Analysis

  • max time kernel
    160s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 17:10

General

  • Target

    RNSM00341.7z

  • Size

    4.7MB

  • MD5

    89d6fd75828e74fc7447e9a0c5c88fd8

  • SHA1

    2a50e26fa610d0782d88cd932dea6a75d680fc16

  • SHA256

    d65ee752bb8afda85bf33265285ea298d1ed91ac0b863a34c1dda243dfb52762

  • SHA512

    3668a93ba0186d8f9b9afa894652417a81117f1cc53b88ad1b1f353293d4e63770cf5b5df1e16756366c995d648291ecb428e2203c6ffd25154b8cd4c0639bfd

  • SSDEEP

    98304:35Vodvxpy8/z2MeKGsWrj6ovnuW++kaWYKjOkzVjeBP8CEWlt:pVodvH/z2AGsWf6suraXfkZj6Pa2

Malware Config

Extracted

Path

C:\$Recycle.Bin\SPYBQEEUUQ-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .SPYBQEEUUQ
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/fd44af66fa291bc9
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---
---BEGIN PC DATA---
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/fd44af66fa291bc9

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Renames multiple (126) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (299) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 2 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 17 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 43 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 27 IoCs
  • Drops file in Program Files directory 44 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 25 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:1064
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Interacts with shadow copies
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    PID:1176
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1200
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00341.7z"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2088
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2640
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Users\Admin\Desktop\00341\HEUR-Trojan-Ransom.MSIL.Blocker.gen-42d92da9f3df8b070b0e792d82e245be7e30f6366c7e3ea154c739f1092d1f5d.exe
        HEUR-Trojan-Ransom.MSIL.Blocker.gen-42d92da9f3df8b070b0e792d82e245be7e30f6366c7e3ea154c739f1092d1f5d.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Blocker.gen-42d92da9f3df8b070b0e792d82e245be7e30f6366c7e3ea154c739f1092d1f5d.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exams.exe"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2120
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c, "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exams.exe"
          4⤵
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          PID:268
          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exams.exe
            "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exams.exe"
            5⤵
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:2108
            • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exams.exe
              "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exams.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:876
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 244
                7⤵
                • Program crash
                PID:696
      • C:\Users\Admin\Desktop\00341\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a73489b49d87f2fd363880d5b99915041a722349ca30638a6ccf3f53f7094aad.exe
        HEUR-Trojan-Ransom.MSIL.Encoder.gen-a73489b49d87f2fd363880d5b99915041a722349ca30638a6ccf3f53f7094aad.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
      • C:\Users\Admin\Desktop\00341\HEUR-Trojan-Ransom.Win32.Generic-bdf12db8bfb22d71a02668c02f497d40ebd8d5bdd0f4001e3e9a989659786386.exe
        HEUR-Trojan-Ransom.Win32.Generic-bdf12db8bfb22d71a02668c02f497d40ebd8d5bdd0f4001e3e9a989659786386.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Users\Admin\Desktop\00341\HEUR-Trojan-Ransom.Win32.Generic-bdf12db8bfb22d71a02668c02f497d40ebd8d5bdd0f4001e3e9a989659786386.exe
          HEUR-Trojan-Ransom.Win32.Generic-bdf12db8bfb22d71a02668c02f497d40ebd8d5bdd0f4001e3e9a989659786386.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Users\Admin\AppData\Roaming\Ymmy\ugpod.exe
            "C:\Users\Admin\AppData\Roaming\Ymmy\ugpod.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Users\Admin\AppData\Roaming\Ymmy\ugpod.exe
              "C:\Users\Admin\AppData\Roaming\Ymmy\ugpod.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              PID:1764
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_9ae6a79b.bat"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1972
      • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Blocker.lfbh-8faa8c691599fe22403b0b06cfb86aa61630a1ba9b762cd932d22775f5d41831.exe
        Trojan-Ransom.Win32.Blocker.lfbh-8faa8c691599fe22403b0b06cfb86aa61630a1ba9b762cd932d22775f5d41831.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3032
        • C:\Users\Admin\AppData\Roaming\WindowsUpdates\win32updates.exe
          C:\Users\Admin\AppData\Roaming\WindowsUpdates\win32updates.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:880
          • C:\Users\Admin\AppData\Roaming\win32driverhost.exe
            C:\Users\Admin\AppData\Roaming\win32driverhost.exe
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            PID:2896
      • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Crypmodadv.xtv-050f0393c3b3f92d62e3837d2dd188d881290cfb707eb1f63254eaf36e4965d6.exe
        Trojan-Ransom.Win32.Crypmodadv.xtv-050f0393c3b3f92d62e3837d2dd188d881290cfb707eb1f63254eaf36e4965d6.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\4A1A.tmp\4A1B.tmp\4A1C.ps1
          4⤵
          • Blocklisted process makes network request
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Suspicious use of SetThreadContext
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2008
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 1 True
            5⤵
            • Adds Run key to start application
            PID:956
      • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Foreign.obed-d505f8b01c409452254802b4c7c6befd9a212de833ed8d5a343adef7230b97c4.exe
        Trojan-Ransom.Win32.Foreign.obed-d505f8b01c409452254802b4c7c6befd9a212de833ed8d5a343adef7230b97c4.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
      • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.GandCrypt.fxv-6fee46e22d88db8fd4469d5feb9b0a10023593b64dcde48393d7e80327530480.exe
        Trojan-Ransom.Win32.GandCrypt.fxv-6fee46e22d88db8fd4469d5feb9b0a10023593b64dcde48393d7e80327530480.exe
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Sets desktop wallpaper using registry
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1148
        • C:\Windows\SysWOW64\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:212
      • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Gimemo.bngv-c4caff51ceb0d0b61b2652e7a7aa179bb797637755d3b492f066db0ca3982492.exe
        Trojan-Ransom.Win32.Gimemo.bngv-c4caff51ceb0d0b61b2652e7a7aa179bb797637755d3b492f066db0ca3982492.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1840
        • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Gimemo.bngv-c4caff51ceb0d0b61b2652e7a7aa179bb797637755d3b492f066db0ca3982492.exe
          C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Gimemo.bngv-c4caff51ceb0d0b61b2652e7a7aa179bb797637755d3b492f066db0ca3982492.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1592
          • C:\Users\Admin\AppData\Roaming\7351170fbca2af9a6b59f3a77351170f\0ae2362c.exe
            C:\Users\Admin\AppData\Roaming\7351170fbca2af9a6b59f3a77351170f\0ae2362c.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:272
            • C:\Users\Admin\AppData\Roaming\7351170fbca2af9a6b59f3a77351170f\0ae2362c.exe
              C:\Users\Admin\AppData\Roaming\7351170fbca2af9a6b59f3a77351170f\0ae2362c.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:2380
              • C:\Windows\Explorer.exe
                C:\Windows\Explorer.exe
                7⤵
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                PID:2928
      • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Shade.oxd-752b85039f28591e42f08fd08d35cfd1e76e2ea9bb5ab0ca2f5056b3f3ea4241.exe
        Trojan-Ransom.Win32.Shade.oxd-752b85039f28591e42f08fd08d35cfd1e76e2ea9bb5ab0ca2f5056b3f3ea4241.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2500
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    PID:636
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-11179074872299015987624013-884344237307023812925822271-2078359812-84222960"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    PID:868
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-863964503-55797419931773024532050371194300208814757589051148936782-1517326982"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    PID:1740
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-634316178-1484118348-946646680-1840647516-1138321551-1318821632-784902574160051659"
    1⤵
    PID:3064
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-343900497-337310557-21362000791333043165-2418550252014663739-18256498171889327"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:2992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2192
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:2384
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:1424
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "325761201-1747967195-377319163-1650461729765773795-242418822-1562993738904735827"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:228
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:1924
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2748
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-822970246304328631112613377485395100912245255611912290083-1895964723648234932"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2664
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1256
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2628
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1256
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:344
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1268
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2016
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1164
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2712
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Adds Run key to start application
    PID:2436

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\SPYBQEEUUQ-DECRYPT.txt

      Filesize

      8KB

      MD5

      4696a5e42bac88e2732da157029eaf79

      SHA1

      cee26849fa52039fb551db7e7d187b3f5d16a8ba

      SHA256

      bee99a63b8ed396b1dded022df90702e3c176ed2c91cecbb8bccac46d2858fe3

      SHA512

      b945780d2e79e61fbbf3ef3cb0a6de0a5d505ba6364843116064192711c3223abd34e4bf6f686e58e1920032bfec951dc8f737b541383212869086a5e7181d97

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      5631e1f0854e4cf017a0a1aea87d7b80

      SHA1

      a8879d9b6a02dc2eac07d865f6d873c3660092c9

      SHA256

      4de90fddcbdf3e6e0fe7887015c5bf360fd6fb8a292400ef6008466f4b60540f

      SHA512

      a1bb0f5f468a0e296b8b40f3bf3c9ce9f4d336a8e87171a5e204f078be2ec3a272218f2439fc6a1a689550f4092caaec802e961d58e35d444e46a8005824ba13

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      eafe6bf53b383f37984bb14acc77fb31

      SHA1

      02915b379be93bc60bb72dff795362da3c15e58e

      SHA256

      636efa5d8e150f6e32c1957e8ca6f651647d73aad525d5e60126badd79623c8f

      SHA512

      584ca8dca4a5a3f430d59f381f72981716476ccb0ed5a9a1b892dfe135d56cb3e4f6287b3076d8cd0a609077936294a1fb71b3479aa7cfe679d5373f63c8fbd0

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      02b58ebac63c68016240b7fa85af0193

      SHA1

      1f9c250f64a6aed1979644dd4645f68c25a771a3

      SHA256

      c9bdf49d7f5c638380f053da48180f6e81ddd6584a86a878e376915cf6463006

      SHA512

      ee56b73037cc40439246c7cd5cfb54ec15a14ff9842458c7b9c7345e75acd86c0c3f8d9a6e865f4666eaf32d3c4fdc09f630c6752116f7251a322d488e4e799a

    • C:\Users\Admin\AppData\Local\Temp\4A1A.tmp\4A1B.tmp\4A1C.ps1

      Filesize

      3KB

      MD5

      acb8d1fff8e8329f154a5c6a82d5f627

      SHA1

      c4a44210f765d22066696753c67307f9b43f8676

      SHA256

      90d0ddac4283919099a6313c028fa6d17f877349387cf3674e45c9fbd82b0d3d

      SHA512

      2830fc830628c3bc44264956309ab08468747b5003c718f3bc03b746db702ba4f569ed5a25063ad63b27aba1ee5ed6e367daf5dc7c750f305ab45e3e7f529066

    • C:\Users\Admin\AppData\Local\Temp\Cab6338.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar6434.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\tmp_9ae6a79b.bat

      Filesize

      364B

      MD5

      d370205bdb0daeaa32c1ac3796fca2d9

      SHA1

      0acfc1350adfbdf9dfd2be43b0cbe49a9419db6f

      SHA256

      a79cde669f0d8c8ae7a9ad8f876199d18dff2c54f3d1186e645b78d9aac71f48

      SHA512

      95b1ad109e53f38201603e05240b2ace8e8e33122b30a2574e7f27687ea7033384c58b326e55b4ba361ea462e6db26eda3f4c565c56ca32ec90554f2f0c56255

    • C:\Users\Admin\AppData\Roaming\7351170fbca2af9a6b59f3a77351170f\0008869b.bin

      Filesize

      3KB

      MD5

      2e1880d992e6227c11fe94650604a206

      SHA1

      467c8f4b1283b14db869eb6db157522f5c42140b

      SHA256

      28e01c3eeac9532c0abaa39c629fa92696302d2aceb41f67c075d9864e8456f4

      SHA512

      99cab591eda310f2e58a00a02f728a6efce1fd73a15752d1086c4d9095a4b77466b9a97e2149a05a782cb5a1b62e1190608301a18f2213b693a2acfa4b195f44

    • C:\Users\Admin\AppData\Roaming\7351170fbca2af9a6b59f3a77351170f\67db2ec8.dll

      Filesize

      64KB

      MD5

      6bda12553c794efc54e1c4ffb8e02652

      SHA1

      014310e7d898beed4b463b91c15c7fbfb16cc190

      SHA256

      7ead10c3c6c0c9f2b95018aa978a348933e9da16dcc3941cd7a9ce3100f37a5e

      SHA512

      d0ca7666ae18ceaf65ac741bcfb2eb5a57250a4485ca7c34c3134c65939a3bce612c634099ca429ac4f1a4317425fbb620d51b44d54a262430bec78b95b3280d

    • C:\Users\Admin\Desktop\00341\HEUR-Trojan-Ransom.MSIL.Blocker.gen-42d92da9f3df8b070b0e792d82e245be7e30f6366c7e3ea154c739f1092d1f5d.exe

      Filesize

      1.2MB

      MD5

      7ff6f8d8ccec3b911f1a349c5eb3bb4d

      SHA1

      3a16a269bd1a578344559d702a44363d9a239e85

      SHA256

      42d92da9f3df8b070b0e792d82e245be7e30f6366c7e3ea154c739f1092d1f5d

      SHA512

      7f12151936134116b02d1b6d7aeb7179cae61c7214c5298b69c9ab85acfb242a15c70f5660d766606aab15a0eafe2de02654e9f3382426e6136fdc3ad54a9fbc

    • C:\Users\Admin\Desktop\00341\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a73489b49d87f2fd363880d5b99915041a722349ca30638a6ccf3f53f7094aad.exe

      Filesize

      371KB

      MD5

      7a2524dfebc686de239c5f734e6bf828

      SHA1

      a530c71496618bb16a94e5d5a13602200481f0af

      SHA256

      a73489b49d87f2fd363880d5b99915041a722349ca30638a6ccf3f53f7094aad

      SHA512

      79f61ca43e1edf44bbd9c4207d70244ba2a1435fbb7add167320870eca0ef52c2db6b7f6331434a524816d2b72df9d9096458b261131efed3de861e58c49e39a

    • C:\Users\Admin\Desktop\00341\HEUR-Trojan-Ransom.Win32.Generic-bdf12db8bfb22d71a02668c02f497d40ebd8d5bdd0f4001e3e9a989659786386.exe

      Filesize

      184KB

      MD5

      ebf08d86df7e87eccb41dfc660766af7

      SHA1

      3788870f35e296b17b0ec300360f66d7727393d6

      SHA256

      bdf12db8bfb22d71a02668c02f497d40ebd8d5bdd0f4001e3e9a989659786386

      SHA512

      1dc07375476740cfb5ec352016d7863d13923d4514099ae461b02da5721220870409083a0053969cc682ca80ada4ed4b9c2db7358a55984dfb2ff318813e75de

    • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Blocker.lfbh-8faa8c691599fe22403b0b06cfb86aa61630a1ba9b762cd932d22775f5d41831.exe

      Filesize

      2.1MB

      MD5

      6f9ba3a8b4906e0bd89fd8885f0d0f56

      SHA1

      345e198acfc3187b9d60c84c87b7e8d8cfce6a4a

      SHA256

      8faa8c691599fe22403b0b06cfb86aa61630a1ba9b762cd932d22775f5d41831

      SHA512

      2d612cf39317f85da9c87ffbf5390b594194b0a00fad430e8ab97cc4d7b13541375b2a29857435720ddbfdb98c280c1b80609a09c9f86674c58df9c2882a9556

    • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Foreign.obed-d505f8b01c409452254802b4c7c6befd9a212de833ed8d5a343adef7230b97c4.exe

      Filesize

      938KB

      MD5

      52146218a9e6def1f30cd0164810a235

      SHA1

      478e7e51fd83b4e7356c20386ca9d0208349125a

      SHA256

      d505f8b01c409452254802b4c7c6befd9a212de833ed8d5a343adef7230b97c4

      SHA512

      132e5538f6b396d672c8dba1f46b34127fcbeb56aaa388f6c3bdd0468283905a95cf256831a7ec7893620be13e5081a38c8e9a70554cc1acd94d367a0e673c5f

    • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.GandCrypt.fxv-6fee46e22d88db8fd4469d5feb9b0a10023593b64dcde48393d7e80327530480.exe

      Filesize

      512KB

      MD5

      0d2f1559a0072f355e993601d3982074

      SHA1

      c5b0461fd80eb561d0b1d186dbcea6accb480b5d

      SHA256

      6fee46e22d88db8fd4469d5feb9b0a10023593b64dcde48393d7e80327530480

      SHA512

      27aa524c8e816f1048058106e9fbd056dcce55f518329a0da307a466a732e3127ddfa9317fe1f74bd8328cd4def40fc1796bf860a0c5735e409f3f891e89578b

    • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Gimemo.bngv-c4caff51ceb0d0b61b2652e7a7aa179bb797637755d3b492f066db0ca3982492.exe

      Filesize

      196KB

      MD5

      2ab314031f20a46e3ef108f761145fcc

      SHA1

      ae0f321aa37f89bae6dff7adbe5c9c9edbeba99c

      SHA256

      c4caff51ceb0d0b61b2652e7a7aa179bb797637755d3b492f066db0ca3982492

      SHA512

      45463189ef98aff9456507c73dae60b5121d915c7ab0f9ea9089ea8096da112caca582996a51da7fac81a48107d912104d77bf72459601b1742f2f31a9599399

    • C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Shade.oxd-752b85039f28591e42f08fd08d35cfd1e76e2ea9bb5ab0ca2f5056b3f3ea4241.exe

      Filesize

      1.3MB

      MD5

      67b35232fb3890d44f02ebfa7a8878f8

      SHA1

      669abb1edc11743e190921378e2c517f1c5f5ad2

      SHA256

      752b85039f28591e42f08fd08d35cfd1e76e2ea9bb5ab0ca2f5056b3f3ea4241

      SHA512

      c61aabff0f7c9bed2fdfd90d3457e2084d6db8961c0ae00bfb808e82ab3695e20c8b0e73a2a5dfdc326c7635d98bceba58c79bdb9e91bb3e89126c99d879c0c3

    • C:\Users\Admin\Desktop\ConvertToStep.jpg

      Filesize

      1003KB

      MD5

      af022d75c45b509801c6611a0314a91f

      SHA1

      8ea660c78b9349aec41ec41946d6401b0dc355ad

      SHA256

      93512294c0c93bac3b42f4e54baa3da313e1401248ce9796cd6b252de514dc9e

      SHA512

      0f24a2b8e4cebceef23c9b5d708a5be829c2d64236dc546de7617ed3460f07024a451ff8ca91096b20e881d66a11d10930ae4b64e48ef194ce2eb48626b7e215

    • C:\Users\Admin\Desktop\JoinCheckpoint.mhtml.spybqeeuuq

      Filesize

      839KB

      MD5

      0e2380c7b5a22226df3ff20dcb437529

      SHA1

      9990fbe42f7ec57307329ac7b6c4aedee173431e

      SHA256

      92c1ec34488082eaaf7a14779989c43656c386fc8adb957f74d209925ee6cd51

      SHA512

      0d9d381572b285aa6d8f923ddf7b8bafbfd45e15a4bf5878146853097dc5e88b5f5ac8e24effd6a21129a8057085cc6f5dbe5b11456627226a6c47550491cc1e

    • C:\Users\Admin\Desktop\LimitLock.png

      Filesize

      510KB

      MD5

      4fd964fe41570f6dd2b2c9e79f511ef1

      SHA1

      c00cf89bdaf15c67aab3b74c7d7d05977f18e01c

      SHA256

      af6f23466cca95010d27d8dcd7b65175b4ca05385129cb3f4247e068f31d40d5

      SHA512

      77ad60dba72dce93001ec62acad86e4825ca6a7f366c756881fc6ba1a8f21ab73ba89c298c2755fc712f42702f41ec566e737069bb3c8b9cafc45dbf1a2a8e2e

    • C:\Users\Admin\Desktop\LimitLock.png.spybqeeuuq

      Filesize

      510KB

      MD5

      801c589f8269a1204f889d35674ee738

      SHA1

      54a39bbf12b210b10778877dc44a78dc589b1f35

      SHA256

      c579fbc903bbbb06dd32716c49dda45d5b575a8e932a4a3325d15cdf601007fb

      SHA512

      b1acecd48a45653c34e111f681242056789e8385b784f87a1e68719423d42af1f5197bfc5bc01046aaf65a581fa37b18efdeba900c0eae9a7b6e33a5716a114f

    • C:\Users\Admin\Desktop\MoveExport.dwfx.spybqeeuuq

      Filesize

      1.0MB

      MD5

      76d9c7519340e301e3ceebb04d2ff841

      SHA1

      40fc58be43be176a765a3ba3c34967b02d5ef36e

      SHA256

      3ed9e3296d4d6c9b31388b9ea675e568d32eab3917a9472b5abebe83d21a33b1

      SHA512

      de8c6ec8361d9bf0f59d27f54f897beb7b4660fbf228bf912adb79a8c8649bc20968e98a6ff7457d1e3a89dcde0f6d5c320779e4d8873b01a0ffd726fce62e4b

    • C:\Users\Admin\Desktop\OpenSend.emz.spybqeeuuq

      Filesize

      411KB

      MD5

      6447b28e202e6b55d604a8e26f8747f1

      SHA1

      2544d4e38240cb8a5f9f437f2dbe8023fb0e690f

      SHA256

      d931c8e8f0e0fd8739951839dca09d512099fce4dad33b0c9af5981469c759e5

      SHA512

      156fc7002ae55a5202d90c392ea3f7fb958925bb5c9e18c852c108699d0b824126681e86b215cd79d84e64338424a7a53515c3d04f1e50b034bf310d6128eeb1

    • C:\Users\Admin\Desktop\OutClose.ex_.spybqeeuuq

      Filesize

      971KB

      MD5

      4e85f5ed7312fa988a280a8b56d7719d

      SHA1

      7cded39dfb5332126179c6d0bd91be94e300947e

      SHA256

      1da096548046712583822560f90a2ae16abcbfe8d3cc5dcd4f84e996a958a5f0

      SHA512

      0d1012a4be55b7762a8c854baa15ee21ddf4740fc1a5da153693a63326dd74cbd01a37b4957796aa2d6cf5b50041de612baf4efabf136b4b48f318a19c819363

    • C:\Users\Admin\Desktop\PublishInitialize.midi.spybqeeuuq

      Filesize

      378KB

      MD5

      4aad7c1163ce1043d63d97c2ee689b15

      SHA1

      96166834e9eb936bb351eef0f4c357666bc794f6

      SHA256

      05502ef981ede986410cf2c05321a2be637a8e87f21df93a0e054124b61f441c

      SHA512

      6a0ac3f7da7f54cef4e028bbba3daf76db5982c3967d89c6e4abae615a855f10f22683f2402879404ee362618fb5996fab240192143da8ed5f2bae7e9e0761c3

    • C:\Users\Admin\Desktop\PushBlock.hta.spybqeeuuq

      Filesize

      444KB

      MD5

      4859e773d239d5ba93f87d2b834cf893

      SHA1

      9b0aec4b2345716efe168614a73c6971a1fd533c

      SHA256

      bd10107f4ddc2dc694d3beeca298804d174171245ed4ac5490b64ebe54907837

      SHA512

      9f4c6e76c5b11210bd52171dbe2d28a02dd0ac5fc1e7ddd1a8d580299986c8df52698f1f12fe0b39e14e2583ac837625afed92d222abf1fe323bf9c4a34d0187

    • C:\Users\Admin\Desktop\SearchRestart.wmv.spybqeeuuq

      Filesize

      740KB

      MD5

      64687ebaf6d75441fd89307a3ff1578e

      SHA1

      a684beba2683ede89ed308a990ce7544f9d401ed

      SHA256

      f2aa83246a03798364f46796e49163a38b6e5f31ad8288c9a9cabc05eef93fc2

      SHA512

      999b3454ef3e33582569f11cc13d3f99cfc3cd98d97d48395ac58f50033ff81d45122634d42e0690ac013b4f68edcfef3ab99c564fab82b9ab298edcef4b7256

    • C:\Users\Admin\Desktop\SendWrite.odt.spybqeeuuq

      Filesize

      905KB

      MD5

      0defbf73274e3f4d536029e9ecbea9b9

      SHA1

      4df26cf76f6c2380db3a313f16e54e5d538006f9

      SHA256

      f497bfb0c0b3f155883fbe31b58a6e3d8acfa1719f2ec37c7ae0052737026810

      SHA512

      ca1dce0fcf95076efe429c7deb06afc3d9761c591e05fc005fb6e01b247460ce85294c523f9883f5aaeba37d2f4e1688ebfd6b1e72a4cf4db2f1466fbcd09ac1

    • C:\Users\Admin\Desktop\ShowStep.docx

      Filesize

      15KB

      MD5

      7666426e66fce8fcbffa5f447846ad79

      SHA1

      6e9f6ca818169c4367490129190391451bb2542e

      SHA256

      c1a9bdccb37882c7f410c0c968f1ebd0a06569e23957e253a746695cbb70061b

      SHA512

      1b10a5f331f8c256f5e1803eaa12fbe4bc9827b0e381423aea03e25e95cbaee4369e68b6415bc0507926868ce5a6e93c897a292a684ea67378b9601dba5c8c5d

    • C:\Users\Admin\Desktop\ShowStep.docx.spybqeeuuq

      Filesize

      16KB

      MD5

      311fa1c75905ea8af28e868f40fd5d96

      SHA1

      9434a03711644d74ac7c1c78ab90450a71c61d5a

      SHA256

      b488ba70a1afed40cdc830dda1ae698adfee9eee5e2ce487dabaf84133007190

      SHA512

      aabfaabf73a2187ff8f54f49cc375dd9034c3b14abf7b1ffad734b204bbbd18fcbcb8201bc50507590d9a0cbab07451aa9af44a26fdc80aee1bff22f318c2496

    • C:\Users\Admin\Desktop\SyncConfirm.vsd.spybqeeuuq

      Filesize

      576KB

      MD5

      969f51c22ae92d1f458a2c02001a833a

      SHA1

      d892f6f2c61b284cde0a1979c1d9fc52eb56d274

      SHA256

      e79cbeb65c6a8df43b741bbd8a2f2325f89b5cee5db9ec76e5df50ecb94e3506

      SHA512

      bdfb6d6bd99f3277d84ac5951506429cff2e6690aec3e1554f9d794543bd1054b253a8038420ef3137458c9a945ba7cff7af1e2375b3770f23794ee22246cbea

    • C:\Users\Admin\Desktop\UninstallEnable.htm.spybqeeuuq

      Filesize

      872KB

      MD5

      f6d691a15f004e280694aa6dafde69c8

      SHA1

      6de9f1106ca6efb53bee91ee676e06a70e215d0f

      SHA256

      ef78ccd72d32982037929883b3dbcf14e0b27d0733ec8a26c06ef0e25cf05c38

      SHA512

      8e85e1aae018a555800c2decfc8d32fe4ce661614351fe44c5e48bd27e34fad948e6f94f31ae3fa9df24101d122f3a4f55e7e789a6142eeae1e2a9e6c02a14ec

    • C:\Users\Admin\Desktop\UnlockSuspend.TS.spybqeeuuq

      Filesize

      773KB

      MD5

      99b3206d5d197165d7947b5227b8a447

      SHA1

      4113a3fd82ca6d46c2fa64f3f4b36468cf82c530

      SHA256

      14a46cffd20cc05fe4e6f900821ead101a67adc44ec4c959c541e77be7b975db

      SHA512

      6c37c1d4fd7c2d29a4254ac3850825df4c23ebaa703616021cc9e5dc9b163d7feadeffeaa74e18fecde4fa859406edffa97266335c51e82af48d18b8f2f1099a

    • C:\Users\Admin\Desktop\WatchOpen.i64.spybqeeuuq

      Filesize

      642KB

      MD5

      730bba5953eda751b5037d9d5ea1d4d4

      SHA1

      317de10454dcc8edebd06bdae4366f6e43f20257

      SHA256

      0fbd72854d005b90a34e7032eb11ba92831cb1f3d844aa2965517b7f5a98fcf2

      SHA512

      a52db6afb281e2f54bc6c2b9dba6c2d62560690d060b22d707bc959258de27a84586b48336063903abf13048874e6160258b07b22d44c3df82bf3aa06d36255c

    • C:\Users\Admin\Desktop\WriteConfirm.dwg.spybqeeuuq

      Filesize

      806KB

      MD5

      803504379e8544e53617c7e06ee7b9b5

      SHA1

      ab86a039b9b8d17e6eb411737050536f09aa5b45

      SHA256

      183163d21825dd067c58521181b89ce2e9adfb80577edc0898a5cb9257f66139

      SHA512

      2ffc14fcb384cd1c8abbc7a615621478ec508e0f98ad6eff4180695cf116d81327449e78b96689dda9185c8421e6a412780cce46ba143849c0dd2654116482ab

    • C:\Users\Admin\Desktop\cmd.exe.lnk

      Filesize

      1KB

      MD5

      da4cedecd7410851373f0dfb133e7d30

      SHA1

      6ac726f1018766520a853ef247e82667111b677f

      SHA256

      0af7e89bddb3d27c7e8bc6844251a233d2bc86b3de1481ff72180b6cb7dfdcaf

      SHA512

      fa3630b960ff89af26b9f649224909f1a5d483e1ab05b37b2653e162aa6e0dc8ee09fcc8bb0a67e5b7c844d1cc7176873fbe230b1902b50a5ce4c24bc00d5978

    • C:\Users\Admin\Videos\SPYBQEEUUQ-DECRYPT.txt.birbb

      Filesize

      8KB

      MD5

      6740a56722ca4c4032895e95cf18a163

      SHA1

      edf4f69a4c3c5590eebdd76325db17fecbadccd0

      SHA256

      93d3c8f5d6b522211c95bde64e3ae333a1603c51a4957a3b058aa08c056b7761

      SHA512

      826e1b9bcd27ef1e77b77841cc3fcf0fa3607034baa93bb55865890215e7d906fd3adbb0594703a1af144c3a41f46ab5359dbf777fe9d94a78d232d86918d376

    • \??\PIPE\srvsvc

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • \Users\Admin\AppData\Roaming\Ymmy\ugpod.exe

      Filesize

      67KB

      MD5

      24b09dfc2fe825e9218fc2208ba1d974

      SHA1

      a9ac7d59ea18780b3358a0da7f0493d4c898e1bd

      SHA256

      7a5ef9b3150fe8d81390f8756dc4a53bec9707c72e311f81e9f4c738ab95e37d

      SHA512

      e46f8dd95c3cc03cd401023b4b9f61351083c95c559550dfeaba80cc2d8d9031050e4fbe9b8fda1455aebbba2b607653cbc39d339c5471823650d11c1d513b21

    • \Users\Admin\Desktop\00341\Trojan-Ransom.Win32.Crypmodadv.xtv-050f0393c3b3f92d62e3837d2dd188d881290cfb707eb1f63254eaf36e4965d6.exe

      Filesize

      117KB

      MD5

      c4af5ec7826361dc5a22db79be296638

      SHA1

      3b4a9d1b697d7c0d2aace2b7a92288cfde84d10d

      SHA256

      050f0393c3b3f92d62e3837d2dd188d881290cfb707eb1f63254eaf36e4965d6

      SHA512

      1859e120dcae5854c6f47e8e95484cc1657e1a5a59dd52e79e4bce10e8d8d96c96e382bfc7d715589e15ca007aae962c0ecdfecf77a120f024d234ef5150d7e5

    • memory/636-106-0x0000000001FF0000-0x0000000002007000-memory.dmp

      Filesize

      92KB

    • memory/636-108-0x0000000001FF0000-0x0000000002007000-memory.dmp

      Filesize

      92KB

    • memory/636-110-0x0000000001FF0000-0x0000000002007000-memory.dmp

      Filesize

      92KB

    • memory/868-127-0x0000000001BB0000-0x0000000001BC7000-memory.dmp

      Filesize

      92KB

    • memory/880-1337-0x00000000009E0000-0x0000000001090000-memory.dmp

      Filesize

      6.7MB

    • memory/880-1606-0x0000000003930000-0x0000000003FE0000-memory.dmp

      Filesize

      6.7MB

    • memory/880-1532-0x0000000003930000-0x0000000003FE0000-memory.dmp

      Filesize

      6.7MB

    • memory/880-1541-0x00000000009E0000-0x0000000001090000-memory.dmp

      Filesize

      6.7MB

    • memory/1064-87-0x0000000001F90000-0x0000000001FA7000-memory.dmp

      Filesize

      92KB

    • memory/1064-85-0x0000000001F90000-0x0000000001FA7000-memory.dmp

      Filesize

      92KB

    • memory/1064-83-0x0000000001F90000-0x0000000001FA7000-memory.dmp

      Filesize

      92KB

    • memory/1064-89-0x0000000001F90000-0x0000000001FA7000-memory.dmp

      Filesize

      92KB

    • memory/1176-94-0x0000000001EA0000-0x0000000001EB7000-memory.dmp

      Filesize

      92KB

    • memory/1176-92-0x0000000001EA0000-0x0000000001EB7000-memory.dmp

      Filesize

      92KB

    • memory/1176-96-0x0000000001EA0000-0x0000000001EB7000-memory.dmp

      Filesize

      92KB

    • memory/1200-99-0x0000000002DA0000-0x0000000002DB7000-memory.dmp

      Filesize

      92KB

    • memory/1200-101-0x0000000002DA0000-0x0000000002DB7000-memory.dmp

      Filesize

      92KB

    • memory/1200-103-0x0000000002DA0000-0x0000000002DB7000-memory.dmp

      Filesize

      92KB

    • memory/1764-67-0x00000000006E0000-0x000000000080D000-memory.dmp

      Filesize

      1.2MB

    • memory/1764-68-0x0000000000810000-0x0000000000881000-memory.dmp

      Filesize

      452KB

    • memory/1764-66-0x00000000001D0000-0x00000000001EF000-memory.dmp

      Filesize

      124KB

    • memory/1764-65-0x0000000000560000-0x00000000005FF000-memory.dmp

      Filesize

      636KB

    • memory/1764-64-0x0000000000490000-0x0000000000559000-memory.dmp

      Filesize

      804KB

    • memory/1764-82-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

      Filesize

      92KB

    • memory/1764-77-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/1764-78-0x0000000002160000-0x0000000002269000-memory.dmp

      Filesize

      1.0MB

    • memory/1764-62-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/1904-56-0x00000000003C0000-0x00000000003DF000-memory.dmp

      Filesize

      124KB

    • memory/1904-54-0x0000000000410000-0x00000000004D9000-memory.dmp

      Filesize

      804KB

    • memory/1904-57-0x0000000000660000-0x000000000078D000-memory.dmp

      Filesize

      1.2MB

    • memory/1904-55-0x00000000004E0000-0x000000000057F000-memory.dmp

      Filesize

      636KB

    • memory/1904-60-0x00000000007F0000-0x0000000000807000-memory.dmp

      Filesize

      92KB

    • memory/1904-58-0x0000000000AE0000-0x0000000000BE9000-memory.dmp

      Filesize

      1.0MB

    • memory/2008-81-0x0000000001E70000-0x0000000001E78000-memory.dmp

      Filesize

      32KB

    • memory/2008-79-0x000000001B770000-0x000000001BA52000-memory.dmp

      Filesize

      2.9MB

    • memory/2108-1621-0x00000000002D0000-0x0000000000402000-memory.dmp

      Filesize

      1.2MB

    • memory/2580-535-0x00000000002C0000-0x00000000002D0000-memory.dmp

      Filesize

      64KB

    • memory/2580-175-0x00000000011A0000-0x00000000012D2000-memory.dmp

      Filesize

      1.2MB

    • memory/2636-174-0x0000000000160000-0x00000000001C2000-memory.dmp

      Filesize

      392KB

    • memory/2640-115-0x00000000023B0000-0x00000000023C7000-memory.dmp

      Filesize

      92KB

    • memory/2640-1640-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-540-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-117-0x00000000023B0000-0x00000000023C7000-memory.dmp

      Filesize

      92KB

    • memory/2640-1595-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-1713-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-1639-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-1723-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-1345-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-1346-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-1638-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-20-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-19-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-18-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2640-113-0x00000000023B0000-0x00000000023C7000-memory.dmp

      Filesize

      92KB

    • memory/2768-120-0x0000000001EB0000-0x0000000001EC7000-memory.dmp

      Filesize

      92KB

    • memory/2768-124-0x0000000001EB0000-0x0000000001EC7000-memory.dmp

      Filesize

      92KB

    • memory/2768-122-0x0000000001EB0000-0x0000000001EC7000-memory.dmp

      Filesize

      92KB

    • memory/2832-74-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/2832-46-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/2832-44-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/2896-1602-0x0000000000B10000-0x00000000011C0000-memory.dmp

      Filesize

      6.7MB

    • memory/2896-1539-0x0000000000B10000-0x00000000011C0000-memory.dmp

      Filesize

      6.7MB

    • memory/3032-975-0x0000000000ED0000-0x0000000001580000-memory.dmp

      Filesize

      6.7MB

    • memory/3032-1350-0x0000000000ED0000-0x0000000001580000-memory.dmp

      Filesize

      6.7MB

    • memory/3032-1334-0x0000000003AF0000-0x00000000041A0000-memory.dmp

      Filesize

      6.7MB

    • memory/3032-40-0x0000000000ED0000-0x0000000001580000-memory.dmp

      Filesize

      6.7MB
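Before any of the digests above are copied into a blocklist, three kinds of entry in this list deserve a second look. The `\??\PIPE\srvsvc` entry records the MD5, SHA-1, SHA-256 and SHA-512 digests of zero-byte input (nothing was captured through the pipe, so those values identify no artefact), the `memory/...` entries carry a size only, and most of the `C:\Users\Admin\Desktop\*` paths are the victim's own documents with `.spybqeeuuq` appended rather than attacker tooling. The script below is an added example, not part of the report or of any sandbox vendor's tooling. It parses a constructed excerpt of the list in the report's own layout (digest and size values copied from the entries above; the selection and the subset of fields are ours), recomputes the empty-input digests with `hashlib` instead of hard-coding them, labels entries by a heuristic of ours (executable extensions become IOC candidates, the ransom extension marks encrypted victim files) and pairs each encrypted file with its plaintext twin where the sandbox captured both, reporting the size growth.

```python
# Added triage helper for a sandbox "Dropped files" list; not the report's own code.
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's layout (bullet = path, then alternating
# field-name / value lines); digest and size values are copied from the report.
SAMPLE = r"""
• C:\Users\Admin\Desktop\00341\Trojan-Ransom.Win32.GandCrypt.fxv-6fee46e22d88db8fd4469d5feb9b0a10023593b64dcde48393d7e80327530480.exe
  Filesize
  512KB
  SHA256
  6fee46e22d88db8fd4469d5feb9b0a10023593b64dcde48393d7e80327530480
• C:\Users\Admin\Desktop\ShowStep.docx
  Filesize
  15KB
  SHA256
  c1a9bdccb37882c7f410c0c968f1ebd0a06569e23957e253a746695cbb70061b
• C:\Users\Admin\Desktop\ShowStep.docx.spybqeeuuq
  Filesize
  16KB
  SHA256
  b488ba70a1afed40cdc830dda1ae698adfee9eee5e2ce487dabaf84133007190
• \??\PIPE\srvsvc
  MD5
  d41d8cd98f00b204e9800998ecf8427e
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

RANSOM_EXT = ".spybqeeuuq"  # extension named in the ransom note above
_SIZE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
EMPTY_DIGESTS = {alg: hashlib.new(alg.lower(), b"").hexdigest()  # digests of zero bytes, recomputed
                 for alg in ("MD5", "SHA1", "SHA256", "SHA512")}

@dataclass
class Entry:
    path: str
    size_bytes: int | None = None
    hashes: dict[str, str] = field(default_factory=dict)

def parse_size(text: str) -> int:
    """'1.2MB' -> bytes; the report rounds, so treat the result as approximate."""
    m = _SIZE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])

def parse_entries(text: str) -> list[Entry]:
    """A bullet starts an entry; the following non-blank lines alternate
    between a field name and its value."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("•"):
            entries.append(Entry(path=line[1:].strip()))
            key = None
        elif not entries:
            continue  # stray text before the first bullet
        elif key is None:
            key = line
        elif key == "Filesize":
            entries[-1].size_bytes, key = parse_size(line), None
        else:
            entries[-1].hashes[key], key = line.lower(), None
    return entries

def is_empty_capture(entry: Entry) -> bool:
    """All recorded digests equal the digest of zero bytes: nothing was captured."""
    known = [a for a in entry.hashes if a in EMPTY_DIGESTS]
    return bool(known) and all(entry.hashes[a] == EMPTY_DIGESTS[a] for a in known)

def classify(entry: Entry) -> str:
    """Heuristic label (ours, not the sandbox's): what an entry is worth as an indicator."""
    path = entry.path.lower()
    if path.startswith("memory/"):
        return "memory-region"
    if is_empty_capture(entry):
        return "empty-capture"
    if path.endswith(RANSOM_EXT):
        return "encrypted-victim-file"
    if path.endswith((".exe", ".dll", ".bin", ".lnk")):
        return "ioc-candidate"
    return "other"

def pair_encrypted(entries: list[Entry]) -> dict[str, int]:
    """Encrypted path -> size growth over its plaintext twin, for pairs where the
    report captured both files (sizes are rounded, so the delta is coarse)."""
    by_path = {e.path: e for e in entries}
    pairs: dict[str, int] = {}
    for enc in entries:
        if classify(enc) != "encrypted-victim-file":
            continue
        plain = by_path.get(enc.path[: -len(RANSOM_EXT)])
        if plain and plain.size_bytes is not None and enc.size_bytes is not None:
            pairs[enc.path] = enc.size_bytes - plain.size_bytes
    return pairs
```

Run against the full list, only the executables under `Desktop\00341` and the `AppData\Roaming` drops survive as `ioc-candidate`; the empty-capture test keeps the `srvsvc` digests out of any feed, and the pairing shows the encrypted copy of `ShowStep.docx` is about 1 KB larger than the original, which is the kind of appended-footer growth that is worth confirming against the file itself rather than against rounded report sizes.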