darkcomet | 984ce7df6ebb527fdf397217bf2879c72dc3acca8078e64dc002b86da548efbe

Analysis

max time kernel
60s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00355.7z
Size

8.4MB
MD5

1e27240afe6f2292ebdda2f35af1379f
SHA1

f98cfd4bc31e3c07e90080df33022cb323822cf7
SHA256

984ce7df6ebb527fdf397217bf2879c72dc3acca8078e64dc002b86da548efbe
SHA512

e28ff232eb03d6e98503ec79bd1ad2d61a4b68f444cef0136c3ea104a1e25dba041334616355619e85b2279ab38b5a0650d67e917cee57d15ccc403787cec604
SSDEEP

196608:QRAB5GdPTtXNJT3khw37TBDJAUwpFbxPm9i5TZaGMbc:QRg0RT06rtttGFbxPmgTZcbc

Score

10^/10

darkcomet modiloader defense_evasion discovery evasion execution impact persistence ransomware rat trojan upx

Malware Config

Extracted

Family

darkcomet

asftp.no-ip.org:1766

Mutex

DC_MUTEX-TNB4ASC

Attributes

InstallPath
c:\Program Files\Java Runtime\Java Updater.exe
gencode
XDxYlNLNS75r
install
true
offline_keylogger
true
password
52410
persistence
false
reg_key
Java

Extracted

Path

C:\$Recycle.Bin\QSQZINPORQ-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .QSQZINPORQ The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/3559b22c8b3c4d7 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAGFNxSRfdSGciatpWa0agm+NfQFXdv80Au4XmNj6shS2MFxI4pIXho7bUukKvsH6xWuUAefnD7F0MeD4EuzdmkLCxZDtf930DAJoY18SgPuLuvT+c4EzUachUUrNFHnw9Crz+w5aktz5/AfPDfIZWTMmob37J96RgzfWe2wX3EKixRBMj/5yIPO0pI8yXY7YLbHTtr0pn9wZ3qahS4LjhPqw2kSqXD7mkx8WYSL4MrCChBhKxGwbRC8C0/pSvku41mskNbxgUbe+H1oZiit117L69BfaGd747iDgnBRBeINe2gl2dan7UUNNBbSDwAb/zM0Yn/R/bnckESPYevNF6iYtZTrxRirh3DkzFAv5MJAj7AEpMuEfMSbn2d6vOBDdXmarBRfW1cTtsFpB0/E5QqkbqEWLvvrf4eNsOqNrMwXr1KiLYlkns7Z/lwLfYiJ4z8FvBWEnlBiksNxRkZDzxB6dyIhFnoVCij/pRIwNfLIWJTxMrZcLK/M7Io5oNYSn/o4ZPGCZawrPL8nPmPjklZZo1rImMDhpibUcplZGcGNKqIe2gRFsDoDBsPLINmhHOYcNGlY9EBmq+NQ1YFzAp2c9l6sPPGCjp5VCi35yqQxoCNiphXI4GJ+DzzPUa7I/1Qhxu5K7i43Ly3CnIZZOZHRinsWyF4hSgn5SL5OVqROA1WrDPWc1n4Omku0GYaOFNCDrT6VcILiq4RSvPiQJXINUEdsJap23tCzT92FWYXIiXecdpRtOyDrYNzbs248Z2lKcRIYhTD91uIxON3HTmFHCYdfVQEbH7mjMNKDGumA+6BpI9tUHkh3jwzjpecrtpDXGgvcAAuFwn/g1VMYlA0Uwk6akkTCsJWry58Q3RLSqBd7Cz7SHo7E0CINKcCCs3HzPAHdnapgFB1CHYUP/SVKlJKTWQt2wtXPrRd4ADnVu8k8n4FrkC4En+E0LbN3zqR+qL0HbXu9p7hUrOAQSDRzXm8jNVNziZsyEyaFtboXnl8KyZcXA1qOfR3E9ViPj/8l3T8bdj1S4SXZ9uNdj4k24nZLFBggCsLlvFFbmlfaEYwG2uywBCsdg5KzDxGzhNE2CGFGFysNyuyPIHMYL0U00it/u96053nhEzHKuP3vMu90Xe5PkXqYujWpNh0GEoRwNXkLOXuICzcj3CQdO7CzHOugHrkUp1v8SvaqOgNIkDPJUYEU0WuxwMG11PPypm2os+lc2YiKcFu22ZO8RBZln7rWFmDHECmcJtoCanTXc3fJSSERASuERPnVWEa+HEsP8nH8jSl4oVSIHhNKsbujoF8Uwe8N44iyJj7lAz1f7go+66XTBK3lF3cL1wLuMWMS+wgWBemwur3MZAWxFusVuvJFfSwmGqQXwdwLd2JgqCGmykFrI2QPrDH6+vbgUcr/ziwaJp+HFEMSnBq0GnVYHHfM06Q4HnjaxMYlKA+Qz6m/N3HcvvWCYYhQgyO+qp3ggd+NiYCOnS3antRYpCmZcAzz5uEwo+9KGM+B5UBHXpMhchBCLZeJJm0Ro3bVgk2G4eBXYhKVvoIlgnJ8JUUYhOOvNBFjpV9GO2Kni8H82x4+XvbM1hBwHJ0A+L7stQ1nZXonOb2DLalpd3kE5p9yMHuPcyUa8L6ky/lC2O23LS28PsrN55ill0BIqeZMxyW6evrdPA2CHaaLtT9hhts6D3QYsRhqVrRlgxlwFufwVrnBIyBVLhn7KMOykFf8kfxQUN6hg1eM6ljrLc6naul9UcH5x0go422LBiH2I6l/9nVobGs0whc49lRCuw8OFBumWQZZR1RnN2QTjFTJHlQ419ta5RvWExSX/hp2xJWWUajxW56DKAFAof0z1mA5IcfyrjO4s1B1gfY36G8QiDwB8AGlN4JTWFjuBRoqkFKVoordNg4WBPEVajAfmZQIASrGd8RZDwamShfelN7ttXFSBTAjdabTZlyaP7FgnP9TEfog5CW1GZw/tX/5JbCQSannkT+GJi040c0gjdMOWcXhBAaIUNESHvuhLamNmYYvLEFpet50IjyERNxGEjOCOLGvpwRd9h3tibZ/V3QzSpIJ+AJShjqeXOCLlWx+/le8kT0QDkR1UArzVbYbByCecKTmDlcPG8wdfA+MRJ7u4mWvymoZuR0vFbF2cFfZ8f3q85yabwsu6+MWjFUsWfxM0blgEyZzES+lranhSSCZA4EMPYi952F09+I0zmeiTVUxAbSaqP0XlvmsG8NqBaKwGQfZm3/E= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZVTpRRpnYN7nJWo7feTGSHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4LF3kU3B6eL2/2Q2E+t1GtNYPlqABnTtqRGCEd4btydK4o24b6bsY7hyY4zV2QKiqZRuTRsqAVO9JIcJoJFowNooAhPLnKY+DO5bAL6fi2Epg65rKw3oxAhKwg7zZifpCBFJ3vDLOOar1xoZR3QcRiOKBTm51iTgAH9imUrfmSz2QU5nmbImlsyw6XINVYbpeDfrfB0ceMBkP3JNgn9SQ3nC26ZUErrteEilBYhMZZH9HowOP7+LRYsPy4knV/fu67POzMP9PnYTh4gzvuwKRb5tB/+FbmHWs+IUXo5eM9Q19EZhLFKM2u1g1mmDLQgzxwsJfjT5T2ECiWME ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/3559b22c8b3c4d7

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,c:\\Program Files\\Java Runtime\\Java Updater.exe"	1766.exe

Modiloader family
modiloader
Contacts a large (16404) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1052-128-0x0000000000400000-0x0000000000416000-memory.dmp	modiloader_stage2
behavioral1/memory/2988-126-0x0000000000400000-0x0000000000416000-memory.dmp	modiloader_stage2
behavioral1/memory/1052-290-0x0000000000400000-0x0000000000416000-memory.dmp	modiloader_stage2

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
852	bcdedit.exe
2756	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	1766.exe

Executes dropped EXE 18 IoCs

pid	Process
2324	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd.exe
2604	HEUR-Trojan-Ransom.Win32.Shade.gen-2d2d96c90922dd755b9302dac058083a26c5ea7ff83e4cc60e4632ec7ff6d509.exe
2680	Trojan-Ransom.MSIL.Trucry.a-623fdfb190b9cd0a1d8729842efd1edf41aec13dda70e447a69b7f94921a0f88.exe
1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
2820	install.exe
2988	IPK-1339.exe
2544	1766.exe
1052	AdobeARTM.exe
2392	Uninstall.exe
1016	Uninstall.exe
2256	Java Updater.exe
2748	Trojan-Ransom.Win32.Blocker.jfgj-004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef.exe
2880	Trojan-Ransom.Win32.Blocker.lmdb-eaef59857753bb4eb4773b26aa1cc4b16123bcf00a58fffc07984dd5fcd6d0f8.exe
2892	Trojan-Ransom.Win32.Ducry.i-26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe.exe
2752	Trojan-Ransom.Win32.Zcryptor.a-bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
2456	Trojan-Ransom.Win32.GandCrypt.hci-3304a82bd6c7344961704f277ee66eaddbe032e09b169957ca688a8d8980d721.exe
2824	Trojan-Ransom.Win32.Zerber.fyp-463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19.exe
2668	zcrypt.exe

Loads dropped DLL 18 IoCs

pid	Process
1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
2820	install.exe
2820	install.exe
2820	install.exe
2820	install.exe
2820	install.exe
2988	IPK-1339.exe
2988	IPK-1339.exe
1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
2392	Uninstall.exe
2544	1766.exe
2256	Java Updater.exe
2256	Java Updater.exe
2256	Java Updater.exe
2752	Trojan-Ransom.Win32.Zcryptor.a-bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeARTM = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARTM.exe"	AdobeARTM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "c:\\Program Files\\Java Runtime\\Java Updater.exe"	1766.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcrypt = "\"C:\\Users\\Admin\\Desktop\\00355\\Trojan-Ransom.Win32.Zcryptor.a-bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe\" "	Trojan-Ransom.Win32.Zcryptor.a-bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ipinfo.io

AutoIT Executable 22 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2880-402-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/2880-481-0x0000000005FF0000-0x0000000006A01000-memory.dmp	autoit_exe
behavioral1/memory/2608-501-0x0000000001210000-0x0000000001C21000-memory.dmp	autoit_exe
behavioral1/memory/2880-529-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/1984-572-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/1984-577-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/2608-573-0x0000000001210000-0x0000000001C21000-memory.dmp	autoit_exe
behavioral1/memory/2608-603-0x0000000001210000-0x0000000001C21000-memory.dmp	autoit_exe
behavioral1/memory/2880-714-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/1984-770-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/2880-1185-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/1772-1194-0x0000000001240000-0x0000000001C51000-memory.dmp	autoit_exe
behavioral1/memory/1984-1244-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/1772-1283-0x0000000001240000-0x0000000001C51000-memory.dmp	autoit_exe
behavioral1/memory/2880-1282-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/1772-1289-0x0000000001240000-0x0000000001C51000-memory.dmp	autoit_exe
behavioral1/memory/1772-1296-0x0000000001240000-0x0000000001C51000-memory.dmp	autoit_exe
behavioral1/memory/1984-1297-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/2704-1325-0x00000000012F0000-0x0000000001D01000-memory.dmp	autoit_exe
behavioral1/memory/2880-1326-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/1984-1327-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe
behavioral1/memory/2880-1366-0x0000000000DB0000-0x00000000017C1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 2876	2256	Java Updater.exe	51

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000194a3-243.dat	upx
behavioral1/memory/2880-248-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/2456-266-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral1/files/0x00050000000194ef-255.dat	upx
behavioral1/memory/2456-289-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral1/memory/2604-294-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2604-297-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2604-296-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2604-295-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2604-299-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2604-300-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2880-402-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/1984-462-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/2608-501-0x0000000001210000-0x0000000001C21000-memory.dmp	upx
behavioral1/memory/2880-529-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/1984-572-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/1984-577-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/2608-573-0x0000000001210000-0x0000000001C21000-memory.dmp	upx
behavioral1/memory/2608-603-0x0000000001210000-0x0000000001C21000-memory.dmp	upx
behavioral1/memory/2880-714-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/1984-770-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/2880-1185-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/1772-1194-0x0000000001240000-0x0000000001C51000-memory.dmp	upx
behavioral1/memory/1984-1244-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/1772-1283-0x0000000001240000-0x0000000001C51000-memory.dmp	upx
behavioral1/memory/2880-1282-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/1772-1289-0x0000000001240000-0x0000000001C51000-memory.dmp	upx
behavioral1/memory/1772-1296-0x0000000001240000-0x0000000001C51000-memory.dmp	upx
behavioral1/memory/1984-1297-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/2704-1325-0x00000000012F0000-0x0000000001D01000-memory.dmp	upx
behavioral1/memory/2880-1326-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/1984-1327-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx
behavioral1/memory/2880-1366-0x0000000000DB0000-0x00000000017C1000-memory.dmp	upx

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\9gfx\1766.exe	install.exe
File opened for modification	C:\Program Files (x86)\9gfx\gxf2.pak	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
File opened for modification	C:\Program Files (x86)\9gfx\gxf6.pak	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
File opened for modification	C:\Program Files (x86)\9gfx\gxf5.pak	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
File opened for modification	C:\Program Files (x86)\9gfx\IPK-1339.exe	install.exe
File opened for modification	C:\Program Files (x86)\9gfx\New Text Document.txt	install.exe
File created	\??\c:\Program Files\Java Runtime\Java Updater.exe	1766.exe
File opened for modification	C:\Program Files (x86)\9gfx\gxf3.pak	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
File opened for modification	C:\Program Files (x86)\9gfx\gxf4.pak	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
File created	C:\Program Files (x86)\9gfx\Uninstall.ini	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
File opened for modification	\??\c:\Program Files\Java Runtime\Java Updater.exe	1766.exe
File opened for modification	\??\c:\Program Files\Java Runtime\	1766.exe
File opened for modification	C:\Program Files (x86)\9gfx\install.exe	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
File opened for modification	C:\Program Files (x86)\9gfx\Uninstall.exe	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeARTM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1766.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.lmdb-eaef59857753bb4eb4773b26aa1cc4b16123bcf00a58fffc07984dd5fcd6d0f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Shade.gen-2d2d96c90922dd755b9302dac058083a26c5ea7ff83e4cc60e4632ec7ff6d509.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zcryptor.a-bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.jfgj-004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IPK-1339.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2980	cmd.exe
2372	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
740	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2808	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2372	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

pid	Process
2324	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd.exe
2604	HEUR-Trojan-Ransom.Win32.Shade.gen-2d2d96c90922dd755b9302dac058083a26c5ea7ff83e4cc60e4632ec7ff6d509.exe
1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
2748	Trojan-Ransom.Win32.Blocker.jfgj-004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef.exe
2880	Trojan-Ransom.Win32.Blocker.lmdb-eaef59857753bb4eb4773b26aa1cc4b16123bcf00a58fffc07984dd5fcd6d0f8.exe
2892	Trojan-Ransom.Win32.Ducry.i-26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe.exe
2456	Trojan-Ransom.Win32.GandCrypt.hci-3304a82bd6c7344961704f277ee66eaddbe032e09b169957ca688a8d8980d721.exe
2752	Trojan-Ransom.Win32.Zcryptor.a-bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
2824	Trojan-Ransom.Win32.Zerber.fyp-463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1116	7zFM.exe
Token: 35	1116	7zFM.exe
Token: SeSecurityPrivilege	1116	7zFM.exe
Token: SeDebugPrivilege	2648	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	2544	1766.exe
Token: SeSecurityPrivilege	2544	1766.exe
Token: SeTakeOwnershipPrivilege	2544	1766.exe
Token: SeLoadDriverPrivilege	2544	1766.exe
Token: SeSystemProfilePrivilege	2544	1766.exe
Token: SeSystemtimePrivilege	2544	1766.exe
Token: SeProfSingleProcessPrivilege	2544	1766.exe
Token: SeIncBasePriorityPrivilege	2544	1766.exe
Token: SeCreatePagefilePrivilege	2544	1766.exe
Token: SeBackupPrivilege	2544	1766.exe
Token: SeRestorePrivilege	2544	1766.exe
Token: SeShutdownPrivilege	2544	1766.exe
Token: SeDebugPrivilege	2544	1766.exe
Token: SeSystemEnvironmentPrivilege	2544	1766.exe
Token: SeChangeNotifyPrivilege	2544	1766.exe
Token: SeRemoteShutdownPrivilege	2544	1766.exe
Token: SeUndockPrivilege	2544	1766.exe
Token: SeManageVolumePrivilege	2544	1766.exe
Token: SeImpersonatePrivilege	2544	1766.exe
Token: SeCreateGlobalPrivilege	2544	1766.exe
Token: 33	2544	1766.exe
Token: 34	2544	1766.exe
Token: 35	2544	1766.exe
Token: SeIncreaseQuotaPrivilege	2256	Java Updater.exe
Token: SeSecurityPrivilege	2256	Java Updater.exe
Token: SeTakeOwnershipPrivilege	2256	Java Updater.exe
Token: SeLoadDriverPrivilege	2256	Java Updater.exe
Token: SeSystemProfilePrivilege	2256	Java Updater.exe
Token: SeSystemtimePrivilege	2256	Java Updater.exe
Token: SeProfSingleProcessPrivilege	2256	Java Updater.exe
Token: SeIncBasePriorityPrivilege	2256	Java Updater.exe
Token: SeCreatePagefilePrivilege	2256	Java Updater.exe
Token: SeBackupPrivilege	2256	Java Updater.exe
Token: SeRestorePrivilege	2256	Java Updater.exe
Token: SeShutdownPrivilege	2256	Java Updater.exe
Token: SeDebugPrivilege	2256	Java Updater.exe
Token: SeSystemEnvironmentPrivilege	2256	Java Updater.exe
Token: SeChangeNotifyPrivilege	2256	Java Updater.exe
Token: SeRemoteShutdownPrivilege	2256	Java Updater.exe
Token: SeUndockPrivilege	2256	Java Updater.exe
Token: SeManageVolumePrivilege	2256	Java Updater.exe
Token: SeImpersonatePrivilege	2256	Java Updater.exe
Token: SeCreateGlobalPrivilege	2256	Java Updater.exe
Token: 33	2256	Java Updater.exe
Token: 34	2256	Java Updater.exe
Token: 35	2256	Java Updater.exe
Token: SeIncreaseQuotaPrivilege	2876	iexplore.exe
Token: SeSecurityPrivilege	2876	iexplore.exe
Token: SeTakeOwnershipPrivilege	2876	iexplore.exe
Token: SeLoadDriverPrivilege	2876	iexplore.exe
Token: SeSystemProfilePrivilege	2876	iexplore.exe
Token: SeSystemtimePrivilege	2876	iexplore.exe
Token: SeProfSingleProcessPrivilege	2876	iexplore.exe
Token: SeIncBasePriorityPrivilege	2876	iexplore.exe
Token: SeCreatePagefilePrivilege	2876	iexplore.exe
Token: SeBackupPrivilege	2876	iexplore.exe
Token: SeRestorePrivilege	2876	iexplore.exe
Token: SeShutdownPrivilege	2876	iexplore.exe
Token: SeDebugPrivilege	2876	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2876	iexplore.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1116	7zFM.exe
1116	7zFM.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	iexplore.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2824	Trojan-Ransom.Win32.Zerber.fyp-463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2324	2124	cmd.exe	36
PID 2124 wrote to memory of 2324	2124	cmd.exe	36
PID 2124 wrote to memory of 2324	2124	cmd.exe	36
PID 2124 wrote to memory of 2324	2124	cmd.exe	36
PID 2124 wrote to memory of 2604	2124	cmd.exe	37
PID 2124 wrote to memory of 2604	2124	cmd.exe	37
PID 2124 wrote to memory of 2604	2124	cmd.exe	37
PID 2124 wrote to memory of 2604	2124	cmd.exe	37
PID 2124 wrote to memory of 2680	2124	cmd.exe	38
PID 2124 wrote to memory of 2680	2124	cmd.exe	38
PID 2124 wrote to memory of 2680	2124	cmd.exe	38
PID 2124 wrote to memory of 1648	2124	cmd.exe	39
PID 2124 wrote to memory of 1648	2124	cmd.exe	39
PID 2124 wrote to memory of 1648	2124	cmd.exe	39
PID 2124 wrote to memory of 1648	2124	cmd.exe	39
PID 2124 wrote to memory of 1648	2124	cmd.exe	39
PID 2124 wrote to memory of 1648	2124	cmd.exe	39
PID 2124 wrote to memory of 1648	2124	cmd.exe	39
PID 1648 wrote to memory of 2820	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	40
PID 1648 wrote to memory of 2820	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	40
PID 1648 wrote to memory of 2820	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	40
PID 1648 wrote to memory of 2820	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	40
PID 1648 wrote to memory of 2820	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	40
PID 1648 wrote to memory of 2820	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	40
PID 1648 wrote to memory of 2820	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	40
PID 2820 wrote to memory of 2988	2820	install.exe	41
PID 2820 wrote to memory of 2988	2820	install.exe	41
PID 2820 wrote to memory of 2988	2820	install.exe	41
PID 2820 wrote to memory of 2988	2820	install.exe	41
PID 2820 wrote to memory of 2544	2820	install.exe	42
PID 2820 wrote to memory of 2544	2820	install.exe	42
PID 2820 wrote to memory of 2544	2820	install.exe	42
PID 2820 wrote to memory of 2544	2820	install.exe	42
PID 2988 wrote to memory of 1052	2988	IPK-1339.exe	43
PID 2988 wrote to memory of 1052	2988	IPK-1339.exe	43
PID 2988 wrote to memory of 1052	2988	IPK-1339.exe	43
PID 2988 wrote to memory of 1052	2988	IPK-1339.exe	43
PID 1648 wrote to memory of 2392	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	44
PID 1648 wrote to memory of 2392	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	44
PID 1648 wrote to memory of 2392	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	44
PID 1648 wrote to memory of 2392	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	44
PID 1648 wrote to memory of 2392	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	44
PID 1648 wrote to memory of 2392	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	44
PID 1648 wrote to memory of 2392	1648	Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe	44
PID 2392 wrote to memory of 1016	2392	Uninstall.exe	45
PID 2392 wrote to memory of 1016	2392	Uninstall.exe	45
PID 2392 wrote to memory of 1016	2392	Uninstall.exe	45
PID 2392 wrote to memory of 1016	2392	Uninstall.exe	45
PID 2392 wrote to memory of 1016	2392	Uninstall.exe	45
PID 2392 wrote to memory of 1016	2392	Uninstall.exe	45
PID 2392 wrote to memory of 1016	2392	Uninstall.exe	45
PID 2544 wrote to memory of 2256	2544	1766.exe	46
PID 2544 wrote to memory of 2256	2544	1766.exe	46
PID 2544 wrote to memory of 2256	2544	1766.exe	46
PID 2544 wrote to memory of 2256	2544	1766.exe	46
PID 2544 wrote to memory of 2256	2544	1766.exe	46
PID 2544 wrote to memory of 2256	2544	1766.exe	46
PID 2544 wrote to memory of 2256	2544	1766.exe	46
PID 2124 wrote to memory of 2748	2124	cmd.exe	48
PID 2124 wrote to memory of 2748	2124	cmd.exe	48
PID 2124 wrote to memory of 2748	2124	cmd.exe	48
PID 2124 wrote to memory of 2748	2124	cmd.exe	48
PID 2124 wrote to memory of 2880	2124	cmd.exe	49
PID 2124 wrote to memory of 2880	2124	cmd.exe	49

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00355.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\Desktop\00355\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd.exe
  HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2324
- C:\Users\Admin\Desktop\00355\HEUR-Trojan-Ransom.Win32.Shade.gen-2d2d96c90922dd755b9302dac058083a26c5ea7ff83e4cc60e4632ec7ff6d509.exe
  HEUR-Trojan-Ransom.Win32.Shade.gen-2d2d96c90922dd755b9302dac058083a26c5ea7ff83e4cc60e4632ec7ff6d509.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2604
- C:\Users\Admin\Desktop\00355\Trojan-Ransom.MSIL.Trucry.a-623fdfb190b9cd0a1d8729842efd1edf41aec13dda70e447a69b7f94921a0f88.exe
  Trojan-Ransom.MSIL.Trucry.a-623fdfb190b9cd0a1d8729842efd1edf41aec13dda70e447a69b7f94921a0f88.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
  Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Program Files (x86)\9gfx\install.exe
    "C:\Program Files (x86)\9gfx\install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Program Files (x86)\9gfx\IPK-1339.exe
      "C:\Program Files (x86)\9gfx\IPK-1339.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Users\Admin\AppData\Roaming\AdobeARTM.exe
        
        "C:\Users\Admin\AppData\Roaming\AdobeARTM.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1052
  - - C:\Program Files (x86)\9gfx\1766.exe
      "C:\Program Files (x86)\9gfx\1766.exe"
      4⤵
      Modifies WinLogon for persistence
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Program Files\Java Runtime\Java Updater.exe
        
        "C:\Program Files\Java Runtime\Java Updater.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2876
- - C:\Program Files (x86)\9gfx\Uninstall.exe
    "C:\Program Files (x86)\9gfx\Uninstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
      "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1016
- C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Blocker.jfgj-004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef.exe
  Trojan-Ransom.Win32.Blocker.jfgj-004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2748
- C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Blocker.lmdb-eaef59857753bb4eb4773b26aa1cc4b16123bcf00a58fffc07984dd5fcd6d0f8.exe
  Trojan-Ransom.Win32.Blocker.lmdb-eaef59857753bb4eb4773b26aa1cc4b16123bcf00a58fffc07984dd5fcd6d0f8.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2880
- - C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Blocker.lmdb-eaef59857753bb4eb4773b26aa1cc4b16123bcf00a58fffc07984dd5fcd6d0f8.exe
    C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Blocker.lmdb-eaef59857753bb4eb4773b26aa1cc4b16123bcf00a58fffc07984dd5fcd6d0f8.exe /nstart
    3⤵
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\boossds.exe
    C:\Users\Admin\AppData\Local\Temp\boossds.exe /HomeRegAccess10
    3⤵
    PID:2608
- - C:\Windows\system32\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~ffbnosu.inf
    3⤵
    PID:572
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      PID:872
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:1564
- - C:\Users\Admin\AppData\Local\Temp\ubhibzs.exe
    C:\Users\Admin\AppData\Local\Temp\ubhibzs.exe /HomeRegAccess10
    3⤵
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\wnthvbl.exe
    C:\Users\Admin\AppData\Local\Temp\wnthvbl.exe /HomeRegAccess10
    3⤵
    PID:2704
- - C:\Windows\system32\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~sfrovsm.inf
    3⤵
    PID:2700
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      PID:1136
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:2976
- C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Ducry.i-26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe.exe
  Trojan-Ransom.Win32.Ducry.i-26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2892
- C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.GandCrypt.hci-3304a82bd6c7344961704f277ee66eaddbe032e09b169957ca688a8d8980d721.exe
  Trojan-Ransom.Win32.GandCrypt.hci-3304a82bd6c7344961704f277ee66eaddbe032e09b169957ca688a8d8980d721.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2456
- - C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.GandCrypt.hci-3304a82bd6c7344961704f277ee66eaddbe032e09b169957ca688a8d8980d721.exe
    "C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.GandCrypt.hci-3304a82bd6c7344961704f277ee66eaddbe032e09b169957ca688a8d8980d721.exe"
    3⤵
    PID:1868
  - - C:\Windows\SysWOW64\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      4⤵
      PID:620
- C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Zcryptor.a-bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
  Trojan-Ransom.Win32.Zcryptor.a-bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2752
- - C:\Users\Admin\AppData\Roaming\zcrypt.exe
    C:\Users\Admin\AppData\Roaming\zcrypt.exe
    3⤵
    - Executes dropped EXE
    PID:2668
- C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Zerber.fyp-463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19.exe
  Trojan-Ransom.Win32.Zerber.fyp-463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of UnmapMainImage
  PID:2824
- - C:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\eventvwr.exe
    "C:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\eventvwr.exe"
    3⤵
    PID:2952
  - - C:\Windows\system32\vssadmin.exe
      "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:740
  - - C:\Windows\system32\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      4⤵
      PID:1908
  - - C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:852
  - - C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "Trojan-Ransom.Win32.Zerber.fyp-463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Zerber.fyp-463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19.exe" > NUL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "Trojan-Ransom.Win32.Zerber.fyp-463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19.exe"
      4⤵
      Kills process with taskkill
      PID:2808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2288

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2956

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\QSQZINPORQ-DECRYPT.txt
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\QSQZINPORQ-DECRYPT.txt

Filesize
8KB

MD5
6ef8e0508dceff979c5f3dadc6898d94

SHA1
c042cb8896436f552bf84ea8857f5263e001b614

SHA256
de300dc39cac042edcd864286074c68977e43028f15ab99b4602507f1b7703ae

SHA512
a0903a2757211a634b515f6cc906602fbb0f5229e0b74aafcca6260deb08b9df37cfe798cce9485718cb654bccc790e5e88b4a6c218c2d7569f31e35be8314d1

Download Submit
C:\Program Files (x86)\9gfx\IPK-1339.exe

Filesize
20KB

MD5
114f5299507effddf3817336a75cfcad

SHA1
6824b76a906d420c522fa5e53c16a0a1bc2b2709

SHA256
c12489f82ddbed49845b77e3306861b2239c70bed201789bb33f89fd015ecd4d

SHA512
5c481142953e346a7df4b7fc80baef89a450004e077670695f9941658d8f406f1a9c338568ea3cf6b1b947de8be767a8642a0dd35897a03135fb912345aa7abf

Download Submit
C:\Program Files (x86)\9gfx\gxf2.pak

Filesize
66KB

MD5
10f61d4b230bc99362b557c42d962269

SHA1
1bea5c592d9853b422cfdad36bd8b36bcfaddea0

SHA256
63830b4e43cd92eaa610ab587ffcda679e2d52ec625414d3e894c8192e734c11

SHA512
65942bf8a302ade4a7e01dfaba0ca368c40b61fe64ee66904c6bd0040db366f82fe93efc95c684cecc5560b2a8799d956c9af0af421a2fcabd1fe5aa53ae4fe9

Download Submit
C:\Program Files (x86)\9gfx\gxf3.pak

Filesize
66KB

MD5
6d2ededb328e601d3e4668213ad99e85

SHA1
254cffdc54da5962a727351f46943edd136dceb8

SHA256
b930b3fa9b3abfce6a3166ecfb94ab74d4ee3014d0acb964914d4edfe0b799bb

SHA512
4283aee71469e95e305d0f1be7427ba3434c01b7aabfe42d0abca7d6342b236481cecb2ec0956121e296bc2b8e523c737856b9a15537b8365ae764a20970ef31

Download Submit
C:\Program Files (x86)\9gfx\gxf4.pak

Filesize
66KB

MD5
afc6d8a608c9872866f900cf6fbd65ab

SHA1
b7ac0fb41dec2d5e1bc8d031943e473e28940d56

SHA256
b5afdbc6d451799fa14dc7d175df3b11e91d8961470e9dc33803a6b8b8e9fab4

SHA512
f6d9c58314b6ebb7245a127eb21ad648197f7352d1a88bb794cd1b39c9335bbf0b8501aa213d912dd9c0885305edd70e87e6153148aef0f3528f4d8be0d28a54

Download Submit
C:\Program Files (x86)\9gfx\gxf5.pak

Filesize
66KB

MD5
cf702cda34b44ea599039928dedd76b5

SHA1
aef89476f5421b078f0e11aa6dd8b0ef201e3f66

SHA256
67fdd4b55e03ba419d710cfc51a9dfff68f315e2d4b9c28b381ffa67d680f5e5

SHA512
36c2ac579a80c281a1f186c87f41fcdb835444c4d6734de95da08f993c8d9d9f7d9e2e429fe18248837308388331626731fcadc5217994bccb6759e002c75f3f

Download Submit
C:\Program Files (x86)\9gfx\gxf6.pak

Filesize
17KB

MD5
f5d373825a54a8d0fceea494204293b8

SHA1
40999d3d282b52705f28d9dba6f820eb4bf0d178

SHA256
f293c91ce9e24f9cce957105885a905b2b11d307135ac0e9c2fac736498f6b01

SHA512
1a66597619771f0d04f85d08926798de8e21db4e16812451c9458f9fe4d983379b2136063725950039493f092b137886952bc65589fec7ac58f07d5ad1cd1195

Download Submit
C:\Program Files (x86)\9gfx\install.exe

Filesize
117KB

MD5
358b05cc99b78c258d8bc286986bd336

SHA1
6baab32763428d9aa3a2bdb5e9c1a93cddefb9b3

SHA256
6ddeb03c865712c8f6afd66220af10f306abe49eaca96d4f647bcb2c8ff9e0cc

SHA512
83f1f7b0ec5134ba87fb8d66f833af1aa1243ea8b037ce268f13deaa1a06088521e03a4b62b518ab192badd46c1d9096cd143238180c71bcba26544bb94f4ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
36B

MD5
8708699d2c73bed30a0a08d80f96d6d7

SHA1
684cb9d317146553e8c5269c8afb1539565f4f78

SHA256
a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

SHA512
38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

Download Submit
C:\Users\Admin\AppData\Local\Temp\1984uzdsavp

Filesize
240KB

MD5
dc267badf25f34a5d569e8be2cd192e5

SHA1
8e6746bad92e941963762f32562868748fea94c2

SHA256
3f141cfcea1b04d9f6af1dc68c91a6151e6cbdc62bb8f888b61ce1de9d29520c

SHA512
a55adf4c1bccf09c7e3e83b63bd0d6cc53bf85b06ea6e03e4f8e7f7c1cf935305255360527028f97d893446d51218b22d0312bb7a60333837bb23a3df63e4106

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstall.ini

Filesize
1KB

MD5
907526aa3161c8a82ac29f18d1a737d4

SHA1
09c5511efad4513d1cb2a3cc92f0b990046d3dfc

SHA256
017173c668059a82aafa14a54dd6fa5de439d0cea6bac3fcf09fd1f2b01a7bf1

SHA512
4213205441015cc399f4a5f7ecc474692863f193f41dccb2c56094fb48fe924a394b81d48c038f60062af4a4ffa55da7057667ead9b9c37f25f94b9669eb59f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\autF6AE.tmp

Filesize
44KB

MD5
e2b127908cace056a7b9f8b79f8b3274

SHA1
b074f96711de866dad0117bc4c3079375100251e

SHA256
fce2fd62027dfbe01061c5ea20399167fe7463c400a8f247816c556065d5e4aa

SHA512
0b53b703f47f3d1cff3ec4d08bfa214fe764bfbaadb945c2220640bf7a2f69da77de7295fc4b74f7776b2b49a50c1f59c2f4381c3abfb6b58294da710ad58f4e

Download Submit
C:\Users\Admin\AppData\Roaming\zcrypt.exe

Filesize
791KB

MD5
d1e75b274211a78d9c5d38c8ff2e1778

SHA1
d14954a7b9e0c778909fe8dcad99ad4120365b2e

SHA256
bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f

SHA512
1ec3fbb0bf17d4ad6397ba2e58daa210745f10f88f6722971464a6eeb7573f49be6d65e70a497002d6d00745317f11442bdeaf999b91127b123c11dfe9b088c2

Download Submit
C:\Users\Admin\Desktop\00355\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd.exe

Filesize
795KB

MD5
92f8ed812a79b8037a112c6971f4970f

SHA1
19c2b1fc1d65d7c1c90f0c0811d6cb97475e46e7

SHA256
43ed182a18e109842c7850dee74a8ddecfe73f976c7c75415ab17e338c1e9dcd

SHA512
d8f5a302ac794c0f08f60bd4ab196deadf5c1549f1e5b863adce049d36e3d99ea243f16a0eee9a91b38e835f06bce2d04965a710791eac0fde9446192b7a92ff

Download Submit
C:\Users\Admin\Desktop\00355\HEUR-Trojan-Ransom.Win32.Shade.gen-2d2d96c90922dd755b9302dac058083a26c5ea7ff83e4cc60e4632ec7ff6d509.exe

Filesize
1.2MB

MD5
fdcad658df089f20b1d760673045c5e0

SHA1
7ab5442ffb96cc9c60044e7a88bdb5843aa5acc9

SHA256
2d2d96c90922dd755b9302dac058083a26c5ea7ff83e4cc60e4632ec7ff6d509

SHA512
de83e9aa6ff7d533cbb7db4e9dc8cbc613ec809a1578928daff2df21052478b319f4255e68d93423384b0a4e9c303c78c60e1aea23608caa08d10328b596215c

Download Submit
C:\Users\Admin\Desktop\00355\Trojan-Ransom.MSIL.Trucry.a-623fdfb190b9cd0a1d8729842efd1edf41aec13dda70e447a69b7f94921a0f88.exe

Filesize
527KB

MD5
548bbee5bde54f123e7f3704a3a9116a

SHA1
7236dc5821b1e9fcde0a227de57f928af5f7edb5

SHA256
623fdfb190b9cd0a1d8729842efd1edf41aec13dda70e447a69b7f94921a0f88

SHA512
bf113c90707d38fcbb6ecd0b33cbb564d0c15c37970e293ce2d1f7b8541fb823b3380e02a8c5c5064ee830ef35c9f228f9cd705e22f7651c5ad73b4b5ac3ecca

Download Submit
C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Blocker.bmiu-1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640.exe

Filesize
467KB

MD5
65351f545b074550861b9f468f9845bc

SHA1
65391f1f99b478a5c41004ca8fb001f59913b7b2

SHA256
1f3e404ee83daa5c4344ece1cb4f9ef317822ed620af3bda636c626bf7457640

SHA512
b0303babd348cc47a0df5c9ad48b454098ffe8ae83de21727a22f859c8be35e09f48fb252c215568b2d9dc5563b60d5f7f900be662612ee1db6ecdd87494dd2f

Download Submit
C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Blocker.jfgj-004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef.exe

Filesize
100KB

MD5
a0fed8de59e6f6ce77da7788faef5489

SHA1
96ebbf821f37dc2dcebc177fc3a6c17b3171aab3

SHA256
004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef

SHA512
e30357077ba4d61aadf9929c75f74d86898aa17564fd8f40c4f00db6103cd331c619352be4101edfbb89423d20e4f572104684637024303e914e943caee26f8b

Download Submit
C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Blocker.lmdb-eaef59857753bb4eb4773b26aa1cc4b16123bcf00a58fffc07984dd5fcd6d0f8.exe

Filesize
4.9MB

MD5
b4c89d785ec0c8bc3518d90a09278bcd

SHA1
9069ad79db35aefe9fc4465c945e8064181d3ea2

SHA256
eaef59857753bb4eb4773b26aa1cc4b16123bcf00a58fffc07984dd5fcd6d0f8

SHA512
3d48b0b31df0052ad983490043372b34408c5b066050867451c786dc93644a984f210084eeaed599ab95dad380f133de43e9e13e619c6f0e61e7805eb9450a0f

Download Submit
C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Ducry.i-26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe.exe

Filesize
138KB

MD5
410e395600c291c59d8c9b93fa82a7f3

SHA1
2e385e8b8ceb01c9e638f8a95889b571d31aef41

SHA256
26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe

SHA512
dbd819999d7eaf436ca2bd157c41232663f9cf7a551aa39d9cd319c79d7a02e2d5c803c19df5b4deb0e44cb7300b496942ecb7378b282c6aa86f0c9800883597

Download Submit
C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.GandCrypt.hci-3304a82bd6c7344961704f277ee66eaddbe032e09b169957ca688a8d8980d721.exe

Filesize
384KB

MD5
9aed314752d4d8f8abfca4a77b882d15

SHA1
730a83cacf7b369289e6f29e9fcdf8d4106e84ee

SHA256
3304a82bd6c7344961704f277ee66eaddbe032e09b169957ca688a8d8980d721

SHA512
1a7e748021bf768343409950fd8069d873b3fa4891580a7c51ade76430fa33be728bb0580c989bd1f8d478d360b35172dd6430bf007d1dd8cfd80b0668f9c945

Download Submit
C:\Users\Admin\Desktop\00355\Trojan-Ransom.Win32.Zerber.fyp-463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19.exe

Filesize
173KB

MD5
22423f9f8780ff7a0fd2c938490396dd

SHA1
09a64c9caa47ed342ab7b9bfd821cc849770d730

SHA256
463916ebd9d85a3f7ac0c122a30d7bb835d3e2bac25d450dcab63cf478569a19

SHA512
92920194376aed3eabc720170f8f620d2a6c24a9ba1cc6dfa44c76d10ac8e72903a8599a3cff9c4363be3c4560148669da392c1e0f32fb410a74244f00944fb4

Download Submit
C:\Users\Admin\Favorites\链接\京东商城.url

Filesize
60B

MD5
fabd754a3ed4bb8e2fe263b4d780ee89

SHA1
627f57831a6cfc7576ec92046bb1b19d09e3df84

SHA256
b46a292e886d9b6c5c937d8319c4c8b9fa2f6316134229b2d4b185aa9544c1b2

SHA512
57cb82bfaf51606e66cbae7a86c03ca7047959c9c7af131e9c59441238bcfecfdba83f2c4b4666608411dda6eec97654ff4823e952ca8bce22b778699cba0279

Download Submit
C:\Users\Admin\Favorites\链接\免费电影.url

Filesize
60B

MD5
c20c386316d7bef8ec64920735e9153d

SHA1
db26bf71fb1f2950f2c2191c98c753eac5b88b32

SHA256
f33b2d84459a923b8ee0c101bd5172b8e53655b029714282870694ac3fd409ec

SHA512
e6362df8900f16f6fd05b23c445a5ec9424eba32e9f8628dbf25123ae4e381dd162495a930717f4ad084c813f9970fbd1789639ec73417e6287dcef01d28a639

Download Submit
C:\Users\Admin\Favorites\链接\天猫精选.url

Filesize
57B

MD5
ea6f231305e505d62f414dce169ac4fa

SHA1
efddd0816f171105ca82226ad536c03bdaff1f3b

SHA256
37ccf6c48420119785997aa53e9a33d7fea78721cf5996facfca87fed63d11be

SHA512
77394449b57930e317a4e8156a69360b6d3c3886471704f90f6c8addbc61e7ce12a6594bbea19232794efd35a328db4e51b4b9c6dec3764ee4056b0b0e29e7be

Download Submit
C:\Users\Admin\Favorites\链接\小游戏.url

Filesize
61B

MD5
c1db7b8fb9b6e0f0c9d8043bfb411baf

SHA1
05ea5f4443ed2f9a886cce77995b06bd76e661ef

SHA256
4fecd55a254ebaeb8528ef95eb43620db72234fd52a9d50133d2977883ff8fdc

SHA512
2ddccce33f4332bc5811caa50e3450a93a846c8b1e2b018d3d77dfe775e87956710d662ff5458ebb9a99ed51cbc9e47170e5b54617e7e0311a82041c818ff8fa

Download Submit
C:\Users\Admin\Favorites\链接\淘宝网.url

Filesize
58B

MD5
cd26c10a577394ac5449524773dd6510

SHA1
eac3572740729ad0143649f0940f2a4276cb7142

SHA256
905bb2fee6539a0000ed7ce18d405ea97511b2e9058ce914f9cd5fa7fd1344e5

SHA512
cce9a4c691185018e447949958d14ac563f5ea700c3ab29a47c659fe50538d623d9541c787fb465f44e09d0a2c6f21cdf6f4313847bdae945e8b8d5c69314dec

Download Submit
C:\Users\Admin\Favorites\链接\游戏加速.url

Filesize
56B

MD5
53acf2abdcf2e30a8b8ba7df1a19744d

SHA1
d7bfcb1f88373dfe3f77d0a31d911ca87660b4a9

SHA256
f912693a9427fadf3062cd485ad2868f1d2567ea393bbefb32baa82fe34a4a8a

SHA512
f305d0adbe41764152d69e9a01981ef285223113a368a65e9aa4a23cf429c41e3c70998b319d0c35bd8d3cf186a6f3a3d2e35b6e74a00cdfa7c393e0d49ddf31

Download Submit
C:\Users\Admin\Favorites\链接\百度一下.url

Filesize
57B

MD5
dc12b73ccd8ad0da79868f6a7dde1f6d

SHA1
7e7645b4f540502760909fb90a2f009d4fb7c9d1

SHA256
752abcb190450138f822e667b629f7f714656ddfafbec56bb6a88554b8d7dccd

SHA512
6ff5810705c9a2e92155fc98f7a5ec100f8ed5a6a74268494dacc147d746665c2b2d97c9d9869faaf2bae9980c48f257fc796824c44c314ef0925a1bfd5fcf9f

Download Submit
C:\Users\Admin\Favorites\链接\网址导航.url

Filesize
58B

MD5
0f082c2a914de48f81a31ffd6b75fa85

SHA1
9fc01c51cb043bba09cef97227e82ec470190574

SHA256
a102eef4af0e7dfb291c205ff25c435793b4a23705348d526fb41e468a21ff3f

SHA512
51663c6d512f72f4ecba319e1dfeee296d428c44a7896d5a01b84a0c59c19da01ccef136a5ad73fee59d238bb6294fa96f7125612e4ac87e6a6e7b6f017d3243

Download Submit
C:\Users\Admin\Favorites\链接\网页游戏.url

Filesize
57B

MD5
a09d91efd8c54f9bee7e86d8e953f879

SHA1
f3c989a6649e52091e9b23f7e3ad739acd956d39

SHA256
917d66cbb186b297b25932babf72d69201e724ded9cf57785d8255acec6ff40b

SHA512
310d4f00c5260e8c111e2e7ccbfc55b0368df5005345da580f538b730770bea49a314f5f37193d56b40c29e83ac85a3c5b6194a2b4126a73b6286b3909509aa7

Download Submit
C:\Users\Admin\Favorites\链接\美女图片.url

Filesize
57B

MD5
477c06613d40a0fcbfd7a4bc2b9701a8

SHA1
c3d617abf87e33cf007bfdd21d98717a6439171d

SHA256
d5fef612bcd29c6b20b23920741e0168e3af775a822b0ee8ff9dfa105a4258f0

SHA512
30e3e557e538778de4c8e97fa19ffbf9dbf5cde53fc205b414776a92e26424e9f0be970f24c33d65b3b10d1cac014d21dfcf2bcadbb38067541c0549c17bdc0e

Download Submit
\Program Files (x86)\9gfx\1766.exe

Filesize
268KB

MD5
f1289c1d1b28a4bffb5ee6b5e3cba48e

SHA1
a8dbee6506521ff93ff9b40761aefdb8f81cb5c3

SHA256
dde37665c1c564eb768b20fba865976754ecb4b5f393bf714d058c85fea74bb5

SHA512
95a2e3bcbbc747574be95e60e25727b054cdc69f2c66a53248470403feaa0e9c9fdac399adf9626138260f6dd7aea781fa232734488759a66dc8a0ed19eda2da

Download Submit
\Program Files (x86)\9gfx\Uninstall.exe

Filesize
56KB

MD5
a733e9241c4f3cf12d646e41ef154730

SHA1
0fe254078e8ef161ad462f26d5d6c1266a9f1364

SHA256
78a219bdf1e7016896c270ca28324695d903ef2d75ad53602d24447693079426

SHA512
cb47a67152b6654f83cbf0cc602b0a351a0758cf4beb58d6a23d007cdfbc1409eba94f922eab305cdaf357826c0a295fb4d3905789732a14714151d7f39f48de

Download Submit
memory/1016-269-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1052-290-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1052-128-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1648-133-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1772-1296-0x0000000001240000-0x0000000001C51000-memory.dmp

Filesize
10.1MB

Download
memory/1772-1194-0x0000000001240000-0x0000000001C51000-memory.dmp

Filesize
10.1MB

Download
memory/1772-1283-0x0000000001240000-0x0000000001C51000-memory.dmp

Filesize
10.1MB

Download
memory/1772-1289-0x0000000001240000-0x0000000001C51000-memory.dmp

Filesize
10.1MB

Download
memory/1868-514-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1868-1273-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1868-287-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1868-1298-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1984-572-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/1984-577-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/1984-1297-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/1984-770-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/1984-1244-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/1984-462-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/1984-1327-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/2256-259-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2256-238-0x00000000008B0000-0x0000000000967000-memory.dmp

Filesize
732KB

Download
memory/2256-234-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2324-331-0x0000000000340000-0x0000000000372000-memory.dmp

Filesize
200KB

Download
memory/2324-369-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2324-136-0x0000000000F00000-0x0000000000FCE000-memory.dmp

Filesize
824KB

Download
memory/2392-141-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2456-289-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2456-266-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2544-253-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2544-118-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2544-233-0x00000000032E0000-0x0000000003397000-memory.dmp

Filesize
732KB

Download
memory/2604-295-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2604-300-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2604-294-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2604-297-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2604-296-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2604-299-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2608-501-0x0000000001210000-0x0000000001C21000-memory.dmp

Filesize
10.1MB

Download
memory/2608-603-0x0000000001210000-0x0000000001C21000-memory.dmp

Filesize
10.1MB

Download
memory/2608-573-0x0000000001210000-0x0000000001C21000-memory.dmp

Filesize
10.1MB

Download
memory/2648-22-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2648-23-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2704-1325-0x00000000012F0000-0x0000000001D01000-memory.dmp

Filesize
10.1MB

Download
memory/2820-113-0x0000000003080000-0x0000000003137000-memory.dmp

Filesize
732KB

Download
memory/2820-101-0x0000000003070000-0x0000000003086000-memory.dmp

Filesize
88KB

Download
memory/2820-100-0x0000000003070000-0x0000000003086000-memory.dmp

Filesize
88KB

Download
memory/2820-114-0x0000000003080000-0x0000000003137000-memory.dmp

Filesize
732KB

Download
memory/2820-112-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2824-292-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2824-275-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-1326-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/2880-1366-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/2880-592-0x0000000005FF0000-0x0000000006A01000-memory.dmp

Filesize
10.1MB

Download
memory/2880-529-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/2880-489-0x0000000005FF0000-0x0000000006A01000-memory.dmp

Filesize
10.1MB

Download
memory/2880-481-0x0000000005FF0000-0x0000000006A01000-memory.dmp

Filesize
10.1MB

Download
memory/2880-1185-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/2880-402-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/2880-1282-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/2880-598-0x0000000005FF0000-0x0000000006A01000-memory.dmp

Filesize
10.1MB

Download
memory/2880-1184-0x0000000008F70000-0x0000000009981000-memory.dmp

Filesize
10.1MB

Download
memory/2880-1287-0x0000000008F70000-0x0000000009981000-memory.dmp

Filesize
10.1MB

Download
memory/2880-248-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/2880-1285-0x0000000008F70000-0x0000000009981000-memory.dmp

Filesize
10.1MB

Download
memory/2880-1136-0x0000000008F70000-0x0000000009981000-memory.dmp

Filesize
10.1MB

Download
memory/2880-714-0x0000000000DB0000-0x00000000017C1000-memory.dmp

Filesize
10.1MB

Download
memory/2952-286-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2988-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2988-102-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download