Analysis
max time kernel: 40s
max time network: 241s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 10-11-2024 15:48
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00348.7z
Resource: win7-20241023-en
General
Target: RNSM00348.7z
Size: 8.1MB
MD5: 74af02587adf272cdd45bbcccd66da4a
SHA1: cf4703a38ea02d566a3cd5f42e8d1944ede47fab
SHA256: 1268b4063016174364afe89680b40b35aab7b1908b72edec7a5138cd3ac69763
SHA512: 9c4011e17862e9daaffeaf75c1e315cbeb1da5723219bd691fab4ccdb69e9ab91fd9a066c2de31122b2447f6176e5278789ab2999f73253b96427addec320d45
SSDEEP: 196608:/oMxaBJTA6Xn8nhZl4RMb8LUszeS8JNoE+Pq5GwA8d9q:AMQbTrXnIGgUeFow59q
Malware Config
Extracted
C:\Users\Admin\Music\!HELP_SOS.hta
http://'+s.bp
http://'+s.bp+s.txp+tx
Signatures
Rms family
Contacts a large (7704) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Creates new service(s) 2 TTPs
ACProtect 1.3x - 1.4x DLL software 4 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x00050000000199c8-190.dat | acprotect
behavioral1/files/0x0005000000019719-189.dat | acprotect
behavioral1/files/0x00050000000196c3-188.dat | acprotect
behavioral1/files/0x0005000000019683-187.dat | acprotect
Executes dropped EXE 6 IoCs
pid | Process
1392 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
2696 | Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
2712 | Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe
2772 | Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
2760 | VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
2816 | Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
Loads dropped DLL 3 IoCs
pid | Process
2712 | Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe (x2)
2760 | VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\fluorochrome = "C:\\Users\\Admin\\AppData\\Roaming\\fluorochrome.exe" | Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
Power Settings 1 TTPs 2 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
2620 | powercfg.exe
1272 | powercfg.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
2036 | tasklist.exe
UPX packed file 17 IoCs
resource | yara_rule
behavioral1/memory/2816-123-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/2816-122-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/2816-121-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/2816-124-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/2816-125-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/memory/2816-128-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral1/files/0x00050000000199c8-190.dat | upx
behavioral1/files/0x0005000000019719-189.dat | upx
behavioral1/files/0x00050000000196c3-188.dat | upx
behavioral1/files/0x0005000000019683-187.dat | upx
behavioral1/files/0x000500000001962f-185.dat | upx
behavioral1/memory/2612-1256-0x0000000000400000-0x00000000009DC000-memory.dmp | upx
behavioral1/memory/1772-1257-0x0000000000400000-0x00000000009DC000-memory.dmp | upx
behavioral1/memory/1776-1266-0x0000000000400000-0x00000000009DC000-memory.dmp | upx
behavioral1/memory/1776-1268-0x0000000000400000-0x00000000009DC000-memory.dmp | upx
behavioral1/memory/2612-1273-0x0000000000400000-0x00000000009DC000-memory.dmp | upx
behavioral1/memory/1772-1275-0x0000000000400000-0x00000000009DC000-memory.dmp | upx
Launches sc.exe 18 IoCs
Sc.exe is a Windows utility to control services on the system.
Process: sc.exe; pids: 2720, 2080, 1520, 484, 1780, 1304, 2568, 2940, 620, 840, 2584, 2776, 2448, 2736, 928, 2424, 2492, 912
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Process: PING.EXE; pids: 2824, 968, 3052, 3044, 2780
NSIS installer 4 IoCs
resource | yara_rule
behavioral1/files/0x00060000000186f4-17.dat | nsis_installer_1
behavioral1/files/0x00060000000186f4-17.dat | nsis_installer_2
behavioral1/files/0x00070000000193c4-25.dat | nsis_installer_1
behavioral1/files/0x00070000000193c4-25.dat | nsis_installer_2
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
2948 | ipconfig.exe
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe; pids: 2096, 1664, 2188
Kills process with taskkill 23 IoCs
Process: taskkill.exe; pids: 1008, 2248, 1008, 1752, 1300, 1304, 1912, 868, 1160, 3028, 2964, 2096, 1348, 2876, 596, 2936, 2360, 2976, 1764, 1780, 2636, 1296, 2244
Runs .reg file with regedit 1 IoCs
pid | Process
3048 | regedit.exe
Runs net.exe
Runs ping.exe 1 TTPs 5 IoCs
Process: PING.EXE; pids: 2824, 968, 3052, 3044, 2780
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe; pids: 2164, 3016
Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
pid | Process
1392 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
2696 | Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
2712 | Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe
2772 | Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
2816 | Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
2760 | VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid | Process
2932 | taskmgr.exe (x35)
2712 | Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe (x6)
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeRestorePrivilege | 1736 | 7zFM.exe
Token: 35 | 1736 | 7zFM.exe
Token: SeSecurityPrivilege | 1736 | 7zFM.exe
Token: SeDebugPrivilege | 2932 | taskmgr.exe
Token: SeDebugPrivilege | 2712 | Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe (x2)
Suspicious use of FindShellTrayWindow 50 IoCs
pid | Process
1736 | 7zFM.exe (x2)
2932 | taskmgr.exe (x47)
2696 | Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
Suspicious use of SendNotifyMessage 46 IoCs
pid | Process
2932 | taskmgr.exe (x46)
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
2816 | Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2796 wrote to memory of 1392 | 2796 | cmd.exe | 36 (x4)
PID 2796 wrote to memory of 2696 | 2796 | cmd.exe | 37 (x4)
PID 2796 wrote to memory of 2712 | 2796 | cmd.exe | 38 (x4)
PID 2796 wrote to memory of 2772 | 2796 | cmd.exe | 39 (x4)
PID 2796 wrote to memory of 2816 | 2796 | cmd.exe | 40 (x4)
PID 2796 wrote to memory of 2760 | 2796 | cmd.exe | 41 (x4)
Views/modifies file attributes 1 TTPs 5 IoCs
Process: attrib.exe; pids: 1956, 1668, 892, 2536, 1580
Processes
(Indentation shows the parent/child depth of the process tree; each entry gives the PID, the image path, the command line and the signatures matched.)
PID 1736  C:\Program Files\7-Zip\7zFM.exe
  cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00348.7z"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
PID 2932  C:\Windows\system32\taskmgr.exe
  cmd: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
PID 2796  C:\Windows\System32\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  PID 1392  C:\Users\Admin\Desktop\00348\HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
    cmd: HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID 2196  C:\Users\Admin\Desktop\00348\HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
      cmd: "HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe"
  PID 2696  C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
    cmd: Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of FindShellTrayWindow
    PID 1332  C:\Windows\SysWOW64\msiexec.exe
      cmd: C:\Windows\SysWOW64\msiexec.exe
      PID 2276  C:\Windows\SysWOW64\msiexec.exe
        cmd: C:\Windows\SysWOW64\msiexec.exe
  PID 2712  C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe
    cmd: Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID 2164  C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\system32\schtasks.exe" /Create /XML "C:\ProgramData\softenza.xml" /TN "softenza" /F
      - Scheduled Task/Job: Scheduled Task
    PID 2584  C:\Windows\SysWOW64\sc.exe
      cmd: "C:\Windows\system32\sc.exe" create "SysdService" binpath= "C:\ProgramData\WindowsDriverFoundation\mqsvcss.exe" DisplayName= "System Driver Foundation - System-Mode Driver Framework." type= own start= auto
      - Launches sc.exe
    PID 1360  C:\Windows\SysWOW64\wscript.exe
      cmd: "C:\Windows\system32\wscript.exe" C:\ProgramData\setu.vbs
      PID 2064  C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c ""C:\ProgramData\setu.bat" "
        PID 1668  C:\Windows\SysWOW64\attrib.exe
          cmd: ATTRIB -S -R -H C:\ProgramData
          - Views/modifies file attributes
        PID 1012  C:\Windows\SysWOW64\net.exe
          cmd: NET STOP WPCSvc
          PID 1520  C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 STOP WPCSvc
        PID 1064  C:\Windows\SysWOW64\net.exe
          cmd: NET STOP MpsSvc
          PID 2244  C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 STOP MpsSvc
        PID 2372  C:\Windows\SysWOW64\net.exe
          cmd: NET STOP wscsvc
          PID 1604  C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 STOP wscsvc
        PID 1484  C:\Windows\SysWOW64\net.exe
          cmd: NET STOP WinDefend
          PID 1736  C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 STOP WinDefend
        PID 1648  C:\Windows\SysWOW64\net.exe
          cmd: NET STOP "WerSvc"
          PID 288  C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 STOP "WerSvc"
        PID 2720  C:\Windows\SysWOW64\net.exe
          cmd: NET STOP "SharedAccess"
          PID 2808  C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 STOP "SharedAccess"
        PID 2964  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM mcupdate.exe
          - Kills process with taskkill
        PID 1300  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM aswidsagenta.exe
          - Kills process with taskkill
        PID 1304  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM AvastSvc.exe
          - Kills process with taskkill
        PID 1912  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM wsc_proxy.exe
          - Kills process with taskkill
        PID 2096  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM AvastUI.exe
          - Kills process with taskkill
        PID 1348  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM firewall.exe
          - Kills process with taskkill
        PID 2876  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM MSASCui.exe
          - Kills process with taskkill
        PID 2976  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM defense.exe
          - Kills process with taskkill
        PID 1008  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM nod32krn.exe
          - Kills process with taskkill
        PID 868  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM nod32.exe
          - Kills process with taskkill
        PID 1764  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM nod32kui.exe
          - Kills process with taskkill
        PID 1160  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM mcafee.exe
          - Kills process with taskkill
        PID 1780  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM mghtml.exe
          - Kills process with taskkill
        PID 596  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM guard.exe
          - Kills process with taskkill
        PID 2636  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM guarddog.exe
          - Kills process with taskkill
        PID 2936  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM drweb32.exe
          - Kills process with taskkill
        PID 2360  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM dvp95.exe
          - Kills process with taskkill
        PID 2248  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM dvp95_0.exe
          - Kills process with taskkill
        PID 3028  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM rvlkl.exe
          - Kills process with taskkill
        PID 1008  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM rutserv.exe
          - Kills process with taskkill
        PID 1296  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM rfusclient.exe
          - Kills process with taskkill
        PID 2244  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM mqsvcss.exe
          - Kills process with taskkill
        PID 1752  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /T /IM mqssclient.exe
          - Kills process with taskkill
        PID 2176  C:\Windows\SysWOW64\net.exe
          cmd: net users
          PID 2360  C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 users
        PID 2948  C:\Windows\SysWOW64\ipconfig.exe
          cmd: ipconfig /all
          - Gathers network information
        PID 1488  C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks
        PID 2036  C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist
          - Enumerates processes with tasklist
        PID 2420  C:\Windows\SysWOW64\wscript.exe
          cmd: wscript.exe C:\Users\Admin\AppData\Local\Temp\send.vbs
          PID 3048  C:\Windows\SysWOW64\regedit.exe
            cmd: "C:\Windows\System32\regedit.exe" /s C:\ProgramData\se.reg
            - Runs .reg file with regedit
        PID 2080  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "wuauserv" start= disabled
          - Launches sc.exe
        PID 2424  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "WPCSvc" start= disabled
          - Launches sc.exe
        PID 1304  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "MpsSvc" start= disabled
          - Launches sc.exe
        PID 2568  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "wscsvc" start= disabled
          - Launches sc.exe
        PID 2940  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "WinDefend" start= disabled
          - Launches sc.exe
        PID 1520  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "WerSvc" start= disabled
          - Launches sc.exe
        PID 484  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "AdobeFlashPlayerUpdateSvc" start= disabled
          - Launches sc.exe
        PID 1780  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "SkypeUpdate" start= disabled
          - Launches sc.exe
        PID 2776  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "idsvc" start= disabled
          - Launches sc.exe
        PID 2448  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "CscService" start= disabled
          - Launches sc.exe
        PID 2720  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "Spooler" start= disabled
          - Launches sc.exe
        PID 620  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "gupdate" start= disabled
          - Launches sc.exe
        PID 840  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "gupdatem" start= disabled
          - Launches sc.exe
        PID 2492  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "SCardSvr" start= disabled
          - Launches sc.exe
        PID 912  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "BITS" start= disabled
          - Launches sc.exe
        PID 2736  C:\Windows\SysWOW64\sc.exe
          cmd: sc config "PlugPlay" start= auto
          - Launches sc.exe
        PID 2620  C:\Windows\SysWOW64\powercfg.exe
          cmd: POWERCFG -Change -standby-timeout-ac 0
          - Power Settings
        PID 1272  C:\Windows\SysWOW64\powercfg.exe
          cmd: POWERCFG -Change -monitor-timeout-ac 0
          - Power Settings
        PID 2884  C:\Windows\SysWOW64\reg.exe
          cmd: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        PID 2936  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /t Reg_sz /v SmartScreenEnabled /d off /f
        PID 2168  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /t Reg_sz /v SmartScreenEnabled /d off /f
        PID 1640  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v EnableLUA /d 0 /f
        PID 2208  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v EnableLUA /d 0 /f
        PID 1988  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKCU\Software\Policies\Microsoft\Windows\System" /t Reg_dword /v DisableCMD /d 0 /f
        PID 580  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v DisableRegistryTools /d 0 /f
        PID 2896  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v Start /t REG_DWORD /d 0 /f
        PID 2628  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
        PID 2732  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v Start /t REG_DWORD /d 0 /f
        PID 1752  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
        PID 2192  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 2 /f
        PID 2228  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Microsoft\security center" /v AntiVirusDisableNotify /t REG_DWORD /d 1 /f
        PID 2224  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Microsoft\security center" /v AntiVirusOverride /t REG_DWORD /d 4 /f
        PID 544  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Microsoft\security center" /v FirewallDisableNotify /t REG_DWORD /d 1 /f
        PID 2848  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Microsoft\security center" /v FirewallOverride /t REG_DWORD /d 1 /f
        PID 2360  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Microsoft\security center" /v FirstRunDisabled /t REG_DWORD /d 1 /f
        PID 2984  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Microsoft\security center" /v UpdatesDisableNotify /t REG_DWORD /d 1 /f
        PID 1992  C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        PID 928  C:\Windows\SysWOW64\sc.exe
          cmd: sc start SysdService
          - Launches sc.exe
    PID 2576  C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c ""C:\ProgramData\del.bat""
      PID 1956  C:\Windows\SysWOW64\attrib.exe
        cmd: attrib +H +S /S /D "C:\ProgramData\WindowsDriverFoundation\*.*"
        - Views/modifies file attributes
      PID 892  C:\Windows\SysWOW64\attrib.exe
        cmd: attrib +H +S C:\ProgramData\WindowsDriverFoundation
        - Views/modifies file attributes
      PID 2536  C:\Windows\SysWOW64\attrib.exe
        cmd: attrib +H +S C:\ProgramData\softenza.bat
        - Views/modifies file attributes
      PID 1580  C:\Windows\SysWOW64\attrib.exe
        cmd: attrib +H +S C:\ProgramData
        - Views/modifies file attributes
    PID 2636  C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4-selfdel.bat" "
    PID 2416  C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\deldll.bat" "
      PID 2824  C:\Windows\SysWOW64\PING.EXE
        cmd: ping -n 2 -w 1000 127.0.0.1
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
  PID 2772  C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
    cmd: Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID 2872  C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
      cmd: "C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe" g
    PID 3016  C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
      - Scheduled Task/Job: Scheduled Task
    PID 2384  C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
      PID 2704  C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
        cmd: "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
      PID 2096  C:\Windows\SysWOW64\vssadmin.exe
        cmd: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies
      PID 1664  C:\Windows\SysWOW64\vssadmin.exe
        cmd: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies
      PID 2188  C:\Windows\SysWOW64\vssadmin.exe
        cmd: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies
      PID 3048  C:\Windows\SysWOW64\mshta.exe
        cmd: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
      PID 1548  C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
    PID 1032  C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config252888.bat"
      PID 968  C:\Windows\SysWOW64\PING.EXE
        cmd: ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      PID 3052  C:\Windows\SysWOW64\PING.EXE
        cmd: ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      PID 3044  C:\Windows\SysWOW64\PING.EXE
        cmd: ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      PID 2780  C:\Windows\SysWOW64\PING.EXE
        cmd: ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
  PID 2816  C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
    cmd: Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of UnmapMainImage
  PID 2760  C:\Users\Admin\Desktop\00348\VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
    cmd: VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID 1496  C:\Program Files\ShnSoft\ACR122Uд¿¨Èí¼þT\ICtool.exe
      cmd: "C:\Program Files\ShnSoft\ACR122Uд¿¨Èí¼þT\ICtool.exe"
PID 1924  C:\Windows\system32\vssvc.exe
  cmd: C:\Windows\system32\vssvc.exe
PID 836  C:\Windows\SysWOW64\mshta.exe
  cmd: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
PID 1512  C:\Windows\SysWOW64\DllHost.exe
  cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
PID 1784  C:\Windows\system32\AUDIODG.EXE
  cmd: C:\Windows\system32\AUDIODG.EXE 0x1c0
PID 956  C:\ProgramData\WindowsDriverFoundation\mqsvcss.exe
  cmd: C:\ProgramData\WindowsDriverFoundation\mqsvcss.exe
  PID 2612  C:\ProgramData\WindowsDriverFoundation\mqssclient.exe
    cmd: C:\ProgramData\WindowsDriverFoundation\mqssclient.exe
    PID 1776  C:\ProgramData\WindowsDriverFoundation\mqssclient.exe
      cmd: C:\ProgramData\WindowsDriverFoundation\mqssclient.exe /tray
  PID 1772  C:\ProgramData\WindowsDriverFoundation\mqssclient.exe
    cmd: C:\ProgramData\WindowsDriverFoundation\mqssclient.exe /tray
Network
MITRE ATT&CK Enterprise v15
(Number in parentheses is the count of matched signatures per technique.)
Execution
- Command and Scripting Interpreter (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Direct Volume Access (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (1)
Discovery
- Network Service Discovery (2)
- Network Share Discovery (1)
- Process Discovery (1)
- Remote System Discovery (1)
- System Information Discovery (2)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads
-
Filesize
340B
MD547abf04d5f9d010f7444b742edaf4cce
SHA1b9519d1aa633d4e965b57bbf74ec7a5a901156b3
SHA2563ef25214a811673f657333f26454cd3ba510cf3843533a6b8cf95379414fd0c0
SHA51251feba699a87e1da83ce9f15a72e884b7c693b9c3ccd6f60c79b0f4794940b427f467ae485a3f7a12ed7b30aeef665f0ece55e6a65df86d7083bbafea4c48e7e
-
Filesize
7KB
MD53865177f99b6a4f6b1e0bd8a52ed6856
SHA190f8f08c00b90fec8e095ad0a3672bfd4afa8178
SHA256aff433546164fe04b2783ffcaa410ab7930c2a6e2a906f1891c7398af57bacd6
SHA512937075bb1860b88f1ba7b2ee1eecfa796e09053df76ae5e59b2340b08dc47f2d0cefa99476e2e2b02c5c47c60ce00de257f72636980b32084693ef9bd7d0b9b6
-
Filesize
32KB
MD59613f45c1f227d785c889dadcfe054fe
SHA1d7f9cde47ee0a634be9b0506f2211f48791e0d48
SHA256326c424d1df5cf1ee9316d7e557a04f438dad6af19048709f39fbf1303f70d44
SHA5124f5c574b8651f95d4e47401c9235134eadbe66eb860e0bbee9e125fa896a5472cf1c0791d392cd500ba9b78a52f8b262c7c7b969bf758a73bc805848a21ffe5e
-
Filesize
32KB
MD57d4ac22607ed1242460566697f3955c7
SHA13443c88710720b9500d3224f38968581d0a6818b
SHA2563d2d707d0afd9d4ebe0aee2a5ed78fa9c36017973494fa54f9516aa9b9a2602d
SHA51284832e677485454a52e30fcb928d61c135a25ad97c0a5e1f2eecf0e958d94b283cd3db6b5e78a2d21d9771848d312a0841cb6746e35ab172af2d5c3fc0b9c9b0
-
Filesize
1KB
MD50a1802235751f97a0ee0df17fc26adae
SHA1319384158fd8394131ab338011cd970f2b7eb37e
SHA256507475ae8853b6cf3b06c7234c9376e17de2c87c463d3d9f5dbf604c49553e52
SHA512f3ca0c5549b92a35a76bf33880cbe6ec5b7ef73b76ba905750a09e959f4ac7665f9b82a1b9a8ee73585b9fca6d9d3274fb6ce052fbec785e435701e28c8d67c9
-
Filesize
7KB
MD5aa6094f6ea64aca03fcce732ddc721ad
SHA1ee1accd858a7930e03d1159173b394ae40fb0369
SHA25604085e91b33f28dd6153ac1e8ab186e4197835ef96f0f63aa3bc50f67bd8bc2b
SHA512818bb9c6be370c86a803abe940377da4575756d2bffb4753de912a404bd0398f9d1c0f73781d5dfd68ac05baeff1838d5a687e89d637cd67721251946f7f7ad4
-
Filesize
135B
MD5aed49ba2c01ec6ab7e87a012a83fc7cf
SHA1f58ed447a7df083f471630042c181988b2cdc6cc
SHA256fc9af83c2a8277cec18b4a4cdc728426f4fed0893b68421d84d679933c66d6c5
SHA512ab90f81fd66a2882870304aac5abf6278e67db8091fd5fc7cadcc755b3da8009bf2f26878694b034fada6e8912de991654dc52a3923a7014f17c897b9979238a
-
Filesize
1KB
MD5e44e6d2cadb22f25ee76829dfd1c003b
SHA1ab0d1f20781ebc4ef7e9a10d62f56dcdaf3c8eec
SHA256b0b88f4191e967d34880ba89e54a2589571b8d2a004ce432f1decc657b7e2216
SHA512fc782e1b9303788eeecbf103210e7f451784e7e1263acd19b87f4b021f654207c19db6c94e2deb167689c96353d1423aba28879e124dd91d2358a45b9c4ea1d1
-
Filesize
3KB
MD546e0f832ffbf2c76e701581d49e471ef
SHA10b8b369bb9d1f498063a2a7b13096d45eb6e4ff3
SHA2561d08200ecd6ba843f31ded8773cf85b19b426ab9b30c7c5e26c0494c9c3e69ce
SHA512b99ed64b182074a9d58b6c7ba93636a2aa541e7df7bac1a5b8eb946f9a3d3cee26c6444ed2c342b1cfa493d9fa87589f8c7f03306ac7c0ed861ffcf3e0ea36e3
-
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4-selfdel.bat
Filesize569B
MD5104046e03660eae2dfa243bb2ed55ae3
SHA1a4f83cbd9e4ff0f4c2b5b77239bcb8a240dc6d2a
SHA256c31ca3f961361604f892128e0adecdf76f370bbdce01796a92afa3a3cb2a22bf
SHA5122c5b89e720763016666e658e67ec45552a7b41847a8201e1e41e4854042a59a5cca98c3f42c90d78bd302326fbc42c8563fa36760329f96b4e57fe49fcde70f1
-
Filesize
212B
MD5136e65ad31b849f780603e0267199dfd
SHA137b3a94e3d9f389af772290db72349152af25a68
SHA2563817845ef870b431f84cf97af68426f4ab11b6fc9380e046d30a745dd7ec4e2b
SHA5125b0d4f54bf8d07e25df1e4b50affa8f99a37a3eb6a5616bee7cc2014df44728ab5f25da8f86e796afeee8404245790e13a0de8539e6cb8a3fe2bff8f7a386bb1
-
Filesize
200B
MD5ea190ef9b139757a890cd48bdd44b0ee
SHA195c684e41bf7919408816aafab881621fface202
SHA2569131de0fcaaf968896af9d58b6f37b4aa443455bb97c97bc142f295cee577bc4
SHA51222802ffc1965c8e27f799ee88e3fa46debb316c27507a570b0812bc5de0d59a9c2a2105b8cc204851b3c29984ef1dfb7842131819952b185b7e4325a032fb6ad
-
Filesize
3KB
MD537219fd2d09abee4189a1ae33de93e2d
SHA15e4cc26e169b6bd16843bcc86806556dac372c57
SHA2562a0d2418a2504ad14960dcff54f0892339eeed53e359585c9b04a29c4e6e4274
SHA512626b89eb5b132ac43a6fb2d5dcc1c62349a6a48045a486835aa51c17348b0c4849cf5d56b4b56359c7bab5bdccaa04adf659f7486de84f9c14d86032272e5069
-
Filesize
662B
MD5cc116571a3dffffe37ea9f7047bfa1a5
SHA1f8f08dfbd0670a45bce80483d713497f8965d880
SHA25667a65cd448d002cddcb2aacedb3850b9ae9748a1744c0a61639cff799b097f8d
SHA512d7b99650094be2b555d62efa9d3a164395d027dc8213132b373167a58b1d34792288419f0fdeeaa5dfcb550375b643422f89e334a6d553e396017463fddb06d5
-
Filesize
654B
MD5cc45b5d987b6b1d1bcfd5e83c4b56238
SHA1996e56c2a5822325cb491ea22aae599c6deb4471
SHA2561ea54c11f78525d1d9f1c601aacd7abec72aba4ad5277e277c6b1e2e85200b6a
SHA5120c401826a7505c7da0886246e73deb5e18f27cdd13b10b9a524442d915cf1b7c53982cdd6076f3b6252d70ba0cb71b5cdf1bb34d182fd41cda624bce53f63841
-
Filesize
72B
MD58d33c0eda9d01f6d0d9305be334a7ba1
SHA1b7788d572156b0bfa90f5d9348eeba4a1bc9d544
SHA256e0a8545fe6e9a6929dcf5979d1d9804e32535e0293ee97c3c2ada7bec63f35db
SHA5120c43184b0ee25305e52e2354ec56088ab142278b62ac01e0bd535bd8846640a35d5b56e0fdf0f657ef719eee589c5cd916dedb523dfff4db4f9a08e3d87502a2
-
C:\Users\Admin\Desktop\00348\HEUR-Trojan-Ransom.MSIL.Blocker.gen-4cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d.exe
Filesize873KB
MD54fa07d7070e5cf3176adf32eecc1af08
SHA197e1e83496436d6b4db39f8901dce2cc51401b80
SHA2564cb453717b2f4fabf2a37e0be4e4ad351294683d04481d7109f00353b5d1db3d
SHA51201e7b280cc7b5c15a28c336782cd4324d199ac5666c3799622d21ea4b95913fe3f86e2675208abfeaef5462f532761208fb10c944f5a0b166085cbb35414d034
-
C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Blocker.lccc-86ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398.exe
Filesize770KB
MD58a8e44cb168a1355b12e69e3ee43d1e5
SHA168ea66b8e444e794d736c56b86452305fbd6c1b7
SHA25686ee350ba2156b1064c54f90e36aeebdb45bec95966dca716daf7aa6ff5ea398
SHA5127d20f8552c46650d2b60abf737dca3a0ac85f2c9a8153110e413ca6b546a072104ad2c3cce34c47d56eeff3370d4637e2c6115467c92650d2e84238c1ebeb1d2
-
C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Blocker.lise-3e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4.exe
Filesize4.7MB
MD5fca6c913de2fda6567e91669acb0ea1c
SHA1f4776afe9e701c02c1f064a630b8db8ff74d9404
SHA2563e900ee08033135cd072715760304e7596fd52ee1a48e13a582a1bb04ae488f4
SHA512360d5d8301b4daaa609dc2741b25de4e5815512c9230c37bfd0f2b97cb739ed308af7bb936fe7e69f18e467fba9870e10f74adf171fae29f6140b066a801a51c
-
C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.SageCrypt.bfp-1f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11.exe
Filesize528KB
MD5205624a325e4efa9f0ce68ff56a91829
SHA117cdede8600d4a60f69636695183db5199e433be
SHA2561f1d632a3baecaea7fefcfdf6af7191bbb18a4cd983ebf51a6b37c602971ee11
SHA512fb71b2147609af0d4bdf79c7992e3eba4ea3baab1eb7cb626e1a307f3f786b9c31d11bd055fdfdd774133d5023e0508f3db91c28da67a86f33944bd696db53de
-
C:\Users\Admin\Desktop\00348\Trojan-Ransom.Win32.Shade.pem-f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd.exe
Filesize1.3MB
MD5229105085e3e712e4ae282033ca7c4c8
SHA12ce7085f17329d57b4737af14246971f94fb4d6d
SHA256f312f5fea266a224e31e24dd5d09bab69bf225eea8e9daef954aa8b5078ad3cd
SHA512264993b120e0376f676db865d899a0bd37ebcec3cd565a1b44add5ceb22d259a46412b31418076173024c6487f1929598a174eb6c8176c44bd85c9c5e79b3ca5
-
C:\Users\Admin\Desktop\00348\VHO-Trojan-Ransom.Win32.Convagent.gen-de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb.exe
Filesize1.2MB
MD564607deb537fb6a9a8baffaae609d161
SHA11cf684a77949c02da3e2613726ec4119523890d2
SHA256de5aefd24ae1f5a39593f316e8cc39817d6bf67a6c0d7d9a25d26d4aa7927feb
SHA5124e74a7c5a2329d31f7da76b658959d092223ab60cd37c537613be4ad1c30666ca9ad73ef327747c6c166d718c47e29cf84bfe3bb7e73c981960c47a0babaece7
-
Filesize
70KB
MD59bdfd9db25447195a6f7bee39ad4149c
SHA107cdb030b89029ae399ec04ffb329c394fdb2884
SHA25639c4fe033fec756bf44621ed64e7b6db366480f85dd810757696c95c54206898
SHA5125f233fd964af82ee0c7941204aae76733ffe86c65d904625a78026b5f701252c3458200dc713269951650281935cab040562545fcdf09336f655b95a92bae262
-
Filesize
1.2MB
MD5d0e497727b3322d213c13be623ff5772
SHA10524e8f70334de423900ec593a96dabbdf09b6f4
SHA2569694184629138ad59822b4bcc9539c608e64d01f85d1335c92e1f6c057a14ce4
SHA51261f9e932ac3bb711f857124096d4fc5eada5ac9dc0dfc88a4800c7a0962d3c3ba73c5431f4d9a6530c254bbd1472fe6243c9644b5ee02a4e29bedd69f70bb9ce
-
Filesize
82KB
MD5312baf7c498338603c16d7893e1eece8
SHA159e4bb59a25bc07568041cdd753a8b66bc198e42
SHA256f21223a04f82aecc256fbbeb5945e79096bb1008984c5a42eea19f1a34b3165a
SHA512e4f02216bd85d064d2ee90b1bbaecdce603ed42047344ab12ce557102ee479c2a1b086a0d8e6ca98d44373a53af1c8e674ebe2974741932db0722aeff37dd7bf
-
Filesize
20KB
MD5d3f8c0334c19198a109e44d074dac5fd
SHA1167716989a62b25e9fcf8e20d78e390a52e12077
SHA256005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa
SHA5129c890e0af5b20ce9db4284e726ec0b05b2a9f18b909fb8e595edf3348a8f0d07d5238d85446a09e72e4faa2e2875beb52742d312e5163f48df4072b982801b51
-
Filesize
60KB
MD56ce814fd1ad7ae07a9e462c26b3a0f69
SHA115f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7
SHA25654c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831
SHA512e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556
-
Filesize
14KB
MD5325b008aec81e5aaa57096f05d4212b5
SHA127a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA51218362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
-
Filesize
11KB
MD5b0c77267f13b2f87c084fd86ef51ccfc
SHA1f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e