699ac216.exe
    HEUR-Trojan-Ransom.Win32.Crypren.gen-7eec857793ef7e26e2b4b1fb29ba43ccfd65554372f604343329d3fb699ac216.exe
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 576
      4⤵
      Program crash
      PID:1964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 592
      4⤵
      Program crash
      PID:1072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 616
      4⤵
      Program crash
      PID:1464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 728
      4⤵
      Program crash
      PID:7624
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Encoder.gen-133c2fb4374c940815de6e325f3e64bdf99794afc79c3d6aa54457c434becbc2.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-133c2fb4374c940815de6e325f3e64bdf99794afc79c3d6aa54457c434becbc2.exe
    3⤵
    PID:180
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-6f438425351ae821feb2f2713e25d269a2316c75450b3ea07e1616407a7f37ee.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-6f438425351ae821feb2f2713e25d269a2316c75450b3ea07e1616407a7f37ee.exe
    3⤵
    PID:2892
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Gen.gen-cace1fc6585168677c21abd52448726544b112b2b7296c7878067e7a24014c7a.exe
    HEUR-Trojan-Ransom.Win32.Gen.gen-cace1fc6585168677c21abd52448726544b112b2b7296c7878067e7a24014c7a.exe
    3⤵
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\rar.exe
      C:\Users\Admin\AppData\Local\Temp\rar.exe a -hpThisIsMyOwnBitcoinMiner C:\PerfLogs\Read_Me.txt.enc C:\PerfLogs\Read_Me.txt
      4⤵
      PID:17676
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.MyxaH.gen-67f89d3ccaf35c5ed12e0bd7b314eb5bbd244803548cdf6a25a086d9188b6e33.exe
    HEUR-Trojan-Ransom.Win32.MyxaH.gen-67f89d3ccaf35c5ed12e0bd7b314eb5bbd244803548cdf6a25a086d9188b6e33.exe
    3⤵
    PID:1984
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Sodin.gen-8c716101e118ac65d7bdb900e0100d012256abb1d7cdf64830e5943a795ccce2.exe
    HEUR-Trojan-Ransom.Win32.Sodin.gen-8c716101e118ac65d7bdb900e0100d012256abb1d7cdf64830e5943a795ccce2.exe
    3⤵
    PID:4032
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Stop.gen-5bf1d3cc2e187ff1dec1c4291b09869c8ac02712ea26c25d22674c14174d7b81.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-5bf1d3cc2e187ff1dec1c4291b09869c8ac02712ea26c25d22674c14174d7b81.exe
    3⤵
    PID:5056
- - C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Zerber.gen-d98f9c981da1fa1dfba351472d8eec3ab2adf6b2b58b1c4ec42ac8204fbfb45a.exe
    HEUR-Trojan-Ransom.Win32.Zerber.gen-d98f9c981da1fa1dfba351472d8eec3ab2adf6b2b58b1c4ec42ac8204fbfb45a.exe
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 144
      4⤵
      Program crash
      PID:7080
- - C:\Users\Admin\Desktop\00401\Trojan-Ransom.Win32.Blocker.becx-b99f932887045e3bd01759ba67ccbef178af34a1f11db473f0e3367f04ed652d.exe
    Trojan-Ransom.Win32.Blocker.becx-b99f932887045e3bd01759ba67ccbef178af34a1f11db473f0e3367f04ed652d.exe
    3⤵
    PID:3264
- - C:\Users\Admin\Desktop\00401\Trojan-Ransom.Win32.Crusis.aec-f9f6364c948e5afae76f40084571d244d5d337c4c63df3ab59f89cba6cfcc92e.exe
    Trojan-Ransom.Win32.Crusis.aec-f9f6364c948e5afae76f40084571d244d5d337c4c63df3ab59f89cba6cfcc92e.exe
    3⤵
    PID:4288
- - C:\Users\Admin\Desktop\00401\Trojan-Ransom.Win32.Encoder.kqw-02033d7826280e8d872213b52d63d161891f40c90a3a9cf806f111c4d8e05276.exe
    Trojan-Ransom.Win32.Encoder.kqw-02033d7826280e8d872213b52d63d161891f40c90a3a9cf806f111c4d8e05276.exe
    3⤵
    PID:2740
- - C:\Users\Admin\Desktop\00401\Trojan-Ransom.Win32.Foreign.nnsm-0f9ae79ab4f9ab332593751a71f62411c7eccf7d62c79d7fc68e62a6088be32e.exe
    Trojan-Ransom.Win32.Foreign.nnsm-0f9ae79ab4f9ab332593751a71f62411c7eccf7d62c79d7fc68e62a6088be32e.exe
    3⤵
    PID:1388
- - C:\Users\Admin\Desktop\00401\Trojan-Ransom.Win32.Phpw.acp-9ce4d0a980812eea9d68c62f60a62621fd722ef85b55ef78cd7603c50f0f0094.exe
    Trojan-Ransom.Win32.Phpw.acp-9ce4d0a980812eea9d68c62f60a62621fd722ef85b55ef78cd7603c50f0f0094.exe
    3⤵
    PID:7348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4316 -ip 4316
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1484 -ip 1484
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1484 -ip 1484
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1484 -ip 1484
1⤵
PID:3328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 980 -ip 980
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4480 -ip 4480
1⤵
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1484 -ip 1484
1⤵
PID:7380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1816 -ip 1816
1⤵
PID:7688

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:21676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\Read_Me.txt

Filesize
940B

MD5
0949547ba664f01e68604410d9a9a9aa

SHA1
b39d85b1ec8188f63e0c2c17c52ac788228003ad

SHA256
6bce718466277622aad3bf88c87f98fc1cd016ce0e3abb5924a0d1e6a62d1b5c

SHA512
8742c75410b452068221c643925bdd1b7bd6e0ea433c4778f62c4bd034ad851cd8f59ea9ff67ec4162d58966c77bb06ed9d605717f055046059b7e21fff08af0

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rydyqimv.noy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fav.png

Filesize
1KB

MD5
494ecdf62b8f3894554e73b4f9ed757a

SHA1
e6f7836b821d622d560509fdd22d2ef1aa048d30

SHA256
6749833a70f6a2c988f4fb75fc8f2c7055f2cbed2a79057f9742db16486278e2

SHA512
dfaede5ce6695d987191f260e3c2c0eaacf8b5084ffb9bb7efa31bb2bc86cc2938396fd1fcdb4e35b8abbee1479b2f852375e58d0f6edf81a05fe89254e6e2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jquery-ui-custom.css

Filesize
1KB

MD5
08e3eb362fb240dab0ec0ab2407c33ba

SHA1
ae33998fcf93fad8697525f909d4967d16d7ed4f

SHA256
25b8858d75a4a4118811bc04d9790859d3ca77df72e566c4034aa37304cb5813

SHA512
a370081c53e4ee5063c4525e9442c4721a69eb4c36f292f0d2631e5424998ae51389322504d28dacd151cd1669e39579bcc99b2f1732aaa161a06eb9af7831a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jquery.rwdImageMaps.min.js

Filesize
1KB

MD5
8fd392e2530784641345c55a123e86f1

SHA1
e5147f8fa316ce1de081a80e05c160aff1b0ba79

SHA256
a2d24c88839224a7461ed989f71c97c7af9c2fd205c209d01df52b87b499b99c

SHA512
a32a211b1e1cb1e22f2a19334f745ff78ff1799eeeecfaa996db959039e1752662a252aa4efb5e77d4a5231e5ac74bca171c54b080c0f04a993cd6c51e5b5393

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7422.tmp

Filesize
291KB

MD5
3b028b8bed36d65d1158a5fb71407ae2

SHA1
5f893942e9bfd690da1bc2c92dba726beb23df34

SHA256
70e7e8f3d5e88f00b0511340535ef9c53e3b5833d488f9d2be3aef35e997315a

SHA512
0f345b3737dabde51cc6bb856c8ada9b94bdb698c79451e4492732e794ce71fe50e664f6b8fb47dfe4897b53af99865ded9cdad1bb6db2c213d7c93f803c1581

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6C24.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss725D.tmp

Filesize
32KB

MD5
89b527f8fba43a99c14200d2da3a99cb

SHA1
2f575caca636b1010cb759757090cceacfa32e64

SHA256
41b29d67797ee0cfa20f9afaaf2433a0a90624fca2684b41a35236722018cb21

SHA512
4454bee934e0ec8582e33a3a47836f055170cb4b543340bac6bee7d55ffb45890112b83b0dc7297119d659dd7db02bd9169d59cd73ed2deb0fe9a73ace97af98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz758B.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pot.dD

Filesize
180KB

MD5
5a80804ee4544fcea3c8453154297604

SHA1
ce5418e0df3b308ca4a513610c5a9b674aabc41e

SHA256
fc8a600cad71c296144adc303c93fe42930ba29a36ec5389f20fb1c30eff21f2

SHA512
0291f4ad066eefdb9bdc305a239915c40a6ca445acf52b398a41a30b8e7d9a80673c4af36c37755a984a60a149a9588ae8e6c032af7cabf26ac7d53e36e48ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\title_en.gif

Filesize
999B

MD5
cf0cb4cc2d2ef8678957cea947e15f39

SHA1
406c0f29e7ce07ab103022a118eb259544761cd1

SHA256
504b54b45883800d7ff9128cd4357d59371e02851e4a9175bef79db620880ab4

SHA512
ce303e8b7709d1fe1979bd2a976382bd3cb88cd231ba7667b94c43fa394acdea58ea6aad9bebce35fe5cf7412e583440b02d16a993209c3ea23439dc53c79d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\txt_top3.png

Filesize
1KB

MD5
51ea17fb60b4f44344050c16c84c0441

SHA1
67b98da3cf5fb38395c0f8487bd31bfcf9e78237

SHA256
c3baf00fdf94ade19a68ba0dc90591ec687213680d9a25524ab2fe6f6c054dd8

SHA512
13ea5cea55cf7a0995821a563d2b3f92a6a1aecedaf9256079cb55b7bd98bc74b67eade40db077922f50ae048d4d03c6d7a6c24291c2d7a2e59459128467424e

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.MSIL.Agent.gen-debdf7bdf7395795e8d451618ce11eb321c446b64239d54b1837093f07c87467.exe

Filesize
218KB

MD5
3c0016c6d91a419cfc13c7f9aff9fa8d

SHA1
ffc0b8862f4998e4ce229558625fbaf0d830bb70

SHA256
debdf7bdf7395795e8d451618ce11eb321c446b64239d54b1837093f07c87467

SHA512
d10ce3a87bd8a5fe3361451cdc497cfd8f42f8bba4ce387eabcc2a58d5cbbdc94f76874d1721485b1b22f0f66158fbfd137440b48ef53512e2deaf93ddbf7459

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.MSIL.Blocker.gen-59e31c8a4505712f5dffe06656252264eb2cd91db8a9c2a82f905c53c7537e57.exe

Filesize
1.0MB

MD5
fac691ef7063b7ada1eb86548bc0c065

SHA1
fec43d269604c7a9a7db28b26dcc79959015c8a4

SHA256
59e31c8a4505712f5dffe06656252264eb2cd91db8a9c2a82f905c53c7537e57

SHA512
1103c9cbf5a28b97dfa664f77908ac3b7e5421dc13b324ef3c5a3c7922a8fb243a20b02e16697efbaa0ce4e6d003864162b6bf50c5eb4c23941ffbf172f49e07

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.MSIL.Encoder.gen-db4ab1286c3611d1fe5c8c93372634ad610bcfce5b3929eda4c61a0527efa4c9.exe

Filesize
3.5MB

MD5
a34a82378370d76caa0c218f7717415a

SHA1
14e129c4e06793f7855ebef42dbb6fdf6a8bdb90

SHA256
db4ab1286c3611d1fe5c8c93372634ad610bcfce5b3929eda4c61a0527efa4c9

SHA512
741dbea35fb478318c8dab728472ed83ae5dc2d3e025cb16c39fdfec61bca6703bc1e69b9cfd952111b6b6818b9727bd6fa384bc00f8142b65f0f62107d89e5f

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Agent.gen-966272d7f96fdeeb00a5d7ec40c4c11fcf41013c32d1c7476ca1b68d5126bd0d.exe

Filesize
4.8MB

MD5
54ffab494f4b8794817cbb8934bac284

SHA1
50069d24a0072125862e20c4063d1a0d492a3ccd

SHA256
966272d7f96fdeeb00a5d7ec40c4c11fcf41013c32d1c7476ca1b68d5126bd0d

SHA512
b6f36c98777fef5f9f6b5501a125c5568a5b218f41fc97c59b13a0eb66036afa924ad83440ab220c4dc40e1ed21e803e28a5bc10c8c79b2db3ada4e945d14a02

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Blocker.gen-73762f41492c0729180a278f0995f1d1313439022ab87ce1594c9d96295b2960.exe

Filesize
1.3MB

MD5
d8a3c459a8f9da12aa83818612c4f0db

SHA1
f988a85be869d3b9593db1871e5fae4c8698ca22

SHA256
73762f41492c0729180a278f0995f1d1313439022ab87ce1594c9d96295b2960

SHA512
94e1e9e27d89bdea8460da71b1f8fd035e516cf266b8fbd38a7b1815dc77c2056b11b34df1982cfefa0d9d2729c113fbfcc93a902b3c1a735fecbf7e825cb1e6

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Convagent.gen-6a15591aeecce1f702dd8e23d325384772475823c7ff8710389d3bfb167f11c0.exe

Filesize
293KB

MD5
3d92b4cbe518b79777ae0d9104c7b732

SHA1
d061dac95aa6301b94758e7155b2e0579ae2d428

SHA256
6a15591aeecce1f702dd8e23d325384772475823c7ff8710389d3bfb167f11c0

SHA512
b5e09f906796e664e74163ba3d79f1b56a297a363576941f413c609aff971520349220410054308c616a27dd8aa3fd8a4281a7417fb7d0421a3bcfc51203fbff

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Crypren.gen-7eec857793ef7e26e2b4b1fb29ba43ccfd65554372f604343329d3fb699ac216.exe

Filesize
280KB

MD5
a2d9cee5033b6e0a3e26ce510254fed0

SHA1
6af56dfd2fede70fcd3dc287603356804a5985f2

SHA256
7eec857793ef7e26e2b4b1fb29ba43ccfd65554372f604343329d3fb699ac216

SHA512
d6a91010bebe4d51abaccdcf502fe5e04813e7e8bfcbe8a5588b73d7d59295634a1ec2d7df52c4555c0f5ff707e92e97bc167b9369f06946ce0908328fc984aa

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Encoder.gen-133c2fb4374c940815de6e325f3e64bdf99794afc79c3d6aa54457c434becbc2.exe

Filesize
201KB

MD5
6cde51b4812dda47f2013cc404aa806b

SHA1
0b330b52095cb68ef61d79afcfe9f9318ab528b1

SHA256
133c2fb4374c940815de6e325f3e64bdf99794afc79c3d6aa54457c434becbc2

SHA512
57334f23f4203b9fba3798cb6927b0a9c94f2f1487a0d588279dda12d2291c45f6890050573175940f6b86b8c8f347fc56d41e49cf97868a0ab832177f21a936

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-6f438425351ae821feb2f2713e25d269a2316c75450b3ea07e1616407a7f37ee.exe

Filesize
250KB

MD5
96aab2800c46e389fe7a65a1dd13d406

SHA1
b007f67f63b86ee197fea6a8c5b6995ef2f2de03

SHA256
6f438425351ae821feb2f2713e25d269a2316c75450b3ea07e1616407a7f37ee

SHA512
4e0e20c04ad1c17a7ec10eecd296957aa553889cd47a48370f628604b25558f06b2bddc26a63b178d5e5ede75d11cc3a71b6b518eb14103a0c35fd25cd9c865c

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Gen.gen-cace1fc6585168677c21abd52448726544b112b2b7296c7878067e7a24014c7a.exe

Filesize
6.3MB

MD5
71901ae70bc8187283b7008540670dea

SHA1
3ba8748162a5a8322743981274a34774b6a705e3

SHA256
cace1fc6585168677c21abd52448726544b112b2b7296c7878067e7a24014c7a

SHA512
a7199c8075d5c670e19c23175d2be0e88889a762944eae26503d9fa9a5eac65e3c86b3422570fb1608ecb2c1349908d8bd663e614a1154532e9eed269ff41ec9

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.MyxaH.gen-67f89d3ccaf35c5ed12e0bd7b314eb5bbd244803548cdf6a25a086d9188b6e33.exe

Filesize
616KB

MD5
77c70773215253bdecf69c2067d63cba

SHA1
66dbf7771c7cd88dfa2d5ffe42758419c7540721

SHA256
67f89d3ccaf35c5ed12e0bd7b314eb5bbd244803548cdf6a25a086d9188b6e33

SHA512
e61af560357184dd428b17b6c0407f0ed5370dfd8e60d0ea9c729b234ed4c80c3cd09e95220628c6d18d46ef5083fb83c970eafa44eda48effb87f9521183d3b

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Sodin.gen-8c716101e118ac65d7bdb900e0100d012256abb1d7cdf64830e5943a795ccce2.exe

Filesize
600KB

MD5
f0db9243fdd14d4755f5b12860d0394d

SHA1
ff1b6fc9398035917e232352fbfae8db7805b5ca

SHA256
8c716101e118ac65d7bdb900e0100d012256abb1d7cdf64830e5943a795ccce2

SHA512
824b21d96fa8ccdad18a8af1aa2dd234fb8c8487a6f81d9b98bdd4108c1ccfd28042b4c3f8bef9a74fadbc22853cc027ee4601f30928fd4ad611f2a38562e96e

Download Submit
C:\Users\Admin\Desktop\00401\HEUR-Trojan-Ransom.Win32.Stop.gen-5bf1d3cc2e187ff1dec1c4291b09869c8ac02712ea26c25d22674c14174d7b81.exe

Filesize
725KB

MD5
60d22219b7aad6ad3a43f68cd18602f0

SHA1
e0c84d0292089a7f5c86f10691b13e024fa22bac

SHA256
5bf1d3cc2e187ff1dec1c4291b09869c8ac02712ea26c25d22674c14174d7b81

SHA512
b1a85a929f15829bd42a996817459cdb433b0f4e3288af028a59108e35a3295c14d5d0e1f00661c142b58cfc3a10b389721e239136aec64b90761bdbfc7f2ee6

Download Submit
C:\Users\Admin\Desktop\00401\Trojan-Ransom.Win32.Blocker.becx-b99f932887045e3bd01759ba67ccbef178af34a1f11db473f0e3367f04ed652d.exe

Filesize
52KB

MD5
29ca79c2a9551f277d74fa78e8070c35

SHA1
ee6cb3639607a8036bfd10c862330f778ed342e8

SHA256
b99f932887045e3bd01759ba67ccbef178af34a1f11db473f0e3367f04ed652d

SHA512
d76f5689f617bf85197ded95deec37654b742e77379923e61e1eb043cf09ab7d141c58d149430c2d08234fa58db3593cc3f7d5abfb6c7d13e99467546b11dcc3

Download Submit
C:\Users\Admin\Desktop\00401\Trojan-Ransom.Win32.Crusis.aec-f9f6364c948e5afae76f40084571d244d5d337c4c63df3ab59f89cba6cfcc92e.exe

Filesize
127KB

MD5
25f940895a0144115c86e641ceeff5a6

SHA1
9c7956a52661ac25fd91bef35af4691bc07aee51

SHA256
f9f6364c948e5afae76f40084571d244d5d337c4c63df3ab59f89cba6cfcc92e

SHA512
8e5cc47d87f878e407dc5cf40982fe0ff022bb06c38db8bb12f320f421bb007b50ce37fe61030ae23629feab48d7333a5f077cb606fd6ca35ac4690cade430af

Download Submit
C:\Users\Admin\Desktop\00401\Trojan-Ransom.Win32.Encoder.kqw-02033d7826280e8d872213b52d63d161891f40c90a3a9cf806f111c4d8e05276.exe

Filesize
602KB

MD5
7bf06858ed76c67370553e2d3f30d36d

SHA1
ff63b6c3def8c55711c6eda93cbe6520904e0b8a

SHA256
02033d7826280e8d872213b52d63d161891f40c90a3a9cf806f111c4d8e05276

SHA512
0db5eb64a83bc5ad6b212b37402da6ee7b004b3291e450fbd1c24b25af19bcbb937ad6dae52cb81963bf823eb27c1ae550e5c91fa701bc776670748f0ea9ecfc

Download Submit
C:\Users\Admin\Desktop\README_encrypted.txt

Filesize
487B

MD5
ac86f00d1544b004819a30b1b0e53287

SHA1
3c6bdda8cee14245cd730422cee29335a8bd4178

SHA256
19101857e1e6c7300c10202483c5e3c2144b9213ec330142c8d1ee48abe46031

SHA512
a9f02d648caf058fa9b376d055cf306df7aebed78592b8698c191bb0b24a9f9446f3ae2524b1de484a8bbb64bc2e53833e9df9645ff774e8da16046ab7f07495

Download Submit
C:\Users\Admin\metadata.bin

Filesize
40B

MD5
3bc885cb6db0024912c4b54747c4bc2e

SHA1
70cd0762e72fc9f2ec5ad24611010067093f8f20

SHA256
adc7694cce4ba039534ec911d5af2dc4e764f64a02028c9b6be1994b5b54136d

SHA512
5d088bdea349402f3b538383dd5445948c2cc0dd2074556d5a04bcbb70a58a2ed97446ae8306bb6c4e4e47166bf3d498ab03be6fefb0c1468ca58a40418c8178

Download Submit
C:\Windows\Resources\Updater.exe

Filesize
307KB

MD5
655a2113fd0b2c79f927dbe7f1ea501e

SHA1
6009a3571adcdd2a5196e2e5e3084d66c0105fe1

SHA256
cf2dab3a1009469e1ed1d07fe168efa2af6c0f15a0be892eae8e690ed27cd05e

SHA512
0d17058952b49c52106fe71e490b88c34934c10527997508bd06cf99bd9b89fc9eb2f018bbb660b46cbedc406d72114ef98c275aa53f3e7d761b649c56cdb556

Download Submit
C:\Windows\Resources\dllhost.exe

Filesize
90KB

MD5
09d27d8bac7f8bc4b6def5f5a6e891b3

SHA1
8bc549b20c636c143584845e515a15035ed1b310

SHA256
41c986437adff3555684208054cba35fa8bad61038723630576c34fa74c8f37e

SHA512
77dda079ed0cbd6db335c185689b7b90118cf9f20a2f600ce0ead3a9f85a05f5a8798b0e43463c51752dcad11c1074db01abea3129978c95e76784c13142300f

Download Submit
C:\Windows\Resources\dllhost1.exe

Filesize
104KB

MD5
7d6a81f077f720d76bc0225383f11244

SHA1
e61219d4c4cce81c9b1c637fdfbdd36ef8fbb760

SHA256
085d4b19abfbdb0897c041c8199acd9eb95c6130b76feaf85933aa6b1ee8111f

SHA512
61bde47e56804dc82ec019e8e3d09ce9bb8fd8804ca29d85d4cd78c1e4100787fcf9e1be3b1456bd88231e024e1094ab92040f26ba3d358b1f292023f004bc96

Download Submit
\??\c:\users\admin\desktop\00401\heur-trojan-ransom.win32.zerber.gen-d98f9c981da1fa1dfba351472d8eec3ab2adf6b2b58b1c4ec42ac8204fbfb45a.exe

Filesize
267KB

MD5
cb22a312b421f599daee0cc1c95144bd

SHA1
b4288a97e3aae2b4c89bccd59713d0fdade18663

SHA256
d98f9c981da1fa1dfba351472d8eec3ab2adf6b2b58b1c4ec42ac8204fbfb45a

SHA512
2b39461c889071fc10f072c58eb770945d3464e7753c07c424f1a29116067cc31ff81bed6c71374437d02426c207e0ca6a3d1ea33135c5488bddcedeba50f8ae

Download Submit
\??\c:\users\admin\desktop\00401\trojan-ransom.win32.foreign.nnsm-0f9ae79ab4f9ab332593751a71f62411c7eccf7d62c79d7fc68e62a6088be32e.exe

Filesize
2.7MB

MD5
ed8b67c2c24794590006bd0350fab557

SHA1
d61da79810bba755b7edcecc22c7a0b4d62176bd

SHA256
0f9ae79ab4f9ab332593751a71f62411c7eccf7d62c79d7fc68e62a6088be32e

SHA512
82712f9d3789fffec6f27c71e8078d428c7fda3674dd803ef809069cf553a5d93cd1605949d5dd898eb469eceaf41124af75350738ea7b74371485b45aa97e50

Download Submit
memory/180-714-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/980-151-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/980-135-0x0000000000B40000-0x0000000000EBE000-memory.dmp

Filesize
3.5MB

Download
memory/980-139-0x000000000D6A0000-0x000000000D73C000-memory.dmp

Filesize
624KB

Download
memory/1388-718-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/1484-576-0x0000000000400000-0x0000000002303000-memory.dmp

Filesize
31.0MB

Download
memory/1816-575-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2524-190-0x0000000000990000-0x00000000009AC000-memory.dmp

Filesize
112KB

Download
memory/2740-736-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2740-717-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2892-715-0x0000000000400000-0x0000000000B6C000-memory.dmp

Filesize
7.4MB

Download
memory/3196-93-0x000001E422890000-0x000001E422891000-memory.dmp

Filesize
4KB

Download
memory/3196-85-0x000001E422890000-0x000001E422891000-memory.dmp

Filesize
4KB

Download
memory/3196-87-0x000001E422890000-0x000001E422891000-memory.dmp

Filesize
4KB

Download
memory/3196-86-0x000001E422890000-0x000001E422891000-memory.dmp

Filesize
4KB

Download
memory/3196-95-0x000001E422890000-0x000001E422891000-memory.dmp

Filesize
4KB

Download
memory/3196-91-0x000001E422890000-0x000001E422891000-memory.dmp

Filesize
4KB

Download
memory/3196-94-0x000001E422890000-0x000001E422891000-memory.dmp

Filesize
4KB

Download
memory/3196-90-0x000001E422890000-0x000001E422891000-memory.dmp

Filesize
4KB

Download
memory/3196-92-0x000001E422890000-0x000001E422891000-memory.dmp

Filesize
4KB

Download
memory/3268-137-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/3268-152-0x0000000007AE0000-0x0000000007BEC000-memory.dmp

Filesize
1.0MB

Download
memory/3268-138-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/3268-134-0x0000000000810000-0x000000000091E000-memory.dmp

Filesize
1.1MB

Download
memory/3448-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3448-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3448-737-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4004-110-0x000002AC409F0000-0x000002AC40A66000-memory.dmp

Filesize
472KB

Download
memory/4004-99-0x000002AC40460000-0x000002AC40482000-memory.dmp

Filesize
136KB

Download
memory/4004-112-0x000002AC409B0000-0x000002AC409CE000-memory.dmp

Filesize
120KB

Download
memory/4004-109-0x000002AC40920000-0x000002AC40964000-memory.dmp

Filesize
272KB

Download
memory/4052-56-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4052-57-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4052-58-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4052-47-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4052-48-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4052-55-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4052-54-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4052-53-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4052-52-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4052-46-0x00000242CCE10000-0x00000242CCE11000-memory.dmp

Filesize
4KB

Download
memory/4288-218-0x0000000003000000-0x0000000003042000-memory.dmp

Filesize
264KB

Download
memory/4316-136-0x0000000000E50000-0x0000000000E8C000-memory.dmp

Filesize
240KB

Download
memory/4388-177-0x0000000000830000-0x0000000000884000-memory.dmp

Filesize
336KB

Download
memory/4416-574-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/7348-723-0x0000000000400000-0x0000000000DC0000-memory.dmp

Filesize
9.8MB

Download