Analysis
max time kernel: 239s
max time network: 238s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-11-2024 19:37
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00354.7z
Resource: win7-20240903-en
General
Target: RNSM00354.7z
Size: 6.8MB
MD5: 00d2c7493d9c514fe2a9c0d8b87d1484
SHA1: f6b63772a282555c675fca567f6af3a83f2d4df6
SHA256: 2d0d54a8f9c47e533b57d6ef8abe888a55d9640864bf1177be681681fd5b7201
SHA512: 45aa77f6e9ab24711d3445c97729174d0f364f79a505a4f5d5aed7153a39c1d36504acc7fd9228e284572440b6768dd3280ddbd26864568ede316a0e0554c4a0
SSDEEP: 196608:euIhlBI9Bcp/mHqCMUcQnBkLie+ca5Xs621X0BrWMmP10J0wiJ9PdQbp:tIHG9BcuqRUciB6dV621oDm10JJIVQl
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: MEGworld.,
Extracted
C:\$Recycle.Bin\SGTSNWVI-DECRYPT.txt
http://gandcrabmfe6mnef.onion/eac637f08eba8546
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: mrz.myvnc.com:1177
Mutex: f7d73a561f889dd49782785d2334f155
reg_key: f7d73a561f889dd49782785d2334f155
splitter: |'|'|
Signatures
Formbook family
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Gandcrab family
Hawkeye family
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\jPwlD0RFI9aszUVN\\BPmKH1MbIXJ6.exe\",explorer.exe" | Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\jPwlD0RFI9aszUVN\\ogonOs6VvoZV.exe\",explorer.exe" | nvtray86.exe
Njrat family
Troldesh family
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
Renames multiple (271) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | NETSTAT.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XJOLJXXXXZCL = "C:\\Program Files (x86)\\Pmv1lgp\\helpyvntivh0.exe" | NETSTAT.EXE
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 31 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
(this identical entry is repeated 31 times in the report)
Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | process
1004 | netsh.exe
Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\locksys\ImagePath = "\\??\\C:\\Program Files\\Common Files\\System\\uiprotect.sys" | explorer.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
Credentials from Password Stores: Windows Credential Manager (1 TTP)
Suspicious access to Credentials History.
Drops startup file (4 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\SGTSNWVI-DECRYPT.txt | HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\8eba82ab8eba854b11.lock | HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7d73a561f889dd49782785d2334f155.exe | nvtray86.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7d73a561f889dd49782785d2334f155.exe | nvtray86.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (34 IoCs)
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
Loads dropped DLL (44 IoCs)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom = "C:\\Users\\Admin\\Desktop\\00354\\Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe" | Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\38B42D9B3E8345F487893\\38B42D9B3E8345F487893.exe" | HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | Trojan-Ransom.Win32.Shade.pko-8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DefenderSecurityUpdate.exe = "\"C:\\Users\\Admin\\Desktop\\00354\\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe\" .." | HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DefenderSecurityUpdate.exe = "\"C:\\Users\\Admin\\Desktop\\00354\\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe\" .." | HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\f7d73a561f889dd49782785d2334f155 = "\"C:\\Users\\Admin\\AppData\\Roaming\\nvtray86.exe\" .." | nvtray86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f7d73a561f889dd49782785d2334f155 = "\"C:\\Users\\Admin\\AppData\\Roaming\\nvtray86.exe\" .." | nvtray86.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\syshon = "C:\\Users\\Admin\\AppData\\Local\\sysmodes.exe -boot" | sysmodes.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
12 | whatismyipaddress.com
14 | whatismyipaddress.com
15 | whatismyipaddress.com
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | process
2644 | Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
Suspicious use of SetThreadContext (14 IoCs)
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 2 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | process
File opened (read-only) | \??\VBoxMiniRdrDN | nvtray86.exe
File opened (read-only) | \??\VBoxMiniRdrDN | Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 54 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 988 PING.EXE -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Trojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Trojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Trojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exe
-
Gathers network information 2 TTPs 1 IoCs
Uses a command-line utility to view the network configuration.
pid Process 3084 NETSTAT.EXE -
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" 38B42D9B3E8345F487893.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" 38B42D9B3E8345F487893.exe -
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" 38B42D9B3E8345F487893.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" explorer.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main explorer.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch explorer.exe
Key created \Registry\User\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 NETSTAT.EXE
-
Modifies registry class 64 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 988 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
1040 schtasks.exe
3812 schtasks.exe
3324 schtasks.exe
3568 schtasks.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 13 IoCs
pid Process
2836 HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe
2792 HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
2852 HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
1736 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exe
2352 HEUR-Trojan-Ransom.Win32.Generic-a7a15cfa6e622c2bb9f59ed1801f481dfaf2bd52dfdb10f94dcf58f546e9dae1.exe
2824 HEUR-Trojan-Ransom.Win32.Shade.gen-748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b.exe
2816 Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe
1128 Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
1268 Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe
2452 Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe
2704 Trojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exe
2644 Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
2964 Trojan-Ransom.Win32.Shade.pko-8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process
2980 7zFM.exe
888 taskmgr.exe
2664 explorer.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2664 explorer.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 3860 sysmodes.exe 3860 sysmodes.exe 3860 sysmodes.exe 3860 sysmodes.exe 3084 NETSTAT.EXE 3084 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 2980 7zFM.exe Token: 35 2980 7zFM.exe Token: SeSecurityPrivilege 2980 7zFM.exe Token: SeSecurityPrivilege 2980 7zFM.exe Token: SeDebugPrivilege 888 taskmgr.exe Token: SeDebugPrivilege 2836 HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe Token: 33 2836 HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe Token: SeIncBasePriorityPrivilege 2836 HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe Token: SeDebugPrivilege 2792 HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe Token: 33 2792 HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe Token: SeIncBasePriorityPrivilege 2792 HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe Token: SeDebugPrivilege 1128 Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe Token: 33 1128 Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe Token: SeIncBasePriorityPrivilege 1128 Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe Token: SeDebugPrivilege 1128 Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 292 explorer.exe Token: SeShutdownPrivilege 292 explorer.exe Token: 
SeShutdownPrivilege 292 explorer.exe Token: SeShutdownPrivilege 292 explorer.exe Token: SeShutdownPrivilege 292 explorer.exe Token: SeShutdownPrivilege 292 explorer.exe Token: SeShutdownPrivilege 292 explorer.exe Token: SeShutdownPrivilege 292 explorer.exe Token: SeShutdownPrivilege 292 explorer.exe Token: SeShutdownPrivilege 292 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeShutdownPrivilege 1860 explorer.exe Token: SeIncreaseQuotaPrivilege 2240 wmic.exe Token: SeSecurityPrivilege 2240 wmic.exe Token: SeTakeOwnershipPrivilege 2240 wmic.exe Token: SeLoadDriverPrivilege 2240 wmic.exe Token: SeSystemProfilePrivilege 2240 wmic.exe Token: SeSystemtimePrivilege 2240 wmic.exe Token: SeProfSingleProcessPrivilege 2240 wmic.exe Token: SeIncBasePriorityPrivilege 2240 wmic.exe Token: SeCreatePagefilePrivilege 2240 wmic.exe Token: SeBackupPrivilege 2240 wmic.exe Token: SeRestorePrivilege 2240 wmic.exe Token: SeShutdownPrivilege 2240 wmic.exe Token: SeDebugPrivilege 2240 wmic.exe Token: SeSystemEnvironmentPrivilege 2240 wmic.exe Token: SeRemoteShutdownPrivilege 2240 wmic.exe Token: SeUndockPrivilege 2240 wmic.exe Token: SeManageVolumePrivilege 2240 wmic.exe Token: 33 2240 wmic.exe Token: 34 2240 wmic.exe Token: 35 2240 wmic.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2980 7zFM.exe 2980 7zFM.exe 2980 7zFM.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 2672 explorer.exe 2672 explorer.exe 888 taskmgr.exe 888 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 2672 explorer.exe 888 taskmgr.exe 2672 explorer.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe 888 taskmgr.exe -
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process 1268 Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe 760 Windows Update.exe 2336 Windows Update.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe 2664 explorer.exe -
Suspicious use of UnmapMainImage 5 IoCs
pid Process 2964 Trojan-Ransom.Win32.Shade.pko-8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6.exe 2824 HEUR-Trojan-Ransom.Win32.Shade.gen-748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b.exe 2452 Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe 1584 Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe 2336 Windows Update.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1280 wrote to memory of 2836 1280 cmd.exe 37 PID 1280 wrote to memory of 2836 1280 cmd.exe 37 PID 1280 wrote to memory of 2836 1280 cmd.exe 37 PID 1280 wrote to memory of 2836 1280 cmd.exe 37 PID 1280 wrote to memory of 2792 1280 cmd.exe 38 PID 1280 wrote to memory of 2792 1280 cmd.exe 38 PID 1280 wrote to memory of 2792 1280 cmd.exe 38 PID 1280 wrote to memory of 2792 1280 cmd.exe 38 PID 1280 wrote to memory of 2852 1280 cmd.exe 39 PID 1280 wrote to memory of 2852 1280 cmd.exe 39 PID 1280 wrote to memory of 2852 1280 cmd.exe 39 PID 1280 wrote to memory of 2852 1280 cmd.exe 39 PID 1280 wrote to memory of 1736 1280 cmd.exe 40 PID 1280 wrote to memory of 1736 1280 cmd.exe 40 PID 1280 wrote to memory of 1736 1280 cmd.exe 40 PID 1280 wrote to memory of 1736 1280 cmd.exe 40 PID 1280 wrote to memory of 2352 1280 cmd.exe 41 PID 1280 wrote to memory of 2352 1280 cmd.exe 41 PID 1280 wrote to memory of 2352 1280 cmd.exe 41 PID 1280 wrote to memory of 2352 1280 cmd.exe 41 PID 1280 wrote to memory of 2824 1280 cmd.exe 42 PID 1280 wrote to memory of 2824 1280 cmd.exe 42 PID 1280 wrote to memory of 2824 1280 cmd.exe 42 PID 1280 wrote to memory of 2824 1280 cmd.exe 42 PID 1280 wrote to memory of 2816 1280 cmd.exe 43 PID 1280 wrote to memory of 2816 1280 cmd.exe 43 PID 1280 wrote to memory of 2816 1280 cmd.exe 43 PID 1280 wrote to memory of 2816 1280 cmd.exe 43 PID 1280 wrote to memory of 1128 1280 cmd.exe 44 PID 1280 wrote to memory of 1128 1280 cmd.exe 44 PID 1280 wrote to memory of 1128 1280 cmd.exe 44 PID 1280 wrote to memory of 1128 1280 cmd.exe 44 PID 1280 wrote to memory of 1268 1280 cmd.exe 45 PID 1280 wrote to memory of 1268 1280 cmd.exe 45 PID 1280 wrote to memory of 1268 1280 cmd.exe 45 PID 1280 wrote to memory of 1268 1280 cmd.exe 45 PID 1280 wrote to memory of 2452 1280 cmd.exe 46 PID 1280 wrote to memory of 2452 1280 cmd.exe 46 PID 1280 wrote to memory of 2452 1280 cmd.exe 46 PID 1280 wrote to memory of 2452 1280 cmd.exe 46 
PID 1280 wrote to memory of 2704 1280 cmd.exe 47 PID 1280 wrote to memory of 2704 1280 cmd.exe 47 PID 1280 wrote to memory of 2704 1280 cmd.exe 47 PID 1280 wrote to memory of 2704 1280 cmd.exe 47 PID 1280 wrote to memory of 2644 1280 cmd.exe 48 PID 1280 wrote to memory of 2644 1280 cmd.exe 48 PID 1280 wrote to memory of 2644 1280 cmd.exe 48 PID 1280 wrote to memory of 2644 1280 cmd.exe 48 PID 1280 wrote to memory of 2964 1280 cmd.exe 49 PID 1280 wrote to memory of 2964 1280 cmd.exe 49 PID 1280 wrote to memory of 2964 1280 cmd.exe 49 PID 1280 wrote to memory of 2964 1280 cmd.exe 49 PID 1736 wrote to memory of 1132 1736 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exe 50 PID 1736 wrote to memory of 1132 1736 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exe 50 PID 1736 wrote to memory of 1132 1736 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exe 50 PID 1736 wrote to memory of 1132 1736 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exe 50 PID 2816 wrote to memory of 2672 2816 Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe 52 PID 2816 wrote to memory of 2672 2816 Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe 52 PID 2816 wrote to memory of 2672 2816 Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe 52 PID 2816 wrote to memory of 2672 2816 Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe 52 PID 2816 wrote to memory of 2828 2816 Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe 53 PID 2816 wrote to memory of 2828 2816 
Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe 53 PID 2816 wrote to memory of 2828 2816 Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe 53 PID 2816 wrote to memory of 2828 2816 Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe 53 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00354.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2980
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:888
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2836 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe" "C:\Users\Admin\AppData\Local\sysmodes.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2644
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\sysmodes.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Users\Admin\AppData\Local\sysmodes.exe"C:\Users\Admin\AppData\Local\sysmodes.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Users\Admin\AppData\Local\sysmodes.exe"C:\Users\Admin\AppData\Local\sysmodes.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3860
-
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2792 -
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:988 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F4⤵
- System Location Discovery: System Language Discovery
PID:1268
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe" /sc minute /mo 14⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe2⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
PID:2852 -
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Users\Admin\AppData\Roaming\38B42D9B3E8345F487893\38B42D9B3E8345F487893.exe"C:\Users\Admin\AppData\Roaming\38B42D9B3E8345F487893\38B42D9B3E8345F487893.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:1132
-
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Generic-a7a15cfa6e622c2bb9f59ed1801f481dfaf2bd52dfdb10f94dcf58f546e9dae1.exeHEUR-Trojan-Ransom.Win32.Generic-a7a15cfa6e622c2bb9f59ed1801f481dfaf2bd52dfdb10f94dcf58f546e9dae1.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
PID:2352
-
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Shade.gen-748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b.exeHEUR-Trojan-Ransom.Win32.Shade.gen-748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of UnmapMainImage
PID:2824
-
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exeTrojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\windows\explorer.exe"C:\windows\explorer.exe"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2672
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\Desktop\00354\unit.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\PING.EXEping -n 0.5 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:988
-
C:\Windows\SysWOW64\net.exenet user administrator /active:yes4⤵
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user administrator /active:yes5⤵
- System Location Discovery: System Language Discovery
PID:2520
-
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exeTrojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1128 -
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe"C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe"3⤵
- Executes dropped EXE
PID:832
-
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe"C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe"3⤵
- Executes dropped EXE
PID:1480
-
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe"C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:860 -
C:\Users\Admin\AppData\Roaming\nvtray86.exe"C:\Users\Admin\AppData\Roaming\nvtray86.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Users\Admin\AppData\Roaming\nvtray86.exe"C:\Users\Admin\AppData\Roaming\nvtray86.exe"5⤵
- Executes dropped EXE
PID:1512
-
C:\Users\Admin\AppData\Roaming\nvtray86.exe"C:\Users\Admin\AppData\Roaming\nvtray86.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1144 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\nvtray86.exe" "nvtray86.exe" ENABLE6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1004
-
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exeTrojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:1268 -
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exerojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:1584 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:760 -
C:\Users\Admin\AppData\Roaming\Windows Update.exeC:\Users\Admin\AppData\Roaming\Windows Update.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:2336 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"6⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2952
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"6⤵
- System Location Discovery: System Language Discovery
PID:2192
-
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exeTrojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of UnmapMainImage
PID:2452 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵PID:576
-
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exeTrojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2704
-
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exeTrojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2644
-
C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Shade.pko-8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6.exeTrojan-Ransom.Win32.Shade.pko-8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of UnmapMainImage
PID:2964
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:292
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:1848
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2752
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:2708
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2284
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:2020
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:1788
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:1420
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:1072
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:1992
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2788
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2764 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SGTSNWVI-DECRYPT.txt2⤵PID:2236
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:2508
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:3020
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:1364
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:2424
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:1472
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:1736
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:2748
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:1148
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:2216
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
PID:3016
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2388
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:2600
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:1888
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
PID:1552
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:1600
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2008 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:1476
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:600
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:2664 -
C:\Program Files\Windows Sidebar\sidebar.exe"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets2⤵PID:2532
-
C:\Windows\SysWOW64\sort.exeC:\Windows\SysWOW64\sort.exe2⤵
- System Location Discovery: System Language Discovery
PID:1080
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\SGTSNWVI-DECRYPT.txt2⤵PID:4052
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
PID:3084 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\sysmodes.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2768
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵PID:3596
-
C:\Program Files (x86)\Pmv1lgp\helpyvntivh0.exe"C:\Program Files (x86)\Pmv1lgp\helpyvntivh0.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Program Files (x86)\Pmv1lgp\helpyvntivh0.exe" "C:\Users\Admin\AppData\Local\sysmodes.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1752
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\sysmodes.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Users\Admin\AppData\Local\sysmodes.exe"C:\Users\Admin\AppData\Local\sysmodes.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3704
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {71AE53FA-7CBF-49D3-9F60-4D985392A4F0} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]1⤵PID:2176
-
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exeC:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3216 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F4⤵
- System Location Discovery: System Language Discovery
PID:3780
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe" /sc minute /mo 14⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3812
-
-
-
-
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exeC:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F4⤵
- System Location Discovery: System Language Discovery
PID:4012
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe" /sc minute /mo 14⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3324
-
-
-
-
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exeC:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:544 -
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F4⤵
- System Location Discovery: System Language Discovery
PID:3528
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe" /sc minute /mo 14⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3568
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:2884
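Two persistence idioms in the tree above are worth turning into detections rather than reading off by hand: the Crypmod sample runs `schtasks /Delete /tn NYAN /F` and then `schtasks /create /tn NYAN /tr "<its own path>" /sc minute /mo 1`, a watchdog that relaunches it every minute (the same pair appears under three separate Crypmod instances), and the Pmv1lgp payload relocates itself with `cmd /c copy` into `C:\Users\Admin\AppData\Local\sysmodes.exe`, runs the copy, and a later `cmd /c del` spawned from NETSTAT.EXE (itself flagged with SetThreadContext and MapViewOfSection) removes it. The Python below is an added example, not part of the sandbox report or of Triage's own tooling: it parses the tree in the fused `path<command line><depth>⤵` shape that the text export produces, rebuilds parent links from the depth digit, and applies both rules. The sample input is constructed from command lines shown above; the regular expressions, the rule names and the "every 5 minutes or less" threshold are this example's assumptions.

```python
"""Parse a flattened Triage-style process tree and flag two persistence idioms visible in it.
Added example (not the report's or Triage's own code): the regexes, rule names and the
"every <= 5 minutes" threshold are assumptions; SAMPLE_TREE is constructed from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The text export fused "path", "command line" and "depth⤵" into one line. The depth is
# read as one trailing digit so that "/mo 1" + depth 4 is not parsed as "/mo 14".
NODE_RE = re.compile(r"^(?P<path>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵$", re.IGNORECASE)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
SCHTASKS_OPT = re.compile(r'/(?P<key>tn|tr|sc|mo)\s+(?P<val>"[^"]*"|\S+)', re.IGNORECASE)
COPY_RE = re.compile(r'\bcopy\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"', re.IGNORECASE)
DEL_RE = re.compile(r'\bdel\s+"(?P<target>[^"]+)"', re.IGNORECASE)


@dataclass
class Node:
    depth: int
    path: str
    cmdline: str
    pid: int | None = None
    parent: Node | None = None


def parse_tree(text: str) -> list[Node]:
    """Rebuild parent links from the depth digit and attach the PID line that follows a node."""
    nodes: list[Node] = []
    stack: list[Node] = []  # stack[d - 1] is the most recent node seen at depth d
    for raw in text.splitlines():
        line = raw.strip()
        if m := NODE_RE.match(line):
            depth = int(m["depth"])
            del stack[depth - 1:]  # close deeper (and equal-depth) branches
            node = Node(depth, m["path"], m["cmd"].strip(), parent=stack[-1] if stack else None)
            stack.append(node)
            nodes.append(node)
        elif nodes and (m := PID_RE.match(line)):
            nodes[-1].pid = int(m["pid"])
    return nodes


def scheduled_task_persistence(nodes: list[Node]) -> list[dict]:
    """schtasks /create calls, marking delete-then-recreate pairs and tight minute schedules."""
    findings, deleted = [], set()
    for n in nodes:
        if "schtasks" not in n.path.lower():
            continue
        args = {m["key"].lower(): m["val"].strip('"') for m in SCHTASKS_OPT.finditer(n.cmdline)}
        name, low, mo = args.get("tn", ""), n.cmdline.lower(), args.get("mo", "1")
        if "/delete" in low:
            deleted.add(name.lower())
        elif "/create" in low:
            findings.append({
                "task": name,
                "target": args.get("tr", ""),
                "schedule": f"{args.get('sc', '?').lower()}/{mo}",
                "recreated": name.lower() in deleted,  # /Delete then /create refreshes the task
                # relaunching the payload every few minutes is a watchdog, not a scheduled job
                "minute_loop": args.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5,
                "creator_pid": n.parent.pid if n.parent else None,
            })
    return findings


def copy_run_delete(nodes: list[Node]) -> list[str]:
    """Paths that were copied into place, executed as a process, and later removed with cmd /c del."""
    copied, executed, deleted = {}, set(), set()
    for n in nodes:
        executed.add(n.path.lower())
        if m := COPY_RE.search(n.cmdline):
            copied[m["dst"].lower()] = m["dst"]
        if m := DEL_RE.search(n.cmdline):
            deleted.add(m["target"].lower())
    return sorted(copied[p] for p in copied if p in executed and p in deleted)


# Constructed sample: a subset of the report's process-tree lines in the fused export shape.
SAMPLE_TREE = r"""
C:\Windows\explorer.exeexplorer.exe1⤵
PID:2664 -
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
PID:3084 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\sysmodes.exe"3⤵
C:\Program Files (x86)\Pmv1lgp\helpyvntivh0.exe"C:\Program Files (x86)\Pmv1lgp\helpyvntivh0.exe"2⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Program Files (x86)\Pmv1lgp\helpyvntivh0.exe" "C:\Users\Admin\AppData\Local\sysmodes.exe"3⤵
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\sysmodes.exe"3⤵
C:\Users\Admin\AppData\Local\sysmodes.exe"C:\Users\Admin\AppData\Local\sysmodes.exe"4⤵
PID:3704
C:\Windows\system32\taskeng.exetaskeng.exe {71AE53FA-7CBF-49D3-9F60-4D985392A4F0} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]1⤵
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exeC:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe2⤵
C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"3⤵
PID:3216 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F4⤵
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe" /sc minute /mo 14⤵
PID:3812
"""
```

Two caveats a practitioner should keep in mind. The depth digit is glued to the end of the command line, so a command line that itself ends in a digit is ambiguous; taking exactly one trailing digit is correct for trees shallower than ten levels and resolves the `/mo 1` + depth 4 case here, but it would misparse a deeper tree. Parent links are reconstructed from order alone (a node at depth d hangs off the most recent node at depth d-1), which matches how the export lists children directly under their parent; feeding it lines from two different reports concatenated together would produce wrong links.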
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
- Command and Scripting Interpreter (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (9)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Peripheral Device Discovery (2)
- Query Registry (8)
- Remote System Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads
- Filesize: 8KB
  MD5: 29e135c9253f36bdfbf470486c3aa1ab
  SHA1: 2a034928f1af253fb29771fac990972f17fa998a
  SHA256: c2e7388540f0a445e87d39c42112c9affec1b10df54206798ec7a772933ce2f2
  SHA512: 0e1b51eb230c9c6070dd015026fa80ae16e141b80c1cc3c61011c7d4dac2a045706f0b146a47c74dfdef0e0ddca546b9c345e6d57a3c5c448c0a7aa6d9eec661
- Filesize: 631KB
  MD5: 3240d73d8fbcd35eaf18e86adacd24e0
  SHA1: 6a36a22652aa17a2fc9e47a97ebb15187695215c
  SHA256: 9666bc0693c13514a763f8dccc854facef07154e28e64f5711b84e92ee1546c9
  SHA512: 004a703632e46abfe722c64d72d1f3c8fb83ce3b08b296a4eed7a51db71bb8f6f1cd54d3090b57c6272e0d0e0ab5b5e9fcce62e2c5165381f09d4d2a07ff8a8a
- Filesize: 207KB
  MD5: 84ce62cc88285d109c3ae0f4a12f04ed
  SHA1: 7aeef48a71a179a37d449642b0dae8c006e0054e
  SHA256: 68996c046372147c1e05869fc5478c391b41b243dd0beca564c863153371459b
  SHA512: 107974d9a500bdda4bfd17dbd44430c1d72f4f965b08874dceeefc66cc23f654d6e36f2920f4a47110edc4886cca6fa2aebc1f2e5fa125ad9e1f411f856ea4d7
- Filesize: 1KB
  MD5: 448279ebaf402d8cb8f466fdef5312f7
  SHA1: 54760754cf2bc536a106354afd1eea35259a6d09
  SHA256: c38513e8e6d5506913478c828f8ed1d82df18bd99ae5d9028249340ad1436215
  SHA512: c08993870d96dc36ce10b1008b8e475005ef5b2f03e233ca3f495d4235eab6b5393ce76788616e9d733743397b928625df37cdda198b4e959b94416f6b023e39
- Filesize: 1KB
  MD5: 3be8a455432a097a1c049f1c16c28728
  SHA1: fc286eb20b95b456ac4162e84d51d218253dc298
  SHA256: c09cb831866be7ffe22f7434fab9b0256127203a48aff10d34ff37c9a63191df
  SHA512: 89cf46b9e45089ff24268bc0680b3b33af18d5df4424fff32decdb5244282d1e310aaa5023bc7ac82f2c67971c50100dd8e3d4f1ab1a69a0cfe2aecccc6a2634
- Filesize: 111KB
  MD5: 3500951d4982a805493be99d69ddfa09
  SHA1: a7bb9526a43e85cb93e1231f8c9b478f966c2dc1
  SHA256: 3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a
  SHA512: fd0555fde958849ac0af795c7d0aef7c544dea619a770a2625b19bf800b34f2f3202e1fd15cad1314d2dbc0d1995770534b5c7292e605bdf2a1f3a8c4e6da19f
- Filesize: 6KB
  MD5: 24fdf0dd36c2a2a85d580c4acc4cff8e
  SHA1: fe010123dad40a8c267d1e29d7ec27c6e05ce23d
  SHA256: c912807e382af4c54b483232d58c2beeb7254f94604c3008894388f26fe55562
  SHA512: d3a7d7ffd8b7b29e4c8d73f5732c3e7625ff0729e8eb46cb615c4b9f8b23a246dd7287ae59a04c94a76874ab9188a29bffdcb53e6f32db61dabbd145ba8cb34c
- C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe
  Filesize: 399KB
  MD5: ae26c83889f494cc28d7064a549cb767
  SHA1: 364520aec2321908734853bc3f786f71c8e52f39
  SHA256: 8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2
  SHA512: 7941e3514059b58f7dfa191d467b07a8ba664961b9dc6b81d66fdd9b38df48414f907992fbed5d812dfe4853563dd56f89e26d97b68453f9b80df66f83ef2c44
- C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
  Filesize: 361KB
  MD5: 8d6ef3dea0b0db7bd8fca84b5f9115fb
  SHA1: 636b919f08ff5fef787dd680b1c3a501af9575ff
  SHA256: a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af
  SHA512: 8d7ccde2372d912505c81ffc7d358b6660e4f63c5ac78b786a06ab2a0e022f71088fcd8306a1e81d9b2d14b82cb6948ae03e1ea709d6a7c276ed3225b62b6a93
- C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
  Filesize: 97KB
  MD5: fc686bacdc788d5e5bb4798de6ad928c
  SHA1: 52a98a1e741efffabebc926a8261c510faee360c
  SHA256: 05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae
  SHA512: 8b92981ede59a717aaab5068cdd8b6c76445c176521ce7c79c316dec509a593338a9dcdeb82105e63301be55e7ccd140e932ee5cdbe7adf83654de3516922e8c
- C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Generic-a7a15cfa6e622c2bb9f59ed1801f481dfaf2bd52dfdb10f94dcf58f546e9dae1.exe
  Filesize: 204KB
  MD5: fdb11d8d57469c9d39fa937e0575bcb6
  SHA1: 4e55b85e68488eb30e1904757a7297e7c47016f0
  SHA256: a7a15cfa6e622c2bb9f59ed1801f481dfaf2bd52dfdb10f94dcf58f546e9dae1
  SHA512: 676694e85bafe25e3dbad1f3c879a97eb57d2adea62b1007a96ee338d62907d8208fe198c806d454c995421ec8b79817bda80e5acf870ec52c8c9b8a6b4e0d68
- C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Shade.gen-748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b.exe
  Filesize: 1.1MB
  MD5: b8636a7e4e306e86e7de2aee7656dc26
  SHA1: 4f515fa184cb43e5253b244efb6ecfe03c5f2423
  SHA256: 748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b
  SHA512: 57ba9baf21589c13bff610f8cd20df5100221ed9ab5e796fded85512780d8b78c76c7d811b1e8d83f9c27d65692b651dbd0d35bd03d1c029b4fc2a31296e7209
- C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe
  Filesize: 1.7MB
  MD5: 19eeb09249b44d9671dd829266df912b
  SHA1: 89ca0183f09b2313a0896dd0d10fa876056c1304
  SHA256: b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119
  SHA512: f995240c16838a0f97f8957e5aa6041edf4c83d33c22b29667197f169a967e67514bc17fbee1c41ebf2dd171f48752fae1004f91210dd66329e94359ba5da650
- C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
  Filesize: 696KB
  MD5: 4e7ed4c55b73cbca330efbc3e1ddf109
  SHA1: 2fb12e06419b6afed90b53e0de5cbd47a1268f20
  SHA256: 78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097
  SHA512: 53205b41f575384e12924f4e4b255146f0852819a72b32e7789dd217c80d07cee5b47425282fe1735db0685eb6069587c94e65484e72dea8e937bca7212680e3
- C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe
  Filesize: 950KB
  MD5: 1efe7c7b4dd5297289ac9a87c6f23a3f
  SHA1: 5485297304d6a914f809228c9edb3ae626fd7476
  SHA256: bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c
  SHA512: bc6e34063018a89866bdf940c822710c242c06dfc358e08792a683c0a1040cbb5beeb9a31591c94fdc32cc5a853d86547155f5c5330b0a0b58d6e69175e180fe
- C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe
  Filesize: 1.2MB
  MD5: 26321aa5e0b8bc9642a12f4be4d7884f
  SHA1: 2478b68d5d7c70514cccd5dab962326e9a387671
  SHA256: c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826
  SHA512: c86bfaff413a30f477d4217adfad5642a7ccbda4b5c29bcef360487e302b555555710db4883e6cbeae613c053ef096c9f3aa4fee35ea1411d3c8743a8d50d146
- C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exe
  Filesize: 622KB
  MD5: 9e7c12683e96306a33d083c6b7204665
  SHA1: 0ec9ef4a1bd676f11c5d8c5bde7599ecce62ba80
  SHA256: e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f
  SHA512: 4515c508c46933e9700b66f58dad6717fa5f216ac09954219afb1cb4be2bb98e703a16b6278f385fddfb65249d1949d416dbf5f34bc2aa507eb433cb9774ae70
- C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
  Filesize: 942KB
  MD5: e6585150371edfcc67f233dfb7c9255b
  SHA1: de4d8774b6db30a5733fd7a0c2c672cbcf6439eb
  SHA256: 67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41
  SHA512: 695907bf3ba9fa52b64c8dcff398a0d8dab45d07843f78b5bf2025bc463145230557f584b653742aca8729e7bca31a59c7778d644d30dc9c0ee1e6add1582e3f
- C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Shade.pko-8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6.exe
  Filesize: 1.5MB
  MD5: 1e287a45c732a13d06d635e1989b8cb0
  SHA1: 6787c99908639ee40c29aae2047ddae75fb51550
  SHA256: 8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6
  SHA512: 42c01c15fac390356031e1afb47e99de2b53172e2ffc25012a0309921421d7f748962bff3946782ca1e04b408d10c1d2d659357ea8b07d5d8aa3779de7e38460
- Filesize: 211B
  MD5: 5008167e7d7b55deedb3702b59200955
  SHA1: c113ef5be30871962c682c428f82b4ca7896a100
  SHA256: 70049e90a5dd653892b0500e23b19246feef56bc415edd9f511ad33e11844a2f
  SHA512: ea30fbc2451607f783a15bb175a9ec1dbdb160a8848ca8366901980edae8a002238594299e7f36de564b2ac222194b8d382d6f840cbd9a987b72b7e72f87173d
- Filesize: 432KB
  MD5: 38d322503903ddf1db2e6f1767f36a13
  SHA1: ec52ee420458168d4beff8042b07cbc24b0be137
  SHA256: b90b5da465fab401ee69acc3d415dd581d2325a9e7553f1655a19c6014a697c7
  SHA512: 4d5b366dab051268edaf6a3a0bcf6ecc760a8118115d9cd6b49f05715d02e0222bb803ed3db95fa0980bca32c7cb4750b5625da7a366b219982f34b5208b6de6
- Filesize: 609KB
  MD5: 36d18faf22f006622228da8ef1eebc99
  SHA1: 7521c81a12b478e6e22b1b7a4d05576e1a62fa23
  SHA256: 6391ac8a276d3f37b775cebafb79e420fab55309e3ecdbfc41c993a3efd3b6ed
  SHA512: e00b385e48978aecd7873816e026814b9eb316bd9db513b17d8286960ab75806911000959a1a339e4b809c574357ae728de88fa002ac516c5b0562b11eb4544d
- Filesize: 736KB
  MD5: be934f32cf6fa8b2a67d5bd5767155a2
  SHA1: 8ac74d0a5d81758e693685fc6776e3a642ff5ffa
  SHA256: faa2f94fee743ad67c35fd0ed26aba506764a101754983c6e0ad4066b6c9fa4c
  SHA512: 4404c197ec2986907bff809d0f0f7a2f040cb4c86fc2aa5de94e9e9eed78a9ea143388c5271e55233559e6e5a39199d3672d5836ad586ee790a300cc6e40962f
- Filesize: 406KB
  MD5: ba2150f0e87d8c9266c31cbdc9267956
  SHA1: fb7e013643064fabe83f1f60a6658d9e17c6491a
  SHA256: 2770524523f868af6931a8454769bc055e96e6a0f94c0cb41c558ac0050e94df
  SHA512: 6953214bbb75e22bd59a968fdd3d141c3960f76aabd734e084222f5f2940cb2e323c31edc13520199c2e70fbae3870044ee9d2727924485a44457744f1980359
- Filesize: 660KB
  MD5: 04c51061e1be05a78b271cbe57365b03
  SHA1: 9c225c18dd035fdf428e8dbabd0ffb8005d21d52
  SHA256: f7d99f211e79e79498563c44475b9d2da175f554dd85cc5cf0012bfdba9641f4
  SHA512: bd348c24996307df5207dcd86d81a72dc068a5912af36ab4164f818d29094a55ba5c8a0198c262b507348940490f4a3e0a7fedc0908cf511bc4bb22d3abc3513
- Filesize: 482KB
  MD5: f235a4f6c0cc10969c3ef480d5ccefcc
  SHA1: bc9a8683da6205960f256d1b6a4f8b197aecbdb5
  SHA256: 8e6bb52e1998b29ee0f76cb88378e1b7d20618810eeeca8509f46967d6a381a5
  SHA512: 249eb9830cbe013949a9563f89b489753a41b9e02d1912e93ca797025546c252f7a771e2035d05974acfb9c4bd5587f8e9f1bec9be0710168b44960d3d5d55a3
- Filesize: 457KB
  MD5: 6966c10ac1f76e1fff87df0d30603789
  SHA1: 2565b89e2cf7b7a8309cfa08898cbda2ebdce550
  SHA256: ba2e7460042ac55733e1657b2114c1e5aff1b744be37af16195e1348b811a7ad
  SHA512: 62dcc7f708de5a2fade034a18b319f0921ee61b5fcc9402bd446b134c0be25791b4a815c430ba26c2f520d93132f5f1a2a4868a8b56d1d68d7231d72d3db32f6
- Filesize: 635KB
  MD5: 80c2a87f7fb98abd00c0bed86c72bbf2
  SHA1: faa23a3219f03585bb437c7ca251bca586b8d692
  SHA256: 836258b8b3d085082eecb27c71bc064b371f696dfdd2fbf6965bf5df567aabe0
  SHA512: 6b2fc045bc7878efb7775b904fa0ad1641fc2e0fb3f465f6ecc8da14f67740e3335570d3542ba7a5617f389fb2bda5a68ffbc563f2631e9b1c824259fdaa2821
- Filesize: 355KB
  MD5: 5618d121406c21e130f40d67e78df009
  SHA1: b7fbe0efe713e6aa9a35b18d405175ebed003503
  SHA256: f11942ac0c4a80736a625b79b53ceaa3ab0a9d65b70827b5b672e08af73fcb39
  SHA512: ef8050835a31dc2865b6a28861fb9bcf1bec86c1bb690d0878b6ad58cea0260b93373d82bb61d0de3dcfeb673ad72754bfb06b75a23670c411230d5596f53d80
- Filesize: 13KB
  MD5: c2cdab47d15985c80992fba9dd4e6e9d
  SHA1: 3d9494a3f16a2c676b765380623d471ee77c769b
  SHA256: b1c7217a7a047293789b26a547a0fa1541792e7dc4ac0c071dc4fd574201683c
  SHA512: 93e67ebc44b397b4630b2f6e2afb17945a7c4d6627d836e6318feff48481ee98aaa9b8de2b1905c25e4cd16e9f7539003284ffda2716bf5c229c91498b562fcb
- Filesize: 13KB
  MD5: bb623f24299b94865938c657786cb7c5
  SHA1: 19cb130873dc5079c04aa602cdbd68efab7d55f4
  SHA256: 49fda10c8ef3f90e220e670aa071cc152f627f086f932059196766bd243b3787
  SHA512: 37e052cfa775251fbf09a0e7c3cb80a31c3d46252c5cab6fcc6e571da8530ed013b93a855ae857ac704aa673e13dff5f3f176aedc4c8a9b67b3bba716f309916
- Filesize: 584KB
  MD5: 0f51dcd2c1b715bac519b1f3d8cba329
  SHA1: a51bec511b34f4f82a8f767d600dba16ced21bde
  SHA256: 2f365b5338ad998f18076924af50739a3b6900958b15e5d1a3da938862c0d2c6
  SHA512: 3e4458e2d618dd2ee6b7422a4cad7293f3205ae771e5b8ecbc9aef31915ce748534842c2343579e7b77eb9bfa5c5f8b0beb7da80a94f9f85600fb2f118ecd689
- Filesize: 762KB
  MD5: e5121f99a9ecd2830d23bb3e4b033b8e
  SHA1: 3eda08c24e7a9cb016e9949c316596e7eebd5520
  SHA256: 678d9752840b89e4f93725d82ec3cb67ab4931ea0f999fa7f4db43545b93d183
  SHA512: a05df979ab5311e9eef9fb8478513ea28b0dd2f5d1b5aca826e885fc065b5d3c527c77d512fb50b2e97743f96c3aca79338765c7b62e797549258af88233d8eb
- Filesize: 559KB
  MD5: 89b81fb8062aec7939de1d9f7c3bf06b
  SHA1: 045973a98eaf82daa42036a66265db27c94fd2b5
  SHA256: 5d25df7b42f2c413af297eb40897e1a3b5d10043d84736437b765496fa429c1d
  SHA512: 634df76a70c5234a3d8f4b4a424fa75fee9e9d1e03ac056cbeacb0531b9b014236b69cd3a14365a436f74400ed6f39484024194a5f660d3b707f35d0e55e4d58
- Filesize: 1.1MB
  MD5: 35c3596d4e55d06dfa9a905682dc798c
  SHA1: 2ac7188320bbfe5e19c690ba17af0a7a1aee9b51
  SHA256: fb9b83ac6db6d0be0c790fca1b6d2c425a131904f5ecfe954ff3489fa51d2335
  SHA512: 56d79c32aff4d7215e841d5a72219a038c4251a6f41394dd7c0a378aebced30b8737af6c78637f7ea43279bba2e3171ef8a920a77a8b2abfad2d06ee76a1fbd8
- Filesize: 686KB
  MD5: 73fe0867db3e236e03617c6641bfc3f5
  SHA1: b460661a8db684644bbfe7031bb24fe970f6f075
  SHA256: 1f4b2434a6e9c8d82b4f0b811a6fc84e503bda0860672f8a336e83b443038574
  SHA512: 14baf159a57c52aa956b14db8ef052cfeb44a55d2ea0481ba9147aaae5be888119d2788a504a77e421c2fa980c1bb5d6c29f0bb836e79d2beb479d15fdaee787
- Filesize: 533KB
  MD5: 7a47e9efbb97aba6eeaf807df6cbcdf9
  SHA1: e67b723e4684230b0640de52faf53107bf548105
  SHA256: 72be0b5cc345007d554f3d3a3fae1f2fe0374f041f86129dff8db29dce590877
  SHA512: 4927108858b37fd7ab191c1dd4ba2b505ca6e222237750e78a966319b5da246cb87736e6b9d6cb54bc2aca3f77b6471d687c47a2f93dfa4102299216f9a17c39
- Filesize: 381KB
  MD5: 04fa9e1959fa3402ef7debfe8818b513
  SHA1: 4b3d80f42cf7315f7f3316ffcbac46c0f9132c3d
  SHA256: 3cffcbec8ff6be5440f34ca0bb2d5abcfe4f16042ac54698ebb6e78191f9e2aa
  SHA512: 445414380ddcfb53ddf12dc167a14b13d946ee350a2f7288b6e571dc5d0dbaae9c5c8353df36e845c8a7204d00be0c7d08597f270c2a491e28e4c4cb4f2f219e
- Filesize: 305KB
  MD5: f62860e84279edc32138a34ff7efbac8
  SHA1: 194c8d0caf236e6ebe9b3e849b940e9a3962da84
  SHA256: 0401afca1fa22cef4017f4b4232f0b55eb58d44af9f2db98133a2bc1b77a1183
  SHA512: 08cf5fa2228b5b37b7977d102fd45a85f92dfa198f226b0e967594d9757f293e81f2edcc1ebc3beb4e0fa8fa1b1981d7820eb655405ded9c7ccfc2cf8bc2c377
- Filesize: 508KB
  MD5: 93aea99cbd40bd293d35fca8b083a34a
  SHA1: 4e83f2751339e00748a8b3af3a1531fe203c2d26
  SHA256: 0eb6fd8178ec1610e3a5a39e7ec945903404554dd474de5c4fc7b0cfb765394b
  SHA512: 103a73f187a867ee51c6da325ffbbd5775b621f5b7bcd41c784ed370d17746091ff2723bfc6cbbcfa50d9f265ec7ce628325174d70d1ed35170241d73794d758
- Filesize: 711KB
  MD5: 1c89365a2b9f2a9c016c35dcc106e34f
  SHA1: 1ba3100ce9421d3ec0e83abde40bd088ab556a91
  SHA256: a5c4be767c5464849dcd5a166dc101c386902c5eca3fd68233e996be2a21378c
  SHA512: 75f45de5a39c0b00db1ee1a814c09464d119cb525a2947a2ad8b09eff0fa44656fd49175dcf435841db3e4b3385c811c2bfcebbf1d75c8093dc50dd5916f2890
- Filesize: 207KB
  MD5: 17d94533420151d4f1af7ca6e9652df6
  SHA1: af511753b6082a04aded94d1ba1aca037559f698
  SHA256: e7553b6931998d2d4359162bae14054830f8f69be9d2de3f445158d5caa113b9
  SHA512: 8d4d4d0c71a432c326305a20cb6b9362815f6cd7cc7328ac632ecdc233f335d1119039b1cadef78d10ae40ebc1ab75c8e93b45cb34265a1ab53f3efdc775ce76