Analysis
max time kernel: 179s
max time network: 180s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 19:53
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00351.7z
Resource: win7-20240903-en
General
Target: RNSM00351.7z
Size: 9.5MB
MD5: 4bb3a829f62c6cdabb5e5b7621291793
SHA1: 51535044c807e9b47bfb858e28b607f4fb34b62e
SHA256: 2ff8698b92e09af84ae40c9896b024b9404b26c6836e7ae80acb2d20858cf286
SHA512: 9dfe58f110e4cfeaf129e2feaa460de6e751c1b28f61905a3c5312754aaa28cdc33bfe9eac621544743cc7e280ad17c157a7125a6f6184a0b663be49a18d6397
SSDEEP: 196608:FPJOrUgKAr501BlA1Np/sKMWD9rjWO4UxiE:FPWJ6lATpsj29ryO4Ux
Note: these hashes identify the submitted archive RNSM00351.7z, not the individual samples inside it. The archive is a bundle of several ransomware families run together in one VM; the per-sample SHA256 is embedded in each process name below, so signatures must be attributed per process rather than to "the sample".
Malware Config
Extracted from C:\Users\Admin\Desktop\!HELP_SOS.hta
  http://'+s.bp
  http://'+s.bp+s.txp+tx
  These two entries are fragments of JavaScript string concatenation lifted from the HTA ransom note, not complete URLs; the real address is assembled at runtime from the variables s.bp, s.txp and tx, so they are not usable as network indicators as-is.
Extracted: azorult
  C2: http://uspool.softopia.site/vvv/index.php
Extracted from F:\XK\KWNLVP-DECRYPT.txt (GandCrab ransom note)
  http://gandcrabmfe6mnef.onion/2c76df95dab1943c
Signatures
Azorult (Azorult family)
  An information stealer first seen in 2016; it harvests browser history and saved passwords, among other data. Its C2 is the uspool.softopia.site URL in the Malware Config above.
Gandcrab (Gandcrab family)
  GandCrab is ransomware: it encrypts files on the host and leaves a note pointing the victim to a Tor payment page (the KWNLVP-DECRYPT.txt note above).
Mimikatz (Mimikatz family)
  mimikatz is an open-source tool for dumping credentials on Windows.
Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
  Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
  Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"
    Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"
  Note: only the kpuo sample hijacks Winlogon. Userinit is a comma-separated list of programs Winlogon runs at every interactive logon, so appending the dropped C:\Windows\system32\IExplorer.exe starts it next to the real userinit.exe; Shell is rewritten to a command line naming the same dropped binary. The llqn writes are the Windows defaults (explorer.exe and C:\Windows\system32\userinit.exe); the signature fires on the write, not on the value. Both samples are 32-bit, which is why the writes landed in the Wow6432Node view on this x64 image; the 64-bit winlogon.exe reads the native key, so confirm on a reboot whether this persistence actually takes effect here rather than assuming it does.
Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
  Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"
  Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  Note: HideFileExt=1 is the Windows default (extensions hidden). kpuo enforces it, which pairs with its relabelling of the exefile class as "File Folder" (see the file-association section) so that dropped executables show up looking like folders. llqn writes 0, which shows extensions.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"
  Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Note: ShowSuperHidden=1 makes Explorer display protected operating-system files; 0 is the default. As with HideFileExt, llqn relaxes the setting and kpuo re-enforces the hiding default.
Troldesh, Shade, Encoder.858 (Troldesh family)
  Troldesh is ransomware spread by malspam.
Disables UAC via registry modification (signature title not preserved in the extracted page; 3 IoCs)
  Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Note: ConsentPromptBehaviorAdmin=0 makes elevation silent for administrators, PromptOnSecureDesktop=0 removes the secure-desktop prompt, and EnableLUA=0 switches UAC off altogether; the EnableLUA change only takes effect after a reboot. These keys are writable only by administrators, so the sample was already running elevated when it wrote them.
Deletes shadow copies (3 TTPs)
  Ransomware often deletes backups such as Volume Shadow Copies to inhibit system recovery.
Renames multiple (397) files with added filename extension
Renames multiple (8653) files with added filename extension
  Both counts point to ransomware encrypting files across the system; the report does not say which sample produced which count, and with several encryptors in this bundle the same file may have been renamed more than once.
mimikatz is an open source tool to dump credentials on Windows (1 IoC)
  yara rule "mimikatz" matched behavioral1/memory/1972-173-0x0000000180000000-0x000000018002B000-memory.dmp
  Note: the hit is a memory region of PID 1972 mapped at 0x180000000, the default image base for 64-bit DLLs. PID 1972 is reused by several dropped executables in this run (teikv.exe, LSASS.EXE and Shell.exe in the "Executes dropped EXE" list), so the dump cannot be attributed to one of them from the PID alone; use the dump's timestamp or the process tree to pin it down.
Disables RegEdit via registry modification (3 IoCs)
  Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"
  Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  Note: only the kpuo writes disable Registry Editor (value 1, set in both the user and the machine policy). llqn writes 0, which leaves it enabled; the signature keys on the value name, not on the value.
Disables Task Manager via registry modification
  (no IoCs listed on the page)
Disables cmd.exe use via registry modification (1 IoC)
  Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"
  Note: DisableCMD=0 does not disable cmd.exe; only non-zero values do. This is a hit on the write rather than on an actual restriction.
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (2 IoCs)
  Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
    File created C:\Windows\System32\drivers\etc\hosts
    File opened for modification C:\Windows\System32\drivers\etc\hosts
  Note: the file is the hosts file, not a driver. Rewriting it overrides name resolution for every host listed there, ahead of any DNS query, so diff it against a clean copy during triage.
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
Drops startup file (1 IoC)
  Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Executes dropped EXE (39 IoCs)
  pid   process
  2528  HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
  1576  HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe
  2492  Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
  2524  Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
  2392  Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
  2556  Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
  3024  Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe
  2976  Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
  2152  Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
  1848  Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe
  668   teiod.exe
  2796  Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
  1324  Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
  592   shell.exe
  1972  teikv.exe
  1916  _abp.exe
  2416  Rj3fNWF3.exe
  2484  nhgqubm.exe
  1756  Rj3fNWF3.exe
  2720  xk.exe
  1648  IExplorer.exe
  1604  WINLOGON.EXE
  2848  CSRSS.EXE
  2136  SERVICES.EXE
  2360  LSASS.EXE
  1856  SMSS.EXE
  2660  gonbqig.exe
  1788  puashkr.exe
  1912  HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
  2240  xk.exe
  1824  IExplorer.exe
  636   WINLOGON.EXE
  1720  CSRSS.EXE
  3028  SERVICES.EXE
  1972  LSASS.EXE
  2936  SMSS.EXE
  2588  shell.exe
  1972  Shell.exe
  2092  Shell.exe
  Note: WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE and SMSS.EXE here are dropped copies launched from the user profile (their paths are in the Run-key section), not the system binaries in C:\Windows\System32. PID 1972 appears three times (teikv.exe, LSASS.EXE, Shell.exe): the PID was reused by short-lived processes, so PID alone does not identify a process in this run.
Loads dropped DLL (54 IoCs; the report lists one entry per load, collapsed here into a count per process)
  pid   process
  2524  Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe  (24 loads)
  2556  Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe  (6 loads)
  2976  Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe  (5 loads)
  3024  Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe  (3 loads)
  2416  Rj3fNWF3.exe  (1 load)
  1108  RegAsm.exe  (2 loads)
  2220  WerFault.exe  (13 loads)
  Note: RegAsm.exe is a signed .NET Framework utility that has no reason to load DLLs dropped by these samples (it also enumerates drives below), so treat its activity in this run as attacker-controlled rather than as Microsoft's. WerFault.exe loading dropped DLLs means at least one dropped executable crashed and Windows Error Reporting mapped its modules while writing the crash report.
Modifies system executable filetype association (2 TTPs, 15 IoCs)
  Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
  Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
  Note: kpuo points the open command for .exe, .com, .bat, .pif and .lnk files at its dropped C:\Windows\system32\shell.exe, which receives the original program as "%1" and its arguments as %*. Every program launch through the shell then runs the malware first, which is persistence that survives removal of Run keys and is re-triggered by the user's own actions. The "File Folder" default value on the exefile class changes the Type shown in Explorer for executables, so with HideFileExt=1 a dropped .exe looks like a folder. llqn restores the exefile command to the Windows default "\"%1\" %*". Repair by resetting the five class commands to "\"%1\" %*" (exefile, comfile, batfile, piffile) and the lnkfile class to its default shell handler; deleting shell.exe without fixing the commands leaves every .exe unlaunchable.
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and cookies.
Adds Run key to start application (2 TTPs, 31 IoCs)
  Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
    Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
    Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
  Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
  Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe"
  Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dvdplayer = "C:\\Users\\Admin\\Desktop\\00351\\Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe"
  Rundll32.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"  (listed twice in the report)
  Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe (Key deleted, 21 entries)
    \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run
    \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
    \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE
    \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCEEX
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNONCE
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNONCEEX
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCE
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
  Notes:
  kpuo names its copies after core Windows processes (SERVICES.EXE, WINLOGON.EXE, LSASS.EXE, CSRSS.EXE) but runs them from the user profile; C:\Users\Admin\Local Settings\Application Data is the pre-Vista profile layout, which exists on Windows 7 only as a compatibility junction to AppData\Local. Shade does the same with a csrss.exe under C:\ProgramData\Windows. Purgen re-launches a copy of itself hidden in the user's certificate-store directory via RunOnce, and Agent.gox simply registers the path it was extracted to (Desktop\00351) without copying itself.
  kwow does the opposite: it deletes the Run, RunOnce and RunOnceEx keys themselves in HKLM, HKCU and the Wow6432Node view, which wipes every autorun on the host, including those set by the other samples in this bundle. The same key appears with different casing (Run/RUN, RunOnce/RUNONCE) because the sample issues repeated deletion attempts; registry key names are case-insensitive, so these are the same keys.
  The GrpConv RunOnce value written by Rundll32.exe is routinely left behind by Windows' own setup routines and is not evidence of malicious persistence on its own.
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Disables UAC via registry modification (signature title not preserved in the extracted page; 1 IoC)
  Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  This is the same EnableLUA write already listed with the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop changes above; two signatures match it.
Drops desktop.ini file(s) (42 IoCs)
  Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe (File opened for modification, 35 files)
    C:\desktop.ini is not among them; the files are the existing desktop.ini of every profile, Public, Program Files and Microsoft Games folder:
    C:\Users\Admin\Contacts\desktop.ini
    C:\Users\Admin\Desktop\desktop.ini
    C:\Users\Admin\Documents\desktop.ini
    C:\Users\Admin\Downloads\desktop.ini
    C:\Users\Admin\Links\desktop.ini
    C:\Users\Admin\Music\desktop.ini
    C:\Users\Admin\Pictures\desktop.ini
    C:\Users\Admin\Saved Games\desktop.ini
    C:\Users\Admin\Searches\desktop.ini
    C:\Users\Admin\Videos\desktop.ini
    C:\Users\Public\desktop.ini
    C:\Users\Public\Desktop\desktop.ini
    C:\Users\Public\Documents\desktop.ini
    C:\Users\Public\Downloads\desktop.ini
    C:\Users\Public\Libraries\desktop.ini
    C:\Users\Public\Music\desktop.ini
    C:\Users\Public\Music\Sample Music\desktop.ini
    C:\Users\Public\Pictures\desktop.ini
    C:\Users\Public\Pictures\Sample Pictures\desktop.ini
    C:\Users\Public\Recorded TV\desktop.ini
    C:\Users\Public\Recorded TV\Sample Media\desktop.ini
    C:\Users\Public\Videos\desktop.ini
    C:\Users\Public\Videos\Sample Videos\desktop.ini
    C:\Program Files\desktop.ini
    C:\Program Files\Microsoft Games\Chess\desktop.ini
    C:\Program Files\Microsoft Games\FreeCell\desktop.ini
    C:\Program Files\Microsoft Games\Hearts\desktop.ini
    C:\Program Files\Microsoft Games\Mahjong\desktop.ini
    C:\Program Files\Microsoft Games\Purble Place\desktop.ini
    C:\Program Files\Microsoft Games\Solitaire\desktop.ini
    C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
    C:\Program Files (x86)\desktop.ini
    C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
    C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini
    F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini
  Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe (File opened for modification, 3 files)
    C:\Users\Admin\Favorites\desktop.ini
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe (4 entries)
    File created C:\desktop.ini
    File opened for modification C:\desktop.ini
    File created F:\desktop.ini
    File opened for modification F:\desktop.ini
  Note: Purgen opening every existing desktop.ini for modification is the footprint of an encryption walk that does not skip hidden/system files; the list also shows a second volume F: was mounted in the sandbox (the GandCrab note was found at F:\XK\KWNLVP-DECRYPT.txt). kpuo is different: it creates new desktop.ini files at the roots of C: and F:. desktop.ini controls how Explorer presents a folder (icon, localized name), so a new one at a drive root is a way to change how the drive is displayed.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | Rj3fNWF3.exe
File opened (read-only) | \??\R: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\Q: | RegAsm.exe
File opened (read-only) | \??\K: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\X: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\x: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\p: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\R: | Rj3fNWF3.exe
File opened (read-only) | \??\S: | Rj3fNWF3.exe
File opened (read-only) | \??\W: | Rj3fNWF3.exe
File opened (read-only) | \??\A: | RegAsm.exe
File opened (read-only) | \??\T: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\V: | RegAsm.exe
File opened (read-only) | \??\g: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\n: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\J: | Rj3fNWF3.exe
File opened (read-only) | \??\Y: | Rj3fNWF3.exe
File opened (read-only) | \??\Z: | Rj3fNWF3.exe
File opened (read-only) | \??\N: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\z: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\L: | Rj3fNWF3.exe
File opened (read-only) | \??\U: | Rj3fNWF3.exe
File opened (read-only) | \??\H: | RegAsm.exe
File opened (read-only) | \??\X: | RegAsm.exe
File opened (read-only) | \??\V: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\M: | RegAsm.exe
File opened (read-only) | \??\i: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\r: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\T: | Rj3fNWF3.exe
File opened (read-only) | \??\V: | Rj3fNWF3.exe
File opened (read-only) | \??\O: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\Q: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\W: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\s: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\m: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\H: | Rj3fNWF3.exe
File opened (read-only) | \??\P: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\E: | RegAsm.exe
File opened (read-only) | \??\L: | RegAsm.exe
File opened (read-only) | \??\T: | RegAsm.exe
File opened (read-only) | \??\W: | RegAsm.exe
File opened (read-only) | \??\a: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\b: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\I: | Rj3fNWF3.exe
File opened (read-only) | \??\O: | Rj3fNWF3.exe
File opened (read-only) | \??\P: | Rj3fNWF3.exe
File opened (read-only) | \??\O: | RegAsm.exe
File opened (read-only) | \??\L: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\J: | RegAsm.exe
File opened (read-only) | \??\B: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\N: | RegAsm.exe
File opened (read-only) | \??\R: | RegAsm.exe
File opened (read-only) | \??\E: | Rj3fNWF3.exe
File opened (read-only) | \??\M: | Rj3fNWF3.exe
File opened (read-only) | \??\Q: | Rj3fNWF3.exe
File opened (read-only) | \??\X: | Rj3fNWF3.exe
File opened (read-only) | \??\u: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\y: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\K: | Rj3fNWF3.exe
File opened (read-only) | \??\Z: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened (read-only) | \??\G: | RegAsm.exe
File opened (read-only) | \??\Y: | RegAsm.exe
File opened (read-only) | \??\v: | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
File opened (read-only) | \??\M: | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Installs/modifies Browser Helper Object 2 TTPs 13 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\BROWSER HELPER OBJECTS | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BROWSER HELPER OBJECTS | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Modifies WinLogon 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2556-63-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
behavioral1/memory/2484-277-0x0000000000C90000-0x00000000016A1000-memory.dmp | autoit_exe
behavioral1/memory/2796-580-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
behavioral1/memory/2556-579-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
behavioral1/memory/2556-581-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
behavioral1/memory/2484-774-0x0000000000C90000-0x00000000016A1000-memory.dmp | autoit_exe
behavioral1/memory/2660-914-0x0000000000B20000-0x0000000001531000-memory.dmp | autoit_exe
behavioral1/memory/2660-999-0x0000000000B20000-0x0000000001531000-memory.dmp | autoit_exe
behavioral1/memory/2556-1866-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
behavioral1/memory/1788-2463-0x0000000000D30000-0x0000000001741000-memory.dmp | autoit_exe
behavioral1/memory/2556-2510-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
behavioral1/memory/2796-2527-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
behavioral1/memory/2556-3650-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
behavioral1/memory/2796-12454-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
behavioral1/memory/2556-20383-0x0000000000D00000-0x0000000001711000-memory.dmp | autoit_exe
Drops file in System32 directory 41 IoCs
description | ioc | Process
File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\wbem\mofcomp .exe | shell.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WMIC.exe | shell.exe
File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\shell.exe | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\wbem\mofcomp.exe | shell.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WinMgmt .exe | shell.exe
File created | C:\Windows\SysWOW64\wbem\wmic.exe" shadowcopy .exe | shell.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WmiPrvSE .exe | shell.exe
File created | C:\Windows\SysWOW64\wbem\WmiPrvSE .exe | shell.exe
File created | C:\Windows\SysWOW64\Mig2.scr | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WMIC .exe | shell.exe
File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\wbem\wmic.exe" shadowcopy dele | shell.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | shell.exe
File created | C:\Windows\SysWOW64\wbem\WinMgmt .exe | shell.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WMIADAP .exe | shell.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\wbem\WMIC .exe | shell.exe
File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\msvbvm60.dll | shell.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WinMgmt.exe | shell.exe
File created | C:\Windows\SysWOW64\wbem\WMIADAP .exe | shell.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WMIADAP.exe | shell.exe
File created | C:\Windows\SysWOW64\shell.exe | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File opened for modification | C:\Windows\SysWOW64\wbem\mofcomp .exe | shell.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | shell.exe
File opened for modification | C:\Windows\SysWOW64\wbem\wmic.exe" shadowcopy .exe | shell.exe
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper | Rj3fNWF3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DDx.bmp" | Rj3fNWF3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | RegAsm.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2528 set thread context of 1912 | 2528 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe | 94
PID 1576 set thread context of 1108 | 1576 | HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe | 98
resource | yara_rule
behavioral1/memory/2556-63-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/files/0x000700000001686c-38.dat | upx
behavioral1/memory/2796-107-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/memory/1848-110-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/1848-114-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/1848-118-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/1848-119-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/1848-113-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/1848-112-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/2484-277-0x0000000000C90000-0x00000000016A1000-memory.dmp | upx
behavioral1/memory/2796-580-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/memory/2556-579-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/memory/2556-581-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/memory/2484-774-0x0000000000C90000-0x00000000016A1000-memory.dmp | upx
behavioral1/memory/2660-914-0x0000000000B20000-0x0000000001531000-memory.dmp | upx
behavioral1/memory/2660-999-0x0000000000B20000-0x0000000001531000-memory.dmp | upx
behavioral1/memory/2556-1866-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/memory/1788-2463-0x0000000000D30000-0x0000000001741000-memory.dmp | upx
behavioral1/memory/2556-2510-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/memory/2796-2527-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/memory/1848-3602-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/2556-3650-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/memory/2796-12454-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
behavioral1/memory/2556-20383-0x0000000000D00000-0x0000000001711000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONMAIN.DLL | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21309_.GIF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Cayman | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198021.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART9.BDR | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\RECOVER-FILES.html | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.POC | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXC | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBAR11.POC | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Microsoft Games\More Games\ja-JP\MoreGames.dll.mui | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.DPV | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR33F.GIF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Executive.thmx | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\7-Zip\License.txt | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107426.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01157_.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02126_.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Moncton | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ProjectStatusReport.potx | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dab193d1dab1943111.lock | RegAsm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\BG_ADOBE.GIF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102762.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18198_.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105588.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jre7\bin\dt_shmem.dll | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2String.XSL | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\RECOVER-FILES.html | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00916_.WMF | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File created | C:\Program Files\Java\jre7\lib\zi\Europe\RECOVER-FILES.html | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\RECOVER-FILES.html | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
Drops file in Windows directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.app.log | Rundll32.exe
File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File opened for modification | C:\Windows\msvbvm60.dll | shell.exe
File created | C:\Windows\xk.exe | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE
File opened for modification | C:\Windows\INF\setupapi.app.log | Rundll32.exe
File created | C:\Windows\msvbvm60.dll | shell.exe
File opened for modification | C:\Windows\xk.exe | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2220 | 2588 | WerFault.exe | 106
System Location Discovery: System Language Discovery 1 TTPs 54 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LSASS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | puashkr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CSRSS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OUTLOOK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINLOGON.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LSASS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Rj3fNWF3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SMSS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Rj3fNWF3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CSRSS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SERVICES.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vssadmin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gonbqig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | teiod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nhgqubm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SERVICES.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SMSS.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINLOGON.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _abp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments. The values queried here (ProcessorNameString, Identifier and ~MHz under HARDWARE\DESCRIPTION\System\CentralProcessor\0) are the ones that tend to differ between a real workstation and a virtual machine, so reads of them by RegAsm.exe and runonce.exe are worth correlating with what those processes did next.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RegAsm.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe
-
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery. This table records only that vssadmin.exe was started three times; the arguments (whether it was deleting shadows or merely listing them) are not part of this signature and have to be read from the process tree.
pid Process
1616 vssadmin.exe
3068 vssadmin.exe
592 vssadmin.exe
-
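The two signature descriptions above (processor-information reads as a sandbox check, shadow-copy interaction as a recovery-inhibition step) are exactly the rows a responder wants pulled out of these flattened tables automatically rather than by eye. The following Python is an added example, not part of the tria.ge report or of any sample in it: it parses rows in the page's own "description ioc Process" and "pid Process" layout and tags them. The sample rows are copied from tables on this page; the rule names, the regexes and the action vocabulary are this example's own, and it goes beyond the two signatures here to also tag the Winlogon Shell/Userinit and Internet Explorer start-page writes that appear elsewhere in this report.

```python
"""Parse tria.ge-style flattened signature tables and tag the behaviours worth triaging."""
import re
from dataclasses import dataclass

# Constructed sample input: rows copied from the tables on this page, flattened the way
# the page renders them (implicit string concatenation only splits them for readability).
REGISTRY_TABLE = (
    r"description ioc Process "
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe "
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
    r' = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"'
    r" Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe "
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.135958.com/?31109"'
    r" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe"
)
PID_TABLE = "pid Process 1616 vssadmin.exe 3068 vssadmin.exe 592 vssadmin.exe"

# Action vocabulary seen in the tables on this page; the split keeps each action as a token.
ACTION = re.compile(r"(Key opened|Key value queried|Key created|Set value \((?:str|data|int)\))")


@dataclass(frozen=True)
class RegistryEvent:
    action: str
    ioc: str      # registry path, plus ' = "value"' for Set value rows
    process: str  # last whitespace-delimited token of the row


def parse_registry_table(text):
    """Split one flattened 'description ioc Process' table into RegistryEvent records."""
    header, marker, body = text.partition("description ioc Process")
    if header.strip() or not marker:
        raise ValueError("not a 'description ioc Process' table")
    parts = ACTION.split(body)  # ['', action, rest, action, rest, ...]
    events = []
    for action, rest in zip(parts[1::2], parts[2::2]):
        ioc, _, process = rest.strip().rpartition(" ")  # process names contain no spaces
        events.append(RegistryEvent(action, ioc, process))
    return events


def parse_pid_table(text):
    """Split a flattened 'pid Process' table into (pid, process) pairs."""
    header, marker, body = text.partition("pid Process")
    if header.strip() or not marker:
        raise ValueError("not a 'pid Process' table")
    tokens = body.split()
    return [(int(pid), proc) for pid, proc in zip(tokens[0::2], tokens[1::2])]


# Tagging rules are this example's own, written against the key paths visible in the
# report: (tag, regex over the IoC, action prefix the row must have, or None for any).
RULES = [
    ("sandbox-check/processor-info",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I), None),
    ("persistence/winlogon-shell-or-userinit",
     re.compile(r"\\Winlogon\\(Shell|Userinit)\s*=", re.I), "Set value"),
    ("hijack/ie-start-page",
     re.compile(r"\\Internet Explorer\\Main\\(Start Page|Default_Page_URL|First Home Page)\s*=", re.I), "Set value"),
]


def tag_event(event):
    """Return the first matching rule tag for a RegistryEvent, or None when no rule fires."""
    for tag, pattern, action_prefix in RULES:
        if action_prefix and not event.action.startswith(action_prefix):
            continue
        if pattern.search(event.ioc):
            return tag
    return None


def triage(registry_table):
    """Map each tag to the sorted list of distinct processes that triggered it."""
    findings = {}
    for event in parse_registry_table(registry_table):
        tag = tag_event(event)
        if tag:
            findings.setdefault(tag, set()).add(event.process)
    return {tag: sorted(procs) for tag, procs in sorted(findings.items())}


def shadow_copy_pids(pid_table):
    """PIDs of vssadmin.exe in a 'pid Process' table, the tool behind shadow-copy deletion."""
    return sorted(pid for pid, proc in parse_pid_table(pid_table) if proc.lower() == "vssadmin.exe")


if __name__ == "__main__":
    for tag, procs in triage(REGISTRY_TABLE).items():
        print(f"{tag}: {', '.join(procs)}")
    print("vssadmin.exe pids:", shadow_copy_pids(PID_TABLE))
```

The process name is recovered as the last token of each row because tria.ge process names never contain spaces, while the IoC column may (Control Panel, Internet Explorer, Windows NT); the split on the action vocabulary is what makes the one-line tables parseable at all. Rows no rule covers, such as the NLS\Language read at the end of the sample, are left untagged rather than guessed at.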
Modifies Control Panel 5 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop Rj3fNWF3.exe
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
-
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.135958.com/?31109" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.135958.com/?31109" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.135958.com/?31109" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\First Home Page = "http://www.135958.com/?31109" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explor<br>er\Main Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.135958.com/?31109" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.135958.com/?31109" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
-
Modifies Internet Explorer start page 1 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.135958.com/?31109" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.135958.com/?31109" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.135958.com/?31109" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
-
Modifies data under HKEY_USERS 4 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT Rj3fNWF3.exe
Key created \REGISTRY\USER\S-1-5-19 Rj3fNWF3.exe
Key created \REGISTRY\USER\S-1-5-20 Rj3fNWF3.exe
Key created \REGISTRY\USER\S-1-5-18 Rj3fNWF3.exe
-
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\ = "_OlkSenderPhoto" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\TypeLib OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046} OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\ = "OlkCheckBoxEvents" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046} OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046} OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046} OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046} OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OUTLOOK.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ = "_NavigationModules" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\ = "_RuleAction" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046} OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\sage.notice\FriendlyTypeName\ = "encrypted by SAGE" Rj3fNWF3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\ = "Actions" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82} Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" 
OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046} OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\ = "OlkSenderPhotoEvents" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046} OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\ = "ItemEvents" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\TypeLib OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046} OUTLOOK.EXE Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\ = "_FormRegion" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046} OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\ = "OlkCommandButtonEvents" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046} OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\ = "OlkTextBoxEvents" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046} OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" OUTLOOK.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\TypeLib OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\ProxyStubClsid32 OUTLOOK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" OUTLOOK.EXE -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7
c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 
190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d
06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 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 RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 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 
RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 RegAsm.exe -
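The certificate-store writes above use the CryptoAPI serialized form Windows keeps under SystemCertificates\<store>\Certificates\<thumbprint>\Blob: a sequence of property records, each a little-endian DWORD property ID, a DWORD that is always 1, a DWORD byte count and the data, with property 32 (CERT_CERT_PROP_ID) carrying the DER certificate itself. Decoding the 5FB7EE06... blob shows it is the genuine DigiCert High Assurance EV Root CA (the key name is the certificate's SHA-1), so this write looks like Windows' normal AuthRoot population during chain validation rather than a planted root; the check worth automating is precisely that comparison, plus a look at the subject of any root you do not recognise. The following Python is an added example, not tria.ge or sample code: the property-ID names are the wincrypt.h constants, and the blob bytes are the first 5FB7EE06... write above with whitespace inserted only to mark record and DER boundaries.

```python
# Decode a CryptoAPI serialized certificate element as written under
# SystemCertificates\<store>\Certificates\<SHA-1 thumbprint>\Blob in the report above.
import hashlib
import struct

# wincrypt.h CERT_*_PROP_ID values for the property records present in the blob below.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID", 9: "CERT_ENHKEY_USAGE_PROP_ID", 11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID", 29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID", 83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}

# Key name and Blob value copied from the first 5FB7EE06... write above. Whitespace and
# line breaks are added here only to mark the property records and the DER fields.
KEY_NAME = "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"
BLOB_HEX = """
0f000000 01000000 14000000 e35ef08d884f0a0ade2f75e96301ce6230f213a8
09000000 01000000 34000000 3032 06082b06010505070301 06082b06010505070302 06082b06010505070304 06082b06010505070303 06082b06010505070308
53000000 01000000 23000000 3021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0
14000000 01000000 14000000 b13ec36903f8bf4701d498261a0802ef63642bc3
0b000000 01000000 12000000 440069006700690043006500720074000000
1d000000 01000000 10000000 8f76b981d528ad4770088245e2031b63
03000000 01000000 14000000 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
20000000 01000000 c9030000
308203c5 308202ad a003020102 021002ac5c266a0b409b8f0b79f2ae462577 300d06092a864886f70d0101050500
306c 310b3009060355040613025553 31153013060355040a130c446967694365727420496e63 31193017060355040b13107777772e64696769636572742e636f6d
312b302906035504031322 44696769436572742048696768204173737572616e636520455620526f6f74204341
301e 170d3036313131303030303030305a 170d3331313131303030303030305a
306c 310b3009060355040613025553 31153013060355040a130c446967694365727420496e63 31193017060355040b13107777772e64696769636572742e636f6d
312b302906035504031322 44696769436572742048696768204173737572616e636520455620526f6f74204341
30820122 300d06092a864886f70d0101010500 0382010f00 3082010a 0282010100
c6cce573e6fbd4bbe52d2d32a6dfe581 3fc9cd2549b6712ac3d5943467a20a1c b05f69a640b1c4b7b28fd098a4a94159 3ad3dc94d63cdb7438a44acc4d2582f7
4aa5531238eef3496d71917e63b6aba6 5fc3a484f84f6251bef8c5ecdb3892e3 06e508910cc4284155fbcb5a89157e71 e835bf4d72093dbe3a38505b77311b8d
b3c724459aa7ac6d00145a04b7ba13eb 510a984141224e656187814150a6795c 89de194a57d52ee65d1c532c7e98cd1a 0616a46873d03404135ca171d35a7c55
db5e64e13787305604e511b429801 2f1793988a202117c2766b788b778f2c a0aa838ab0a64c2bf665d9584c1a1251 e875d1a500b2012cc41bb6e0b5138b84 bcb
0203010001
a363 3061 300e0603551d0f0101ff040403020186 300f0603551d130101ff040530030101ff
301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3 301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3
300d06092a864886f70d0101050500 0382010100
1c1a0697dcd79c9f3c886606085721db 2147f82a67aabf183276401057c18af3 7ad911658e35fa9efc45b59ed94c314b b891e8432c8eb378cedbe3537971d6e5
219401da55879a2464f68a66ccde9c37 cda834b1699b23c89e78222b7043e355 47316119ef58c5852f4e30f6a0311623 c8e7e2651633cbbf1a1ba03df8ca5e8b
318b6008892d0c065c52b7c4f90a98d1 155f9f12be7c366338bd44a47fe4262b 0ac497690de98ce2c01057b8c8761291 55f24869d8bc2a025b0f44d42031dbf4
ba70265d90609ebc4b17092fb4cb1e43 68c90727c1d25cf7ea21b968129c3c9c bf9efc805c9b63cdec47aa252767a037 f300827d54d7a9f8e92e13a377e81f4a
"""
BLOB = bytes.fromhex("".join(BLOB_HEX.split()))


def parse_blob(blob):
    """Split a serialized element into (prop_id, data) records, validating every length."""
    props, off = [], 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"property {prop_id}: reserved field is {reserved}, expected 1")
        if off + size > len(blob):
            raise ValueError(f"property {prop_id}: declared {size} bytes, blob too short")
        props.append((prop_id, blob[off:off + size]))
        off += size
    return props


def build_blob(props):
    """Inverse of parse_blob; handy for constructing test blobs."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props)


def prop(props, prop_id):
    """Data of the first record carrying this property ID."""
    for pid, data in props:
        if pid == prop_id:
            return data
    raise KeyError(PROP_NAMES.get(prop_id, prop_id))


def friendly_name(props):
    return prop(props, 11).decode("utf-16-le").rstrip("\x00")

def stored_sha1(props):
    return prop(props, 3).hex().upper()

def recomputed_sha1(props):
    return hashlib.sha1(prop(props, 32)).hexdigest().upper()


def der_outer_length(der):
    """Total TLV size claimed by a DER SEQUENCE that uses a two-byte long-form length."""
    if der[:2] != b"\x30\x82":
        raise ValueError("expected SEQUENCE with 0x82 length form")
    return 4 + int.from_bytes(der[2:4], "big")


def audit(blob, key_name):
    """The checks an analyst wants for one Certificates\\<key_name>\\Blob write."""
    props = parse_blob(blob)
    der = prop(props, 32)
    return {
        "properties": [PROP_NAMES.get(pid, pid) for pid, _ in props],
        "friendly_name": friendly_name(props),
        "der_length_ok": der_outer_length(der) == len(der),
        "stored_sha1_matches_key": stored_sha1(props) == key_name.upper(),
        "recomputed_sha1_matches_key": recomputed_sha1(props) == key_name.upper(),
    }


if __name__ == "__main__":
    for check, result in audit(BLOB, KEY_NAME).items():
        print(f"{check}: {result}")
```

The stored SHA-1 (property 3) is whatever the writer put there, so the comparison that matters is the one recomputed over property 32 against the key name: a sample that plants its own root under a legitimate-looking thumbprint would fail it. The same parser handles the 0563B863... and 7E784A10... writes above once their blobs are pasted in, and for ROOT (rather than AuthRoot) entries the subject in the DER is the next thing to read.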
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1692 OUTLOOK.EXE -
Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
pid Process
2528 HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
1576 HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe
2492 Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
2524 Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
2556 Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
3024 Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe
2152 Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
2976 Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
1848 Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 rows collapsed to one per PID; the count in parentheses is how many times the signature fired for it, order of firing not preserved)
2756 taskmgr.exe (53)
2152 Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe (1)
2524 Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe (2)
2556 Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe (1)
1848 Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe (2)
2796 Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe (3)
1972 teikv.exe (2)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2124 7zFM.exe 2756 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 60 IoCs
description pid Process (60 rows grouped by PID in order of first appearance; privileges are listed in the order enabled, repeats kept. Three entries are reported by LUID only: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege.)
2124 7zFM.exe: SeRestorePrivilege, 35, SeSecurityPrivilege
2756 taskmgr.exe: SeDebugPrivilege
3024 Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this is every privilege of an elevated administrator token, enabled in ascending LUID order, which is consistent with a blanket enable-all-privileges loop rather than a need for any one of them)
2556 Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe: SeDebugPrivilege
2528 HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe: SeDebugPrivilege
2796 Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe: SeDebugPrivilege
1972 teikv.exe: SeDebugPrivilege
1916 _abp.exe: SeShutdownPrivilege
2492 Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe: SeDebugPrivilege
2484 nhgqubm.exe: SeDebugPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSecurityPrivilege
1576 HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe: SeDebugPrivilege
2204 Rundll32.exe: SeRestorePrivilege (7 times)
2660 gonbqig.exe: SeDebugPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSecurityPrivilege
1788 puashkr.exe: SeDebugPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSecurityPrivilege
2368 Rundll32.exe: SeRestorePrivilege (7 times)
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process (64 rows collapsed to one per PID; count in parentheses)
2124 7zFM.exe (2)
2756 taskmgr.exe (62)
-
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2756 taskmgr.exe 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe 2976 Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe -
Suspicious use of SetWindowsHookEx 22 IoCs
pid Process
2524 Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
592 shell.exe
2492 Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
2492 Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
2720 xk.exe
1648 IExplorer.exe
1604 WINLOGON.EXE
2848 CSRSS.EXE
2136 SERVICES.EXE
2360 LSASS.EXE
1856 SMSS.EXE
1692 OUTLOOK.EXE
2240 xk.exe
1824 IExplorer.exe
636 WINLOGON.EXE
1720 CSRSS.EXE
3028 SERVICES.EXE
1972 LSASS.EXE
2936 SMSS.EXE
2588 shell.exe
1972 Shell.exe
2092 Shell.exe
-
Suspicious use of UnmapMainImage 1 IoCs
pid Process 1848 Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2504 wrote to memory of 2528 2504 cmd.exe 35
PID 2504 wrote to memory of 2528 2504 cmd.exe 35
PID 2504 wrote to memory of 2528 2504 cmd.exe 35
PID 2504 wrote to memory of 2528 2504 cmd.exe 35
PID 2504 wrote to memory of 1576 2504 cmd.exe 36
PID 2504 wrote to memory of 1576 2504 cmd.exe 36
PID 2504 wrote to memory of 1576 2504 cmd.exe 36
PID 2504 wrote to memory of 1576 2504 cmd.exe 36
PID 2504 wrote to memory of 2492 2504 cmd.exe 37
PID 2504 wrote to memory of 2492 2504 cmd.exe 37
PID 2504 wrote to memory of 2492 2504 cmd.exe 37
PID 2504 wrote to memory of 2492 2504 cmd.exe 37
PID 2504 wrote to memory of 2524 2504 cmd.exe 38
PID 2504 wrote to memory of 2524 2504 cmd.exe 38
PID 2504 wrote to memory of 2524 2504 cmd.exe 38
PID 2504 wrote to memory of 2524 2504 cmd.exe 38
PID 2504 wrote to memory of 2556 2504 cmd.exe 39
PID 2504 wrote to memory of 2556 2504 cmd.exe 39
PID 2504 wrote to memory of 2556 2504 cmd.exe 39
PID 2504 wrote to memory of 2556 2504 cmd.exe 39
PID 2504 wrote to memory of 2392 2504 cmd.exe 40
PID 2504 wrote to memory of 2392 2504 cmd.exe 40
PID 2504 wrote to memory of 2392 2504 cmd.exe 40
PID 2504 wrote to memory of 2392 2504 cmd.exe 40
PID 2504 wrote to memory of 3024 2504 cmd.exe 41
PID 2504 wrote to memory of 3024 2504 cmd.exe 41
PID 2504 wrote to memory of 3024 2504 cmd.exe 41
PID 2504 wrote to memory of 3024 2504 cmd.exe 41
PID 2504 wrote to memory of 2152 2504 cmd.exe 42
PID 2504 wrote to memory of 2152 2504 cmd.exe 42
PID 2504 wrote to memory of 2152 2504 cmd.exe 42
PID 2504 wrote to memory of 2152 2504 cmd.exe 42
PID 2504 wrote to memory of 2976 2504 cmd.exe 43
PID 2504 wrote to memory of 2976 2504 cmd.exe 43
PID 2504 wrote to memory of 2976 2504 cmd.exe 43
PID 2504 wrote to memory of 2976 2504 cmd.exe 43
PID 2504 wrote to memory of 1848 2504 cmd.exe 44
PID 2504 wrote to memory of 1848 2504 cmd.exe 44
PID 2504 wrote to memory of 1848 2504 cmd.exe 44
PID 2504 wrote to memory of 1848 2504 cmd.exe 44
PID 2152 wrote to memory of 1696 2152 Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe 45
PID 2152 wrote to memory of 1696 2152 Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe 45
PID 2152 wrote to memory of 1696 2152 Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe 45
PID 2152 wrote to memory of 1696 2152 Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe 45
PID 2392 wrote to memory of 2788 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe 48
PID 2392 wrote to memory of 2788 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe 48
PID 2392 wrote to memory of 2788 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe 48
PID 2392 wrote to memory of 2788 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe 48
PID 3024 wrote to memory of 668 3024 Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe 47
PID 3024 wrote to memory of 668 3024 Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe 47
PID 3024 wrote to memory of 668 3024 Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe 47
PID 3024 wrote to memory of 668 3024 Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe 47
PID 2392 wrote to memory of 352 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe 49
PID 2392 wrote to memory of 352 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe 49
PID 2392 wrote to memory of 352 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe 49
PID 2392 wrote to memory of 352 2392 Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe 49
PID 2556 wrote to memory of 2796 2556 Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe 50
PID 2556 wrote to memory of 2796 2556 Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe 50
PID 2556 wrote to memory of 2796 2556 Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe 50
PID 2556 wrote to memory of 2796 2556 Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe 50
PID 2976 wrote to memory of 1324 2976 Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe 51
PID 2976 wrote to memory of 1324 2976 Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe 51
PID 2976 wrote to memory of 1324 2976 Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe 51
PID 2976 wrote to memory of 1324 2976 Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe 51
-
System policy modification 1 TTPs 13 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "0" Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "0" Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon = "0" Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00351.7z"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2124
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2756
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  PID:2504
  - C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
    Command line: HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
    - C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
      Command line: "HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:1912
  - C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe
    Command line: HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Loads dropped DLL
      - Enumerates connected drives
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Modifies system certificate store
      PID:1108
      - C:\Windows\SysWOW64\shell.exe
        Command line: "C:\Windows\system32\shell.exe" "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID:2588
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 256
          - Loads dropped DLL
          - Program crash
          PID:2220
          - C:\Windows\SysWOW64\Shell.exe
            Command line: "C:\Windows\system32\Shell.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID:1972
          - C:\Windows\SysWOW64\Shell.exe
            Command line: "C:\Windows\system32\Shell.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID:2092
  - C:\Users\Admin\Desktop\00351\Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
    Command line: Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2492
  - C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
    Command line: Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2524
    - C:\Windows\xk.exe
      Command line: C:\Windows\xk.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:2720
    - C:\Windows\SysWOW64\IExplorer.exe
      Command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:1648
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:1604
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:2848
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:2136
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:2360
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:1856
    - C:\Windows\xk.exe
      Command line: C:\Windows\xk.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:2240
    - C:\Windows\SysWOW64\IExplorer.exe
      Command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:1824
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:636
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:1720
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:3028
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:1972
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:2936
  - C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
    Command line: Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
    - UAC bypass
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2556
    - C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
      Command line: C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe /nstart
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2796
    - C:\Users\Admin\AppData\Local\Temp\nhgqubm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\nhgqubm.exe /HomeRegAccess10
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:2484
    - C:\Windows\system32\Rundll32.exe
      Command line: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~ugdhcvr.inf
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID:2204
      - C:\Windows\system32\runonce.exe
        Command line: "C:\Windows\system32\runonce.exe" -r
        - Checks processor information in registry
        PID:2372
    - C:\Users\Admin\AppData\Local\Temp\gonbqig.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\gonbqig.exe /HomeRegAccess10
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:2660
    - C:\Users\Admin\AppData\Local\Temp\puashkr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\puashkr.exe /HomeRegAccess10
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:1788
    - C:\Windows\system32\Rundll32.exe
      Command line: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~chtpbqp.inf
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID:2368
      - C:\Windows\system32\runonce.exe
        Command line: "C:\Windows\system32\runonce.exe" -r
        - Checks processor information in registry
        PID:2276
    - C:\Windows\system32\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\pLhO8GB.bat
      PID:1520
    - C:\Windows\system32\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\iLSpLtV.bat
      PID:2292
  - C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
    Command line: Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2392
    - C:\Windows\explorer.exe
      Command line: C:\Windows/explorer.exe
      PID:2788
    - C:\Windows\SysWOW64\taskmgr.exe
      Command line: C:\Windows/system32/taskmgr.exe
      - System Location Discovery: System Language Discovery
      PID:352
  - C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe
    Command line: Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3024
    - C:\Users\Admin\AppData\Local\Temp\teiod.exe
      Command line: 123 \\.\pipe\E86A104A-9366-4921-856A-6C2B3065C184
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:668
    - C:\Users\Admin\AppData\Local\Temp\teikv.exe
      Command line: 123 \\.\pipe\0E8EBAA4-E8E1-4A42-8075-A1DAE7FA26EF
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1972
    - C:\Users\Admin\AppData\Local\Temp\_abp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_abp.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:1916
      - C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        PID:2276
      - C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
        PID:1776
      - C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        PID:1280
      - C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
        PID:2116
      - C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
        PID:1516
    - C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\system32\notepad.exe"
      - System Location Discovery: System Language Discovery
      PID:2224
  - C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
    Command line: Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2152
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\__t7427.tmp.bat
      - System Location Discovery: System Language Discovery
      PID:1696
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\__t1E2C.tmp.bat
      - System Location Discovery: System Language Discovery
      PID:1356
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\tmp1E3C.tmp.bat
      - System Location Discovery: System Language Discovery
      PID:2468
  - C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
    Command line: Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2976
    - C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
      Command line: "C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe" g
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:1324
    - C:\Windows\SysWOW64\shell.exe
      Command line: "C:\Windows\system32\shell.exe" "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:592
    - C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Sets desktop wallpaper using registry
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies data under HKEY_USERS
      - Modifies registry class
      PID:2416
      - C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID:1756
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        - System Location Discovery: System Language Discovery
        - Interacts with shadow copies
        PID:3068
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        - System Location Discovery: System Language Discovery
        - Interacts with shadow copies
        PID:592
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        - System Location Discovery: System Language Discovery
        - Interacts with shadow copies
        PID:1616
      - C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        PID:1452
      - C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
        - System Location Discovery: System Language Discovery
        PID:1540
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /DELETE /TN /F "N0mFUQoa"
        - System Location Discovery: System Language Discovery
        PID:2112
      - C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f16184093.vbs"
        - System Location Discovery: System Language Discovery
        PID:2580
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f252888.vbs"
      - System Location Discovery: System Language Discovery
      PID:2028
  - C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe
    Command line: Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:1848
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
  - System Location Discovery: System Language Discovery
  PID:1192
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1692
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Browser Extensions (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (13)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif
Filesize4KB
MD54abeb2bfd1babab9f1ccbd7669b26a51
SHA1e1692a7af981d3d4cbe18793afba8488f5878e0e
SHA2568593a71c727d065a091ccf50f6e12d8e3422bd8482c987d55c69f965f47704b5
SHA512e4386e114e6c06cfc6a5cd87e74eab49daf05c2ccb3ff8e67c88b74c1d032fd0d2f16a017aefa93400361e86733680e707b74064723bf0fdf9d7780797b604ab
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePageBlank.gif
Filesize19KB
MD580dd35cdaf8d5288afe750a7c81cab95
SHA16aa4c2f4725f6529e2e94491701e35f507999683
SHA256a10ca1f6a4638c86599614f78796f0d19daaf6c0d067818f4380fc7e9bc3fbc3
SHA5125368ba868ec371f794f6506b114ed6fd52695042d5f8dce6b68148307eadc536fac3eed8e022c6dd3a610a9ee51d38339d798d9a1ab201222a0bc932db30d1a2
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_GreenTea.gif
Filesize21KB
MD5306409d4c2502cb7daf296094f248019
SHA15f7bf343cbb4be7ae25ef4430838f893271ec62d
SHA256a7b5aaf02f83431c932813e13b632411949c1cb1b43855da48041faa721ceedd
SHA51223c1e02c574bc0c3104555637793fdddc83996ba90f2013bf419e67598c6109330befbfb860ce9443bc1949c1d793e444d73eb48e8ccf8fe1b64a0b1548358d2
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_LightSpirit.gif
Filesize8KB
MD58f334c5edadd299b8f668928585dbdf4
SHA179c72e8f2494afffe0c019c540aeed72693c2733
SHA2562c5d6c044aa3971edfaea58cdb11d1ad97424846b5078a3a3b659472ec012988
SHA5128452b64545f451116c9bdd1cb8841df8eadfc078ea185a6f8d476aefbe68b878f6abe91e33fff16271eee3a5ffa42b35bf62542952ff2d34060fe6243e1eb092
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_OliveGreen.gif
Filesize15KB
MD5a04c9e5f50f03edb59a997efa3a3d7ee
SHA13db5fafafb70b0093b46bdb5479ec999a57e85bd
SHA256aa8bb5c389e95131b7a8f7a3583d5abcec3872ce23cf9ccb169457c690746086
SHA51297c8b6c7421aa4271e151682531e2312e146aab81aab5fae5215b6a67c320e14cf4c20e41d29b4301eaa314a4fbc7ab526d6a92abf8138e5bce3797a9190cf7f
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif
Filesize6KB
MD5950f66bfa8a8620e46ef7dbe035a2760
SHA18ca2584eb8baa9ef0c76509037680b981bc5e65e
SHA256f736714bd1817ec67cc3673c905e484a6b05a2f45da6f6995b0bc620c4b813ac
SHA512a1cf1e9f06423db54c66384ec3d185148eede3eea43a4d7eedd3db0b039cf9412670436a7b55cc619fbb726c2eb087d1cdaae66d7c428cbf529d265e2baec08e
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_SlateBlue.gif
Filesize20KB
MD56e98393a66e758c7c60e9cdc8e107a9d
SHA14f531b327d9b95b8ad69f1d904066c9312ad3bdb
SHA256d03a74778f24be3392ecad9d327baf74d345be07870208ba1a0915bd7a191387
SHA51227f4fbb68b6a01587906bd5a296d39fe99fb3631984a33bfad399b3818659fc88ca1747bddb88e4d031bcab71f92f3b5d45e464dd33d0365413160939c1f91ae
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_TexturedBlue.gif
Filesize6KB
MD528bd5f44f00db6f4f7f3ab6d611bf218
SHA18e9e9dbc19569e7130ab99b66edf7cff5d81c007
SHA256195caa8a45a2508604dcb691f8a44e16995c844b5fe17ab7a6952a386a59c4e1
SHA5128e34afca638f67818cec3d78043ae3bed5dba66e71908d78e6dcd54b605b61f15f2c486f770b5f7d801d53e3079d2a257f496181b9306e2c541ea6e8a45e000e
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif
Filesize15KB
MD51d3578e44821bd6622f2384d27a96a89
SHA125e164801f77ddb707560184c4fc876897c4488f
SHA256eeec4c224076224180a692af4c21247e776a5c2f6ca2fa332a3fdac81b21d044
SHA5123d2e2a0e06bb597c75956a5e4e8c919f45b0133a626cedb64ec88eb53884b053f7473104fa2965d220bfd68b870b359f26086377dcf8569ddf05620dc7286bc3
-
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml
Filesize247KB
MD5dc400b7cee75f5c8fd9561a732d474d3
SHA1db7063448759c5cdd1371a870b4149bbac2fc2f5
SHA2562e65dc65c85097ba4d562dfedbdb967358d6ff5b5d503069c5f21ed080e9968d
SHA512692d21e16b99c935401dfc781d3a4f8e6aa325b968862eb2231c35e62267f6d33306be4843d99a9870db336c4d53a3b18415241c00a5f51c0475b03ebe674940
-
Filesize
109KB
MD5bb13b30c0a78449be80c4f6131bf6568
SHA1cdd1aee1e708de337281e8dee387e2cee243cad5
SHA256c99abe82ca5c0d3ec12bb736dd630885d289705cb3c2cc0c6d2b95390ea897b1
SHA512aaf8d9eafb62d5950b7879f96822e0445e466c05e3115e0550cf2740083f48c11850c3919ff98a7db4f6df2571cac796114de90683667de2c35b36817b6cde8d
-
Filesize
173KB
MD57c89ba7772aeb40dfc3e3b232de653b3
SHA1b602b4004ca940089277122fc333d6ff71cbfef5
SHA256a46234178c1a446eb5f6e94152e8867703a83f9c08e1d7463dd77f847a0943d5
SHA512cf84ed9f4d33fbae8ddd071b8b13bed62fe0189990deb56c2207f79c4c7d4dbb21cb8efc254c8dea4bd07e3736b28d31dc6be479bcee5796c0d5e69ec46010c4
-
Filesize
810KB
MD5885ce1d422a09f5d1b4aedf8a9a75a92
SHA1e5ac638811376792871bc2d6602827154d3b146b
SHA25608fee4a2494f60cfbeb69875a65d734c34379b371cc8f0d4487368585d08f5be
SHA512650eb07aa8a57150f1f5293e9c3001edfaf882dba06d9e89b63e6bea64630e57a9a6e03624f0636bef4f86e91d47bcb1d2d65ec5c0dffa2f6064641217a955fa
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA
Filesize7KB
MD5f23292d63b2de82817ae866a2b958142
SHA1c347c2bcec493c2fa4f6e2900a4c7dc0392416c7
SHA25636fa262ce0ce9e297e0e6f15c87c9009b3d45a71b92cac5b562f006d0d254c1c
SHA512093ab5702a1e3a784c9d32fd81827bdf4a5443afd9660909921305c958092ff0136dd6ea9c8658eeecf23d56443e5416b8ee62cdd1066ee3488a3107c208de41
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD54db013ee2fd002b2e410e89fad043383
SHA123b95ab96c5d01121e1bd34de9bbcc22137577c5
SHA25698e87b32d95611a6a26ffce18e9779ffc5df136df960fdc14b560743750e0df2
SHA51251ed224975aa96e8cd0fc09a0a83a36a7fe48b29eb3e7e866424223a8ac868021460f27eac0caddf892841d924f5a292a495c67e91baee5a3f59af0907664c93
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA
Filesize7KB
MD5d93b8b4d17a5597e7d5b407477e0faa9
SHA141769f4483c3c8014a83f55a54ae234b49969773
SHA2566062fcf0fe2c30fbe6e4b080453d52a19be1de580d8007ac33d2e355cadd6fc9
SHA51252955d8e1c02a3afbb18394d4c05da5b301335db57f77754ed855ee5aef15131c939add1c9e436e216b5b24baeedd7983cb73981f03718dd0a95f6af3b52a562
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html
Filesize12KB
MD57fbaf56b7a668c7e9d2d6f2ebfbe6556
SHA13bd1d0d7c039c76534cacf2569c051966fbacc09
SHA256d953d7d98bb5c57caef944cc4f03e147a98fd50ff27f68a0873fd6ecc7e27009
SHA5129538bbca02cb705b1609f3a0fda0e48ed13905608a7d5b8bed7f7f02bb3b936b386b376a2ffa87f44577c7be5e17c2f514780e43aac01a6cba22d30cdf730e4a
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html
Filesize8KB
MD59b0e98050719a89de81f366bb55697ab
SHA109e2eeb263ffa097e1fa413eac1f5326a9562f82
SHA256e295099f54098b4ea8e3e75ff9009ddbddc68889e02c79104ee656b1f9e0f10b
SHA51278f0954413c36ec8d0875c63aea30741d6cf53c3eaf76c81efc9d931dc1de241dc08a8d20a69684fb1a30412dfe24e50b29f648ee475dcc364a05985764ac10a
-
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
Filesize148KB
MD5205c1530c5dae9b448b8c8c7a17efaca
SHA1d6418901428a0703f7503d96bede66d84de65846
SHA2567f3f63f413b9fc1d42913442de4fe0f2c37225ed65df0e8df87f376ca87df591
SHA512c86624fcf2970328a8b0a897d62edf69090b8fdbe5d20a2c7d448597a838c1cb82fd4165a2efc1d8aea28f6bc28be273dc096f59262e0f65cdfb57dc532b16a1
-
Filesize
120KB
MD5fb73795f4e9b22f4d95ff48479ab70cb
SHA19ca3680a2c45060e46f2920a21393ea9ec2f84fd
SHA256acdfdc552039fa4b0c9db53b671c5645ed201f9f97bb3b2adb30bf6639379126
SHA51282546aeefe83e224ec0bb407a31cfa02a970e2dc194efe2b65c7a8bc2ee119c31f84e4b58d35b5905d451adce0ceb36a7da4390135b5c0de6766554f33d3e40f
-
Filesize
240KB
MD5aa41ebdb2f246d6b6a7561928dc0f8d2
SHA16a99c8461d339ecc450a703b5ca2ab9f394453f2
SHA256cfc58e3ac4189ea60a3cdce2ef125d99e179687d12dd6dbd81e293fef10d5536
SHA512d436e46384a9478400d326f03c21b2bb7cf76fd837103ecb3d45dae5105560a333b4d3ea8577ce8e14871bed98c123e95572ffeb04e77479a63c2ba2aee025d6
-
Filesize
1KB
MD548dd6cae43ce26b992c35799fcd76898
SHA18e600544df0250da7d634599ce6ee50da11c0355
SHA2567bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31
-
Filesize
221KB
MD56458a93628a22a308c61d8aafa260922
SHA1b10cc706b7063809b876d9000bb35e34aa83f3b8
SHA2560a9a6dcd92ea82a9b6a5c4338676c24ffded15636c8427ba673a702954494fb9
SHA512bddac4b723e4a28f79b67c13646187dee9bc64f035508d48bc086c1ef6a36bd8e6342482eb62be6bc6e507307ca77dc0c7060975548ab6aaeaa3cbfd0a7205d4
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
445B
MD532d8f7a3d0c796cee45f64b63c1cca38
SHA1d58466430a2bba8641bd92c880557379e25b140c
SHA2561a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea
SHA512288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698
-
Filesize
43KB
MD56835491cda09b26ad7098a4d13da97de
SHA189d2bcb55eb452b3a0abf3f08aee8640e91df47d
SHA25662f835061c53ed4b0fe384c84c56d67f7d683e94430ffcca1fc3a2def1fc1d49
SHA512f4a67839f7de646c502d53fa67ae6e34bc2fdf1b25c648d0f27c86871ee9c078abdbd5d4c6d83be5776a4325c6277bac9f7e76094c93fb5f520f419fd224cedd
-
Filesize
668B
MD595a7bba664ed9a0977187e9a9ce24e14
SHA1adb039fb787b357db3eeaa315095acc59fdeec65
SHA256e2e408d8cff36387afe7d10ca25d728461e99a967f20817b0519714f740153b3
SHA512f0ea4dce8b2a4b9b111d15a0609eb395d6efe8f7f81ebbe749ca22807b004b9f4e991e18f696c4edc51bd76be8bae1891a83cca5ceddf748ad9f06a6dd84e0df
-
Filesize
761B
MD5c6b266dd0054e23ea4427baefefd762d
SHA1cc264765453179cb4c5626bd7d1de83b64e57f98
SHA25633226f6746bc0aebab86f0dc6dfacd4c0607f52dbaabb9d5bd838ad490b17ded
SHA51220c4331af41d9c98a947f4ebdb3a5addab3a205f60b3e958ede63f9d34f40dcc42fd0360b31a0e39a907864cf5f40d076fda32d0b7aedd341110a67673044986
-
Filesize
405B
MD552c7d4f16467e3c621fbdf10455fe4c2
SHA1b014f1a8d53423d04d242f1b1d7c61cb0d385555
SHA25695e4fff2a552bc229fc7b6f7276c934a239463cdd37c371b2c8451153312f2e7
SHA51253fbeb0cfc91639557e6f39dc9ff4fd8bdabb149a4131b8c402b3b092ed8d2c59bae6f576175ace8692465c3d563d1c7e896dc67fb2c8a5093d0db5928308de0
-
Filesize
751KB
MD54f43f03783f9789f804dcf9b9474fa6d
SHA1492d4a4a74099074e26b5dffd0d15434009ccfd9
SHA25619ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
SHA512645c2f0a1342732b86a45403fb8b1343bcc18c015c9918d2edf118bbb210fead98aa21f1b66ac5faabd0542583d74e158fbac6d5f0d49827f4eeb58c8ebafd6d
-
Filesize
351B
MD53cc1d316d6e45fa8831eb3b3836bebb5
SHA186d4a75b3099aa6b614e60f31a8a52089d8701c5
SHA256e0a78789bb6c2d58a2bf5900981894afe4ddb284d81428ca538b3b969887869d
SHA512785d4c4d7760cbeafcc65b4f5cae8ad693ddaec62aec3f23b06588a7c6830f8f45933a6cb30da0908ef97681afef03377a7219063a48562b42637f3c4003e6b5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
Filesize87B
MD5b2d6dfebf17bd825f5b31fca23a7548e
SHA15305a4abf9af0252fecd9b767139b744e188d861
SHA256246010b68ee68ef3d435522f2e62ce03e5515d52868621f3d2f41d1f669021fb
SHA512afbc19ff0e9f5da3a90081cea0e131057f8ddafe85507a14e410969b893192d6dadfb7ec59498c1c1cc6a58d4f2f9779937811c57c3203d1d0b69a7be2cadd2c
-
Filesize
72B
MD594600cac1843d2494ca5b2cc3aaeb653
SHA1f11d7a5d92e7fe4d15f8b69d44325559964d4e5c
SHA256786c98975ce7dca5ad19e6e72918df020ec2c4501f7fae0c03999d4230d5d8dc
SHA512082e34e5f526e26c3125beb8764ff59e9cd4d96a5232df54fff3679410fc85d677fa72d3b34e1d036774f81289528f56097456b59be16a19c6a8861824e2bd4a
-
Filesize
99KB
MD5d6d08d6e86278ba2600c725877e1421f
SHA1368f66df52857324399c7f396647d247a0346aa7
SHA2560aa0cb7bae5f345c0e09d66dba46c937133479d6b83e39e96d3d5df253beb992
SHA512d893a44846a2bc8c95f51a228876b8a0c187a3da5861a5bcde6c3249edcfb8b4c396d793282d244be4972eb061c17c666e209af3f2155d9a864dbe52cebe6e24
-
C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
Filesize1.0MB
MD5a6bc42736184b6bed03412a0e4bd9887
SHA1ef66c8da6c57973b95089e784090f5b796bba0fd
SHA2568b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa
SHA512ad0d0afc9da22894ded208906052d78e73fb47c176a42b2a0d46885d2ecdfda0b98741ed524c54e3dd3a2cc86ab8f92e32fc82a4273b53c101e545ffc73dcc65
-
C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe
Filesize1.1MB
MD53b68419edc75a61123052b0fdcc6ee91
SHA11ea34642c76f12515cb793a4a568b3e6513d7102
SHA256f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c
SHA5121fd09061730993bc088535d8dfe4a013b892b1901a0ed7d8443436051f4ebcca48a8f1e1a7e03f0a6a29d7482448401b40aa601d248525804c7d79968e49d6fa
-
C:\Users\Admin\Desktop\00351\Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
Filesize286KB
MD56b23411b04cca289eb80cce4bebceab3
SHA133b91645de1472a11cf002fc908f7239dc5f41df
SHA25638f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c
SHA5123cbb6f1de4d69d455c8a51de0d6ebbd409965f3a44a33a2446e01d90d44b94fd8779c7df5aeebb796b8b339f7d1a88a36cbeedf120e4157798badd93413812a8
-
C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
Filesize272KB
MD5a0129992151a3b73686b303e29a76c45
SHA1b55075f0c8b9480c920a9776094402e43d18115f
SHA2569071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816
SHA512f954f5ca901d831ae3e354592826e54ac9bd262132e854ea74eaf481b88f03935cec9c9a5c5a74158d90c52db4e3142eb9b194049b5cb04eb13a9b057ea5bd28
-
C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
Filesize4.9MB
MD5f92b82654eca13a854b8ab20d66a5bff
SHA14549a655205d63e02b564cae35d20b03c3c6a6fb
SHA256d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647
SHA512d43db57d2c90a2137f75e3341a85bb84c92b0b83d18000aa0caae3b49944b6ad1adfd04951bb58c77f0f6762b8034ff7a357654b4d2ce8cd08c980ccc88cf127
-
C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
Filesize843KB
MD5cd68b02b75b54c1b001652aee976ea9c
SHA182c1541a91c4459f14d2f34e6277c799f794a5c6
SHA2568d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217
SHA51239a1adecd58221a6f4e35616894990a3de0e7bac9603b71b8277615fe231bf51cb8aebae0f48c94de8c080ad0e9a3606eb3e11b72d9cec212da7ad9a517f744a
-
C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe
Filesize1.8MB
MD5104ecbc2746702fa6ecd4562a867e7fb
SHA105cf385b36cf22f10c0cd758d71cdcb228cca2a4
SHA256a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39
SHA51202698abb7cbfb0c4596d8b487d9808c3a0746606999892d49d5250412cb96f971b33b8f233e7a1e465b08ddef47fa011ac463085f5247a9ecf5cda9b3c18002f
-
C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
Filesize113KB
MD5783170ccbea4de7bc971ce4cf7922c0d
SHA1b8bdbbcfb89ab7816aa5066c1ddde64192936fc5
SHA256713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22
SHA512686f223ca866be2c35bdad4fd933d53b23f761eb43c2160ce91336c424e78aeb40b28cfca018ffe47459598c1a668f5b0744f85da6e7acabe530276023060be1
-
C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
Filesize556KB
MD5840b42c45e9b428243726b6ccf0e7a03
SHA1a4cfd15123d07fcf2c8c4c4deb2cf632deb1e3e2
SHA256b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c
SHA5125bf2f1c268f0ccbe2f79764adbc79974ffc176f997850030232d310b1660f63c298e62919c2d1327087fdb7b1166128ef8301c7e79de579bf650ce6a474483b6
-
C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe
Filesize1.4MB
MD54c6f64715df65201b347a48ac66d3daa
SHA12c4ff72e0f17af6dad7146a2f9de06e1187e0b69
SHA256414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2
SHA51264b3b78a5a22eac66ad73954870e8beb620815735b6c3554c65965c913679d0d78fdc9d5403038101ed1f8a6934cff8377ade62985c839d3ff980a15d1392e6d
-
Filesize
99KB
MD5d9c45af171af1ab4c7a8d311edb2ee15
SHA184ce41a16a004afcdcd701b9ae00967b0d2ef743
SHA256a2c258011afd79770283e16d869cd013118e911eef172f1d5bd19c762df21de4
SHA5123d702db4c4754d87e968407c68bbc2cd162e3b5f1a077016165a7d963cc9e74d7cf02d7ab241d64a7dc3a7f58d98cb01e6602a6fd88c3bc71b8f837928557943
-
Filesize
60B
MD545ee65160e3cb47f0311f4b7e849707f
SHA19e6d82d867e253608a4c28a514fafe546af9717a
SHA256ba0da86a2e60927d69a122e197d294e6f68229d464a2ded7ee625c80b8d9bf7f
SHA51280ea9d88269e1d50a3aed817677981623e4af6de1b806243fd8963a44ec54af7251f248cbba888e0d65950a7ba000527b138a52597ec980a97ff2e121e27f3c0
-
Filesize
60B
MD5312596150fc107fca559ff953658d085
SHA1d3dc4a642cb6106fa513a3b09f7a3547c0e9af9c
SHA2566616a6455cfc6364e1c5183c216189b678e8fc250ebed8b7e7ca76a0ca05c63f
SHA5122aeeadb9ef19b1979acd546b2e2f95afbac183f0f30ef5e239f4f8a844cd7c2da6298a60d10a4441adaf08f5daa892c0f3a03fb2c2bb1f7c006efff4b4b2d65d
-
Filesize
57B
MD528352960bc51bf67ae42318a41f8d854
SHA1fe3ef5c1ec01cd4dfe0006bfd5eb92710975c206
SHA25673be7f6e83d889b4dfe020edffbe27fb0450a9691a9897dbf619eeb3528e2534
SHA512f705474054dcb8b28579c390447abf0beea2d63e70015954b355cfb96ae8c4f3f9cf1900f0bbcf77ff7752ff7738e510a3b41464cc98bcb7cd79484bfa7665c1
-
Filesize
61B
MD5f6dc30bef9346c8c58dec7c0d27610dc
SHA14b2909e22c63959c1e002517e5703d405e159c1d
SHA256f6a741f1fbd0c65c2aca8d8cb9f4263ea48273b564ccf70bf81b1aa27a568113
SHA5120d2bda2e9b20813a7e07b95f99afd0ea5d4f318d9ff9c977bb53f4b9039c1579d4f20b55f4ece72e3cddb95c5a3bf8f8831bf385a05d675319d6e33f77b1c84c
-
Filesize
58B
MD516b4228b1a50537d01a0edfffae09640
SHA16a1d8b3aa543b08665a2626961b08446d73ce340
SHA256f3a4c30bc18df166c10d7f6ab0cd95876f51ef2c78fa636611731b0a3af1694a
SHA5120ecb5bda952e50a90fb89ef501febe55841079911272cc721acea9acea8d914e866358e06266ea4ec0ad50de910c935c0a5be1d4af21003d97be3419c45cfd8e
-
Filesize
56B
MD584cfdc8c3d828ea1827caba7a0460e26
SHA1424922a9e79e00aea3fee2f7f25a70f261ff216d
SHA256fdfb073210de5f026a8b8e518d21e7fc7812d4220f2872881e897bf9e078676a
SHA5126456e91a084b700ca5b3bbf52c8752cae7cde3cb7a6876b2406e3e6bb60de31f8dbe56737d229cb43af21b721839dd0d2be23a4ee6c154c0f04319a7ff2e2a45
-
Filesize
57B
MD5cf907c6ebbd5f94e5d8ca7b5bb172e0f
SHA1197a1fedb77c52d427fc05a33a8cdff2e2a4ce6b
SHA256a4ff88dfa1448c5871457c3be919e17465309c62e607236affe21ff26bbe01ea
SHA5122450765f916e3908d5ce8b08ea415857c26e5dfff6c140b4c47ba5f0841ccbdd74bc2eab9b1047c3a82c9ccf845549d92d8d312a88c882225d5ffb5c3ef5d7cc
-
Filesize
58B
MD5960845b82ee1674aea14a7bf196aa4e3
SHA13a2b25494524c7dd468475f000bab8922f2727e0
SHA2566b6117940fd0827097807d8f0480769d3327db00e7d84418eeb64c2d2fdd1a9e
SHA512abfe32b34c3c6274ac6e809d95ce71b9c22b3e1c91fde72f01d834b1b6cde1bed813c81c9d2a952583e1c820b61333b93b356ae4267a8b14ddf74d2b4b819d6a
-
Filesize
57B
MD5b1ebe7a844ad9d3f4979f7da9bb8dc0d
SHA1a2ce3e605320d09ca241f6717f8aae7f9fdd07bf
SHA25645f857aaad0ccd8e0b89191c88ebeae04d2db04c99a6542c965f0259b8fa71de
SHA512a43f410614096dc144b6701d610d7f626a3ba93908caf0cf3b96fe88436c5aa71a835e89fc49e09c18bfcd68ea322cd8a87084171055ffe33f03676fe209235f
-
Filesize
57B
MD546ec266f223b77a33d3b4af4169a0268
SHA1405bff4f2a2fca0cb15c1719cb596bb38c47ab27
SHA256dca0c42850a48a165ca80e69a851dfff0480154c392f011a549d37765922cfa7
SHA5123763c958a37c75c5b83b647c8fa29754d2cfedccd9bfe939df333295833e368eea39321dee2d68aba8b7add3e89ddee80f5c74ede59bc69a025b9a377b7faef8
-
Filesize
4KB
MD57ff4b8f3a04b8761f4aab8f442d7d96b
SHA169e9ce5b8907c9b3c8414c633531a451fdfdaa28
SHA25680f3764412cf53b59abf3765b0530978cc8e6d557b8d75b47412b2d443608a8b
SHA51276c4ce04f19eba57f90505b5573a1b71503245d9b6f05b9fd4e2564fe07f06acfae4dcca8b70f7a01d9c5c53991a68b558a4dda5f6af04246884385ca59f1f8a
-
Filesize
272KB
MD509369cda8bf691f4231e000aa0ef6955
SHA189b2415a1d0b34870f4313c2a0c56985962ccb84
SHA2561613ca737eeb6a19b47967b65fc80f2a10bec326fec0a363566369dc5fcaf16b
SHA512a8b9f1a5122df444dba35b0fb42e535487beb3682898ca06a3bbd115dc69a7c168322667cbc4a0c02067d99f22c0d8180b07c1ebab2a048806f658d8fb6d28d7
-
Filesize
272KB
MD599c09ec87502d3a02f842fbba0e2469d
SHA17dcd6b6d8d719961c38b6d044aacc7cd0c0ce272
SHA256828c8f9731ae687d5ab47efd15ec09adc0688a2f95fa89a0722f83b1d184efc9
SHA512a9f0ad86419b2fa0f3ca7b4243372448594889eca00fbe981f954c9c345eec1b3eda99e018834962c61a6d02a07253936fffa0483d0b126f54e584b83576a302
-
Filesize
272KB
MD5615983470bc5dc68996ef9369052a145
SHA1d017c3715da952850274d59948482371f8f93eb1
SHA256a0582f7a6302eebeca3120414fa30f54499307e66bee119112d83f49633626e7
SHA512902ba55ba4d6cc0e8d3fae379ae3394f7db9edad2042b4232e0583aabf2f4c03c58658256d68347b1a1f02afab2bd9e13b690fe3403bc426c875f25e9465b578
-
Filesize
8KB
MD56cc4c6acfc8fb3cf5e68b3d6da790b97
SHA1e90fdca1187426fda0f66e90ae27e284cbf0b7e2
SHA256e71ebbf4e8e320a34b4215b51d669581dfc37cb4b52646bf67ceb75e114223aa
SHA512acd9204793be1efedd9fdd78db9fa5d24f1fff6c4b4ba4b5dc306238c07a86e7756c7b1fd2d1bc2f9d5f925f846f1e77e5d83e809e0e6ead13b4b5678b6483d2
-
Filesize
36KB
MD53c0d740347b0362331c882c2dee96dbf
SHA18350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
SHA512a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f
-
Filesize
277KB
MD5d9c37b937ffde812ae15de885913e101
SHA1ed1cd9e086923797fe2e5fe8ff19685bd2a40072
SHA256f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936
SHA512164f45f3f8336ab450e119c716c30168c8115d5bdac7d220ea6f98a6889eee045092d163e54c2851a378a5d4877e913a342333c8bd0ab5615e34c40ca75e2877
-
Filesize
272KB
MD5398b48de06a92b8dbb6044b3db357a7b
SHA14cc113f84891c2c0f9f005efc6843e61f037490d
SHA2564e3ffe4cb0793d5d4d608caccc60b3d7ac12ad3e062b1077c25cdbf2f2ccd734
SHA512772a5757dc580eb25c89f3a6afc840db46e0d4ca554508c4b8684f361ca60e296722422e4966626a984a9ac888e6dd3cda982edf8576646e298372584f4abe61