Analysis
-
max time kernel
52s -
max time network
424s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2024 22:46
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00380.7z
Resource
win10v2004-20241007-en
General
-
Target
RNSM00380.7z
-
Size
16.4MB
-
MD5
d52392253e837d87a4d550b3b0e17ebb
-
SHA1
f11f1b17d06b749034346cdddac52007aca54926
-
SHA256
c019141bc3d483634d38672e50660478aa452db9066da062e72cd099a7d4937a
-
SHA512
a79021e35a83223e47371f9468ecba168dcb02b806a7d2b97a0e915047d8249cc9c78766f3abfec25d50241ec96356f5d3bd4588ce2bc05e92d27318ea96f6e1
-
SSDEEP
393216:8Iy7MoOupjBZ1VPIIwiV2NQVk9V0J0vTIdwJ1KXtaGXPJ1:Zy7MPuRvTPzYD957Id6ikWJ1
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.jpme.org.in - Port:
587 - Username:
[email protected] - Password:
Ehimembano1@
Extracted
azorult
http://23.249.162.26/DB1/index.php
Extracted
C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT
Extracted
F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\YIPBAPHO-DECRYPT.txt
http://gandcrabmfe6mnef.onion/81370634933a7906
Extracted
C:\PerfLogs\DECRYPT-FILES.txt
maze
http://aoacugmutagkwctu.onion/87c2097c933a7906
https://mazedecrypt.top/87c2097c933a7906
Extracted
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
hakbit
1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/2064-180-0x0000000000150000-0x00000000001BE000-memory.dmp disable_win_def behavioral1/files/0x0007000000023cbc-179.dat disable_win_def -
Detect ZGRat V2 1 IoCs
resource yara_rule behavioral1/memory/4276-160-0x0000000006190000-0x00000000061D8000-memory.dmp family_zgrat_v2 -
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Hakbit family
-
Maze
Ransomware family also known as ChaCha.
-
Maze family
-
Zgrat family
-
AgentTesla payload 1 IoCs
resource yara_rule behavioral1/memory/4248-156-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4384 bcdedit.exe 9344 bcdedit.exe -
Contacts a large (1609) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
pid Process 5180 wbadmin.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe -
Executes dropped EXE 8 IoCs
pid Process 808 HEUR-Trojan-Ransom.MSIL.Crypmod.gen-3211ffd5385a22a9011a8f835eced87e84cec70258067681d8af11b337e58232.exe 4276 HEUR-Trojan-Ransom.MSIL.Crypren.gen-15856152e8961ae0ff0861f935cc21b930c9f1b1f5327e3d6d99dbe6902dee51.exe 812 HEUR-Trojan-Ransom.MSIL.Encoder.gen-a33dab6d7adb83691bd14c88d7ef47fa0e5417fec691c874e5dd3918f7629215.exe 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 5004 HEUR-Trojan-Ransom.Win32.Convagent.gen-a9d592579e11f43dd46c7132cede4802aeebae10bd367efd41d6c98a5f9e486c.exe 2376 HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe 3172 HEUR-Trojan-Ransom.Win32.Crypmod.gen-5cd3ee5cfb9241ad12e7dae0cd9c2764d91deee58e1a07bb37c544bc8eb57448.exe 4248 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 974 raw.githubusercontent.com 976 raw.githubusercontent.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 45 ip-api.com 46 ipinfo.io 47 ipinfo.io -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2820 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2376 HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1052 set thread context of 4248 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 115 -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 7552 sc.exe 5940 sc.exe 1700 sc.exe 6504 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
pid pid_target Process procid_target 1352 3588 WerFault.exe 129 4864 2128 WerFault.exe 119 5380 3588 WerFault.exe 129 5544 3588 WerFault.exe 129 5724 3588 WerFault.exe 129 6040 3588 WerFault.exe 129 3664 4480 WerFault.exe 135 5472 3588 WerFault.exe 129 7896 3588 WerFault.exe 129 6168 3588 WerFault.exe 129 6332 3588 WerFault.exe 129 9324 3588 WerFault.exe 129 6788 7588 WerFault.exe 185 7720 3588 WerFault.exe 129 7044 3588 WerFault.exe 129 6944 5460 WerFault.exe 145 7080 3588 WerFault.exe 129 7728 3588 WerFault.exe 129 1116 3588 WerFault.exe 129 10020 3588 WerFault.exe 129 4164 3588 WerFault.exe 129 5724 3588 WerFault.exe 129 8468 3588 WerFault.exe 129 7744 3588 WerFault.exe 129 6280 3588 WerFault.exe 129 7496 3588 WerFault.exe 129 8832 3588 WerFault.exe 129 5012 3588 WerFault.exe 129 6020 3588 WerFault.exe 129 8804 3588 WerFault.exe 129 7624 3588 WerFault.exe 129 4724 3588 WerFault.exe 129 6836 3588 WerFault.exe 129 9392 3588 WerFault.exe 129 6120 3588 WerFault.exe 129 5060 3788 WerFault.exe 126 9936 3588 WerFault.exe 129 8104 3588 WerFault.exe 129 7136 3588 WerFault.exe 129 7572 3588 WerFault.exe 129 724 3588 WerFault.exe 129 3428 3588 WerFault.exe 129 7712 3588 WerFault.exe 129 4596 3588 WerFault.exe 129 9160 2304 WerFault.exe 127 4180 3588 WerFault.exe 129 6020 3588 WerFault.exe 129 7728 3588 WerFault.exe 129 10036 3588 WerFault.exe 129 7892 3588 WerFault.exe 129 4500 3588 WerFault.exe 129 6096 3588 WerFault.exe 129 8332 3588 WerFault.exe 129 5016 3588 WerFault.exe 129 9800 3588 WerFault.exe 129 10780 3588 WerFault.exe 129 8520 3588 WerFault.exe 129 7816 3588 WerFault.exe 129 7044 3588 WerFault.exe 129 12232 3588 WerFault.exe 129 10724 3588 WerFault.exe 129 11588 3588 WerFault.exe 129 11460 3588 WerFault.exe 129 7612 3588 WerFault.exe 129 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Convagent.gen-a9d592579e11f43dd46c7132cede4802aeebae10bd367efd41d6c98a5f9e486c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Crypmod.gen-3211ffd5385a22a9011a8f835eced87e84cec70258067681d8af11b337e58232.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Crypren.gen-15856152e8961ae0ff0861f935cc21b930c9f1b1f5327e3d6d99dbe6902dee51.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Encoder.gen-a33dab6d7adb83691bd14c88d7ef47fa0e5417fec691c874e5dd3918f7629215.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Interacts with shadow copies 3 TTPs 18 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 9064 vssadmin.exe 7312 vssadmin.exe 4272 vssadmin.exe 9928 vssadmin.exe 3200 vssadmin.exe 3332 vssadmin.exe 6008 vssadmin.exe 2452 vssadmin.exe 7200 vssadmin.exe 116 vssadmin.exe 7796 vssadmin.exe 2100 vssadmin.exe 6416 vssadmin.exe 6520 vssadmin.exe 2284 vssadmin.exe 7248 vssadmin.exe 8340 vssadmin.exe 5616 vssadmin.exe -
Kills process with taskkill 3 IoCs
pid Process 7392 taskkill.exe 6836 taskkill.exe 2864 taskkill.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 3496 NOTEPAD.EXE 8904 notepad.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 4460 powershell.exe 4460 powershell.exe 4460 powershell.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 436 7zFM.exe 1840 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeRestorePrivilege 436 7zFM.exe Token: 35 436 7zFM.exe Token: SeSecurityPrivilege 436 7zFM.exe Token: SeDebugPrivilege 3080 taskmgr.exe Token: SeSystemProfilePrivilege 3080 taskmgr.exe Token: SeCreateGlobalPrivilege 3080 taskmgr.exe Token: SeDebugPrivilege 1840 taskmgr.exe Token: SeSystemProfilePrivilege 1840 taskmgr.exe Token: SeCreateGlobalPrivilege 1840 taskmgr.exe Token: 33 3080 taskmgr.exe Token: SeIncBasePriorityPrivilege 3080 taskmgr.exe Token: SeDebugPrivilege 4460 powershell.exe Token: SeDebugPrivilege 812 HEUR-Trojan-Ransom.MSIL.Encoder.gen-a33dab6d7adb83691bd14c88d7ef47fa0e5417fec691c874e5dd3918f7629215.exe Token: SeIncBasePriorityPrivilege 812 HEUR-Trojan-Ransom.MSIL.Encoder.gen-a33dab6d7adb83691bd14c88d7ef47fa0e5417fec691c874e5dd3918f7629215.exe Token: SeDebugPrivilege 4276 HEUR-Trojan-Ransom.MSIL.Crypren.gen-15856152e8961ae0ff0861f935cc21b930c9f1b1f5327e3d6d99dbe6902dee51.exe Token: SeDebugPrivilege 4248 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 436 7zFM.exe 436 7zFM.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 3080 taskmgr.exe 3080 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe 1840 taskmgr.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 3080 wrote to memory of 1840 3080 taskmgr.exe 100 PID 3080 wrote to memory of 1840 3080 taskmgr.exe 100 PID 4460 wrote to memory of 632 4460 powershell.exe 105 PID 4460 wrote to memory of 632 4460 powershell.exe 105 PID 632 wrote to memory of 808 632 cmd.exe 108 PID 632 wrote to memory of 808 632 cmd.exe 108 PID 632 wrote to memory of 808 632 cmd.exe 108 PID 632 wrote to memory of 4276 632 cmd.exe 109 PID 632 wrote to memory of 4276 632 cmd.exe 109 PID 632 wrote to memory of 4276 632 cmd.exe 109 PID 632 wrote to memory of 812 632 cmd.exe 110 PID 632 wrote to memory of 812 632 cmd.exe 110 PID 632 wrote to memory of 812 632 cmd.exe 110 PID 632 wrote to memory of 1052 632 cmd.exe 111 PID 632 wrote to memory of 1052 632 cmd.exe 111 PID 632 wrote to memory of 1052 632 cmd.exe 111 PID 632 wrote to memory of 5004 632 cmd.exe 112 PID 632 wrote to memory of 5004 632 cmd.exe 112 PID 632 wrote to memory of 5004 632 cmd.exe 112 PID 632 wrote to memory of 2376 632 cmd.exe 113 PID 632 wrote to memory of 2376 632 cmd.exe 113 PID 632 wrote to memory of 2376 632 cmd.exe 113 PID 632 wrote to memory of 3172 632 cmd.exe 114 PID 632 wrote to memory of 3172 632 cmd.exe 114 PID 632 wrote to memory of 3172 632 cmd.exe 114 PID 1052 wrote to memory of 4248 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 115 PID 1052 wrote to memory of 4248 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 115 PID 1052 wrote to memory of 4248 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 115 PID 1052 wrote to memory of 4248 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 115 PID 1052 wrote to memory of 4248 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 115 PID 1052 wrote to memory of 4248 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 115 PID 1052 wrote to memory of 4248 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 115 PID 1052 wrote to memory of 4248 1052 HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe 115 PID 2376 wrote to memory of 3268 2376 HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe 116 PID 2376 wrote to memory of 3268 2376 HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe 116 PID 2376 wrote to memory of 3268 2376 HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe 116
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00380.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:436
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-3211ffd5385a22a9011a8f835eced87e84cec70258067681d8af11b337e58232.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-3211ffd5385a22a9011a8f835eced87e84cec70258067681d8af11b337e58232.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:808 -
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-3211ffd5385a22a9011a8f835eced87e84cec70258067681d8af11b337e58232.exe"HEUR-Trojan-Ransom.MSIL.Crypmod.gen-3211ffd5385a22a9011a8f835eced87e84cec70258067681d8af11b337e58232.exe"4⤵PID:6260
-
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete5⤵PID:9336
-
-
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.MSIL.Crypren.gen-15856152e8961ae0ff0861f935cc21b930c9f1b1f5327e3d6d99dbe6902dee51.exeHEUR-Trojan-Ransom.MSIL.Crypren.gen-15856152e8961ae0ff0861f935cc21b930c9f1b1f5327e3d6d99dbe6902dee51.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4276
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a33dab6d7adb83691bd14c88d7ef47fa0e5417fec691c874e5dd3918f7629215.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-a33dab6d7adb83691bd14c88d7ef47fa0e5417fec691c874e5dd3918f7629215.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:812 -
C:\Windows\SysWOW64\tasklist.exe"tasklist" /V /FO CSV4⤵
- Enumerates processes with tasklist
PID:2820
-
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe"{path}"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4248
-
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Convagent.gen-a9d592579e11f43dd46c7132cede4802aeebae10bd367efd41d6c98a5f9e486c.exeHEUR-Trojan-Ransom.Win32.Convagent.gen-a9d592579e11f43dd46c7132cede4802aeebae10bd367efd41d6c98a5f9e486c.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5004
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exeHEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\abkrlnduo\fjchsuw.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:3268 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵PID:4236
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir /a:-d /b /s ""c:"\*ledger*.txt" ""c:"\*trezor*.txt" ""c:"\coin*.txt" ""c:"\private*.txt" ""c:"\eth*.txt" ""c:"\jaxx*.txt" ""c:"\exodus*.txt" ""c:"\seed*.txt" ""c:"\mnemonic*.txt" ""c:"\*monero*.txt" ""c:"\crypt*.txt" ""c:"\wallet*.txt" ""c:"\electrum*.txt" ""c:"\xrp.txt" ""c:"\ripple.txt" ""c:"\btc*.txt" ""c:"\2fa*.txt" ""c:"\pass*.txt" ""c:"\*money*.txt" ""c:"\*ledger*.doc*" ""c:"\*trezor*.doc*" ""c:"\*coin*.doc*" ""c:"\private*.doc*" ""c:"\eth*.doc*" ""c:"\jaxx*.doc*" ""c:"\exodus*.doc*" ""c:"\seed*.doc*" ""c:"\mnemonic*.doc*" ""c:"\*monero*.doc*" ""c:"\*crypt*.doc*" ""c:"\wallet*.doc*" ""c:"\electrum*.doc*" ""c:"\xrp*.doc*" ""c:"\ripple*.doc*" ""c:"\btc*.doc*" ""c:"\2fa*.doc*" ""c:"\pass*.doc*" ""c:"\money*.doc*" ""c:"\*ledger*.xlsx" ""c:"\*trezor*.xlsx" ""c:"\coin*.xlsx" ""c:"\private*.xlsx" ""c:"\eth*.xlsx" ""c:"\jaxx*.xlsx" ""c:"\exodus*.xlsx" ""c:"\*seed*.xlsx" ""c:"\crypt*.xlsx" ""c:"\wallet*.xlsx" ""c:"\electrum*.xlsx" ""c:"\btc*.xlsx" ""c:"\2fa*.xlsx" ""c:"\pass*.xlsx" ""c:"\btc.jpg" ""c:"\2fa.jpg" ""c:"\coin.jpg" ""c:"\ether.jpg" ""c:"\seed.jpg" ""c:"\wallet.jpg"5⤵PID:8064
-
-
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Crypmod.gen-5cd3ee5cfb9241ad12e7dae0cd9c2764d91deee58e1a07bb37c544bc8eb57448.exeHEUR-Trojan-Ransom.Win32.Crypmod.gen-5cd3ee5cfb9241ad12e7dae0cd9c2764d91deee58e1a07bb37c544bc8eb57448.exe3⤵
- Executes dropped EXE
PID:3172
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-8f7feaeb31f6c6b7056b05a252ac0531a8fbb7488fd26791d0aec433d21c07fd.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-8f7feaeb31f6c6b7056b05a252ac0531a8fbb7488fd26791d0aec433d21c07fd.exe3⤵PID:2128
-
C:\Windows\V49050494020\winsvcin32.exeC:\Windows\V49050494020\winsvcin32.exe4⤵PID:3168
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 4164⤵
- Program crash
PID:4864
-
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Generic-81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.exeHEUR-Trojan-Ransom.Win32.Generic-81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.exe3⤵PID:2064
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵PID:2716
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y4⤵PID:2488
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y5⤵PID:8172
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y4⤵PID:8696
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y5⤵PID:6040
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y4⤵PID:6960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y5⤵PID:9512
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y4⤵PID:9380
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y5⤵PID:376
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y4⤵PID:388
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y5⤵PID:1436
-
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled4⤵
- Launches sc.exe
PID:7552
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
- Launches sc.exe
PID:5940
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled4⤵
- Launches sc.exe
PID:1700
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled4⤵
- Launches sc.exe
PID:6504
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F4⤵
- Kills process with taskkill
PID:6836
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F4⤵
- Kills process with taskkill
PID:2864
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F4⤵
- Kills process with taskkill
PID:7392
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet4⤵
- Interacts with shadow copies
PID:6520
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:2452
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:6008
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:2284
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:7796
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:3332
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:7248
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:7200
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:8340
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:7312
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:4272
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:116
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:9928
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet4⤵
- Interacts with shadow copies
PID:3200
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt4⤵
- Opens file in notepad (likely ransom note)
PID:8904
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Generic-81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.exe4⤵PID:9064
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵PID:7744
-
-
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Gimemo.gen-09d0890a500d3840c71451ca07f120bbce4fb6eaf293cb805dcc5ecde0c4403c.exeHEUR-Trojan-Ransom.Win32.Gimemo.gen-09d0890a500d3840c71451ca07f120bbce4fb6eaf293cb805dcc5ecde0c4403c.exe3⤵PID:3788
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 14884⤵
- Program crash
PID:5060
-
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.JSWorm.gen-71cafb0417b9467a91e7d710cf6b6fc4f5017fc666de154c34e61725fb21b1c0.exeHEUR-Trojan-Ransom.Win32.JSWorm.gen-71cafb0417b9467a91e7d710cf6b6fc4f5017fc666de154c34e61725fb21b1c0.exe3⤵PID:2304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 8884⤵
- Program crash
PID:9160
-
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a9022b4592e1f45576b35b0bec7a3756b27688295a3b8386094c0613f4e14314.exeHEUR-Trojan-Ransom.Win32.PolyRansom.gen-a9022b4592e1f45576b35b0bec7a3756b27688295a3b8386094c0613f4e14314.exe3⤵PID:1232
-
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Rack.vho-947196ecb0723f7bfe47b7f01a761a0e9bfbe55ae1f23d787eed4727d1e057b9.exeHEUR-Trojan-Ransom.Win32.Rack.vho-947196ecb0723f7bfe47b7f01a761a0e9bfbe55ae1f23d787eed4727d1e057b9.exe3⤵PID:3588
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:4496
-
C:\Windows\system32\mode.commode con cp select=12515⤵PID:5260
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:5616
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 5404⤵
- Program crash
PID:1352
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 5484⤵
- Program crash
PID:5380
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 5764⤵
- Program crash
PID:5544
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 5844⤵
- Program crash
PID:5724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 5884⤵
- Program crash
PID:6040
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 6724⤵
- Program crash
PID:5472
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 6644⤵
- Program crash
PID:7896
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 6884⤵
- Program crash
PID:6168
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 5404⤵
- Program crash
PID:6332
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8004⤵
- Program crash
PID:9324
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 7964⤵
- Program crash
PID:7720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8044⤵
- Program crash
PID:7044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8364⤵
- Program crash
PID:7080
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8124⤵
- Program crash
PID:7728
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8564⤵
- Program crash
PID:1116
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8564⤵
- Program crash
PID:10020
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8804⤵
- Program crash
PID:4164
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8844⤵
- Program crash
PID:5724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8404⤵
- Program crash
PID:8468
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8004⤵
- Program crash
PID:7744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8284⤵
- Program crash
PID:6280
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8004⤵
- Program crash
PID:7496
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8044⤵
- Program crash
PID:8832
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8884⤵
- Program crash
PID:5012
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8524⤵
- Program crash
PID:6020
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8164⤵
- Program crash
PID:8804
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8004⤵
- Program crash
PID:7624
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 10684⤵
- Program crash
PID:4724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14404⤵
- Program crash
PID:6836
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14444⤵
- Program crash
PID:9392
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14404⤵
- Program crash
PID:6120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 8604⤵
- Program crash
PID:9936
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14564⤵
- Program crash
PID:8104
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14644⤵
- Program crash
PID:7136
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 6604⤵
- Program crash
PID:7572
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14564⤵
- Program crash
PID:724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15004⤵
- Program crash
PID:3428
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15084⤵
- Program crash
PID:7712
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15404⤵
- Program crash
PID:4596
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15204⤵
- Program crash
PID:4180
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15524⤵
- Program crash
PID:6020
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15004⤵
- Program crash
PID:7728
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15684⤵
- Program crash
PID:10036
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15564⤵
- Program crash
PID:7892
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15644⤵
- Program crash
PID:4500
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15764⤵
- Program crash
PID:6096
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15444⤵
- Program crash
PID:8332
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15204⤵
- Program crash
PID:5016
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15524⤵
- Program crash
PID:9800
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15604⤵
- Program crash
PID:10780
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15404⤵
- Program crash
PID:8520
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15124⤵
- Program crash
PID:7816
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 17924⤵
- Program crash
PID:7044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 18004⤵
- Program crash
PID:12232
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 18244⤵
- Program crash
PID:10724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 17564⤵
- Program crash
PID:11588
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 18444⤵
- Program crash
PID:11460
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 18364⤵
- Program crash
PID:7612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 17604⤵PID:7612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 18044⤵PID:3996
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 18404⤵PID:12420
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 17284⤵PID:12468
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 17324⤵PID:12736
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 16044⤵PID:7020
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14604⤵PID:13832
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14804⤵PID:11052
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14644⤵PID:13388
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 14404⤵PID:14124
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 12844⤵PID:10980
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 16164⤵PID:4704
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15804⤵PID:9232
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15964⤵PID:13556
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15084⤵PID:14152
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15804⤵PID:12732
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15604⤵PID:10636
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 15524⤵PID:12544
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 16364⤵PID:12456
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 16284⤵PID:12844
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.cjtx-3917759ae65f10aec4f9d5e5628fead573d8f3b4bba59a8f1fcd6692ec563436.exeTrojan-Ransom.Win32.Blocker.cjtx-3917759ae65f10aec4f9d5e5628fead573d8f3b4bba59a8f1fcd6692ec563436.exe3⤵PID:3596
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.cjtx-3917759ae65f10aec4f9d5e5628fead573d8f3b4bba59a8f1fcd6692ec563436.exe"C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.cjtx-3917759ae65f10aec4f9d5e5628fead573d8f3b4bba59a8f1fcd6692ec563436.exe"4⤵PID:1356
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp977cd165.bat"5⤵PID:6456
-
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.klrp-45167945141c95c5a012feeb0fcfc6667fc43e781cd9e43ab0be4bcc1b9ed6b2.exeTrojan-Ransom.Win32.Blocker.klrp-45167945141c95c5a012feeb0fcfc6667fc43e781cd9e43ab0be4bcc1b9ed6b2.exe3⤵PID:4480
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2404⤵
- Program crash
PID:3664
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.lckf-5140c53c5f3e25069731a723d05f52dd3b7e36437ab56c2456b751f229cf1491.exeTrojan-Ransom.Win32.Blocker.lckf-5140c53c5f3e25069731a723d05f52dd3b7e36437ab56c2456b751f229cf1491.exe3⤵PID:964
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.mbhj-a7ca204632f7c62e75b02978c62be386b47d4d0741f9bd7d826986cef7ca4304.exeTrojan-Ransom.Win32.Blocker.mbhj-a7ca204632f7c62e75b02978c62be386b47d4d0741f9bd7d826986cef7ca4304.exe3⤵PID:5460
-
C:\Windows\1233994211794075\winrcfu.exeC:\Windows\1233994211794075\winrcfu.exe4⤵PID:7296
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 5724⤵
- Program crash
PID:6944
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Cortex.i-11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73.exeTrojan-Ransom.Win32.Cortex.i-11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73.exe3⤵PID:5608
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Crusis.drg-c12472bf9837449057268026463065fc9961ebbd3dc31d91d243392addfade9c.exeTrojan-Ransom.Win32.Crusis.drg-c12472bf9837449057268026463065fc9961ebbd3dc31d91d243392addfade9c.exe3⤵PID:5864
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Crypren.agpe-4eac200afdbf3ed368074c0a544bfdbbe0b33f9366905a2b0bd0a51aa1c65477.exeTrojan-Ransom.Win32.Crypren.agpe-4eac200afdbf3ed368074c0a544bfdbbe0b33f9366905a2b0bd0a51aa1c65477.exe3⤵PID:5176
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:1360
-
C:\Windows\system32\mode.commode con cp select=12515⤵PID:2272
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:2100
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:4508
-
C:\Windows\system32\mode.commode con cp select=12515⤵PID:5996
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:6416
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"4⤵PID:4716
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"4⤵PID:744
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Cryptor.dhy-c89a16d617c7e36ceb6a42c306867b2464ede65f94e858484b8405b1497a2c72.exeTrojan-Ransom.Win32.Cryptor.dhy-c89a16d617c7e36ceb6a42c306867b2464ede65f94e858484b8405b1497a2c72.exe3⤵PID:6812
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Cryptor.dhy-c89a16d617c7e36ceb6a42c306867b2464ede65f94e858484b8405b1497a2c72.exe"C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Cryptor.dhy-c89a16d617c7e36ceb6a42c306867b2464ede65f94e858484b8405b1497a2c72.exe" n68124⤵PID:3520
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:6048
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:9064
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵PID:1140
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:4384
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:9344
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:5180
-
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Encoder.cwz-591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exeTrojan-Ransom.Win32.Encoder.cwz-591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe3⤵PID:7760
-
C:\Windows\SysWOW64\mshta.exemshta.exe C:\Users\Admin\AppData\Local\Temp\readme.hta4⤵PID:8184
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Foreign.nxyr-b6f9f9fa970bf7ec730e0944b1bb0ba8d17a3715de0730bc417aae149ae048dd.exeTrojan-Ransom.Win32.Foreign.nxyr-b6f9f9fa970bf7ec730e0944b1bb0ba8d17a3715de0730bc417aae149ae048dd.exe3⤵PID:8112
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe4⤵PID:7928
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Foreign.ojiw-46d4b4601a37c1ba3f7fa4d8bde1494d75bb28cbd2dc90b539a39e31aebac3dc.exeTrojan-Ransom.Win32.Foreign.ojiw-46d4b4601a37c1ba3f7fa4d8bde1494d75bb28cbd2dc90b539a39e31aebac3dc.exe3⤵PID:7588
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 23004⤵
- Program crash
PID:6788
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Foreign.okmc-23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787.exeTrojan-Ransom.Win32.Foreign.okmc-23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787.exe3⤵PID:1924
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.GandCrypt.hou-663588f9cb662b9c620e1a77728d424fcd91409e1546b50a8763f61c8a2ee776.exeTrojan-Ransom.Win32.GandCrypt.hou-663588f9cb662b9c620e1a77728d424fcd91409e1546b50a8763f61c8a2ee776.exe3⤵PID:9292
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Mailto.g-06b8638fdd478672cfe140221233cacfae6d2890446a5c57c8b1317a27d2a036.exeTrojan-Ransom.Win32.Mailto.g-06b8638fdd478672cfe140221233cacfae6d2890446a5c57c8b1317a27d2a036.exe3⤵PID:9716
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Maze.al-806fc33650b7ec35dd01a06be3037674ae3cc0db6ba1e3f690ee9ba9403c0627.exeTrojan-Ransom.Win32.Maze.al-806fc33650b7ec35dd01a06be3037674ae3cc0db6ba1e3f690ee9ba9403c0627.exe3⤵PID:6672
-
C:\Windows\system32\wbem\wmic.exe"C:\ct\sgo\..\..\Windows\cegm\..\system32\p\venu\..\..\wbem\c\..\wmic.exe" shadowcopy delete4⤵PID:1200
-
-
C:\Windows\system32\wbem\wmic.exe"C:\co\uki\..\..\Windows\flw\iuti\..\..\system32\hn\..\wbem\rmm\..\wmic.exe" shadowcopy delete4⤵PID:6096
-
-
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Maze.ed-5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353.exeTrojan-Ransom.Win32.Maze.ed-5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353.exe3⤵PID:7364
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3588 -ip 35881⤵PID:3680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2128 -ip 21281⤵PID:1784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3588 -ip 35881⤵PID:5312
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3588 -ip 35881⤵PID:5492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3588 -ip 35881⤵PID:5672
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:5732
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:5940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3588 -ip 35881⤵PID:5956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4480 -ip 44801⤵PID:6096
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3588 -ip 35881⤵PID:3952
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3588 -ip 35881⤵PID:5988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3588 -ip 35881⤵PID:5152
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.TXT1⤵
- Opens file in notepad (likely ransom note)
PID:3496
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3588 -ip 35881⤵PID:3132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3588 -ip 35881⤵PID:5808
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\YIPBAPHO-DECRYPT.txt1⤵PID:6800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3588 -ip 35881⤵PID:8832
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 7588 -ip 75881⤵PID:6560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3588 -ip 35881⤵PID:8520
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\cb00a7bea4f84eeba8ac52e4f5a3ca66 /t 6768 /p 81841⤵PID:8356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3588 -ip 35881⤵PID:8344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5460 -ip 54601⤵PID:7780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3588 -ip 35881⤵PID:9112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3588 -ip 35881⤵PID:9676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3588 -ip 35881⤵PID:3652
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3588 -ip 35881⤵PID:7532
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3588 -ip 35881⤵PID:7152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3588 -ip 35881⤵PID:4380
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\39ba3c47979e496fbb574dc194870cc5 /t 7736 /p 7441⤵PID:9844
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3588 -ip 35881⤵PID:6640
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 3588 -ip 35881⤵PID:9836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3588 -ip 35881⤵PID:2284
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\d362aa5553394fe5ac2c3e7fae2df041 /t 6896 /p 47161⤵PID:8568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3588 -ip 35881⤵PID:9696
-
C:\ProgramData\oubgh\drgtuj.exeC:\ProgramData\oubgh\drgtuj.exe start21⤵PID:1436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 3588 -ip 35881⤵PID:5608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3588 -ip 35881⤵PID:9140
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT-FILES.txt1⤵PID:4068
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3588 -ip 35881⤵PID:2028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 3588 -ip 35881⤵PID:9464
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 3588 -ip 35881⤵PID:9792
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f8 0x4d01⤵PID:9996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 3588 -ip 35881⤵PID:5828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 3588 -ip 35881⤵PID:6504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 3588 -ip 35881⤵PID:5860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 3588 -ip 35881⤵PID:8632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 3788 -ip 37881⤵PID:7208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 3588 -ip 35881⤵PID:640
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 3588 -ip 35881⤵PID:10224
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3588 -ip 35881⤵PID:5924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 3588 -ip 35881⤵PID:1296
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3588 -ip 35881⤵PID:2356
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:8536
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:9460
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:9728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 3588 -ip 35881⤵PID:8992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 3588 -ip 35881⤵PID:372
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 3588 -ip 35881⤵PID:4744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2304 -ip 23041⤵PID:7592
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3588 -ip 35881⤵PID:8104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3588 -ip 35881⤵PID:6632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3588 -ip 35881⤵PID:7248
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 3588 -ip 35881⤵PID:7812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3588 -ip 35881⤵PID:8728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3588 -ip 35881⤵PID:3404
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 3588 -ip 35881⤵PID:6308
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3588 -ip 35881⤵PID:6788
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3588 -ip 35881⤵PID:916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 3588 -ip 35881⤵PID:3424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3588 -ip 35881⤵PID:2428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 3588 -ip 35881⤵PID:11024
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3588 -ip 35881⤵PID:10428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3588 -ip 35881⤵PID:2704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 3588 -ip 35881⤵PID:9304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 3588 -ip 35881⤵PID:10572
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3588 -ip 35881⤵PID:8852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3588 -ip 35881⤵PID:6504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3588 -ip 35881⤵PID:11908
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3588 -ip 35881⤵PID:10272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3588 -ip 35881⤵PID:10856
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3588 -ip 35881⤵PID:11252
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 3588 -ip 35881⤵PID:4180
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 3588 -ip 35881⤵PID:7020
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 3588 -ip 35881⤵PID:12056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3588 -ip 35881⤵PID:8892
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3588 -ip 35881⤵PID:388
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3588 -ip 35881⤵PID:11496
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3588 -ip 35881⤵PID:12264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3588 -ip 35881⤵PID:11448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3588 -ip 35881⤵PID:11948
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 3588 -ip 35881⤵PID:11336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3588 -ip 35881⤵PID:10248
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3588 -ip 35881⤵PID:13648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3588 -ip 35881⤵PID:13824
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3588 -ip 35881⤵PID:13820
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3588 -ip 35881⤵PID:13428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 3588 -ip 35881⤵PID:11624
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 3588 -ip 35881⤵PID:12760
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1System Services
1Service Execution
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
988KB
MD5a085cc17fca8273e3434613e3651571e
SHA10031e39e8e99259b3ade6a9888524caa3594f7ab
SHA2566891871836df330b3253b49058ca643945409fd327f827715fb7d1910c8eda31
SHA512cd8bfc5d14d17dd02494ba4996f92deeccaace62fda065f1c482e0a7f29e8a56c0302ddf5300e91c34986fa5d78bc2735ab6fb1ddab238cd9be678217b48d014
-
Filesize
2.7MB
MD502128304eb1b2fe2315bd849b4110836
SHA1f7a0760f661027ec5c98397e0118fad5ff883682
SHA2561ffcd42564c7b3830d3b9cdfc293fb0a5b159cbb5b1c8abf9ddf3ae9919b9463
SHA512a547e39f40d1a5c01678576a1d0f2dc5f86681780c54a9c2e0a286b92536d6e6c606a979beb672f058182ce155c28d6c4a3a76fe0390425fc7148385c42c7d78
-
Filesize
9KB
MD55f17c38b4bca8f47d3625bdb6570b9fb
SHA16e9dffeb50ef1c26412c552dfa696f7e08bf4fa1
SHA256e5462b55275241d0e12cae14b0ce6aca7839fe6cff880522a9f380f652458bab
SHA5123c71e1c753b295e5a29a8480b11c51e3f6518e658240545efed3d75ccefb9c8049034e8e7a40d5e7ea2df62c0da8e05e5c16444c2cba27a3daa669d4cee0b83e
-
C:\Program Files\7-Zip\7z.dll.id-933A7906.[[email protected]].ROGER
Filesize2.5MB
MD595ad447ff284b1c1577e413bfba388d2
SHA1d1481d1dd7b57b662d904f497575d1d73c0b26c3
SHA25616018e5565098b1c567321458735f7777cc53538761fe6755bc63c612118bd52
SHA5123dc0451e735abe969849d3dfa43dd2dbf0f7b0aace189a10ddc119a3298b207fdcb4d407912940f828401e8816229699a19871cb6872834ca07f65381484e08c
-
Filesize
148B
MD5c672c5ffd1a94b729484cc279d2a8a93
SHA13e3ce8ad41d3ffe36d461a21ded8fead5d11e88b
SHA256087e2c68049f6d81393d62c9fbca232111ec9e0411f5cc9ab1e718475581eaea
SHA512969821c1ea8ae7b400e0e603326a3eb76ad22c21572a12b34e50f97f174f53456e937872c1a5980f7401d702c56c00ec0c5fa4d9cdc38b7d2c6200037f12aae3
-
Filesize
589B
MD5534a8234a86141271f834c349cbdc10c
SHA173177fa6b796420e48929f92fd23325df6f481d4
SHA25627fb69d5c748d1fa2c24bb7566693da63411918757c3a472b2fa1347037f9e46
SHA51220e57ed1c048ada0744d5c9152c777130121e747246f3eeea9f6608b280e4e3a99cf2dd634cdb173df8544ad514e697637bb8bafc6545f2386ac5e42ef3db323
-
Filesize
962B
MD5ac72f1df987019f25e31f605c0522daf
SHA1c1880e0bfa08b4258a7a659d2f2a2e77d7d65c6a
SHA2564aa6096dd391300ffaeac61e5cd15d2e2a59f76b26309a6d0763ba57ee56cc84
SHA51213bf55791b7e99f316e0024b2073b00a455791b8e7f28c56bd4ef84668dee964ee0b98024e393b5946a49c998e8f349c506faf6ebbcbea8991eb33f30dab3f07
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
840KB
MD524d8efd88c5a82e08faff5a19eaa0b16
SHA12c31dc8204f2d8e04e0fbefa8da0fd7bad7475ed
SHA2567fb1b5c00becda925bf1f2159527a2fa3485f907a1cd9de0d591e3f4dd66a838
SHA51262ca9358cdf491383d4f330fff43fe3836e860a7066bfbcfe4a877641c60030923fe695c475a13d470177c8d068fb5da17bc01e1e10867cab84a71e3658f468d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_09DEBA779F6D4BDFB100196D8791431E.dat
Filesize940B
MD56bc62295f2b9e906925db58066a61c15
SHA14296c403c4f4b3d32bd6ea65279923490127e210
SHA256f852cec8da5754a4e437418e6a6daedc1ec7dcf6e2d2c4bd02f0eb01c84bdbbd
SHA5127dbe89801db2fb3b222d9487e0e2e8dee7aebd1b14af0f5fdc0f629877d41d89ec8bb7d131e566aac9df7c0c1d78769cb94da1233a78067d17cb7213a8bceddf
-
Filesize
1KB
MD5a96649b68aa20820e824f34184dc2480
SHA18328876fe55703f53b5376b8536bce472c3a4987
SHA2566e28c1d271caad5708066f9210d34f1b7daafb5b7b986a8c60b91b5ef5b78806
SHA51293be3981f463cbedff48773e40cd7f7231a85d8a5f63fe37b2da714c65ba7c39b1042349860e3dca62676d43546532530217fe48e376d7632deb1ccc4ebbe9e6
-
Filesize
1KB
MD5c0ea78c9e89c7229e904597d26ca782b
SHA1c0bb0b1f424876cfc29c997598b4ad76d5fd25e4
SHA2567ec668f283e4bd5024fa0610ae94710cbe25095663d55dc2c7757e85f16be376
SHA512fea26b8b2bcf2ba8dd3f377913da65d4f2aac96e06e6bc9dbf2c4de46419ba48ee8b1f24ea993f2484c57b37fd988f78c154912881b716206d20947fd103e3a0
-
Filesize
1KB
MD544b236f13c044262a8c66ef4b387e798
SHA1032496a17200547f5e7147d5de6682bd4f9ec36e
SHA25616236a2338a0bfc3b136536629337b7f134e86db5b25b1b4af9e0e7e146608f2
SHA512d91484972acb53c02fc1324d6bd156553989c8f4c2dc21ede29228ec5691fa387f2e0b2d9676e45357917b519723cc06ee61f23cb13b9fa127738feea1e37501
-
Filesize
1KB
MD5e5938a0f95b401daeab028e4ec5e7263
SHA1d1ddd60d39111b7fc2cfd4f3ea187d00445653c8
SHA256fcc30390ab781197463dc004e33d495dbbac1f946baaf1c9312164fdd0de96f1
SHA5124b9b64b9838bcfac70e2ca73a6d37df3c376ba52db57fe3f43e646798654ac332f33004845fb388459f014d4279f92f39e1f1386e2f63646d0ab4ece5925a4c9
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-3211ffd5385a22a9011a8f835eced87e84cec70258067681d8af11b337e58232.exe
Filesize599KB
MD54b2a73798786aa1de9f275b4cd57dff8
SHA1e321aa5647c04e72608502c996acabb1391e3ea3
SHA2563211ffd5385a22a9011a8f835eced87e84cec70258067681d8af11b337e58232
SHA512506b6ef333b0a5f21ca1939c70757aa563719a7786e8a49fcc7812cc01dd8474bb52d4e2255bc674f892d83609cf8913c13d824b96b7bdfe029b08d0e1bd96a5
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.MSIL.Crypren.gen-15856152e8961ae0ff0861f935cc21b930c9f1b1f5327e3d6d99dbe6902dee51.exe
Filesize1.5MB
MD50cbac409ea04d8866c7640e0b7e1dea7
SHA1329efe92c0f45eaed2332e7e1dec19aaddc18bd7
SHA25615856152e8961ae0ff0861f935cc21b930c9f1b1f5327e3d6d99dbe6902dee51
SHA51252472aef51d29d943bf9893a37e989cf2a1f6204adcc7eafc6698c5823481cd992ee236bdc4f0f0bc25909580235fb6219ac7c7d94fc369477358f587fd8b3db
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a33dab6d7adb83691bd14c88d7ef47fa0e5417fec691c874e5dd3918f7629215.exe
Filesize197KB
MD51acfdefd7d823688159e6369f5f32ec4
SHA112431515b0bed686a64f27f536644c0d7b8415a8
SHA256a33dab6d7adb83691bd14c88d7ef47fa0e5417fec691c874e5dd3918f7629215
SHA51258fdde7a44db2f789bc28beae582c49a3708b5df5f147f2f3ceebf0ae1e6003ebf68738af3d1708bfd59dc23c7e4938cb1b0495b91a8b8910b96a9db250bb3d1
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Blocker.gen-7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb.exe
Filesize654KB
MD5f1db5ff3aa47cbc8f0ac96946024d34c
SHA13d91ef651941c5a59db26937f27c8e473ae19c95
SHA2567ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb
SHA5126a3aaf9e9efb29a7f472b4753994fc789eb7c8cfa3c75ff2b1b77a60045f5820ef9175e1b20b78cd573bb0b3ca41c85f8b6dd2bf5b05eb82ad6eb35d8f391bb0
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Convagent.gen-a9d592579e11f43dd46c7132cede4802aeebae10bd367efd41d6c98a5f9e486c.exe
Filesize3.9MB
MD5e21ed6f6b8b03c15e38f695f3d4858ae
SHA1c69ecdc24d79907e265b69412f7dbc979c953100
SHA256a9d592579e11f43dd46c7132cede4802aeebae10bd367efd41d6c98a5f9e486c
SHA512c14249379060d90910e78ca6f61005d30f22bc6dbd81e287db9b741b14c4a61eeaed1c945eb03d947617542086be4a60e9bcb3cc61fff026a6a8205d4a57e4a5
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Cryakl.gen-2bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21.exe
Filesize1.9MB
MD50f65d009d42c33796e5abc24a4f4c3ed
SHA14bb31cb2e16a186e8a4e97235ab7efb97220aee0
SHA2562bb2343ed57adb4b139cafaa10e91ac0c82a0f66d21de32cb012b775f3fe1a21
SHA512cef3bcec8fe7a9084c21393c0464ec6567de690425baf4bf79938135148e39eea34deeebe3d0b4c2abf50ca1785a55e331a3255b1b6f25f2c7ba81103b704bbb
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Crypmod.gen-5cd3ee5cfb9241ad12e7dae0cd9c2764d91deee58e1a07bb37c544bc8eb57448.exe
Filesize185KB
MD579c61832c88cadea79f8ac2603b3d4ee
SHA1e5a67efa42b39a86aee83edee6f394f2194f6855
SHA2565cd3ee5cfb9241ad12e7dae0cd9c2764d91deee58e1a07bb37c544bc8eb57448
SHA512400784af1c9ca8a530d2175f7995b64d76698f0b34f6b59d7263bfb10dad1af52d2ccb64ddefffdb0c5edcee16d682d2486764e0e3354cbec65104b74c4befef
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-8f7feaeb31f6c6b7056b05a252ac0531a8fbb7488fd26791d0aec433d21c07fd.exe
Filesize250KB
MD5cb584abdfe3a4fc7341054e1440293af
SHA13ac19e036d1444ef65852783657fdfb725b1e9a4
SHA2568f7feaeb31f6c6b7056b05a252ac0531a8fbb7488fd26791d0aec433d21c07fd
SHA512eb04f6322945e91381070a353418ec7ae07c619eccde5b43123dcd11204dfdd3721dd380568d0b6d00e7c4ef3b01034242a084da64f14d1880b7fc062286de79
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Generic-81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.exe
Filesize416KB
MD521fa6ebdd397f14bbb68a4e3d012467e
SHA10ecff2f818565e7eb28d3a7b7d295459a868e920
SHA25681e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
SHA512368e0c8e973f2cf655ea8a69be07b29bc073b2855f6feb9130f5fa8569cfa8d094549ec5d7706c293f8b22ae8bb6ee1b7dd2f4c2d2ccff94e7435e36d966bf66
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Gimemo.gen-09d0890a500d3840c71451ca07f120bbce4fb6eaf293cb805dcc5ecde0c4403c.exe
Filesize1.7MB
MD5529d993c4e6f5bc22ac98160f116277e
SHA19c5980d80bcbd60158637c708015744dfc9f072c
SHA25609d0890a500d3840c71451ca07f120bbce4fb6eaf293cb805dcc5ecde0c4403c
SHA512e68d47f3c68258cd4c80cc79c24602be217e1736ded4cfb5fe3f888e8b5b83afacbd53f5f04e7d91b3c0d94729343106fb0653eec52d0197d5e5e67e07a3f3c3
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.JSWorm.gen-71cafb0417b9467a91e7d710cf6b6fc4f5017fc666de154c34e61725fb21b1c0.exe
Filesize178KB
MD503c46006f1ed895a17735b0eab056892
SHA162ad969bc2a3af15e79fecbe3847667466882f6e
SHA25671cafb0417b9467a91e7d710cf6b6fc4f5017fc666de154c34e61725fb21b1c0
SHA512a0177ac868f4560ad274de86dbd381c2c26d851187c12c98858bdb2a1490cafa9afa68920dea2dc2ea0a90ee90c85b4e52e4c7cc808f190c6c4e596c406b6161
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a9022b4592e1f45576b35b0bec7a3756b27688295a3b8386094c0613f4e14314.exe
Filesize988KB
MD500a398dc87e4b6ed25f7276b7cad6c43
SHA11f3f3aa6c5a325c29e49aa638129fd16a981d6eb
SHA256a9022b4592e1f45576b35b0bec7a3756b27688295a3b8386094c0613f4e14314
SHA51230f94f6747c8254ab1d6a1d0df2a6b675e72d2d8104fa70b3573626e5ece9e34bc12503a4fc42582bcd4fc0da0044decc7d931a4440119854d0e61e9b551894c
-
C:\Users\Admin\Desktop\00380\HEUR-Trojan-Ransom.Win32.Rack.vho-947196ecb0723f7bfe47b7f01a761a0e9bfbe55ae1f23d787eed4727d1e057b9.exe
Filesize182KB
MD50f40981a135e9c9c4d09b09257eeba9e
SHA1a10fd4321c9cc3281a12212d787a2952f4ed08bb
SHA256947196ecb0723f7bfe47b7f01a761a0e9bfbe55ae1f23d787eed4727d1e057b9
SHA512320b02834362e2e9d6104b7bb502220d1b55c75b6b82749610ea744bdfa8965a570a8056727ee60f5332fe3272a247499fda73f7d71af6efa32e8c2c8fc3143c
-
Filesize
756KB
MD50edd96ca200304bc2ad3c8da79ed9242
SHA1a41088354eb9f9b1dac93a9bd0881e1130f5337e
SHA256dd34d2e1ab15bfb4a8f1616d0ea1a87e0f194630e732ec02f4b737f1c2112d14
SHA512dbe0f08119833a54f95125181db790831798fb59fd6b4eb8a3c2a41ec823f52513cfc1ddf52f8d5b672b5517a23ceaee3e93ca85c7aa0a95c1d05fa779320d1a
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.cjtx-3917759ae65f10aec4f9d5e5628fead573d8f3b4bba59a8f1fcd6692ec563436.exe
Filesize316KB
MD560eaea81c77422b615b2cfd50417c87e
SHA1950612793a50dac774040a1e99ead2160e63657c
SHA2563917759ae65f10aec4f9d5e5628fead573d8f3b4bba59a8f1fcd6692ec563436
SHA512175588b7362ae09a0b575663604c97bd875eacd2b40ab9e945a4fa2f24472708b85c238738c057690551d636cefe9a58e5e4f46371171678a9cd4af3b3d3b559
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.klrp-45167945141c95c5a012feeb0fcfc6667fc43e781cd9e43ab0be4bcc1b9ed6b2.exe
Filesize176KB
MD5acc02f42f2a109e71906d07f4d6f59c8
SHA1555d9c19b2a56ff085582b6a08131de0bd0a010b
SHA25645167945141c95c5a012feeb0fcfc6667fc43e781cd9e43ab0be4bcc1b9ed6b2
SHA512597e521f80ed1f402db1181b8ec34cef2664183de594992463d57ea97e4f7df998947c9d498c6e528a5bc7e6c28a693f579137f6896201fad082b3d16330f52f
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.lckf-5140c53c5f3e25069731a723d05f52dd3b7e36437ab56c2456b751f229cf1491.exe
Filesize112KB
MD57f542542826cd8de17492d0fa34cde9a
SHA1d9d517fd44b769235c85fb7d37dcdf3e7a04d57f
SHA2565140c53c5f3e25069731a723d05f52dd3b7e36437ab56c2456b751f229cf1491
SHA512d2286c1d84368bcff8d0d74c7970bb04b696475d553403a45926cfa5bead1e9b89883936a75a4293a7c7c36b8e05bcf8a98c8453e3cfa98ab90a8f22bde3a87b
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Blocker.mbhj-a7ca204632f7c62e75b02978c62be386b47d4d0741f9bd7d826986cef7ca4304.exe
Filesize262KB
MD5b9b9378e9deb3b922703660bc2b9456a
SHA1cf1c7137e479fa8de749a9d115be70f72aee1320
SHA256a7ca204632f7c62e75b02978c62be386b47d4d0741f9bd7d826986cef7ca4304
SHA512445c314409b89b3ec99c386e77529173065b55fceaaa7d797ff7efa7a1741028925002f16bd3103ced61ec981f14daacf5685003b75631a3d46e2bd4e090a278
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Cortex.i-11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73.exe
Filesize879KB
MD5bcd5275b17fa251e764cc654f27a348b
SHA1ba79b583b6a35dd38f25afd28055cce1835fffd3
SHA25611f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73
SHA51228fc8eb9d3acc66e85c9c99556eaee496d60c4967a6514a42242c2c5dd10f955e1461e911fef9ac22cf8f0618eecfe4f866d383e2b86dd167a3e3b48dd5680ff
-
C:\Users\Admin\Desktop\00380\Trojan-Ransom.Win32.Crusis.drg-c12472bf9837449057268026463065fc9961ebbd3dc31d91d243392addfade9c.exe
Filesize409KB
MD5a36f6f92b7f02ef5232b5a2c22a4b45e
SHA130c19a15a1c0ec091f6f18c6434b421e35c1e4c6
SHA256c12472bf9837449057268026463065fc9961ebbd3dc31d91d243392addfade9c
SHA5122c066257d3d839aec88d33d5b6e3f636e0dcffd29fff9a1ff6d6f417587ccc56e4483e07c5a8a4f014f1d2b6dfcb085c154e8b22108ae5a0023e27342ab0ccbf
-
Filesize
14.0MB
MD52dd57d8758c2b78d11f02de5ca3ae42a
SHA1a02662bc1c33eb0eb77b65d70edf522d03a9101a
SHA256e9629fe2959e8025bea7f61070b20e27cf2af7f1b13aa54660029f7b455f7189
SHA5120b05fcb16a392c70fcba807b4d4e1c5a555bd0dd94bf2cdd249ceb5525c1f48ea3ec96478f2e18591c1e53e676ca65433710f53ef733959768db531970debf60
-
Filesize
16KB
MD5c93cf266a4a5ba59570b49a30bfbbab0
SHA12589d951e0280d658ce81fec838f4722d46028a7
SHA2561105be0c75cca0a0a2fdd8e35393b2f3856f0a5f223c56139cb1c922ad5dc11c
SHA5128855a0a6b07d96759e14ec2081a99cb37e4971977ee38ca92157152a99992f7023e0c6749f43a8f8cf5dfede97f8acfcd2e1c72f7eeaeed8d4d8ffae36603907
-
Filesize
16KB
MD5334d6c37f231fa8b9186c10c58f1c561
SHA16361b33918824f29d07262bb4e2dcd2a0eb0aee9
SHA2568fd87f3ae44cd33ece0bc2d83cb994819a9ba91b194ddfb21748046d01e72942
SHA5122680cfda54f113fcfb93eaab39a19504a0663f4689647ef7f6f07d0d6b25557917794bfe751d6d75b1364310be17f4bcbfafa853845ad33d442bc1a3bf92dd31
-
Filesize
16KB
MD5f8b6b1543ee5a0018ef745c3e27f3afa
SHA1dc8303e88599cbb4686d6b7eb60c7e3070c448db
SHA256375fe357d9628a2a9e9850577e0b3014ffff9159d7f327f4a371994f45740251
SHA512759ea66bb06d6cd2eaaf2ecf6d715d3347fd6d8475e7a62ef4a45b3556ddff18e0a7a2176991cdf526398324d63247081d5a32977e9eebb42c763e34668da88c
-
Filesize
1KB
MD5907b67d20bf50beb45dbbfd3824cefcc
SHA12c2606a5d333817a5dc4129f164cff0a7a5cc85e
SHA256abae0826431cca4dda8482cf2d2f7a26b835bdd8727ec54ec5806c3db574569e
SHA5126098d28c8cd2ee74e6ef6022596d97a816337ebd5e01f2889ce7496937e7d4e22ed0b8ac68359ecbfaa4daeae8cf0ec27585da662e86d99fc075a202a4f26c8e
-
Filesize
413B
MD5ad9a93a93a3c387f3f63a97a9d927481
SHA18891ead23e82e15cf283b37a801b44fe2f718fe5
SHA2563a678365cacdb73695b3df18c743b340c6ad801f4caee7985c06798d3894edb4
SHA512dd87fa36210b9053d4b87b7aaf35767619c50700a6e57f5316cc1659711c3ab13736b486727e9fd63be500e27528839274f2f44ec4d0df8b711ebe5bc8decc62
-
Filesize
251KB
MD5c3f2dcf697ae8530a0604b67e0881f99
SHA1bc6639da7081d4c0cfc6c139108570574a87ee51
SHA2565d232a72c509bb3d17b8a3925604790be4564004510f41eb4eaa3ae823bc84e6
SHA51294bded3ccc16826d4c704710eddccd880d1a796cf7acc2982788554c2dd341104376840e3d91a8237a685a29022f0f168e98f65c12e26c2bc26f33890f79542a
-
Filesize
8KB
MD51fdf4cc34d51031d2c60a2a2bacbe909
SHA1cc287a20b08a4d4f3aa0d83267000cb2d0a362c3
SHA256a4c86cace7d26a033230ba85ff2788586731c6d498f2a002304a4322d4f48c6f
SHA5129ee8aa61f991510b809d073fc0a34bf9a9024ce69306453c6fdcaa4bfd36416380a248113118147e859671ee9f7b5e2dfd40f7d7d4ffe12fdc95b418e4235f30
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
\??\c:\users\admin\desktop\00380\trojan-ransom.win32.crypren.agpe-4eac200afdbf3ed368074c0a544bfdbbe0b33f9366905a2b0bd0a51aa1c65477.exe
Filesize296KB
MD5b4f63dbb03d24833d78459410e8fa381
SHA15cb7fe1ba61b4d313bf3c74800b91adf7e6b7770
SHA2564eac200afdbf3ed368074c0a544bfdbbe0b33f9366905a2b0bd0a51aa1c65477
SHA51255020705a906c239d9e9a90ffec59b47486e569604320e9db9e234a75c62db29ef50db5be03bc83f23f0fe9bb6f8783298b31b3e7b45f42f1e3f392fdf087c99