emotet | 62410fecfd00f01c48ee3cfc87d508d20eb490c8e03abcba1ebfa8b2a1e7fab7

Analysis

max time kernel
137s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00336.7z
Size

4.1MB
MD5

d687eacb1c6492efb8be4eb94f88ed97
SHA1

079756db279766a7f27041aed1412a9429f8cdb6
SHA256

62410fecfd00f01c48ee3cfc87d508d20eb490c8e03abcba1ebfa8b2a1e7fab7
SHA512

1625f9ff83102efc170b0271e4c0c561e87e8167b8dac18412ad90c9f488b29dcb79af2cb5100a2e079e5a831471cff15f5803baa5ff65490cd633d082039ed7
SSDEEP

98304:GQlJj+xGl2j3/p1a5d+LoDdoimUqBOHzBP9dJKHqi+:hj+cAT/KaQos3TBP97K3+

Score

10^/10

emotet gandcrab backdoor banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\MSOCache\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/5cf0d747bfa4c5ab | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAO14AE2caSSrB5o8Gt+/9NzAKI7WTkvsUn2J+kpa/oB7KtouRDlIl6ZpM8T2GRkkFvPq8RB2yxAwCMR1A0knvRs8Tz9cLHBhSgGge4T3ftTU1wOAbjKkVYkdZM32kU6UHgjlK7nsMI73af6+RCYfSKDzZJTLaGb+2IDlp/y2Bs00fyLbPteUimODv9bayqrW2dqskYeMflk3hDv1Bj9HzcHBoHptALpj+Jbig/4SsOXn+V1AI5fVJS47RHydupsPXECzj2RkixP3E1rmLGa8YI7V+AP9VCAUnANGfoNOKzoTMgqEl8Bnxfk1Ksln9XlyrJhLYlUjml8ik7/STxk3kXcEDH0a8p3dQqJ6q47mbqZJN6bw5kNmlRJZhkyUtkOjBDLgva16k4jj9Xqa9K3ghm5DdiWYVZH+UJ7P+e+RepekT+2qkmjHXO8HbFAtEmmKtQ1YLAHP3fLHs4TRGeRkUSU9F8kX5dNMpqJITi9EQNXPAzTx9KsquV6fJYdbDfkBDGESET9Z2uxwpsnQ/n3rmkhHqBxfty+9/g54Bksth4cpgXV1m4DEROFd6/J/ozJkmJCjg86A01LIuDQ3A2srR12Ji1lpXUtG6iSN/suprOTRksxNZbOwB6QuKQoQEjFhZ1ITDwVR5/gaSRyw5rtXuy+e2BveM81CqBkVO3tFGhlLOyB6ufpGD/+i6ndi3ieiHvV66U9D3eYv89M2s34/jZE8ywXhwefUQ2s91k6moK/LPTJX7IFNKbA31ZEBqxn2oSSoMgQBCuyIhfvRAr78ouFsk2ZA+/JiIgP24kUUCOuUcBNH2dM0e9njf+mGPYA7RMLdd9Y+Pux6Lu7tPwUudhaggs+J38fAZ4Wzzo12iKzu4rdXOC9yPAheRvffXDTd3Ebgc8UqFyAbaESTv6cWKXPVlvsnATMo1i3FrO4JbEOVQGjubkyamKfEGeHZjAiQKWZX0J4Xi90fAveuEdKt+SXznGS4A7gIxmmizfJ8xdLN3eS56YN/xLJ1qiCC/gxDNop6RY2XGTDKGnWkeVHkjcfOsKmkkHVpa9udq0KKyzD4llbrloa+S7wgvVyvzld5TSGnBGSoYo3fbj4YJvqp2NwyoLylJdNr8U8d3LDd5hiLSoiJwfv00nTXJt+56Ww/xBP0zGHnoonp7zbu1S0VLoBSfeyEIJpWYLYQ8BF43ILM2Gk9V9iPpSBG3xxXKLFbxfhHPIYCyhzxpU4KOvBrJ+0mgepjKtyf6lk29YkB9GXgmtWLaov04MTe5Qsrfk56f8jEBrnv0LDtSHEG9gwLtSsLjqbAgRcYwbXgdvaMM7IYNdOMU4qaUWl8w/OGElOmPiw3W+oP9stelyQ2qOeeSdQ8N2qt8FwOsdc/O90gEs5gFbvERuIENyqEgFposRHyv7rpVL8ULk7LYBETOTkR1odMCL/wlG+R3EOJ2ezNGDrZBG3yXq0lECdmUz+nhgL0Z6s92SOF7MOgGIxLfLtEtqqBkEZRFVS8bb+mpRIBBazMnPjA8dKvjkIlm9Ca+aILSZf9Z8yrvz8aLIkOt6h1w48AGxkzUtnrccNG2uNQx0vfXr8znBcOvdmtK2ivpCLmUhhI2uYgAI9hJ+0OrjICJhdr1x4oL/f/Kzui/unIEprtMk2NI3jBwYFXkecL2xseICGIKHjx981sLqb+LfG6yOFHJ5MZpN4gVO5fckGvWTUK2rEyBOg1SxZHVxivs8z5/1bznatLyopgsIQ3c1ldUe1CDLNDtSv9v+vEgbAb8GRZsVcuumnxKDGfbaynA/fbSN2k71twZUx997rwoSrV8BzKd2xC+InWSNiCVtyYgVo5Z/zwNNlaHJRzkz64TBRj828rd/w8nxFfZsTd7/O5FdE5IJUk9o553duY2OvNlUp6Z4DL7GmzHSoTWDSXGsS0DCYyHePmHn5PIBof0yfITNQcCePcb9mlXTXsBIggllLsSMmlqoyJL63UDp7+nmcFP+i6tUmErL5vAJnXjlPJRDJX5d1To1//hfSJaXhk2sol9jIzD08S/99/imKltZXckUXJz5imTCXlseBP7rGFt0tafN0I3vCJDTV5A/UGfAZBWSrvblMmJ5vas6jZfma7TvhcnZFmyF27/G0xUAhfOxoSXs9Hs1GzVou56NCiiUb51kHW1loKAFQeoEcINHKTXBMUZLY7wT2cqBS+BI7R9Axnk0dpnMEpNE3oFsJ2P785RfctPxWzUzPof0m4iHJjtNypcbs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZCTodRsHYa7ntWs7fcTHSHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi5rEhkR7B4OLw/2E2FeshGolYOlrSBiPt/hHTEYgb8ycE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg72ZijpDRFK3v3LN+as1wAZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJHwHpkOar+NRZwP9okRV/rusrPFzMP9OHYGh9gzrewdRb9tHf+DbmDW4OIcXpReLdQo9FRha1KO2vpgy2mFLQkzlAtXfjb5QmECiQ== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/5cf0d747bfa4c5ab

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (293) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\bfa4c246bfa4c5a663.lock	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe

Executes dropped EXE 10 IoCs

pid	Process
2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
2844	Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe
2512	Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
1208	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
380	Trojan-Ransom.Win32.Foreign.obdo-ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75.exe
572	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
2532	Your.exe
628	cabinetdiagram.exe
1736	cabinetdiagram.exe

Loads dropped DLL 7 IoCs

pid	Process
1208	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PremiumOs2 = "C:\\ProgramData\\Microsoft\\Windows\\PremiumOs2.exe"	Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PremiumOs4 = "C:\\ProgramData\\Microsoft\\Windows\\PremiumOs4.exe"	Trojan-Ransom.Win32.Foreign.obdo-ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Your = "\"C:\\Users\\Admin\\AppData\\Local\\Your\\Your.exe\" /delay 0"	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Session Manager = "\"C:\\ProgramData\\services\\csrss.exe\""	Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cabinetdiagram.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d47-22.dat	upx
behavioral1/memory/1976-41-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2844-416-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2844-695-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2844-1617-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2844-1622-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2844-1629-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2844-1648-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2844-2095-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2844-2102-0x0000000000400000-0x00000000007FD000-memory.dmp	upx
behavioral1/memory/2844-2118-0x0000000000400000-0x00000000007FD000-memory.dmp	upx

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SkipOut.001	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files (x86)\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files\bfa4c246bfa4c5a663.lock	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\CopyShow.odp	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\SearchUnpublish.i64	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\TestSplit.raw	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files (x86)\bfa4c246bfa4c5a663.lock	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\PushWait.xps	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\SuspendRemove.css	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\RevokeSend.3g2	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\SyncUnpublish.rtf	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\WritePop.gif	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\DisableRedo.mhtml	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\ProtectClose.au3	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\ReceiveRestart.TS	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\DisconnectEdit.jfif	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\bfa4c246bfa4c5a663.lock	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\RestoreFormat.jpeg	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\MergeApprove.reg	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\PingResume.css	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\ReceiveUnlock.rmi	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\PushSubmit.vb	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\SwitchAssert.ppt	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\DisconnectUnlock.gif	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\EnterExit.php	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\MeasureComplete.m4v	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\ProtectShow.mpeg2	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\bfa4c246bfa4c5a663.lock	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\AssertSave.jpeg	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\BackupProtect.xht	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\DebugMerge.vdx	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\SyncShow.vssm	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\WaitUnpublish.wps	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\bfa4c246bfa4c5a663.lock	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\AssertDebug.dotm	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\ReadClear.vsd	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
File opened for modification	C:\Program Files\RenameClose.xls	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cabinetdiagram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cabinetdiagram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.obdo-ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Your.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://login.aliexpress.com/"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.live.com/"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff240000001a000000aa0400007f020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Your.exe = "9999"	Your.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0d397bd7a34db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://signin.ebay.com/ws/ebayisapi.dll"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	Your.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff240000001a000000aa0400007f020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 6020bbc97a34db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0341B7E1-A06E-11EF-B686-FA59FB4FA467} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://results.hyourmapview.com/"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url7 = 0000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000884557cec75b274b86d0374a433d400900000000020000000000106600000001000020000000d1698601097672668f9a78588acc0b3468efd8b5e7fcebe9390570aa560bd383000000000e80000000020000200000007f4ed9e973a0c42a060a89d3faf68799fa6c4114c60e8c469dabb6f39f5089e220000000c47cbc32fc5b13b320189bbeb5145b0c8a8fd46deaaf84850e0569c50896f41540000000c5befe621314dcd32c63670bb5b4f884623814c83d3509c12ac2f211d9ecdbc0b9c7855b72964e2033e9dd0df3272e1c07fce1644be29dd33d8428fc3e923da8	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E83883C1-A06D-11EF-B686-FA59FB4FA467} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://hyourmapview.com/"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://results.hyourmapview.com/"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Your.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 20e06fcc7a34db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 00eaefd07a34db01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "https://twitter.com/"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	cabinetdiagram.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{592CA940-6ECD-4830-AB42-FFA00C3B0AA1}\WpadDecision = "0"	cabinetdiagram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{592CA940-6ECD-4830-AB42-FFA00C3B0AA1}\WpadNetworkName = "Network 3"	cabinetdiagram.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{592CA940-6ECD-4830-AB42-FFA00C3B0AA1}\WpadDecisionTime = 504f7eb57a34db01	cabinetdiagram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{592CA940-6ECD-4830-AB42-FFA00C3B0AA1}\7a-c9-92-82-f9-8f	cabinetdiagram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	cabinetdiagram.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	cabinetdiagram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{592CA940-6ECD-4830-AB42-FFA00C3B0AA1}	cabinetdiagram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-c9-92-82-f9-8f	cabinetdiagram.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-c9-92-82-f9-8f\WpadDecisionReason = "1"	cabinetdiagram.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-c9-92-82-f9-8f\WpadDecision = "0"	cabinetdiagram.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cabinetdiagram.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cabinetdiagram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	cabinetdiagram.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-c9-92-82-f9-8f\WpadDecisionTime = 504f7eb57a34db01	cabinetdiagram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	cabinetdiagram.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0078000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cabinetdiagram.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{592CA940-6ECD-4830-AB42-FFA00C3B0AA1}\WpadDecisionReason = "1"	cabinetdiagram.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Trojan-Ransom.Win32.Foreign.obdo-ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Trojan-Ransom.Win32.Foreign.obdo-ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs

pid	Process
2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
2844	Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe
380	Trojan-Ransom.Win32.Foreign.obdo-ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75.exe
2512	Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
1208	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
1208	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
572	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
2532	Your.exe
2532	Your.exe
3024	taskmgr.exe
3024	taskmgr.exe
628	cabinetdiagram.exe
1736	cabinetdiagram.exe
3024	taskmgr.exe
3024	taskmgr.exe
1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
3024	taskmgr.exe
2844	Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe
3024	taskmgr.exe
2844	Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2228	7zFM.exe
3024	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeRestorePrivilege	2228	7zFM.exe
Token: 35	2228	7zFM.exe
Token: SeSecurityPrivilege	2228	7zFM.exe
Token: SeSecurityPrivilege	2228	7zFM.exe
Token: SeDebugPrivilege	3024	taskmgr.exe
Token: 33	2468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2468	AUDIODG.EXE
Token: 33	2468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2468	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	2608	wmic.exe
Token: SeSecurityPrivilege	2608	wmic.exe
Token: SeTakeOwnershipPrivilege	2608	wmic.exe
Token: SeLoadDriverPrivilege	2608	wmic.exe
Token: SeSystemProfilePrivilege	2608	wmic.exe
Token: SeSystemtimePrivilege	2608	wmic.exe
Token: SeProfSingleProcessPrivilege	2608	wmic.exe
Token: SeIncBasePriorityPrivilege	2608	wmic.exe
Token: SeCreatePagefilePrivilege	2608	wmic.exe
Token: SeBackupPrivilege	2608	wmic.exe
Token: SeRestorePrivilege	2608	wmic.exe
Token: SeShutdownPrivilege	2608	wmic.exe
Token: SeDebugPrivilege	2608	wmic.exe
Token: SeSystemEnvironmentPrivilege	2608	wmic.exe
Token: SeRemoteShutdownPrivilege	2608	wmic.exe
Token: SeUndockPrivilege	2608	wmic.exe
Token: SeManageVolumePrivilege	2608	wmic.exe
Token: 33	2608	wmic.exe
Token: 34	2608	wmic.exe
Token: 35	2608	wmic.exe
Token: SeIncreaseQuotaPrivilege	2608	wmic.exe
Token: SeSecurityPrivilege	2608	wmic.exe
Token: SeTakeOwnershipPrivilege	2608	wmic.exe
Token: SeLoadDriverPrivilege	2608	wmic.exe
Token: SeSystemProfilePrivilege	2608	wmic.exe
Token: SeSystemtimePrivilege	2608	wmic.exe
Token: SeProfSingleProcessPrivilege	2608	wmic.exe
Token: SeIncBasePriorityPrivilege	2608	wmic.exe
Token: SeCreatePagefilePrivilege	2608	wmic.exe
Token: SeBackupPrivilege	2608	wmic.exe
Token: SeRestorePrivilege	2608	wmic.exe
Token: SeShutdownPrivilege	2608	wmic.exe
Token: SeDebugPrivilege	2608	wmic.exe
Token: SeSystemEnvironmentPrivilege	2608	wmic.exe
Token: SeRemoteShutdownPrivilege	2608	wmic.exe
Token: SeUndockPrivilege	2608	wmic.exe
Token: SeManageVolumePrivilege	2608	wmic.exe
Token: 33	2608	wmic.exe
Token: 34	2608	wmic.exe
Token: 35	2608	wmic.exe
Token: SeBackupPrivilege	824	vssvc.exe
Token: SeRestorePrivilege	824	vssvc.exe
Token: SeAuditPrivilege	824	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2228	7zFM.exe
2228	7zFM.exe
2228	7zFM.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
2532	Your.exe
2532	Your.exe
2532	Your.exe
2532	Your.exe
3024	taskmgr.exe
2532	Your.exe
2584	IEXPLORE.EXE
3024	taskmgr.exe
3024	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
2532	Your.exe
2532	Your.exe
2532	Your.exe
3024	taskmgr.exe
2532	Your.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2844	Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe
2844	Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe
1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
2532	Your.exe
2532	Your.exe
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1236	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2372	1956	cmd.exe	36
PID 1956 wrote to memory of 2372	1956	cmd.exe	36
PID 1956 wrote to memory of 2372	1956	cmd.exe	36
PID 1956 wrote to memory of 2372	1956	cmd.exe	36
PID 1956 wrote to memory of 2372	1956	cmd.exe	36
PID 1956 wrote to memory of 2372	1956	cmd.exe	36
PID 1956 wrote to memory of 2372	1956	cmd.exe	36
PID 1956 wrote to memory of 2844	1956	cmd.exe	37
PID 1956 wrote to memory of 2844	1956	cmd.exe	37
PID 1956 wrote to memory of 2844	1956	cmd.exe	37
PID 1956 wrote to memory of 2844	1956	cmd.exe	37
PID 1956 wrote to memory of 380	1956	cmd.exe	38
PID 1956 wrote to memory of 380	1956	cmd.exe	38
PID 1956 wrote to memory of 380	1956	cmd.exe	38
PID 1956 wrote to memory of 380	1956	cmd.exe	38
PID 1956 wrote to memory of 2512	1956	cmd.exe	39
PID 1956 wrote to memory of 2512	1956	cmd.exe	39
PID 1956 wrote to memory of 2512	1956	cmd.exe	39
PID 1956 wrote to memory of 2512	1956	cmd.exe	39
PID 1956 wrote to memory of 1976	1956	cmd.exe	40
PID 1956 wrote to memory of 1976	1956	cmd.exe	40
PID 1956 wrote to memory of 1976	1956	cmd.exe	40
PID 1956 wrote to memory of 1976	1956	cmd.exe	40
PID 1956 wrote to memory of 1208	1956	cmd.exe	41
PID 1956 wrote to memory of 1208	1956	cmd.exe	41
PID 1956 wrote to memory of 1208	1956	cmd.exe	41
PID 1956 wrote to memory of 1208	1956	cmd.exe	41
PID 1208 wrote to memory of 572	1208	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe	42
PID 1208 wrote to memory of 572	1208	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe	42
PID 1208 wrote to memory of 572	1208	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe	42
PID 1208 wrote to memory of 572	1208	Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe	42
PID 2372 wrote to memory of 2532	2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe	43
PID 2372 wrote to memory of 2532	2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe	43
PID 2372 wrote to memory of 2532	2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe	43
PID 2372 wrote to memory of 2532	2372	HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe	43
PID 2532 wrote to memory of 2584	2532	Your.exe	45
PID 2532 wrote to memory of 2584	2532	Your.exe	45
PID 2532 wrote to memory of 2584	2532	Your.exe	45
PID 2532 wrote to memory of 2584	2532	Your.exe	45
PID 2584 wrote to memory of 1204	2584	IEXPLORE.EXE	46
PID 2584 wrote to memory of 1204	2584	IEXPLORE.EXE	46
PID 2584 wrote to memory of 1204	2584	IEXPLORE.EXE	46
PID 2584 wrote to memory of 1204	2584	IEXPLORE.EXE	46
PID 628 wrote to memory of 1736	628	cabinetdiagram.exe	49
PID 628 wrote to memory of 1736	628	cabinetdiagram.exe	49
PID 628 wrote to memory of 1736	628	cabinetdiagram.exe	49
PID 628 wrote to memory of 1736	628	cabinetdiagram.exe	49
PID 1976 wrote to memory of 2608	1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe	51
PID 1976 wrote to memory of 2608	1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe	51
PID 1976 wrote to memory of 2608	1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe	51
PID 1976 wrote to memory of 2608	1976	Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe	51
PID 2532 wrote to memory of 1236	2532	Your.exe	58
PID 2532 wrote to memory of 1236	2532	Your.exe	58
PID 2532 wrote to memory of 1236	2532	Your.exe	58
PID 2532 wrote to memory of 1236	2532	Your.exe	58
PID 1236 wrote to memory of 1036	1236	IEXPLORE.EXE	59
PID 1236 wrote to memory of 1036	1236	IEXPLORE.EXE	59
PID 1236 wrote to memory of 1036	1236	IEXPLORE.EXE	59
PID 1236 wrote to memory of 1036	1236	IEXPLORE.EXE	59

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00336.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2228

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\Desktop\00336\HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
  HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Your\Your.exe
    "C:\Users\Admin\AppData\Local\Your\Your.exe" /firstrun
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hyourmapview.com/s?uid=4e026781-7ea5-42f8-8f2d-fa9ee51c45d0&uc=20180918&source=_v1-bb8-ab&i_id=maps_&ap=appfocus84
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1204
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hyourmapview.com/s?uid=4e026781-7ea5-42f8-8f2d-fa9ee51c45d0&uc=20180918&source=_v1-bb8-ab&i_id=maps_&ap=appfocus84
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1036
- C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe
  Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2844
- C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Foreign.obdo-ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75.exe
  Trojan-Ransom.Win32.Foreign.obdo-ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:380
- C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
  Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2512
- C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
  Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
  Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe
    "C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:572

C:\Windows\SysWOW64\cabinetdiagram.exe
"C:\Windows\SysWOW64\cabinetdiagram.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\cabinetdiagram.exe
  "C:\Windows\SysWOW64\cabinetdiagram.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\KRAB-DECRYPT.txt
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\KRAB-DECRYPT.txt

Filesize
8KB

MD5
fcab892af7e59a5c83372f163f13e0a9

SHA1
5df83fc45e4735b8107023438c0afe00204df7b5

SHA256
41eef715cd59803f580fa063daec378c1e539b4bf3d42a8d316ccfb8efd52461

SHA512
20609ad570d852abf3dd89ef4aa1f7f622af2b709cc6cdc0e901eaccb10ab488a4dbb49253e08280d2d8fcb6b485462fb381abab6a0afec11f9b898aa6eb8f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
0d6c69b98f12028a206cf20e56455a84

SHA1
21be0d6ef1af136213ae8305324f01fbb82a6d9b

SHA256
a14a9723ef234b8fe54fa2d391d1921701cf776d51eb455b03a2a53c02953307

SHA512
40c1e8522fd3d698589ae615b0f936a3c34a9387855606ca7452a8c8af485cd0a162e2b2295227e4b818c33c86e03e90ed64a87bb4354c559e752ebfafa4bc9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
1KB

MD5
933f8e70e1b8d3764558de81796e03b4

SHA1
dfae974607663a5bbc03d22902c3f9da8f3fe1f5

SHA256
561a136b6e2aae230b64b53377fc2564bbe86756e16937a3333c2197eaf494c5

SHA512
5a701b8e9d1f168c3b3fe188a9d64cd3a8dfc664479c825517c05a1384561283be6ca58d46657112280ffdb665f6c1a5883b2f11e70b2576ca51732ac4bf7f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
99c5076a9b89d23297f52389ed18d85e

SHA1
ebb258806af383ee58814f339975d743ae6eb95d

SHA256
23bdd69574f08085755f3635c64626ac598d84c55a76942ba131dc0efaea4303

SHA512
55aabfa5556a6409e78e68c75f3844d50fc04f3a522082797df097f5c8dddb44039b72c945f6e9a6d0a569a5a78dcbcec6603f71610a49d889deeb5cf09f6279

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
275a69a303f889fee71f37ea69aaa135

SHA1
8bf5b18e8a9eea2182ee66f5ccc9deba5fbe15af

SHA256
c20430aef5d8580364ce11499a5b3cd7e857536703bbd3ea1a8b0359a19220fa

SHA512
391203fc9a3773ee17e92f0b6d8fe43582ec451d5c36e12ba053b252a980c7125c3ff826ace7f2f22f2ebd238d6c20ba981fdfa57fb0d1008c511070e0e55875

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_66844DFB40BF4B068A604CFAA53C897E

Filesize
471B

MD5
de4838aed89b89729120e6588486af3a

SHA1
ae65eb8c89485e3ce6f22d69d1c68651fa0ea398

SHA256
96838de03fbab8f53f74345668062101812b493984454891937df4c9cf2b30de

SHA512
c6d2a6ff36deb07a80fb9cfd2db45bad09a6c2c93aff55d99172efc50056656cda6fff861940931fec2d7c63c97e79a8e1e0993837a1a09b5959907403873da2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_CFE12D30EC1AADB5E9325673D2588EA5

Filesize
471B

MD5
6b4b860178ba3661d58bc77179cbb06e

SHA1
96a59272e14cca78a4653e961129641f8c872a6c

SHA256
b469d713ff0b504e0ef2176b2127ec51498ef023b092ca71099ea0707fbab2b2

SHA512
d6690c05531043991f7664290aa7d5a5067c03e8e61c8506b112d07092a4911444499e54aa70b2d92f91ccb33402e6fec88c66dd54a3f466dffb4709f8ac507c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
e7416b6df7466f77b3dc7bf97c4bc321

SHA1
d7fcdeb188abf9dde78cd41e55361d2b24e0d431

SHA256
6be2c643965ecb6d906b8046d095f4e08a9d836f2e8c7d4269ab80ca19c38d80

SHA512
7bca66509bc53a4f8767a9bf3d439bf30cd47dcab513ff63e54df7c03f2f75cc5acf7573ff8c5daf0b83b77d791ef0a991bde75618924a49dc789ec423664e4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
57ea20e567427ab6d3fe3eaa9963e037

SHA1
1e56e3457f3c5be7cd9950b1b781920c106991fb

SHA256
b1a7361733e7e90d39e4dea01b8c4ace85c4d8806e7ad9eb0b5b929653242b43

SHA512
5e75e3803b7301ba1c2286e763604f9e8bae8cfc131831817296d62236b08ee2ecc26e085f435ba4431ae5269786932f4a9c1acd044a18481818e46f2ebab9a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
050b47d19ec5676eff233dc0588038a3

SHA1
7e9e37de8b26c4a0104f1e50c96b76d884db29d2

SHA256
fa2febfa6c9b7fedc19822acf0abc171c33f6fe997337955ff9deb18fab535b0

SHA512
acbcaa5b4d15f5b47d8ec8657ff48ef12367a7c14c6d9954684e6ee2f58880013740019c8100838c83ca7149fc261b7b8ee7aeb7940428d6a9d3f6dbe5ffbacb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
438B

MD5
487c1b69c08e57f152fe8ff8dfae9dd7

SHA1
9b133f5e24ab4ec19df0619b60dde08933ceb4a3

SHA256
b2753bb90c56c8ef38f24f3bbf5ab6fb42e9588d47b0c6f05fdf58080babd48f

SHA512
e991d4d380bbd2601f8188aa4b096cced34fce445d39bc0a47bb63a3cc1c6aebbfccac9a19b20ac83f5ce40e4c333f4f2046b820e15f32e8b800e9f491968901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ebe7f0eac7482b8354a778b28ac19af

SHA1
ef40cc9331385bcd3cea02c79f1db1478607f322

SHA256
0e44212aaa6e4a564e78b33a81a56d26a9e82166ee1c1540ee3245145db9aa12

SHA512
a521e948054f6c023ffd9758066090f808639e5a0fdd1eaa68ae30f91b7a7b65dcbaa40392e5b2af6e7f5281f2e8c1a3a23bb29cc9cedc2f0726835788b08a9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbe111a051772f679215dc2bf4ebef43

SHA1
29b37b969b54f62dc5f5200024d49afeb8f0fc67

SHA256
0f131c3bdb317d17410d41aff72621faefd32fd8d3276c66e71837ff0fda33b6

SHA512
af1ed0697e29314a38cc623e1d1bcb5428ea8a929072e74714d1a3a00d602aa9a57b613c3c6fea4fc2b3c7ff415252e1d50fe234b9c0f531fbf17164dae14a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd8e2b22610d35124126f3360860913b

SHA1
563f023df3e493d25ead99be3ade371d107fed1a

SHA256
d7e3e52e5dff5a8dae4610ab28c5eedb237e8d3a3469a88f30ce9daaa9a1f224

SHA512
f65bd3c6beffa8e4484de7c1a29f48860414d994d1094bda403b75a59dc75b73936c8b20f1646bcfee5c9ebc912a35f32a3e3ee983dd08077640a3d257a18c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4473810cf47327e9a82f6f4789374bc

SHA1
9e099665c7b5ac3f6385e2df3eae951893ad3b36

SHA256
24dc39adb7fcafb4d889d35a2ce3601308eb45942edb38ad4fc2d1b24d6f590d

SHA512
09eb5fd0bbdb6eed7cdaf60db8a9de29f84462d3331ff80363c93370f6a3e7d19adc1c662e93e51e16782d86719fc15c295a0c400e42d465c13631dec93c29f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2b06dc57d88dcdd9c3318519fc6cb4d

SHA1
7c9e2363c76bbba305ddf31e637957c1dfc53292

SHA256
602969c2b556b0acbff84f66d5084519fd3967b245a853e33e228c039877b1dc

SHA512
9478fd1f09b26dfba16984b762e77dc19ec708601034359718c872208d2135d925a601724c594466d9ebd2554b8b0da3ee9060ef15055f67ddb6532ea4abfabc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1048b535062bb24dbdb5a7086796b273

SHA1
3aa72b0754373a2b7046a6e16dbb0f4190b3bc82

SHA256
df1e784bece7a7f80567c80181d2a0047df328d5ddd48946a290baf2dd4227ac

SHA512
132e6914ae3d58a3a95b6d7d2c3c7e2bfc65e003b06d680e1d32f918fb319bb3cff6fbf7e301968f01197ceaa92ba74606e012d7ff1770bc8513c2b26e209273

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72c091a2e81acbe78fd33ee929af9515

SHA1
dff7b11a5d8bb6a0f0a81c82db8cc833a0ffb4bd

SHA256
5fe854a5e3908f432e12dedf8a2c6d0706810724d5b5a43bbca9378da55713d9

SHA512
8b9bbf0d69402506b0586c3ae34f0367180bc7e0661d4846737eb112d9d994fa7ee86c8bb2601eecf759281f8d4c2fd2474b569ab493d8f251b1075d31ab434c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6f2ee80afa9b2857ab0e6d7eab6d99c

SHA1
25d850caa9f7d8c6c50a8b9ddc31236bb7075256

SHA256
7555b3776dd79531531fdc1d6167c164b6406adfa1d36332f0b642c28ef3287a

SHA512
79ec40bea557de7faebb0263af4868160fb48d50d37a9fab44bc2f0531adf8f7e46bf010ff8deceb5bf5b3826845d167eab640c1077713d7a264e7bef12c77fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dc5521f622dea947fdd2f40a0fb75fe

SHA1
88df60b5f1db996ed9853402651ff06f1af43d28

SHA256
3169ed14b12ec81e6a4d636d82e6e83d90f956e7b8446a725eb6e3632763b81f

SHA512
7e691fe5cc1c54a10625e06be35f2f0cc0d2e3070c4002be4af4aa102e9e1a77318f7fe4162b1421a9aabe66784299cab4e6b9377a675937945c380e3a8bf371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61c8477e376d480fb54dafdc63fdb92d

SHA1
dd7588a5b6f15be6a34052cf747fa44771c678e5

SHA256
912ad6314ff7e9b85d70cc8715b4a8bc066e33342a8292f013432ebca856eccf

SHA512
547c0c2622f0975b68f727d994a928b7b15f5498310a15f6b869f2d7cdbb17c1cb32bf547d4d534d71a43b701c6409d77111e92bad5a4c30ec09e1f6500fe5f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01e842636107592f261cc707216f7a41

SHA1
bff336c875a3f80b6f2d61af3142c3a7905eaf71

SHA256
7aaf331f6e6d6b80402d9a02be2371dfa0101efc306c86d2ab83bbc08905af4a

SHA512
5c683d122f8040b714f6d6f032586883ce9cba56a0566e6193bc3d248290b30531e71fef82ce1d20528ad4c3b7e851f1be255b673c940b04bbec4cec160a1a50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7a72147cb637a8fd7eeff32fe30274b

SHA1
cb97df68467b8b0fa7ba41ed22c8ff11aa1603ad

SHA256
d852682a50b037cb979ec6a76bbb42b1ba5add392fab447b258e5f47cc294dbc

SHA512
aa019e256dbe1dbf7bc01264fd85d6100f8db41512c4529f9e36002b13dc540ec28e38057cfa8f61e5c8ad572d4f832c2341629bcd078539ebe034511caca817

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcf0bd8c80cb706a51ca820bc1230631

SHA1
d801d9eabd22e3417ba9172db0f3b9c787a7cad2

SHA256
3fee974792c90bedec64a994f38cad302c7866709802ce7fadc4ec2a581824f4

SHA512
1d5975c46ac05487abc49581d2360d681a07e04ae7524a979cc94a5dbb75f1551d549398821df8923ee057a7e2131ba2eefc99878d72f4bad7ded3d771cf1378

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
691814a6cef28a58318dc75b97588ac3

SHA1
a1d00b9400b2801471bc534f994888ebea9a1c71

SHA256
076fdf0faed23f9a7491a82be8dec4639afe21c7862137e9a834c001c10a9da2

SHA512
888ba922babe196cf92e0c2d58e7532023f5eecd6131818a09173a2da2f7c760e1fcc53f895fe45b35579e8734778150e2598d029518e42ad62152e9b7c08d30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9972c1f3f1074314bc24cc5f1554a6b

SHA1
411262ef1abb1b770d2774fdcc37f9e412345fbe

SHA256
73ff11b86e86402c72be8f6c6834b115a2dba299173a5388058a095d5cb9472d

SHA512
4ede5bae083e1b9baba62e860787790e6c57edea0b9f7e1b1954a9b67db2282bc1a0200a4d10da4790db898849985c717648245d7ffeeb298bec61f7e7f265aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b989f50f4920eca36b1b440d8d240f8a

SHA1
16d9d92f45c055697dcd5de1c7e4b1f958094730

SHA256
825b8b38bbb8ab1c686a580eb10f2820b1019e1457658a33d1ac96824c316992

SHA512
53734e9bf96cd1aeb32da03c884851e2370166eccffa52fde201ad358f37452644e3a3e657e1a249232f916f58d296570ad3b39bd758430c6c88de678a4fb70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef35884e0b2b66dd039c88955cbfaf75

SHA1
1783ab5113a2c5fef1958911a4dbff791ec15069

SHA256
cadd9c2c3c5356b4478a8b875724168f60bddf628e345251a262890f991ed850

SHA512
386790063acea5b06e565d311d7e923166f3ee7db87f31377354d0afa9c6a8cc5500d1196f3df78c1aedaac0959178cd2058dd1f0e6e42936c3cee327b3eb921

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8283b54459ee6f411b21a04e8dcfe191

SHA1
7b70500d9d9eb435d013654c044e2303321598f5

SHA256
50165b384fb3219b91067848644a5d4115e8fe14e9fd4d87723f7edccfc2d69a

SHA512
3274ad3c5c7a2b2db8d21733756b5f6b193e0dfa5dd42821bf2828280cec6ebebfeba89a9d3575f9a699f8b74f00e5d190663f040df686680d251af4a933383e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
454073a7cf526763a9a64c3bd8b5d96d

SHA1
eaddd4b4ca20991bdcab729427d4b934052b1d27

SHA256
77ba8e145dd3c1494f57206813aaa75fe435cd55a6848453b371a48533788eba

SHA512
f9026b20544c2cbcb57ce7e24f2c81eab4364982770f4be8203a64877761a4855ce97e375c1b091080cf9d6565cac0b5e1f1430fda10a421bd3fd94541343d6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d969267285af96c4a0d32e63ecd89cbd

SHA1
58d9088157d0c3f60d8eba6aa1347a3040c18c60

SHA256
df4ac49bae8b70fa3637b973a1e256c5ba23ae5c4495b4f91db774119ec41ba0

SHA512
9f92b81160678e1321fec61cd8366e0e9fefed03f5a935c25dfb13a738225fff7da8cce78c8a488f0427808d758c60024dee82a0a24eeda6bd9966a219e81416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
729d9f06c272580c972ee171b6576bf6

SHA1
8c3d2e8413d511c34b55c88b8ba45439448f1aa9

SHA256
8d3b4cd759aab70c3295d9fb27a890b6dc31ea038713cbb8a0598bd708d989fa

SHA512
1a796adbe7085048dde518af6332d41003e10f513ac1198307c4b1be053db786867868c3ac7c61aee4723f19f752d3978e3878113b111959204538b5b8150af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aadce28ffdffac08b79a3783d6dc8f73

SHA1
2fea0ad58d34ef76289fc71e1439d3fba9d713bc

SHA256
c928082d8119c2ed08da597757c5ecaac19da2a353c29f6116172aaa7870e4fd

SHA512
b32725ea7452ab5b09de03968a696173909fca963cb910b6055f507e8d3954a5914ebe6b27f19ad9820452fd73058cd987131217296fb0b10552bcaccc93ee34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dccbd24bc12cab7d85200ada9c229897

SHA1
0ff50cff8a56ffc434587273fe3b951996fe4029

SHA256
6e171af22b35594f8ce70e73eb82b41cc06821cd38567c16ce174cca4e63781c

SHA512
83acf68094e47fd22689d6196d8445d6e7608dad14c68194a4633d6bfaf5dba5dd20763c143e2fbc70219ca69ab28ee7f994d70345eed3b92457b2bd237b98f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
cff8159e691d94c7ba4fbe152b91146f

SHA1
1bd59e87640c48c8232d2f8363e7999b2c526a92

SHA256
a3439dd37b5ebbd0507027f8b3bf00133871e98e050bedd4d2dd6c18b696b878

SHA512
bf2b38073c2b9854820e5a00ef9afb832618890dc8b75acba2e7a2f5f1134e88f67185c2db95c0652c2b49facf449db3aaf764ea3742accf3c1b28ca9042ba9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
3cf4145b4f1b7530f72ef641404184ab

SHA1
137eb1f0f47f0da0050e7e411035cf3194f7ac8c

SHA256
9f5059106769125cf730c96a4cf9695fa0db8f25664f92a26af8b261a1a30b44

SHA512
32ccef40c13bb41916550c4be6b1f0709ae4c36d1396edd5d102f0b4f552ae72cab6ff5bb7992628d931526fd56765dfc3376792c3cf5a7fa1ff4bca71e4c02b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
c4c8ac8f272bc9e6f7e72888d987cea6

SHA1
c07a819f6ef707a850379ef980d1dbbae267a261

SHA256
4444d1f3453e43603c32496778a8c49fb9e401db725b817b6f4004da1f002d5f

SHA512
7ae4feca30968ff1635178a50aa98c1862069b05ded99f5ce96313e9c450549e796421dd2c91463f33d3446eec82c00ed416707fab975a52be2069dc3ec9b0bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_66844DFB40BF4B068A604CFAA53C897E

Filesize
418B

MD5
0612c5814d980a10cade8031c027057a

SHA1
4310e95399cb9c12f153709d669dc527e0e69f9b

SHA256
d85ad309c6a41f9666790b1eae5f6a967214ed02bd52b31f9207441432108549

SHA512
9b31589664bfbee0987e898b46967f49ce00ba4247c1612253035850566489bcd9e87967fc303717822c04425d0ab6658461a0ca55a4cd65d010627c2cb79bc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_CFE12D30EC1AADB5E9325673D2588EA5

Filesize
422B

MD5
ddada62d475ed98ef4a7ca87b4911f27

SHA1
3a5ab678b4b880736d9f4bce8de172dc6aa03dbc

SHA256
f78b80f6231fb49bd48e0a3928ce80626c411feda68746fa2e32899c5bd9c64c

SHA512
9511118833f0d3ff839dfb296fa7c2aa42d3916016d79423316117c931bf45d1a749f51b2776776a04c4cfc7962e0fdb597b787195b888e3a10c8fb0e128092c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_3B32E91D54CCCEAAC0529F21AC70D0DE

Filesize
426B

MD5
a0980fc668876d0f4e8c4310cd845801

SHA1
9f9d8a0577367ec09e475ca1b69bda890599a16d

SHA256
c6e0344410125665eadd038e2ca8b89421d5ddc60cdf74234e64af87dd897020

SHA512
8e357dc935ae3c873a807b18f777a27f99f154413066200143fad373b27380a24172c64c5844077b89d3c4910f3bd8ca4704b93d217b3fbe0f63875e4fd78b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\s[1].htm

Filesize
134B

MD5
4aa7a432bb447f094408f1bd6229c605

SHA1
1965c4952cc8c082a6307ed67061a57aab6632fa

SHA256
34ccdc351dc93dbf30a8630521968421091e3ed19c31a16e32c2eabb55c6a73a

SHA512
497ba6d8ec6bf2267fe6133a432f0e9ab12b982c06bb23e3de6e5a94d036509d2556ba822e3989d8cd7e240d9bae8096fc5be8a948e3e29fe29cab1fea1fe31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC92.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCCC4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF3462B2DA79A44D08.TMP

Filesize
28KB

MD5
5cf4e56f89d3a6f3964456c84b7be0a5

SHA1
a05595b11cc158cde383f6a2aef41d6fc817cefc

SHA256
ed91615985d8fd0a0ac11f790635adeb308051ed2a2b19d2e75daf6a155dc37e

SHA512
878d845a8b101869dcd566c892e79f748177565f8e2172fd2c1852bd72c0d386d7a794a789042ee02a9326394ad84c24b1f761f73ed4f5d998d88f109fdd006d

Download Submit
C:\Users\Admin\Desktop\00336\HEUR-Trojan-Ransom.Win32.Blocker.gen-3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d.exe

Filesize
1.2MB

MD5
2611a72621182988a0ea33e285e2b426

SHA1
babd564272849a735421d4a6b66a916f228328c3

SHA256
3a382884220431ef47325e950f10db30a8f86be4b567a4280ea54d3a0e340f0d

SHA512
33983d4ec499d2dbe63dff9511e979e2b0deaefd40936673ecb2603390ce25d4e30cfaaf52321769f136778c4ae694f531d10134c0934e7680b315d8da7f4641

Download Submit
C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Foreign.obcp-36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003.exe

Filesize
2.3MB

MD5
224c4d783900186e62d09bb7cc022a14

SHA1
af8da82d48fd69b774e9ceac8ee33c57a5923df0

SHA256
36a63c8774aba2266441b25a96f20c705f6c08f0b5cb3eca5f58fcfc57eb0003

SHA512
5af851acef4a22b86faee20797756fc9a02705a5f368df4e70b64c1ad5f7fce40d36712a86fb6cdb3fed2c978c8e1f2ec5f4cd7cc1fd4c2c90fe669840cea6c0

Download Submit
C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Foreign.obdo-ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75.exe

Filesize
947KB

MD5
09d25be79b416811042a2b2c375672fa

SHA1
cb707a0d4a4426e8eeceb34e27ba06df6e4d79e5

SHA256
ed723339a0637e7e75c101d99212d66356280410e9ab33ca88d4b5fe95a49e75

SHA512
e33217cde60187fbcc9a45a5eeb08d5b20b845ef1239f72ca809eeefa83ed858e3130c29c674b1b5f09d9a38ecee557c7b5498f5fa34a5f9bfdbee326a674696

Download Submit
C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Foreign.obeg-5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f.exe

Filesize
943KB

MD5
4eaf630c308909d72b1359c3ae0e53fc

SHA1
672dde6e4bc737b1567ce1a27d747883199c4e1d

SHA256
5e23cd974d5dfb610db2e1f2247001bc0e5365fb7e6ba6d8d47e7976274f703f

SHA512
fff1133dfffd6de492a7686e04f9a91dde7e77c34b64a2a61a2579534176d53d486dcd9b86c3e1a73df4f73ced2406eee0929e7a6871027e97fde5874cb55af5

Download Submit
C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.GandCrypt.fcv-d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5.exe

Filesize
432KB

MD5
93ad328f216fa50b356a37feca83325c

SHA1
b624955639bebb465408248867cff4e187fda441

SHA256
d2225a9ec3a9d62ddbb3ccfc958a94287e1fca745377e26b22a9a4205e8127f5

SHA512
1e0f66ea8f569207a8fd875b64694d9d66745abd2c631da83f875721ae758c90bad0c09d13b59ab7df3e13abeb0f3afbc47105a5f94da5cbb4adf74d61b9af4f

Download Submit
C:\Users\Admin\Desktop\00336\Trojan-Ransom.Win32.Spora.fgn-9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf.exe

Filesize
416KB

MD5
38e2db4ac766d301a5c2e642e7d64d6b

SHA1
a5a007e510d84b06371e65442ce9f6a421962bbc

SHA256
9ded0b543db0d53a2792a7487272b6a9adda0347e6f56c448e5ca8d5406eaddf

SHA512
bfebb3bc2a253a099b58823b37ed6bb65547194ee9d2e67d8ce6b7866b1114cdb25bd39b64d1dc762d2ca068d6d238632cecf8d228318cc3b9bc6007130ece29

Download Submit
\Users\Admin\AppData\Local\Temp\nseBEEE.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
\Users\Admin\AppData\Local\Temp\nseBEEE.tmp\npHelper.dll

Filesize
328KB

MD5
ef81554c861acf96e5b9a61277838a01

SHA1
15200c8163840e47688271c18a5e611bf170e05b

SHA256
bc48e8ed0d9961d410984e8a4abc8870890bd0a7610d2db7a68ec15c651aec6b

SHA512
97909f2730130d53d3e70686e973fb81c95574fcb03b1075053ec9bf8bb6f91dcc223a98c1f726c4692e1f6e5e2a240f49eb2aa955fdde908ae587073fc23676

Download Submit
\Users\Admin\AppData\Local\Temp\nseBEEE.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
\Users\Admin\AppData\Local\Your\Your.exe

Filesize
2.1MB

MD5
db72ac3bdb93f5663239e4262a6d39ad

SHA1
73154457fa59941e1cfc1d385225cd81b4a800de

SHA256
fe5fd9300c6aa1c44868668d506edd1a1435a7a5c641fff36e1ae47051f543ad

SHA512
8d88a60b8ad4c7d76e29a345d41c8a18ffbc7636c2dfa8bd40e89c22cb37477e17e0d68ece14241f0ec8aeaf915d3b5c81d53725959cfdc9878248d2ca6396b9

Download Submit
memory/572-394-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/628-383-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download
memory/628-387-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download
memory/1208-28-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/1208-32-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/1736-389-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/1736-393-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/1976-403-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1976-41-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1976-697-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1976-1618-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2844-695-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2844-1629-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2844-2118-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2844-2102-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2844-1622-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2844-2095-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2844-416-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2844-1648-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2844-1617-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/3024-1620-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1451-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1452-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1650-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1619-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-12-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1624-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-14-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1621-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1632-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-13-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1631-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download