Analysis
-
max time kernel
243s -
max time network
244s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2024 22:47
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00394.7z
Resource
win10v2004-20241007-en
General
-
Target
RNSM00394.7z
-
Size
31.2MB
-
MD5
76b93f055cb09b9c703f1c934853ff39
-
SHA1
7c82fe366d1ed04a5ada0cab06762e9e8136664d
-
SHA256
38ab2002e8df4e98a0bfd4272f9dd3acb7c1ae6e9137a1343baf2f3e4994cec7
-
SHA512
842e5e23cbac2b6031ac16be6869d2d296dc7233a802edb0a545d513a41698421b6c1a7019e6f470998785df221edad75f708af00ba9cfb35f7602558334aba1
-
SSDEEP
786432:frOl5j9tSAcWHyw7AvM06/p3sC9C18FIz6oD2UHf:fS99vuuSC9C18QHf
Malware Config
Extracted
azorult
http://valhalla42.000webhostapp.com/testcode/index.php
Extracted
C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt
balaclava
Extracted
warzonerat
officedesktop004018.webredirect.org:5500
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Balaclava Malware
Balaclava malware is a ransomware program.
-
Balaclava family
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
GandCrab payload 2 IoCs
resource yara_rule behavioral1/memory/6976-3427-0x00000000020A0000-0x00000000020B7000-memory.dmp family_gandcrab behavioral1/memory/6976-3426-0x0000000000400000-0x000000000045F000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Themida.exe -
Renames multiple (450) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Renames multiple (8746) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Warzone RAT payload 3 IoCs
resource yara_rule behavioral1/memory/8348-39613-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat behavioral1/memory/8348-39628-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat behavioral1/memory/8348-39629-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat -
Blocklisted process makes network request 1 IoCs
flow pid Process 67 7196 wscript.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Themida.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Themida.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Themida x32.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Encoder.kic-1c657d12c407867f9fca7b2386a9cff3f563f44b2c523bd33c9c20fc0cbbc24e.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 11 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js WScript.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\license.js taskmgr.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.id-2a16f034.[telegram_@spacedatax].roger taskmgr.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\heur-trojan-ransom.win32.crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe taskmgr.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js wscript.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta taskmgr.exe -
Executes dropped EXE 21 IoCs
pid Process 3548 HEUR-Trojan-Ransom.MSIL.Blocker.gen-0d6673edd2998e93f605a0d828dafd54055169580e8390e48fcbae7216bf1cfc.exe 3692 HEUR-Trojan-Ransom.Win32.Blocker.gen-aeda2014bf5250cb3a6c32fe9da4cf97793f8849221047bf155fe515c9bc1769.exe 2192 HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe 620 HEUR-Trojan-Ransom.Win32.Encoder.gen-f5464d39819344e94f36215f6e68a090031fe616437612a4abd82bfb7492887a.exe 6976 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-87ee41b3141fd60ce9e1c8b744c67dee643a942e03e09a81026b31762104ce74.exe 224 HEUR-Trojan-Ransom.Win32.Generic-361fc41e13edf9845b4ca36c770138b033df619138622deddd10c7f3e00d7539.exe 6836 Trojan-Ransom.Win32.Blocker.lckf-864448901d066f7fa4835e4c12341d60bf7f610d8c45577ac5749267535c243c.exe 6824 Trojan-Ransom.Win32.Blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exe 5596 Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe 6460 Trojan-Ransom.Win32.DoppelPaymer.au-6ec458fe4d57f4637b12a9f740ae9a5bbc903d4499a89969ef9b564a5ba96d88.exe 5616 Trojan-Ransom.Win32.Encoder.kic-1c657d12c407867f9fca7b2386a9cff3f563f44b2c523bd33c9c20fc0cbbc24e.exe 5200 Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe 4700 Trojan-Ransom.Win32.Snocry.dum-22d46011258236f404f345c0c581690252031132d938d946b66118daaa39047d.exe 2972 UDS-Trojan-Ransom.Win32.Encoder-23d38f76f8e559c3eae61af733052138f2a01221f2d2c1206d845a6415e80c04.exe 5964 Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe 1560 25E317.exe 5840 comone.exe 8576 Themida x32.exe 7476 Themida x32.exe 6324 Themida x32.exe 4056 Themida.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine Themida.exe -
Loads dropped DLL 11 IoCs
pid Process 3308 MsiExec.exe 3308 MsiExec.exe 3308 MsiExec.exe 3308 MsiExec.exe 3308 MsiExec.exe 3308 MsiExec.exe 5764 MsiExec.exe 5764 MsiExec.exe 5764 MsiExec.exe 5764 MsiExec.exe 5764 MsiExec.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0007000000023cbd-2390.dat vmprotect -
Adds Run key to start application 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\license = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\license.js\"" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe = "C:\\Windows\\System32\\HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe" HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\comone - Windows XP = "C:\\Windows\\system32\\comone.exe" Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DLLclnbldwrz189r = "C:\\Users\\Admin\\AppData\\Roaming\\DLLclnbldwrz189r.exe" HEUR-Trojan-Ransom.MSIL.Blocker.gen-0d6673edd2998e93f605a0d828dafd54055169580e8390e48fcbae7216bf1cfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\license = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\license.js\"" WScript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Razor 1911 Uninstall 25E317.exe = "command.com /C del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\25E317.exe\"" 25E317.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\license = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\license.js\"" WScript.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\license = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\license.js\"" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Themida.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Music\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Public\Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Public\Documents\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Public\Libraries\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Public\Videos\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Searches\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Links\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Public\Desktop\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Public\Downloads\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Videos\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files (x86)\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Public\Music\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: Themida x32.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: Themida x32.exe File opened (read-only) \??\M: Themida x32.exe File opened (read-only) \??\G: Themida x32.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: Themida x32.exe File opened (read-only) \??\P: Themida x32.exe File opened (read-only) \??\S: Themida x32.exe File opened (read-only) \??\X: Themida x32.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\u: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\N: Themida x32.exe File opened (read-only) \??\e: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\I: Themida x32.exe File opened (read-only) \??\S: Themida x32.exe File opened (read-only) \??\W: Themida x32.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\j: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\y: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\z: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\p: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\t: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\v: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\Y: Themida x32.exe File opened (read-only) \??\h: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\q: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\s: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\B: Themida x32.exe File opened (read-only) \??\K: Themida x32.exe File opened (read-only) \??\i: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\o: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\E: Themida x32.exe File opened (read-only) \??\J: Themida x32.exe File opened (read-only) \??\T: Themida x32.exe File opened (read-only) \??\W: Themida x32.exe File opened (read-only) \??\l: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\B: Themida x32.exe File opened (read-only) \??\L: Themida x32.exe File opened (read-only) \??\M: Themida x32.exe File opened (read-only) \??\T: Themida x32.exe File opened (read-only) \??\X: Themida x32.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: Themida x32.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: Themida x32.exe File opened (read-only) \??\x: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\V: Themida x32.exe File opened (read-only) \??\Z: Themida x32.exe File opened (read-only) \??\Q: Themida x32.exe File opened (read-only) \??\n: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\w: Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened (read-only) \??\P: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 48 iplogger.org 49 iplogger.org -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 66 ip-api.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 Themida.exe -
Drops file in System32 directory 15 IoCs
description ioc Process File created C:\Windows\System32\HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Windows\SysWOW64\comone.exe Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\SysWOW64\msscript.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\SysWOW64\tdc.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File created C:\Windows\SysWOW64\comone.exe Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe File created C:\Windows\SysWOW64\comone.exe comone.exe File opened for modification \??\c:\Windows\SysWOW64\sysmon.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\SysWOW64\wshom.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File created C:\Windows\System32\Info.hta HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification \??\c:\Windows\SysWOW64\dmview.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\SysWOW64\hhctrl.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\SysWOW64\msdxm.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4056 Themida.exe 4056 Themida.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3548 set thread context of 8348 3548 HEUR-Trojan-Ransom.MSIL.Blocker.gen-0d6673edd2998e93f605a0d828dafd54055169580e8390e48fcbae7216bf1cfc.exe 160 -
resource yara_rule behavioral1/files/0x0007000000023cbb-93.dat upx behavioral1/files/0x0007000000023cc6-2784.dat upx behavioral1/files/0x0007000000023cc5-2782.dat upx behavioral1/memory/2972-3841-0x0000000000400000-0x0000000000498000-memory.dmp upx behavioral1/memory/2972-3160-0x0000000000400000-0x0000000000498000-memory.dmp upx behavioral1/memory/4700-3157-0x0000000000400000-0x0000000000943000-memory.dmp upx behavioral1/memory/1560-3839-0x0000000000400000-0x0000000000498000-memory.dmp upx behavioral1/memory/1560-6883-0x0000000000400000-0x0000000000498000-memory.dmp upx behavioral1/memory/4700-7685-0x0000000000400000-0x0000000000943000-memory.dmp upx behavioral1/memory/4700-11354-0x0000000000400000-0x0000000000943000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_18.svg.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\Globals.hlsl Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\selector.js.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Program Files\Microsoft Office\root\Office16\EntityPicker.dll.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8041_48x48x32.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\ui-strings.js HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\PackageManagementDscUtilities.strings.psd1.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlFrontIndicatorHover.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-80_altform-lightunplated.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\placeholder.png HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.ps1 HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-100_contrast-black.png HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\ui-strings.js.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-125.png HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-disabled_32.svg HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_en_135x40.svg.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-400.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\plugin.js HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\LargeTile.scale-200_contrast-white.png HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\63.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-200.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\fillandsign.svg.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan-2x.png.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-150.png HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.ELM.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\ui-strings.js.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxbgt.dll.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\ui-strings.js.id-2A16F034.[telegram_@spacedatax].ROGER Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\MemMDL2.1.85.ttf HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\HOW_TO_RECOVERY_FILES.txt Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.INF.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js.id-2A16F034.[telegram_@spacedatax].ROGER HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-125_contrast-black.png Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification \??\c:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_ebe59bdc3d4ddc3f\Flash.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification C:\Windows\Installer\MSI78D3.tmp msiexec.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.xls Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File created \??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg.WannaRen Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_2560x1600.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.1_none_51facbaf4051768b\sysmon.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img104.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-ie-datacontrol_31bf3856ad364e35_11.0.19041.746_none_400d31fc5cce434d\tdc.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\Wallpaper\Theme2\img12.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\topGradRepeat.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.1_none_b977d9566df127e9\wmpnss_color32.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.1_none_b977d9566df127e9\wmpnss_color48.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\security_watermark.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_10.0.19041.746_none_b0a3ebd117ec81d4\f\hhctrl.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\displaylanguagenames.en_gb.t Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\Wallpaper\Theme1\img3.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\Wallpaper\Windows\img0.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_10.0.19041.746_none_b0a3ebd117ec81d4\hhctrl.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_1200x1920.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\Screen\img102.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\Screen\img104.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\security_watermark.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_10.0.19041.906_none_699a0ca245158f14\logui.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\img4.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.82_none_2dad4b68cbfd8794\Flash.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.906_none_ea293d31af4f56ea\WelcomeScan.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img100.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color120.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\Wallpaper\Theme2\img8.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_10.0.19041.1_none_41668bdd85c44640\Cnfgprts.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\f\msdxm.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.82_none_2358a116979cc599\Flash.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_10.0.19041.906_none_699a0ca245158f14\Cnfgprts.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_3840x2160.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_768x1024.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\Screen\img100.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_10.0.19041.746_none_a64f417ee38bbfd9\hhctrl.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File created \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg.WannaRen Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.264_none_2649f3f85f3b49b1\wshom.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_768x1366.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\Wallpaper\Theme1\img2.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img7.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\msdxm.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\wshom.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI7874.tmp msiexec.exe File created \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg.WannaRen Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..l-wallpaper-windows_31bf3856ad364e35_10.0.19041.1_none_910333b84fcf455a\img0_768x1366.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File created C:\Windows\Installer\e5974ab.msi msiexec.exe File created \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg.WannaRen Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\Web\Wallpaper\Theme1\img4.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File created \??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg.WannaRen Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\darkBlue_GRAD.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.ppt Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File created \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg.WannaRen Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_10.0.19041.1_none_3711e18b51638445\Cnfgprts.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..l-wallpaper-windows_31bf3856ad364e35_10.0.19041.1_none_910333b84fcf455a\img0_1200x1920.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\DMR_120.jpg Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_10.0.19041.1_none_7e470436241a018f\hhctrl.ocx Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid pid_target Process procid_target 5488 6976 WerFault.exe 115 7156 224 WerFault.exe 116 8956 6460 WerFault.exe 121 6896 5596 WerFault.exe 120 -
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Themida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-aeda2014bf5250cb3a6c32fe9da4cf97793f8849221047bf155fe515c9bc1769.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language comone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Themida x32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Themida x32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-0d6673edd2998e93f605a0d828dafd54055169580e8390e48fcbae7216bf1cfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Generic-361fc41e13edf9845b4ca36c770138b033df619138622deddd10c7f3e00d7539.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.GandCrypt.gen-87ee41b3141fd60ce9e1c8b744c67dee643a942e03e09a81026b31762104ce74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.lckf-864448901d066f7fa4835e4c12341d60bf7f610d8c45577ac5749267535c243c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UDS-Trojan-Ransom.Win32.Encoder-23d38f76f8e559c3eae61af733052138f2a01221f2d2c1206d845a6415e80c04.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Themida x32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Encoder.gen-f5464d39819344e94f36215f6e68a090031fe616437612a4abd82bfb7492887a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 25E317.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.DoppelPaymer.au-6ec458fe4d57f4637b12a9f740ae9a5bbc903d4499a89969ef9b564a5ba96d88.exe -
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4340 vssadmin.exe 8444 vssadmin.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe -
Modifies registry class 24 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings Trojan-Ransom.Win32.Blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\ProductName = "Themida" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D1551CE832DF6D04FB6936DD2DEE37CB msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Oreans\\Themida 2.4.6.0\\install\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Oreans\\Themida 2.4.6.0\\install\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\Version = "33816582" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D1551CE832DF6D04FB6936DD2DEE37CB\7952DF563754A2E4BA7672499EADAC0A msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\SourceList\PackageName = "Themida.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\SourceList\Media\1 = "Disk1;Disk1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7952DF563754A2E4BA7672499EADAC0A msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7952DF563754A2E4BA7672499EADAC0A\MainFeature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\PackageCode = "B6E93C3564B2AB343B5F8A18251553EE" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7952DF563754A2E4BA7672499EADAC0A\DeploymentFlags = "3" msiexec.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 9696 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 4784 powershell.exe 4784 powershell.exe 4784 powershell.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 64 7zFM.exe 2112 taskmgr.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3548 HEUR-Trojan-Ransom.MSIL.Blocker.gen-0d6673edd2998e93f605a0d828dafd54055169580e8390e48fcbae7216bf1cfc.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2192 HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 64 7zFM.exe Token: 35 64 7zFM.exe Token: SeSecurityPrivilege 64 7zFM.exe Token: SeDebugPrivilege 3188 taskmgr.exe Token: SeSystemProfilePrivilege 3188 taskmgr.exe Token: SeCreateGlobalPrivilege 3188 taskmgr.exe Token: SeDebugPrivilege 2112 taskmgr.exe Token: SeSystemProfilePrivilege 2112 taskmgr.exe Token: SeCreateGlobalPrivilege 2112 taskmgr.exe Token: 33 3188 taskmgr.exe Token: SeIncBasePriorityPrivilege 3188 taskmgr.exe Token: SeDebugPrivilege 4784 powershell.exe Token: SeSecurityPrivilege 10148 msiexec.exe Token: SeBackupPrivilege 7484 vssvc.exe Token: SeRestorePrivilege 7484 vssvc.exe Token: SeAuditPrivilege 7484 vssvc.exe Token: SeCreateTokenPrivilege 8576 Themida x32.exe Token: SeAssignPrimaryTokenPrivilege 8576 Themida x32.exe Token: SeLockMemoryPrivilege 8576 Themida x32.exe Token: SeIncreaseQuotaPrivilege 8576 Themida x32.exe Token: SeMachineAccountPrivilege 8576 Themida x32.exe Token: SeTcbPrivilege 8576 Themida x32.exe Token: SeSecurityPrivilege 8576 Themida x32.exe Token: SeTakeOwnershipPrivilege 8576 Themida x32.exe Token: SeLoadDriverPrivilege 8576 Themida x32.exe Token: SeSystemProfilePrivilege 8576 Themida x32.exe Token: SeSystemtimePrivilege 8576 Themida x32.exe Token: SeProfSingleProcessPrivilege 8576 Themida x32.exe Token: SeIncBasePriorityPrivilege 8576 Themida x32.exe Token: SeCreatePagefilePrivilege 8576 Themida x32.exe Token: SeCreatePermanentPrivilege 8576 Themida x32.exe Token: SeBackupPrivilege 8576 Themida x32.exe Token: SeRestorePrivilege 8576 Themida x32.exe Token: SeShutdownPrivilege 8576 Themida x32.exe Token: SeDebugPrivilege 8576 Themida x32.exe Token: SeAuditPrivilege 8576 Themida x32.exe Token: SeSystemEnvironmentPrivilege 8576 Themida x32.exe Token: SeChangeNotifyPrivilege 8576 Themida x32.exe Token: SeRemoteShutdownPrivilege 8576 Themida x32.exe Token: SeUndockPrivilege 8576 Themida x32.exe Token: SeSyncAgentPrivilege 8576 Themida x32.exe Token: SeEnableDelegationPrivilege 8576 Themida x32.exe Token: SeManageVolumePrivilege 8576 Themida x32.exe Token: SeImpersonatePrivilege 8576 Themida x32.exe Token: SeCreateGlobalPrivilege 8576 Themida x32.exe Token: SeCreateTokenPrivilege 8576 Themida x32.exe Token: SeAssignPrimaryTokenPrivilege 8576 Themida x32.exe Token: SeLockMemoryPrivilege 8576 Themida x32.exe Token: SeIncreaseQuotaPrivilege 8576 Themida x32.exe Token: SeMachineAccountPrivilege 8576 Themida x32.exe Token: SeTcbPrivilege 8576 Themida x32.exe Token: SeSecurityPrivilege 8576 Themida x32.exe Token: SeTakeOwnershipPrivilege 8576 Themida x32.exe Token: SeLoadDriverPrivilege 8576 Themida x32.exe Token: SeSystemProfilePrivilege 8576 Themida x32.exe Token: SeSystemtimePrivilege 8576 Themida x32.exe Token: SeProfSingleProcessPrivilege 8576 Themida x32.exe Token: SeIncBasePriorityPrivilege 8576 Themida x32.exe Token: SeCreatePagefilePrivilege 8576 Themida x32.exe Token: SeCreatePermanentPrivilege 8576 Themida x32.exe Token: SeBackupPrivilege 8576 Themida x32.exe Token: SeRestorePrivilege 8576 Themida x32.exe Token: SeShutdownPrivilege 8576 Themida x32.exe Token: SeDebugPrivilege 8576 Themida x32.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 64 7zFM.exe 64 7zFM.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 3188 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe 2112 taskmgr.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 620 HEUR-Trojan-Ransom.Win32.Encoder.gen-f5464d39819344e94f36215f6e68a090031fe616437612a4abd82bfb7492887a.exe 620 HEUR-Trojan-Ransom.Win32.Encoder.gen-f5464d39819344e94f36215f6e68a090031fe616437612a4abd82bfb7492887a.exe 1364 cmd.exe 5964 Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe 5964 Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe 4056 Themida.exe 4056 Themida.exe 4056 Themida.exe 4056 Themida.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3188 wrote to memory of 2112 3188 taskmgr.exe 101 PID 3188 wrote to memory of 2112 3188 taskmgr.exe 101 PID 4784 wrote to memory of 1364 4784 powershell.exe 108 PID 4784 wrote to memory of 1364 4784 powershell.exe 108 PID 1364 wrote to memory of 3548 1364 cmd.exe 109 PID 1364 wrote to memory of 3548 1364 cmd.exe 109 PID 1364 wrote to memory of 3548 1364 cmd.exe 109 PID 1364 wrote to memory of 3692 1364 cmd.exe 110 PID 1364 wrote to memory of 3692 1364 cmd.exe 110 PID 1364 wrote to memory of 3692 1364 cmd.exe 110 PID 1364 wrote to memory of 2192 1364 cmd.exe 111 PID 1364 wrote to memory of 2192 1364 cmd.exe 111 PID 1364 wrote to memory of 2192 1364 cmd.exe 111 PID 1364 wrote to memory of 620 1364 cmd.exe 112 PID 1364 wrote to memory of 620 1364 cmd.exe 112 PID 1364 wrote to memory of 620 1364 cmd.exe 112 PID 2192 wrote to memory of 512 2192 HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe 113 PID 2192 wrote to memory of 512 2192 HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe 113 PID 1364 wrote to memory of 6976 1364 cmd.exe 115 PID 1364 wrote to memory of 6976 1364 cmd.exe 115 PID 1364 wrote to memory of 6976 1364 cmd.exe 115 PID 1364 wrote to memory of 224 1364 cmd.exe 116 PID 1364 wrote to memory of 224 1364 cmd.exe 116 PID 1364 wrote to memory of 224 1364 cmd.exe 116 PID 1364 wrote to memory of 6836 1364 cmd.exe 117 PID 1364 wrote to memory of 6836 1364 cmd.exe 117 PID 1364 wrote to memory of 6836 1364 cmd.exe 117 PID 1364 wrote to memory of 6824 1364 cmd.exe 118 PID 1364 wrote to memory of 6824 1364 cmd.exe 118 PID 1364 wrote to memory of 6824 1364 cmd.exe 118 PID 1364 wrote to memory of 5964 1364 cmd.exe 119 PID 1364 wrote to memory of 5964 1364 cmd.exe 119 PID 1364 wrote to memory of 5964 1364 cmd.exe 119 PID 1364 wrote to memory of 5596 1364 cmd.exe 120 PID 1364 wrote to memory of 5596 1364 cmd.exe 120 PID 1364 wrote to memory of 5596 1364 cmd.exe 120 PID 1364 wrote to memory of 6460 1364 cmd.exe 121 PID 1364 wrote to memory of 6460 1364 cmd.exe 121 PID 1364 wrote to memory of 6460 1364 cmd.exe 121 PID 1364 wrote to memory of 5616 1364 cmd.exe 122 PID 1364 wrote to memory of 5616 1364 cmd.exe 122 PID 1364 wrote to memory of 5200 1364 cmd.exe 123 PID 1364 wrote to memory of 5200 1364 cmd.exe 123 PID 1364 wrote to memory of 5200 1364 cmd.exe 123 PID 1364 wrote to memory of 4700 1364 cmd.exe 124 PID 1364 wrote to memory of 4700 1364 cmd.exe 124 PID 1364 wrote to memory of 2972 1364 cmd.exe 125 PID 1364 wrote to memory of 2972 1364 cmd.exe 125 PID 1364 wrote to memory of 2972 1364 cmd.exe 125 PID 2972 wrote to memory of 1560 2972 UDS-Trojan-Ransom.Win32.Encoder-23d38f76f8e559c3eae61af733052138f2a01221f2d2c1206d845a6415e80c04.exe 128 PID 2972 wrote to memory of 1560 2972 UDS-Trojan-Ransom.Win32.Encoder-23d38f76f8e559c3eae61af733052138f2a01221f2d2c1206d845a6415e80c04.exe 128 PID 2972 wrote to memory of 1560 2972 UDS-Trojan-Ransom.Win32.Encoder-23d38f76f8e559c3eae61af733052138f2a01221f2d2c1206d845a6415e80c04.exe 128 PID 6824 wrote to memory of 6324 6824 Trojan-Ransom.Win32.Blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exe 153 PID 6824 wrote to memory of 6324 6824 Trojan-Ransom.Win32.Blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exe 153 PID 6824 wrote to memory of 6324 6824 Trojan-Ransom.Win32.Blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exe 153 PID 512 wrote to memory of 7980 512 cmd.exe 138 PID 512 wrote to memory of 7980 512 cmd.exe 138 PID 5616 wrote to memory of 7508 5616 Trojan-Ransom.Win32.Encoder.kic-1c657d12c407867f9fca7b2386a9cff3f563f44b2c523bd33c9c20fc0cbbc24e.exe 139 PID 5616 wrote to memory of 7508 5616 Trojan-Ransom.Win32.Encoder.kic-1c657d12c407867f9fca7b2386a9cff3f563f44b2c523bd33c9c20fc0cbbc24e.exe 139 PID 5200 wrote to memory of 5840 5200 Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe 141 PID 5200 wrote to memory of 5840 5200 Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe 141 PID 5200 wrote to memory of 5840 5200 Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe 141 PID 6324 wrote to memory of 8576 6324 WScript.exe 143 PID 6324 wrote to memory of 8576 6324 WScript.exe 143 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 4 IoCs
pid Process 6828 attrib.exe 4812 attrib.exe 5452 attrib.exe 9836 attrib.exe
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00394.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:64
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0d6673edd2998e93f605a0d828dafd54055169580e8390e48fcbae7216bf1cfc.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-0d6673edd2998e93f605a0d828dafd54055169580e8390e48fcbae7216bf1cfc.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:3548 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:8348
-
-
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.Blocker.gen-aeda2014bf5250cb3a6c32fe9da4cf97793f8849221047bf155fe515c9bc1769.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-aeda2014bf5250cb3a6c32fe9da4cf97793f8849221047bf155fe515c9bc1769.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3692
-
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exeHEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\system32\mode.commode con cp select=12515⤵PID:7980
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:4340
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:7300
-
C:\Windows\system32\mode.commode con cp select=12515⤵PID:3948
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:8444
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"4⤵PID:8468
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"4⤵PID:6488
-
-
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.Encoder.gen-f5464d39819344e94f36215f6e68a090031fe616437612a4abd82bfb7492887a.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-f5464d39819344e94f36215f6e68a090031fe616437612a4abd82bfb7492887a.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:620
-
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-87ee41b3141fd60ce9e1c8b744c67dee643a942e03e09a81026b31762104ce74.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-87ee41b3141fd60ce9e1c8b744c67dee643a942e03e09a81026b31762104ce74.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6976 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 4884⤵
- Program crash
PID:5488
-
-
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.Generic-361fc41e13edf9845b4ca36c770138b033df619138622deddd10c7f3e00d7539.exeHEUR-Trojan-Ransom.Win32.Generic-361fc41e13edf9845b4ca36c770138b033df619138622deddd10c7f3e00d7539.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:224 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 5404⤵
- Program crash
PID:7156
-
-
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Blocker.lckf-864448901d066f7fa4835e4c12341d60bf7f610d8c45577ac5749267535c243c.exeTrojan-Ransom.Win32.Blocker.lckf-864448901d066f7fa4835e4c12341d60bf7f610d8c45577ac5749267535c243c.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6836
-
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exeTrojan-Ransom.Win32.Blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6824 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\license.js"4⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6324 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida x32.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida x32.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:8576 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida x32.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida x32.exe" /i "C:\Users\Admin\AppData\Roaming\Oreans\Themida 2.4.6.0\install\Themida.msi" CLIENTPROCESSID="8576" SECONDSEQUENCE="1" CHAINERUIPROCESSID="8576Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" AGREE_CHECKBOX="Yes" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida x32.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\RarSFX0\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files (x86)\Themida\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida x32.exe"6⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:6324
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEA6DC.tmp.bat" "6⤵
- System Location Discovery: System Language Discovery
PID:6028 -
C:\Windows\SysWOW64\attrib.exeATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Oreans\THEMID~1.0\install\Themida.msi"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:6828
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXEA6DC.tmp.bat"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEA6DC.tmp.bat" "7⤵
- System Location Discovery: System Language Discovery
PID:3532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"7⤵
- System Location Discovery: System Language Discovery
PID:9324
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEA70C.tmp.bat" "6⤵
- System Location Discovery: System Language Discovery
PID:7132 -
C:\Windows\SysWOW64\attrib.exeATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Oreans\THEMID~1.0\install\Themida.msi"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5452
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXEA70C.tmp.bat"7⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:9836
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEA70C.tmp.bat" "7⤵
- System Location Discovery: System Language Discovery
PID:7384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"7⤵
- System Location Discovery: System Language Discovery
PID:9224
-
-
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\license.js"5⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:7196 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida x32.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themida x32.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7476
-
-
-
-
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exeTrojan-Ransom.Win32.Crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5964
-
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exeTrojan-Ransom.Win32.Crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5596 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 25524⤵
- Program crash
PID:6896
-
-
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.DoppelPaymer.au-6ec458fe4d57f4637b12a9f740ae9a5bbc903d4499a89969ef9b564a5ba96d88.exeTrojan-Ransom.Win32.DoppelPaymer.au-6ec458fe4d57f4637b12a9f740ae9a5bbc903d4499a89969ef9b564a5ba96d88.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6460 -s 4444⤵
- Program crash
PID:8956
-
-
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Encoder.kic-1c657d12c407867f9fca7b2386a9cff3f563f44b2c523bd33c9c20fc0cbbc24e.exeTrojan-Ransom.Win32.Encoder.kic-1c657d12c407867f9fca7b2386a9cff3f563f44b2c523bd33c9c20fc0cbbc24e.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5616 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7068.tmp\7069.tmp\706A.bat C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Encoder.kic-1c657d12c407867f9fca7b2386a9cff3f563f44b2c523bd33c9c20fc0cbbc24e.exe"4⤵PID:7508
-
-
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exeTrojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5200 -
C:\Windows\SysWOW64\comone.exe"C:\Windows\system32\comone.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5840
-
-
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Snocry.dum-22d46011258236f404f345c0c581690252031132d938d946b66118daaa39047d.exeTrojan-Ransom.Win32.Snocry.dum-22d46011258236f404f345c0c581690252031132d938d946b66118daaa39047d.exe3⤵
- Executes dropped EXE
PID:4700
-
-
C:\Users\Admin\Desktop\00394\UDS-Trojan-Ransom.Win32.Encoder-23d38f76f8e559c3eae61af733052138f2a01221f2d2c1206d845a6415e80c04.exeUDS-Trojan-Ransom.Win32.Encoder-23d38f76f8e559c3eae61af733052138f2a01221f2d2c1206d845a6415e80c04.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\25E317.exeC:\Users\Admin\AppData\Local\Temp\25E317.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1560
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6976 -ip 69761⤵PID:2800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 224 -ip 2241⤵PID:6480
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6460 -ip 64601⤵PID:1200
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:10148 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E69D4C2116E8C36850717F6355683A04 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3308
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:9596
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 20823A819EA70EBDAFE4A8BD114785312⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5764
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:7484
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\7cdd19d929164c7db4609d8f4f37ce60 /t 6228 /p 64881⤵PID:7912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5596 -ip 55961⤵PID:7052
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\abd15c80f16e4edab43860021057cf91 /t 10204 /p 84681⤵PID:9832
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW_TO_RECOVERY_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
PID:9696
-
C:\Program Files (x86)\Themida\Themida.exe"C:\Program Files (x86)\Themida\Themida.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4056
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5760
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1JavaScript
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
1Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5dde4eeed33fca4b00ed69a2c54c32375
SHA19da210ede81d72961eeb87ac349e346edb460f3d
SHA256cd90ccf38a1af1030b9bde388c8dc754d32f25e515cd6ea686d030e491c9c371
SHA51264fa7a988cbd7468f03ab5016ab1c8264f8e9e62862ea98fd3c41dfeee32ae660bf28788b613e8f751fbce51d83be05efb79deeece576d3066b6e19de3887e55
-
C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.id-2A16F034.[telegram_@spacedatax].ROGER
Filesize2KB
MD52562cbf5f6166b984f7e794c8d5c6aa7
SHA1beb148df0fb9667f6c8ab5ae83050fe3050f9542
SHA2568156cf9b16694cc3d738561faf9568da6cf8b8b4eebe690a44c788b819ace324
SHA512f6633c98204e3ed4f26b328c20f8b76a8271030c1e3e0a217673aad6098dab26c5fec2621546a4b57df4f4169d158653a84c2945d94408cd4f9530cfc431a19f
-
Filesize
41KB
MD544ad2f405e87cee197885b33b291ba3f
SHA1fab04001277dc1679bb10d86ea7d4833aa921dbd
SHA2560d36603df9e450601a13d35b541259c205edb2a300e5dea77087e43a89d20ae4
SHA512fef558b5e687d916cbfc22561883071fb1e9c6dbb7681964dd173c55e045b679dcd64813032590139bf82024df2591ebae1873259f31746684bb870360433a47
-
C:\Program Files (x86)\Themida\ThemidaSDK\ExamplesSDK\Macros(Check Protection)\Delphi\Via Inline Assembly\Project1.cfg
Filesize434B
MD5d8ff66a45c69860931690ad87575813b
SHA10eb8f818d6374031a791767ff2a60e8dc8c8bd94
SHA256be4b309251a5ecc7111b5a044c637a6ddf3a548176ac5c66480ccb0a4c20a444
SHA512f5721d3db7f66c29d663502661d11c06a567ac3d55281b83836e1ebd9363dbb83aec8fa397bc4cf4bd1166c5d4351ad1167a48ab0f8805e56339a929899e1a25
-
Filesize
114KB
MD5f208d7d455a736398253ff683197b621
SHA135d6ec6044d518bbe64f58d3f4ab0d1934db83ea
SHA256443c2daabb300044b46d06889b09c3eaa20c5fed44cd2c4f1b0954067f541e6e
SHA5122eaf3989e07f3762f2b7522f1294a2f3758f9a2616939c5f6b13fa5ee8b8d5e97391ba4a1c8ca6345ee296daf268bb1a67538a35a509e6dc6c79fc6fc7aa09f4
-
Filesize
67KB
MD52d647dc204fbe60cc8c45af07f79ccab
SHA1e568aeabd45eaee50b279d2622092494bed42fb3
SHA256bbe83a6888377187e26ec3927199e486668de98eab5b7caae858f5f7e0cbf5df
SHA51290e5ebb91322e089c93d8ad3f144e0c6a2d8679c3a521f4f77881753f71df1816676209cdd94d53fa109c44f221bebf0bcaf07992e45e1cb81255ab6acb5f6e2
-
Filesize
2.5MB
MD5cdf255cf4158968558f44f3c871314bf
SHA15bd08dc7d1ae1c2811e7c6372f3599a9c9f48333
SHA256dc36f18f7fd462d5aa72afede7706ed17b8f04942c6b0618852f1b22c5ccb614
SHA512f5264dbf40d83005aaf62de26f292a3525a04208b4f6f12b5f42cc4eb805d2b706d49eebd2ea26d0e7f37ef1825498cae65291af7686171806ceec78840dd413
-
Filesize
546KB
MD50e618bf1921eac9cc014e0ed6623e873
SHA1647f5cc413679b06d71382ff24b87f108b613a71
SHA2560a2ed11d6edb67ad56ce90cad44c894a9003a8a4829532753e7031e3e9db3559
SHA5126737c7123382af369dfcdbd3bc8103e5bd84479d56dd42ea8254d368adabe24b79c55f67af67908ec0b5f00fb32bc468ca1069baa8eba2067175bff98c1210be
-
Filesize
211KB
MD5e4056feaa2b9b6726b402eae71e9e860
SHA1c1d9e3e0003970d07568859f3e1883f5483e5980
SHA256e4e01c5a11962cad8f36641e6b713e9eaeb51571289cdf0de9f4e9bdab93653f
SHA51250b136d82af449f5d184f3af9be213d9d163997a4ab0e41a77c4c238f66f3c883da3d89358521a79683d815c13dc5ba663bd16468238b68da336fa41967081de
-
Filesize
190KB
MD59ef5ab0ea574da7a6ff4c7fae51dd9f1
SHA14a1c215a3b77f33db09089101e47246c7da7258c
SHA256e62b81795a65e8dea5c0c6cb71274c9f64808b2f2f4a81b44d3b7dc153b8fd2a
SHA512f7f25fa43e5a2f89baca643da7906500050b6b6d9baa02baba6b78a74ba48621a33384e6ebbd1a4a6a7a096576cf088ff9c0b9190204bfbf841a889e3fc4d926
-
Filesize
932KB
MD53fbbf546e12a85fa87f77c2aa7739d47
SHA1b3b8e2b5743d6401bc66581124272e0bc8d07fbc
SHA2563d670c2d51647d6f67ed27d7b10536e1a41f0dffcca3714f38ee5fd685129a0a
SHA512d429cf6513cc2a7076b22df0706e4c89fcd5ac159e0193f3b5092a6a509718dd5039016e7db90e06c30929d0e4114ff62027c6f22080d4a45b9eb3111d793521
-
Filesize
686KB
MD50bc0c17b4706ecff98c6494b87d0c95a
SHA14d5089e3eb0b63e06117edf6aa1569401b6ed54a
SHA256db818c12539deb290a36ae2de219da030e4f01bba767514ed4492e2adf1c8218
SHA512fd368120e85cc26eb726b115fc3014f6166b776b25c044ea2d19c642e726e89569b5b6cac8adecca7c9dd67ff500426affc1aa7736e5fcf174d9c7f296f0cc67
-
Filesize
59KB
MD5173be1dee835691062365b8fd79a15b9
SHA159028815dcab19d3568098aabdf86f89d544de13
SHA2563f12749f1105f13b5794d2795055f3c741e3bb015dab284a0fbd51ec361b8b20
SHA512dadd3ff7123c75578c3b5fa19b0239e9385c58578b8a150c444ed59f4357873582224496f6f4ef5076bc51f73713457485e0d1b2b75d85b2a07a2ed3e3205192
-
Filesize
7KB
MD53eae58b3f6c7598c1b13cf1ae888a033
SHA1b6694a7b8a5a6e015b09d7c53cba1bd6a238bae7
SHA2564c48fb3f809efebd784d492a18dd3807d4d8f138828f75f6f37ad85b4721d4e3
SHA5123a76f7ee8ba0e601c09763425d667a7c16f7a8f4d59ed5f2ae944be0f78b8bd8398e6a5a1402716a54e4140dccec3410f2bdde4b77e7711e43af1eddce7da67f
-
Filesize
9KB
MD5dcc85ea00df10022c1eb54773c6bb12c
SHA1053dfb176a8d764d2dfce7e09df12ff3fc94ebbb
SHA25683ec76494ab9d2ae2356b15ebe50246ca81c3619dd58621123001f7aa1e4d437
SHA5123c986c82f160dda959a8e8275f61a268c85b01cd2b2be10ea3b8d427ca029c58cf1c41015d2ee42f7751849c35f83972d2014db1d8333658495219119659d179
-
Filesize
14KB
MD59c0833c44a2d95133f432abaece559a7
SHA14b92c2cc3d7667917aaff42dc870e3f43ec5051d
SHA256550012b9f1956424f3805b8e0eed4c3425a121daa5e1a18660b1a6e65c16aa9c
SHA512db0b1664af6078034feea2a339a7b7f95621f02dad8abe5eb214a98752377e4537ee26a1a8e4027ee88088a3103866852864bcaae12b7536a5781d3a34385bd5
-
Filesize
7KB
MD529e3320558af17334d8773f73255036e
SHA1ff6eda86125ff284641191ec9066682ac16f26b1
SHA256bace7721ad04faa39e06cf96da9bc99c2b65f222cbaee93f90a7fd9adc7c26d3
SHA512abbb728e79d6a000f6296d8696ca72e5f737f13e8f905934e56f87572adfef221f0d2dc5ec479a12dcfbb6cc8e69937587e880f19378114dcf40305100cd0dd5
-
Filesize
11KB
MD5d53e2cc29c1fdf0741d894fee3288578
SHA1037e6c0dddefecb71b4b17ac691e9c8ff56795fc
SHA256aae0cf1f3dcf721ecc997f670d3ffa8df2596da9d9978912f19bd5ef9feb01ca
SHA51236534d534ab7d9ccbe260f58667cf9efb68cd1259fa695fa7edc0344ffaf18e6d40168b6ad517d27626e2e8f3ef0794427ea76299d141304d2f1e5b1935554b8
-
Filesize
13KB
MD51c576f5f5820d2091e6acb6029bc0b81
SHA1b3f247567ceded1bc4e10e45d854e6ca75fd483a
SHA25621b5c804fdd6f37fc286e4e56c3677a72378d12d98a24c257905bc9d6d0d654e
SHA512573e5b970a0daee0e1b56f10dab09beb0218738898fec1fb773e18be9464646d6a82a9423d40bbf71bd57b244dc1bfd2f3cd2cd319829faa3d8e7cc11176a7b8
-
Filesize
13KB
MD5427eceacdbea9f97f3931bc172e5504d
SHA1864cdf21fd5123345ede37bb0c334d0dd5ecfb40
SHA256ce7b0537ca654dd14402c787c34bc407a0582276199ce7ac1df5a1411591d91b
SHA5127b775dd67c24fb83fd0c53441be5a3a7e80080021914cc63422698c6cb4d174e731ecec4bca6a9c978d35ce89e7d936adf622018c071cf4ba372f487be257ac2
-
Filesize
14KB
MD5ffcd27feaaecee1aa6b5f79809dfc32a
SHA181e45017beacd5ee427e15257f4cbc262291b437
SHA2561d9d42b9f5c10b697d707e5f194c33de8079ac0a8f3938fd4db2aec3335d1c77
SHA5129baa44735d857009b727984471dd85ad6afc05ba70e148b6803c84d8e7abd0e5fbdbfa80171d1a3fab9d702a6ffc4df169d1f3f0a44a878f49abeafb88f88360
-
Filesize
16KB
MD5a2651a7fc97734534f4f232c30af1bcb
SHA1fcba3924d5934ea415a0e7f0c2bd99555b80f5d3
SHA256a5c72b229791f8ccb24128899ab0616db51eb7649e6ed9ab13609c2be33ac4ae
SHA51210d12fa04fa8e19323c1cfe981d616892e2c70a4ec46237057cce32bffae1ed671a82a26fa9bb3bbb14b65afd29dde7abfb7a0029a3c45a5166bf921490ad7dd
-
Filesize
7KB
MD51b441190adf2853cfbde361f6056c9e7
SHA1a62c397f0018083343c9287b1d35f8fe582af8fd
SHA256121d14c04d0e4c8a2cc3eb2a4693cfb1aaac09bc1748506865d30bf6f94d81e3
SHA5127d5f88841b7bbb4b33044520dab39c49e4fbf515c72962a14eeceeba49296c68397be9f00dad95837eb8376053801ee89eaa5718b1b2c5c6d51b3039a3094f62
-
Filesize
11KB
MD59180fe99736e3cf701d7cc992632e3d2
SHA16ea4fd8b62b4eaf1e63877df9c6bbee74f41b3f0
SHA256e5b3410b94a616b0ca78cc7f04ebe57d3562033f4aea09d5f82780a21ff4b53d
SHA512af0da25eafb79e7df57e14f97e9b45aeb7cce3f7afd993868b8b6c2c37b93b76c6a9a6284e37ddfa6753323dbe486b725d8286f498e09a727c2d906c6f4ec701
-
Filesize
12KB
MD5d73cd76eafbe50595ab03477abbaa653
SHA154b19d7c168397bc4c131d050926300801031e74
SHA256504aee1e3be467acb7f3ceed73c04609a95044894afa5f3df1f28c00a5da001d
SHA5127d79b31fead6bd25d6d6810c3083957d19690b204ebc3e9f39b71830411be8e89e985ae7ebf6ae3fdd49bcebf52afbd8a7366036c3293c88d254315f356bf1b3
-
Filesize
11KB
MD5d4c666c61388ef8827814175c49cdd45
SHA101d6ee834d6676516c8c03706e2e44308efec1d9
SHA2561b88a734298b1a2200bb86d1d3fcf8955e1d4f78dd1774758302b369d24d34af
SHA51256fac17c139484af471ad307e5ecbcf68d2b4d6dc7377bcc6c4a9271a3664d4a9fd81a763ee2abd91a7000895d73f8eedb1c3f2f155649c69c4c8966bc8d4b5c
-
Filesize
7KB
MD5a326e2c3da5966c5e5ae17ac6417d74c
SHA1cb2604a57e5dfeb26355298dba6175dab19edb9b
SHA256e7d2d202746d6eaa4244a5fab27ada608e9d8cf95ad93610e0a1eb58f219e502
SHA51258de8a5dfa959e8ebcfd4aba5209106d75a3a8ea24d64c62b82678deff702334f05f7eea617c7d1654de4137c58ed787c4188a4b66d03af02e6a1ed1a8022126
-
Filesize
10KB
MD5c9d7669742fcb75d42179fce0b34353b
SHA1e37198a038c0ee40feb10cf684b2e8e0fed1c79e
SHA256d6364ea4e3d04268dd8cb14eb5221c7baa98247afbc985782b3476aebd9d7193
SHA512fba080e62befef98fa36c5e87552876661396775af9e34b1645cb23e6ad0c0fcfc1c22206447675ae30979cb8a32b0be223ed60e6a8650678d69377f34193679
-
Filesize
11KB
MD5d1c0bf9dfc73428ebe9334730145cdb8
SHA1ba7586a2d4866708a07037e399996366ee90bb8b
SHA256c0d05597e4eedcb9e9c450048a5b31d4995477978ed552fb88aa10f5a4c20d70
SHA5127ebf10304f4593373c77b4f7ca53b5bd91b098d1f11df04c07370f5688bd9c2d50ea434a158b926e07396c95563c226a9fdc6fe32ebf853327cf5bcf28d77b5b
-
Filesize
18KB
MD577f2d06706eac7587d532429eb336237
SHA1ce7b76a5e3c582d36442f0cb0982f60da75d3be6
SHA2564fc11b53688c613c2bcae4089a47eba42aedbcfee985fef8f04bb54a7038f38b
SHA5127d497b05585a2f30383ada6c498c722075116e766be966fc68c32e32e75912a6a51c3af7c3f27f84d795a74707d24bc93bcbc94e0a246a83f0fd7508ccd91199
-
Filesize
2KB
MD5d4e602db4b9ca79a4b84145ced52bf52
SHA1cf617b410113aae8dbd2d0034a01b0805d93e5ef
SHA256a619391bdc1e7a2728f419032eae4c18b89c16f070870390fd7c54e504540af3
SHA5122dcbc672d249a3176c9984e31ac1067ebef0ebce763bd99b8f2464bfd90a0ac85655aea659faa234eda1a782e215a4fdefa75c6779e0a7204c5ec63e6ab0af65
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-2A16F034.[telegram_@spacedatax].ROGER
Filesize3.2MB
MD56b69acf8229f2d3621a24ba6a33f2319
SHA10db5136e40de4cbd1c99b74f94d4d1924aa08f07
SHA25655b86f4e69861b1552ef53f766e4212bbc432b40cca5776d21d78f42c6023b45
SHA512b4502bbf7241e98facfb4bf5160631f63b1ccdf0cef0c055da155ec292672532c8659e2c78e3b15559cd8fc9285d97ed94c594bad75eb059f26b9e1de527632b
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
24KB
MD5f550f449baed1315c7965bd826c2510b
SHA1772e6e82765dcfda319a68380981d77b83a3ab1b
SHA2560ee7650c7faf97126ddbc7d21812e093af4f2317f3edcff16d2d6137d3c0544d
SHA5127608140bc2d83f509a2afdaacd394d0aa5a6f7816e96c11f4218e815c3aaabf9fc95dd3b3a44b165334772ebdab7dfa585833850db09442743e56b8e505f6a09
-
Filesize
80KB
MD58fba38514c65d78433176678600cdc5b
SHA18fdeed8181c940649bda310c74d29d301e7ffeec
SHA256af4cc127f9801621641ab6d96f38ddaf6a6d94d73d9907e283a0d7594ac19bfd
SHA512cf2555c6e15eb95c2dad9faf2f2a3fb2033e15fdad74221a3dfb139c2819640a673f494adef23b5531ab731f961bbc03dbd6cf2ac08ab9c2e055f6a897a3a015
-
Filesize
173B
MD56bbc544a9fa50b6dc9cd6c31f841548e
SHA1e63ffd2dd50865c41c564b00f75f11bd8c384b90
SHA256728c6cc4230e5e5b6fdf152f4b9b11ac4d104fa57a39668edea8665527c3bcc2
SHA5122cf43d3a3f2e88805824e4c322832af21c4c49d5309387aa731ddbea8cc280a6049cab4526e20b1c87c39c8781168c5ff80083c94becf0984b94593b89ab77f8
-
Filesize
404B
MD550e27244df2b1690728e8252088a253c
SHA1b84ad02fd0ed3cb933ffbd123614a2495810442b
SHA25671836c56ec4765d858dc756541123e44680f98da255faf1ece7b83d79809b1c3
SHA512ba3d3535bfd2f17919e1a99e89fdb1c9a83507ff3c2846c62770e210a50aee1281445d510858d247cc9619861089aaf20f45b0b7c39f15c0ea039ac5498fa03e
-
Filesize
134B
MD5a0efb0e7b9cee25b09e09a1a64e96ba6
SHA10c1e18f6f5e6e5e6953e9fb99ca60fdec35d6e39
SHA256f044f542bc46464054084c63596877f06c6e2c215c0e954c4ace9787ced82787
SHA5127e53f9f564aaa529b3b15035671957c2923ec98ddee93758ea7a4c8645ee9058962078771b853e3490290fde1f57030dff5092d40d69418776ffee89f79c8a7c
-
Filesize
253B
MD59554be0be090a59013222261971430ad
SHA19e307b13b4480d0e18cfb1c667f7cfe6c62cc97c
SHA256f4302ee2090bc7d7a27c4bc970af6eb61c050f14f0876541a8d2f32bc41b9bab
SHA512ac316f784994da4fed7deb43fe785258223aba5f43cc5532f3e7b874adc0bc6dbcd8e95e631703606dfaa2c40be2e2bb6fa5bc0a6217efe657e74531654ea71c
-
Filesize
1KB
MD50b044ccde7aa9d86e02a94030d744ac2
SHA10594ebb3737536703907ba5672ccd351c6afb98a
SHA256bce5b6de3a1c7af7ec14b6643da25f7c9e15bd5f1c4a38abfcddc70a5e93bdd3
SHA512dbfba793722589f1a76dbc75c9a2f3646733e4a079a6b70003716a7f7b8fa1a6a2b234ec9132f5737e91d20d460db1e29826b2d7ac740f73136975f19e336cd8
-
Filesize
66B
MD51fb3755fe9676fca35b8d3c6a8e80b45
SHA17c60375472c2757650afbe045c1c97059ca66884
SHA256384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21
SHA512dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3
-
Filesize
154B
MD51966f4308086a013b8837dddf88f67ad
SHA11b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190
SHA25617b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741
SHA512ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17
-
Filesize
404B
MD517368ff7073a6c7c2949d9a8eb743729
SHA1d770cd409cf1a95908d26a51be8c646cace83e4c
SHA25616e6e7662f3a204061c18090a64a8679f10bc408be802abd2c7c0e9fe865cbb4
SHA512cbc3a378335f131d0146e5fe40cea38a741a0754a26304daebfda6f82c394cf0e151654782c6c8c7bbf7c354fcb72a2c66a77a87df528c2a3fa87c88f204059d
-
Filesize
520B
MD570db38d656afa3778dcf6173d390e61b
SHA18b8674d6d70d67943d313d2b74222daa4bd1691d
SHA2563a0a5b69f9da7cae9fc631326ed8aa97abbaaecf2bf15d0a73169a29f3381e83
SHA5128888ab493c7342f69b33279eaec4f99c41a906929d65503c48c7059d199fbab267ba9ad6ef6e57a7a56d2a321c01e46008f770afe67fa99ec7b7676ec2376c05
-
Filesize
3KB
MD549ad8e9164fd6facb8a8bfd6f62972b8
SHA1e23605df242772a047d6d3543aaa72241066abb9
SHA256914a0241a557591dfdcf3ed1ef0e557ceb153f32c716c53d13342dc5318bbb79
SHA512843359888242b97b12185954fe6f04bbe8ed14c71f101a79d4863ccdca7d1b03b4e1f0c6cacf26f87a91c5eacb0d4571481bca81a0c3dfd8add475310a6269f2
-
Filesize
404B
MD5583580e2c651f5c230fb3235b7ca0e3b
SHA1a9bd6aeef43a6f4c0c00d1ecd98a585d7eb0aaa3
SHA25665172283ee04f2fa18d0e57b21471be2e68017d1f61816aaaa6be070b446346f
SHA5126c61e6c06c883113a7a0efbd352120354c070f5c17d770b6b821c42cb9d9ca895992842b29b51bd3e569b0c95e93709dd7c1c2a26bcff0ad425079f5302670ce
-
Filesize
18KB
MD5f5a120b564fc7823d1c269b7a6e70473
SHA11b85466c12f83b7872214f787390614df50eaddb
SHA256c178ed81de4aa8b049efcf0670c10cf2043a51c6be1144ee95d09c1c2afd6087
SHA51296d285759f8a8c5d17d7cac4ef224995dfa09554a3687c7f34e63651888c98a9c60095cd1a71c82030781ff6e7d58b7d49068bd9f53126ff7b775579d3368ace
-
Filesize
273B
MD5f6a5e71e9cbe8d3654a2cdf91aae98fa
SHA18871a1ae25cff6c5a3e6288a58fc5f4d7a92409d
SHA2564801d63bd9bdc6279765ba785b0da9e10730764a9c3645934a46c691547c0612
SHA5121b3146dfdef9c46123f27fa355790036f296d600bb10fbad12363c71c8e3a840863512f4a581daa18ffabb3ec5a3720a6337c4bac54be8b9b49d161b9459a1c9
-
Filesize
276B
MD517242d201d004bb34449aab0428d2df1
SHA177a332c6a6c4bfc47a2120203cfeabb8a2268a6b
SHA25615405855866fa2b7c60afbc8ba720aae8f2ba7fb60bfa641dc9d10361e56f033
SHA512605a97e2614c664417d53263be21c67b1504a46ee61b92b0a84ac18a7baab05eb56b72d4cf27372ae6c157928080ba16e24081e95458eb122ba18f3722c2d21f
-
Filesize
225B
MD58ba33e929eb0c016036968b6f137c5fa
SHA1b563d786bddd6f1c30924da25b71891696346e15
SHA256bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5
SHA512ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e
-
Filesize
205B
MD55e947815d865acf099fa753283e09179
SHA17d98046d20a73439c53044e0ebb5f0b34afaeea9
SHA256c1d0663131fe901d890cdd9f18af8f9a553bee4848cbd978f5122e8383b5534b
SHA512b22e31c37d84128b271c5e5a70fdce90a3bbc02059d1bd032841b3383dbeeca56ec9abe6335453abc8ded1de84e6fcafb648d76d4dcc79246339e9a5eb6d5270
-
Filesize
180B
MD51a883668b735248518bfc4eefd248113
SHA11112803a0558a1ad049d1cac6b8a9d626b582606
SHA256bcbb601daa5a139419f3cd0f6084615574c41b837426ebff561b7846dfec038e
SHA512d321878ed517544c815fd0236bdff6fcb6da5c5c3658338afba646f1d8f2e246c6c880d4f592ff574a18f9efdf160e5772bbf876fb207c8fd25c1f9dd9ddfd04
-
Filesize
175B
MD5a2c4802002bb61994faabda60334a695
SHA10a2b6b0ceb09425080c5ba4b9cbdef533cf69eba
SHA256a3b59dbc5a39d551455ff838e71b5820560ca3484c6411b9d69df33d8113619c
SHA51234e130edc650c3de6020f2d2b5dc1404b7aee0105eb7e315c15c5aa61398d174377e9b6a2aecc55f79f54c04812b8745c6739a201539e291538979e6b024da31
-
Filesize
238B
MD5516172d0ebf941237cef32fcee8cdf43
SHA16bee117996c16c7413be876dfc15978d14813091
SHA25656e64eaf6349ece08005e6f7299de413ed00112d53518215d90690be2b2a4f1a
SHA51246477a58aa7e9eeae29e1c1d826bf045422709b7c8f428985c617b366012c58121d4404523a75efe77fc6d8e061a6bb209743d0a2af81545898f51c8855728ec
-
Filesize
2KB
MD5c288a7a350a1a5a5eee9ada36cb6011c
SHA1d1174e488d08dc4ab9bba3fd7653724d5553898f
SHA256030e5bb7b7fff395c38433516cf96988939cb794d9d62d550d7eab9cef7d2b2e
SHA512dc7f9486699b4eb4b8295590112b540ed619c2b956948eec3b72fe86226740f43392dd1898d5f27d553e775351c527ac316f4606389b92bedfc996845649a859
-
Filesize
86KB
MD5616d33d84937a1edde1bb431b8cd8fc0
SHA14a690e056a7808d10d0667351697fa43640aecb3
SHA256494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede
SHA512daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.0MB
MD58ff0b207200c87f2d7629120ab57980b
SHA16e30b18e97d0d5d262df41b1d8a8ea8c2bce81e6
SHA256e9b0a8fa04f2ecc69447b9263389d87ae748fe219b0f85e83c3c7289ffd7553e
SHA51248f67d8a9c2a241e4e3234b45de28105b4120bffa7fc020d115591fcdb6a68a2c6525b4294f260777eb9da14a936114bef5263cb9257702a76b2f102d207f566
-
Filesize
254KB
MD5869ebc637e29b28668bfaa56a4482cbb
SHA18f8674f3a4d80c02be96e30e58389abdbdc5a441
SHA25699af43ab309334577b01e9a4caebc5e7ba01602c5aa2aa402f07b2cc2c3038af
SHA5126656505fdbf62e415b281682c3c2b472f960030a12fd06e15cea511061016b4f102829833c7b0590e7554c27b508723f88f4837e41cf3cb3aa2d9e183a2834a9
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0d6673edd2998e93f605a0d828dafd54055169580e8390e48fcbae7216bf1cfc.exe
Filesize628KB
MD5c3ded2ff55251338c0fdec3333b1c6ab
SHA1fbe88ff5c0de0025c306b22b77432ea4590d5e05
SHA2560d6673edd2998e93f605a0d828dafd54055169580e8390e48fcbae7216bf1cfc
SHA5123b322cd02ed4a1139bd8e4d1c52a541486c754bf9a4e610ce191870a77c72db405a33cd5fc301a13ca4c2f7a8b970007a6834a54b31f56fb68b0671aebf59de3
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.Blocker.gen-aeda2014bf5250cb3a6c32fe9da4cf97793f8849221047bf155fe515c9bc1769.exe
Filesize1.3MB
MD5330adeea904a1b244338884d414364f0
SHA131d87590bc332a7c2570628bea6e4ae16f36af79
SHA256aeda2014bf5250cb3a6c32fe9da4cf97793f8849221047bf155fe515c9bc1769
SHA512502cfc7b49b9a6ad83b2efee197966d64d61368398cd56db1e06d24dff32e0d50067f336d6a5ef1520a16171db516824a315117ee3dcfca8b54e0041d6a4152d
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.Crypren.gen-d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08.exe
Filesize263KB
MD502062ed82e5359e9094eb74767e6a007
SHA19785f019e92675899d0284a1c293727c4afb0e4f
SHA256d48b4ccd17d23b9935c7426671918ce48dbc8cf25e7cf98550300b43fb16bd08
SHA512268e2797a861c8b6c40ee7c0b36485e22ee3bf0bb1a3d22fc87c0cfb3f345b176509b23d989ff833df93fe233aae8ff2b02104b6f8d5e5a03d8c6107dca335fe
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.Encoder.gen-f5464d39819344e94f36215f6e68a090031fe616437612a4abd82bfb7492887a.exe
Filesize1.1MB
MD51c3b67ada6d6ca547a80f5ecf116369b
SHA144e430315ae5a85450b5de2354fd555774929b98
SHA256f5464d39819344e94f36215f6e68a090031fe616437612a4abd82bfb7492887a
SHA51268949bd7973e45fdfe9ea075ddf505400cf8a79163b2eb3ad5f64b43d1f9a59196e6f98ad7b88d0ecf666536562d7b20fd20db1f08e39ffde366534b7729e62b
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.Fonix.vho-e5324495a9328fe98187239565c05b077680b2ebc9183a6e3e2ccfbfa9f0295a.exe
Filesize512KB
MD571b664b09dd6463b23899855eb62681e
SHA1a94f92f1e6e4fed57ecb2f4ad55e22809197ba2e
SHA256e5324495a9328fe98187239565c05b077680b2ebc9183a6e3e2ccfbfa9f0295a
SHA51233d5037ac8538f7efee692f38ea38356da41125746e2a59e83625ed9ddca0e715128baf1d6bd73281b658b9c4ad65c9110f9fde962df4dc72ad6a8574f9b068f
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-87ee41b3141fd60ce9e1c8b744c67dee643a942e03e09a81026b31762104ce74.exe
Filesize321KB
MD502e37a2c12689e648d2936047e0effa5
SHA1c8cb8b40c5b60e191ae3b4a56db3e9bf84700570
SHA25687ee41b3141fd60ce9e1c8b744c67dee643a942e03e09a81026b31762104ce74
SHA51286cde210e2d41e604db44dec2de7ffb704ec5fc1cb0aa45ab0c76e357eb2ec954932723934f32fcbac285f494e1c4bae1276748c898d66fc42c654a119240358
-
C:\Users\Admin\Desktop\00394\HEUR-Trojan-Ransom.Win32.Generic-361fc41e13edf9845b4ca36c770138b033df619138622deddd10c7f3e00d7539.exe
Filesize5.6MB
MD5d47ffcff40d70127b8e3ead9ed820c86
SHA13cf746b669ab4de3445a7f7055c143e611b9d70e
SHA256361fc41e13edf9845b4ca36c770138b033df619138622deddd10c7f3e00d7539
SHA5125fddeea07fa918aa3cd4ed918b0c9bdb59cd365a2708387937f163b64cf2f464dd7b84bc28eb4c364f8cc036dddc3d3a9948e5b07b7b13e0550a9e82d4ba6ce3
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Blocker.lckf-864448901d066f7fa4835e4c12341d60bf7f610d8c45577ac5749267535c243c.exe
Filesize112KB
MD50a9ee4058fce2dd656f08be22701d0d8
SHA1d2951d4aa6469c57af03e45ccd1e33b881db02c1
SHA256864448901d066f7fa4835e4c12341d60bf7f610d8c45577ac5749267535c243c
SHA512ca4fa3ec18053b1004a171e783a8222c901f3b95b8a7ec80dc671ab6bd5b2bd261f20a63afeb76eee9472cd229dd4cda902047b713648eeaa3c45df19d593cf5
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.DoppelPaymer.au-6ec458fe4d57f4637b12a9f740ae9a5bbc903d4499a89969ef9b564a5ba96d88.exe
Filesize3.5MB
MD58ec4bad8353ce03ddfb833f73034a617
SHA14046a99a43ee201f7db7a9d0b0edc706175ddbec
SHA2566ec458fe4d57f4637b12a9f740ae9a5bbc903d4499a89969ef9b564a5ba96d88
SHA512bfeaa4f2067c92d01ea1c555f7cc55a73e84766a3bf9e9d993149e45fcd52676e7d3e3c3c8af2f8b1b152d14c1c205b85f377bfaaa7b6118f6ba7c5457f9ad81
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Encoder.kic-1c657d12c407867f9fca7b2386a9cff3f563f44b2c523bd33c9c20fc0cbbc24e.exe
Filesize1.1MB
MD5ad280456e87ad7aeef1b4d3bdbd7573e
SHA15ca2b1928121f99f5a2b5ad90c3cdcfa2d00a6cc
SHA2561c657d12c407867f9fca7b2386a9cff3f563f44b2c523bd33c9c20fc0cbbc24e
SHA51259a9ab8ecbc96539823e4680e68dbe07b28cc573f1a2fcf9a31985bfe1418731303894f06872e03db08a49420c9e9f4457ffb7e06937861fbd6870056fe7363a
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.PornoAsset.dkwp-a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b.exe
Filesize537KB
MD5b020d7d9ff0c771b9245a74c2486e1f2
SHA1814634df2cc90febbe916cd17fab7293e96dd63e
SHA256a96181b68cae9625f9881b885009490f142c83cab3afe02b4c2c2813ec26088b
SHA512fb7a87d62041c2570cc001ded486bf2a35f9a37fa67ca47d41365d9c343d786a8161a469761aa514825396c05570eb8ff64a3329551cd727e0734e00f8463587
-
C:\Users\Admin\Desktop\00394\Trojan-Ransom.Win32.Snocry.dum-22d46011258236f404f345c0c581690252031132d938d946b66118daaa39047d.exe
Filesize1.9MB
MD524615b25084cf1dbfe3f5c0302c3eeae
SHA1bfebc9169e21a6d46e754a56e7502357988edd74
SHA25622d46011258236f404f345c0c581690252031132d938d946b66118daaa39047d
SHA51249e8072328a0cd58831590c1e4733d5e5d4fa5ad05a9af8996b7caeaccd8ebd1179027c196bc347d64f75babea389b8ce3e7bb1b09c1f3e00c390b732a82800d
-
C:\Users\Admin\Desktop\00394\UDS-Trojan-Ransom.Win32.Encoder-23d38f76f8e559c3eae61af733052138f2a01221f2d2c1206d845a6415e80c04.exe
Filesize212KB
MD5af6db1e5eb0784631dca750bceb0b353
SHA16cca4c7459f22a485167457aeb36bb711c442c6f
SHA25623d38f76f8e559c3eae61af733052138f2a01221f2d2c1206d845a6415e80c04
SHA512cab8f583166566e262603ee421ed52d87e8a56835f2fc1e8c8de7676728d6e2251f40c09970cdb261a9d4f06c1dcbd4a565d1a182426e199de92d23bb5e6f2b6
-
Filesize
309KB
MD56509b4aa5d8561d61dd7699088bede3b
SHA1126ccbd1db3ce2fcd412d4f2b9afe1e7c62a3ae6
SHA2563b7ceecd08d77d0795144793ec9ef9be7fbe91f9242d0ff0b5521fa0bbf8d152
SHA512085b3328581c774a5187f66bba38479474fbf8d6b2c6f83ea4c869d0addf9eeccbbd28d063fbfd741ac45dc113cb0646eff91653cea21825fa56e9968e349370
-
\??\c:\users\admin\desktop\00394\trojan-ransom.win32.blocker.mpzi-4aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e.exe
Filesize18.2MB
MD56ff64ea658bb6e3f526698c49b0b3445
SHA146970329cebb2be6aaa3c96ec8ce99ac4da08ccf
SHA2564aeaf7f2d61fa7bf5fefe8d8e4c1755ec89ea337ae99dcbdbcaa18c97d1b271e
SHA5129170fcd5ba0766d615cb4a2a1388427a5c28af946c0fca3492dd1eea06ed679df07c23f34a363297377fe12476614327a546b27d48a1c3a0abce1f75a434f8bf
-
\??\c:\users\admin\desktop\00394\trojan-ransom.win32.crypmod.adok-4b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53.exe
Filesize1.1MB
MD51556f2668d519e4401a82d6f4e490d83
SHA167a2348ac4d4e5d8e5721a2f294006f028b38df6
SHA2564b4cf0cb7674e0ef6e4a7a9c5f8cc46056d7538932cc2f86ff2698abcf100b53
SHA512173158ec12b929eacf6c80cf194f7fb8fde717da1c25878d12402bc1aa3d1e1226e81685a5d85197ac884579cd262ae9ae9a05fee77583b82c2925960ef8c865
-
\??\c:\users\admin\desktop\00394\trojan-ransom.win32.crypren.afyz-355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda.exe
Filesize66KB
MD50ecfdc386b4876c4fea7deddfc9649f4
SHA12a7805af4ce551bb7d6f03915b361e4413f125bc
SHA256355b8ed7476cf09a8c510e1442fa57ca1ade6c54a7306522a6e48f34e8905bda
SHA512f3c69bbd3e19949367a4cd88cb4b33576cb3d6879ef55a93bca742f6a2fec6eadcd13cb45420b5a0fe5cbeba216073bfa91c24c20741369c5cc34f4866417b14