Analysis
max time kernel: 111s
max time network: 163s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12-11-2024 19:04

Static task: static1
Behavioral task: behavioral1
Sample: RNSM00319.7z
Resource: win7-20241010-en
General
Target: RNSM00319.7z
Size: 12.2MB
MD5: e653fa79ad8314e2aa0168025a42c82d
SHA1: b56f8b3110d72c77e54ba7dd273537a99accf7ef
SHA256: 84c78672f9e5510ef56bb2ee04a2e50b5a42272f534e2acb120ff0153026055f
SHA512: eca11e36ea634f772c9ecb1a14ab8a09e811e08ae67acf8fb311b3bd3cf58f3538b0e91d188e159626f065d0ddf1e3b67504487807ec006c54ed73b0c587e1b6
SSDEEP: 196608:U1ltYMKrBYEDnnl6SGKvSIlkYYDAhU8EVg7pSkawU2tTKRq2yU2vQx:UBYJtDl/htrYYCg1S3LRq2yUsQ
Malware Config
Extracted
xtremerat
shigra.sytes.net
Extracted
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\!HELP_YOUR_FILES.HTML
class='style5'>[email protected]</span>
http-equiv='Content-Type
Extracted
lokibot
http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Adwind family
-
Class file contains resources related to AdWind 1 IoCs
resource | yara_rule
sample | family_adwind5
Detect XtremeRAT payload 5 IoCs
resource | yara_rule
behavioral1/files/0x000600000001c6d4-277.dat | family_xtremerat
behavioral1/memory/756-299-0x0000000000C80000-0x0000000000D0C000-memory.dmp | family_xtremerat
behavioral1/memory/1972-303-0x0000000000C80000-0x0000000000D0C000-memory.dmp | family_xtremerat
behavioral1/memory/1972-305-0x0000000000C80000-0x0000000000D0C000-memory.dmp | family_xtremerat
behavioral1/memory/2124-315-0x0000000000C80000-0x0000000000D0C000-memory.dmp | family_xtremerat
GandCrab payload 3 IoCs
resource | yara_rule
behavioral1/memory/984-82-0x0000000000290000-0x00000000002A7000-memory.dmp | family_gandcrab
behavioral1/memory/984-81-0x0000000000400000-0x0000000000E3A000-memory.dmp | family_gandcrab
behavioral1/memory/984-93-0x0000000000400000-0x0000000000E3A000-memory.dmp | family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Lokibot family
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | MicrosoftSecurity.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | regedit.exe
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Xtremerat family
-
Renames multiple (164) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3TUY3S57-UOHQ-6643-Y1W8-52VY8KCQE5P1} | server.exe
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
All 64 entries below were written by regedit.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (that prefix and the process column are omitted from each row):
Set value (str) | escanpro.exe\debugger = "svchost.exe"
Set value (str) | fssm32.exe\debugger = "svchost.exe"
Set value (str) | GDKBFltExe32.exe\debugger = "svchost.exe"
Set value (str) | K7SysMon.Exe\debugger = "svchost.exe"
Set value (str) | nvcsvc.exe\debugger = "svchost.exe"
Key created | SASTask.exe
Key created | BullGuarScanner.exe
Key created | AdAwareDesktop.exe
Key created | fsgk32.exe
Set value (str) | AVK.exe\debugger = "svchost.exe"
Key created | virusutilities.exe
Set value (str) | WebCompanion.exe\debugger = "svchost.exe"
Set value (str) | mbam.exe\debugger = "svchost.exe"
Set value (str) | virusutilities.exe\debugger = "svchost.exe"
Key created | K7SysMon.Exe
Set value (str) | nwscmon.exe\debugger = "svchost.exe"
Key created | procexp.exe
Set value (str) | MCShieldDS.exe\debugger = "svchost.exe"
Set value (str) | SDTray.exe\debugger = "svchost.exe"
Set value (str) | UserReg.exe\debugger = "svchost.exe"
Key created | K7AVScan.exe
Key created | fshoster32.exe
Key created | AVK.exe
Key created | K7EmlPxy.EXE
Set value (str) | MCS-Uninstall.exe\debugger = "svchost.exe"
Key created | fmon.exe
Set value (str) | psview.exe\debugger = "svchost.exe"
Key created | avpmapp.exe
Key created | TRAYSSER.EXE
Key created | AVKWCtlx64.exe
Set value (str) | nfservice.exe\debugger = "svchost.exe"
Set value (str) | EMLPROXY.EXE\debugger = "svchost.exe"
Set value (str) | SAPISSVC.EXE\debugger = "svchost.exe"
Set value (str) | SCANNER.EXE\debugger = "svchost.exe"
Key created | ScSecSvc.exe
Key created | mbam.exe
Key created | twssrv.exe
Set value (str) | mbamscheduler.exe\debugger = "svchost.exe"
Set value (str) | TRAYICOS.EXE\debugger = "svchost.exe"
Set value (str) | econser.exe\debugger = "svchost.exe"
Set value (str) | FSHDLL64.exe\debugger = "svchost.exe"
Key created | coreServiceShell.exe
Key created | SBAMTray.exe
Key created | SDFSSvc.exe
Set value (str) | MsMpEng.exe\debugger = "svchost.exe"
Key created | guardxservice.exe
Set value (str) | freshclam.exe\debugger = "svchost.exe"
Key created | nbrowser.exe
Key created | MsMpEng.exe
Set value (str) | acs.exe\debugger = "svchost.exe"
Set value (str) | fcappdb.exe\debugger = "svchost.exe"
Set value (str) | TRAYSSER.EXE\debugger = "svchost.exe"
Key created | editcap.exe
Set value (str) | SBPIMSvc.exe\debugger = "svchost.exe"
Set value (str) | bavhm.exe\debugger = "svchost.exe"
Set value (str) | BavSvc.exe\debugger = "svchost.exe"
Key created | ConfigSecurityPolicy.exe
Key created | SASCore64.exe
Set value (str) | coreServiceShell.exe\debugger = "svchost.exe"
Set value (str) | MCShieldRTM.exe\debugger = "svchost.exe"
Key created | AVKProxy.exe
Key created | K7FWSrvc.exe
Key created | AgentSvc.exe
Set value (str) | PtSessionAgent.exe\debugger = "svchost.exe"
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
2584 | netsh.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 22 IoCs
pid | Process
2988 | HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-06a9995b6da1dbe6dd6a6632a385c4ff51f24cae80d8349e6e3c65680378b5d4.exe
984 | HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe
1084 | HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe
944 | Trojan-Ransom.Win32.Blocker.kqrc-4cdc1fbc06f02da03975b5ced31e0c79aa79f8a3cb266db92e6d0eeeadfeb7c1.exe
1248 | Trojan-Ransom.Win32.Blocker.lzgi-9978aca2bb3173fad0ec57847a11d7fe3c82c31c5eafe6e7c198178d1b0d2811.exe
1264 | Trojan-Ransom.Win32.Blocker.lbem-8dafd4f877b618c265b8b90b1bbde79f8afda970b805dd0eb0dcd87103eeb5fe.exe
1516 | Trojan-Ransom.Win32.Spora.fcl-458f2854d5674d2eab4095358bc7c5da061d2323b04484ea426901725f7453d6.exe
2904 | Trojan-Ransom.Win32.Crypren.aela-675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe
2908 | Trojan-Ransom.Win32.Takbum.z-980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda.exe
2348 | cexplorer.exe
564 | cexplorer.tmp
1700 | MicrosoftSecurity.exe
2056 | ChameleonExplorer.exe
1396 | HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe
2124 | server.exe
1624 | 424nxiz.exe
3332 | ChameleonExplorer.exe
556 | ChameleonFolder.exe
2020 | ChameleonExplorer.exe
1824 | javaw.exe
3288 | java.exe
3840 | 424nxiz.exe
Loads dropped DLL 64 IoCs
pid | Process | number of dropped-DLL loads recorded (64 in total)
1248 | Trojan-Ransom.Win32.Blocker.lzgi-9978aca2bb3173fad0ec57847a11d7fe3c82c31c5eafe6e7c198178d1b0d2811.exe | 4
2348 | cexplorer.exe | 1
944 | Trojan-Ransom.Win32.Blocker.kqrc-4cdc1fbc06f02da03975b5ced31e0c79aa79f8a3cb266db92e6d0eeeadfeb7c1.exe | 1
564 | cexplorer.tmp | 3
1212 | Process not Found | 6
2856 | taskmgr.exe | 10
1700 | MicrosoftSecurity.exe | 1
1396 | HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe | 4
2124 | server.exe | 2
2776 | javaw.exe | 3
848 | Process not Found | 4
1824 | javaw.exe | 12
3288 | java.exe | 11
1624 | 424nxiz.exe | 1
3776 | WerFault.exe | 1
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 104.155.138.21 (the same destination is recorded for all 64 entries)
resource | yara_rule
behavioral1/files/0x0005000000019515-32.dat | vmprotect
behavioral1/memory/2908-42-0x0000000000400000-0x00000000005A6000-memory.dmp | vmprotect
behavioral1/memory/2908-50-0x0000000000400000-0x00000000005A6000-memory.dmp | vmprotect
behavioral1/memory/2908-96-0x0000000000400000-0x00000000005A6000-memory.dmp | vmprotect
behavioral1/memory/2908-2751-0x0000000000400000-0x00000000005A6000-memory.dmp | vmprotect
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 424nxiz.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 424nxiz.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 424nxiz.exe
Adds Run key to start application 2 TTPs 16 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti-Malware = "C:\\Users\\Admin\\AppData\\Roaming\\KBFilt.exe" | Trojan-Ransom.Win32.Crypren.aela-675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJCtdgePZu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\vICnowguKMt\\WmOQypbCRJl.tYJtsC\"" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\urlxyqdxixm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\gjegrk.exe\"" | HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Security = "C:\\MicrosoftSecurity\\MicrosoftCMD.lnk" | MicrosoftSecurity.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftOffice = "C:\\MicrosoftSecurity\\MicrosoftUpdate.lnk" | MicrosoftSecurity.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\MicrosoftSecurity\\MicrosoftUpdate.lnk" | MicrosoftSecurity.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HDAudio = "C:\\MicrosoftSecurity\\MicrosoftSecurity.exe /AutoIt3ExecuteScript C:\\MicrosoftSecurity\\Microsoft.a3x" | MicrosoftSecurity.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Security = "C:\\MicrosoftSecurity\\MicrosoftCMD.lnk" | MicrosoftSecurity.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\PrintDriver = "C:\\MicrosoftSecurity\\MicrosoftSecurity.exe /AutoIt3ExecuteScript C:\\MicrosoftSecurity\\Microsoft.a3x" | MicrosoftSecurity.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\424nxiz.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | 424nxiz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chameleon Explorer = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" /startup" | ChameleonExplorer.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ChameleonFolder.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 64 entries are "File opened (read-only)" on a drive root; the drive letters are grouped below by the process that opened them, in the order recorded:
MicrosoftSecurity.exe (21): \??\k: \??\w: \??\z: \??\s: \??\u: \??\n: \??\v: \??\h: \??\r: \??\o: \??\j: \??\m: \??\i: \??\p: \??\e: \??\x: \??\q: \??\t: \??\y: \??\b: \??\l:
Trojan-Ransom.Win32.Takbum.z-980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda.exe (22): \??\H: \??\S: \??\R: \??\B: \??\Q: \??\P: \??\M: \??\F: \??\K: \??\T: \??\I: \??\E: \??\J: \??\O: \??\Y: \??\G: \??\N: \??\X: \??\L: \??\U: \??\Z: \??\V:
HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe (21): \??\A: \??\K: \??\H: \??\Q: \??\L: \??\X: \??\S: \??\P: \??\O: \??\E: \??\B: \??\M: \??\N: \??\Z: \??\T: \??\W: \??\Y: \??\R: \??\G: \??\I: \??\U:
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
3 | iplogger.com
4 | iplogger.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
57 | myip.dnsomatic.com
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000a000000016d2c-33.dat | autoit_exe
behavioral1/files/0x0002000000018334-34.dat | autoit_exe
behavioral1/files/0x00050000000195ad-119.dat | autoit_exe
Drops file in System32 directory 3 IoCs
description ioc Process
File created C:\Windows\System32\test.txt javaw.exe
File opened for modification C:\Windows\System32\test.txt java.exe
File opened for modification C:\Windows\System32\test.txt javaw.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target
PID 1084 set thread context of 1396 1084 HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe 60
PID 1624 set thread context of 3840 1624 424nxiz.exe 129 -
resource yara_rule
behavioral1/files/0x000500000001c846-309.dat upx
behavioral1/memory/1624-317-0x0000000000400000-0x000000000051F000-memory.dmp upx
behavioral1/memory/1624-550-0x0000000000400000-0x000000000051F000-memory.dmp upx
behavioral1/memory/1624-2556-0x0000000000400000-0x000000000051F000-memory.dmp upx
behavioral1/memory/1624-2546-0x0000000003030000-0x000000000314F000-memory.dmp upx -
Drops file in Program Files directory 34 IoCs
description ioc Process (34 entries, grouped by process; Chameleon Explorer paths are under C:\Program Files (x86)\Chameleon Explorer\)
cexplorer.tmp, File created: is-IB9AU.tmp, is-NJMR4.tmp, is-QOB5K.tmp, is-2DTKS.tmp, is-HJRDG.tmp, is-T8AF9.tmp, is-HVR9O.tmp, is-8GAQ8.tmp, unins000.msg, unins000.dat
cexplorer.tmp, File opened for modification: ChameleonFolder.exe, unins000.dat, ChameleonExplorer.exe, ChameleonFolder64.exe
ChameleonFolder.exe, File created: Folder.dll_backup, Folder.dll, Folder64.dll_backup, Folder64.dll
ChameleonFolder.exe, File opened for modification: Folder.dll_backup
ChameleonExplorer.exe, File created: ExplorerHelper64.dll, ExplorerHelper32.dll_backup, ExplorerHelper32.dll, ExplorerHelper64.dll_backup
ChameleonExplorer.exe, File opened for modification: ExplorerHelper32.dll_backup
MicrosoftSecurity.exe, File created: \??\c:\Program Files\Program Files.lnk, \??\c:\Program Files\Music.lnk, \??\c:\Program Files\Pictures.lnk, \??\c:\Program Files\Reports.lnk, \??\c:\Program Files\Statments.lnk
MicrosoftSecurity.exe, File created: \??\c:\Program Files (x86)\Program Files (x86).lnk, \??\c:\Program Files (x86)\Pictures.lnk, \??\c:\Program Files (x86)\Reports.lnk, \??\c:\Program Files (x86)\Statments.lnk, \??\c:\Program Files (x86)\Music.lnk -
Drops file in Windows directory 8 IoCs
description ioc Process
File opened for modification C:\Windows\InstallDir\ server.exe
File created \??\c:\Windows\Windows.lnk MicrosoftSecurity.exe
File created \??\c:\Windows\Music.lnk MicrosoftSecurity.exe
File created \??\c:\Windows\Pictures.lnk MicrosoftSecurity.exe
File created \??\c:\Windows\Reports.lnk MicrosoftSecurity.exe
File created \??\c:\Windows\Statments.lnk MicrosoftSecurity.exe
File opened for modification C:\Windows\InstallDir\Server.exe server.exe
File created C:\Windows\InstallDir\Server.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target
3776 2908 WerFault.exe 43 -
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process (38 entries, all "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; grouped by process)
nslookup.exe (18 times)
424nxiz.exe (2 times)
HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe (2 times)
Once each: MicrosoftSecurity.exe, svchost.exe, IEXPLORE.EXE, cexplorer.exe, cexplorer.tmp, ChameleonFolder.exe, server.exe, explorer.exe, netsh.exe
Once each: Trojan-Ransom.Win32.Crypren.aela-675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe, Trojan-Ransom.Win32.Blocker.kqrc-4cdc1fbc06f02da03975b5ced31e0c79aa79f8a3cb266db92e6d0eeeadfeb7c1.exe, HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe, Trojan-Ransom.Win32.Spora.fcl-458f2854d5674d2eab4095358bc7c5da061d2323b04484ea426901725f7453d6.exe, Trojan-Ransom.Win32.Blocker.lbem-8dafd4f877b618c265b8b90b1bbde79f8afda970b805dd0eb0dcd87103eeb5fe.exe, Trojan-Ransom.Win32.Blocker.lzgi-9978aca2bb3173fad0ec57847a11d7fe3c82c31c5eafe6e7c198178d1b0d2811.exe, Trojan-Ransom.Win32.Takbum.z-980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Trojan-Ransom.Win32.Takbum.z-980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Trojan-Ransom.Win32.Takbum.z-980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda.exe -
Kills process with taskkill 47 IoCs
pid Process 3568 taskkill.exe 3292 taskkill.exe 4076 taskkill.exe 3584 taskkill.exe 3624 taskkill.exe 3188 taskkill.exe 4040 taskkill.exe 4092 taskkill.exe 1524 taskkill.exe 1364 taskkill.exe 3644 taskkill.exe 1168 taskkill.exe 1400 taskkill.exe 2236 taskkill.exe 3768 taskkill.exe 1820 taskkill.exe 4064 taskkill.exe 3432 taskkill.exe 2908 taskkill.exe 2256 taskkill.exe 3200 taskkill.exe 864 taskkill.exe 3864 taskkill.exe 2132 taskkill.exe 1348 taskkill.exe 1740 taskkill.exe 3112 taskkill.exe 3620 taskkill.exe 4036 taskkill.exe 3532 taskkill.exe 1340 taskkill.exe 4064 taskkill.exe 580 taskkill.exe 3484 taskkill.exe 900 taskkill.exe 3316 taskkill.exe 2480 taskkill.exe 3292 taskkill.exe 264 taskkill.exe 2124 taskkill.exe 1704 taskkill.exe 820 taskkill.exe 3624 taskkill.exe 2504 taskkill.exe 1408 taskkill.exe 2212 taskkill.exe 2532 taskkill.exe -
description ioc Process (all by iexplore.exe, under \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\)
Key created: IntelliForms, InternetRegistry, LowRegistry, LowRegistry\DOMStorage, IETld\LowMic, LowRegistry\DontShowMeThisDialogAgain, Zoom, BrowserEmulation\LowMic, PageSetup, Toolbar, Toolbar\WebBrowser, GPU, Main
Set value (int): Main\CompatibilityFlags = "0" -
Modifies registry class 52 IoCs
description ioc Process (all 52 operations by ChameleonExplorer.exe; USER_CLASSES below stands for \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES)
Key created, USER_CLASSES: CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}, \ProgID, \LocalServer32
Key created, USER_CLASSES: ChameleonExplorer.AutoplayEventHandler, \CLSID, \shell, \shell\open, \shell\open\DropTarget
Key created, USER_CLASSES: ChameleonExplorer.zip, \DefaultIcon, \shell, \shell\open, \shell\open\command
Key created, USER_CLASSES: .zip, \OpenWithProgids
Key created, USER_CLASSES: Applications, \ChameleonExplorer.exe, \ChameleonExplorer.exe\DefaultIcon
Key created, USER_CLASSES: Directory, \shell, \shell\open, \shell\open\command
Key created, USER_CLASSES: Drive, \shell, \shell\open, \shell\open\command
Key created, USER_CLASSES: System.RangeException, \CLSID, \CurVer
Key created, \REGISTRY\MACHINE\SOFTWARE\Classes: System.RangeException, \CurVer
Set value (str) USER_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ = "Chameleon Explorer Autoplay COM Server"
Set value (str) USER_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID\ = "ChameleonExplorer.AutoplayEventHandler"
Set value (str) USER_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32\ = "C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe"
Set value (str) USER_CLASSES\ChameleonExplorer.AutoplayEventHandler\ = "Chameleon Explorer Autoplay COM Server"
Set value (str) USER_CLASSES\ChameleonExplorer.AutoplayEventHandler\CLSID\ = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}"
Set value (str) USER_CLASSES\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget\CLSID = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}"
Set value (str) USER_CLASSES\ChameleonExplorer.zip\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll"
Set value (str) USER_CLASSES\ChameleonExplorer.zip\shell\ = "open"
Set value (str) USER_CLASSES\ChameleonExplorer.zip\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1"
Set value (str) USER_CLASSES\.zip\ = "ChameleonExplorer.zip"
Set value (str) USER_CLASSES\.zip\OpenWithProgids\ChameleonExplorer.zip
Set value (str) USER_CLASSES\Applications\ChameleonExplorer.exe\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll"
Set value (str) USER_CLASSES\Directory\shell\ = "open"
Set value (str) USER_CLASSES\Directory\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1"
Set value (str) USER_CLASSES\Drive\shell\ = "open"
Set value (str) USER_CLASSES\Drive\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1"
Set value (str) USER_CLASSES\System.RangeException\ = "System.RangeException"
Set value (str) USER_CLASSES\System.RangeException\CLSID\ = "{4286FA72-A2FA-3245-8751-D4206070A191}"
Set value (str) USER_CLASSES\System.RangeException\CurVer\ins13 = "installed"
Set value (str) USER_CLASSES\System.RangeException\CurVer\13 = "45600"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer\uid = "c4988fd4a233d3ee6f9fec5ce0237ca1" -
Modifies registry key 1 TTPs 1 IoCs
pid Process
2580 reg.exe -
Runs .reg file with regedit 1 IoCs
pid Process
3696 regedit.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs
pid Process
984 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe
1084 HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe
944 Trojan-Ransom.Win32.Blocker.kqrc-4cdc1fbc06f02da03975b5ced31e0c79aa79f8a3cb266db92e6d0eeeadfeb7c1.exe
1264 Trojan-Ransom.Win32.Blocker.lbem-8dafd4f877b618c265b8b90b1bbde79f8afda970b805dd0eb0dcd87103eeb5fe.exe
1248 Trojan-Ransom.Win32.Blocker.lzgi-9978aca2bb3173fad0ec57847a11d7fe3c82c31c5eafe6e7c198178d1b0d2811.exe
2904 Trojan-Ransom.Win32.Crypren.aela-675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe
1516 Trojan-Ransom.Win32.Spora.fcl-458f2854d5674d2eab4095358bc7c5da061d2323b04484ea426901725f7453d6.exe
2908 Trojan-Ransom.Win32.Takbum.z-980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 entries; the table repeats the same few processes many times, mostly 2856 taskmgr.exe and 944 Trojan-Ransom.Win32.Blocker.kqrc. Distinct entries:)
2856 taskmgr.exe
944 Trojan-Ransom.Win32.Blocker.kqrc-4cdc1fbc06f02da03975b5ced31e0c79aa79f8a3cb266db92e6d0eeeadfeb7c1.exe
2908 Trojan-Ransom.Win32.Takbum.z-980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda.exe
984 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe
564 cexplorer.tmp
1700 MicrosoftSecurity.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process (64 entries; distinct entries listed once)
Token: SeRestorePrivilege 2116 7zFM.exe
Token: 35 2116 7zFM.exe
Token: SeSecurityPrivilege 2116 7zFM.exe
Token: SeDebugPrivilege 2856 taskmgr.exe
Token: SeLoadDriverPrivilege 984 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe (all remaining entries repeat this line) -
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1972 explorer.exe 2776 javaw.exe 2576 java.exe 1824 javaw.exe 3288 java.exe 3760 iexplore.exe 3760 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 1788 attrib.exe 1588 attrib.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook 424nxiz.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 424nxiz.exe
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00319.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2116
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Users\Admin\Desktop\00319\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-06a9995b6da1dbe6dd6a6632a385c4ff51f24cae80d8349e6e3c65680378b5d4.exeHEUR-Trojan-Ransom.MSIL.PolyRansom.gen-06a9995b6da1dbe6dd6a6632a385c4ff51f24cae80d8349e6e3c65680378b5d4.exe2⤵
- Executes dropped EXE
PID:2988
-
-
C:\Users\Admin\Desktop\00319\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-a3ef8cbe15b0261e1e0045ea3e7f810e8429cc5d79b713ea6b6de5c64a7018c8.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:1812
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:1708
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:2968
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:1652
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:1680
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:2136
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:916
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:2060
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:2440
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:2432
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:4068
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:1028
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:2208
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:3564
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:3736
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:560
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:2916
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵
- System Location Discovery: System Language Discovery
PID:2392
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵PID:3812
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵PID:1768
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵PID:1712
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵PID:4084
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵PID:3148
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵PID:2948
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵PID:1040
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵PID:3672
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵PID:3256
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵PID:2384
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵PID:4088
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵PID:2556
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵PID:3120
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵PID:1628
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵PID:2020
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵PID:3660
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵PID:3232
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵PID:2788
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵PID:1928
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵PID:2500
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵PID:3424
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵PID:3464
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵PID:3380
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵PID:2808
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns2.wowservers.ru3⤵PID:3352
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.wowservers.ru3⤵PID:3300
-
-
C:\Windows\SysWOW64\nslookup.exenslookup carder.bit ns1.wowservers.ru3⤵PID:2992
-
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.wowservers.ru3⤵PID:4024
-
-
-
C:\Users\Admin\Desktop\00319\HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exeHEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1084 -
C:\Users\Admin\Desktop\00319\HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe"C:\Users\Admin\Desktop\00319\HEUR-Trojan-Ransom.Win32.Generic-d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:756
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1600
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1972
-
-
C:\Users\Admin\AppData\Local\Temp\424nxiz.exe"C:\Users\Admin\AppData\Local\Temp\424nxiz.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\424nxiz.exe"C:\Users\Admin\AppData\Local\Temp\424nxiz.exe"6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- outlook_office_path
- outlook_win_path
PID:3840
-
-
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uole.jar"4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2776 -
C:\Program Files\Java\jre7\bin\java.exe"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.92129241048603557874015093324169135.class5⤵
- Suspicious use of SetWindowsHookEx
PID:2576 -
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5809643718303914160.vbs6⤵PID:2196
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5809643718303914160.vbs7⤵PID:1960
-
-
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4421356242957908782.vbs6⤵PID:2476
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4421356242957908782.vbs7⤵PID:2104
-
-
-
C:\Windows\system32\xcopy.exexcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e6⤵PID:544
-
-
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5099053271571250252.vbs5⤵PID:1152
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5099053271571250252.vbs6⤵PID:2300
-
-
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive706335085931193960.vbs5⤵PID:112
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive706335085931193960.vbs6⤵PID:1620
-
-
-
C:\Windows\system32\xcopy.exexcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e5⤵PID:3040
-
-
C:\Windows\system32\cmd.execmd.exe5⤵PID:4060
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NOJCtdgePZu /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\vICnowguKMt\WmOQypbCRJl.tYJtsC\"" /f5⤵
- Adds Run key to start application
- Modifies registry key
PID:2580
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\vICnowguKMt\*.*"5⤵
- Views/modifies file attributes
PID:1588
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\vICnowguKMt"5⤵
- Views/modifies file attributes
PID:1788
-
-
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exeC:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\vICnowguKMt\WmOQypbCRJl.tYJtsC5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1824 -
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exeC:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.194720779176518751424857593616867897.class6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3288 -
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3316672745611576613.vbs7⤵PID:3732
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3316672745611576613.vbs8⤵PID:4032
-
-
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5770757354281319453.vbs7⤵PID:2344
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5770757354281319453.vbs8⤵PID:1764
-
-
-
C:\Windows\system32\cmd.execmd.exe7⤵PID:2332
-
-
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1198438718504571287.vbs6⤵PID:3604
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1198438718504571287.vbs7⤵PID:3924
-
-
-
C:\Windows\system32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3507519097224232658.vbs6⤵PID:2660
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3507519097224232658.vbs7⤵PID:2384
-
-
-
C:\Windows\system32\cmd.execmd.exe6⤵PID:1152
-
-
C:\Windows\system32\taskkill.exetaskkill /IM UserAccountControlSettings.exe /T /F6⤵
- Kills process with taskkill
PID:3316
-
-
C:\Windows\system32\cmd.execmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\EkpQSErLMr216925385986184068.reg6⤵PID:3340
-
C:\Windows\regedit.exeregedit.exe /s C:\Users\Admin\AppData\Local\Temp\EkpQSErLMr216925385986184068.reg7⤵
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Runs .reg file with regedit
PID:3696
-
-
-
C:\Windows\system32\taskkill.exetaskkill /IM Taskmgr.exe /T /F6⤵
- Kills process with taskkill
PID:3864
-
-
C:\Windows\system32\taskkill.exetaskkill /IM ProcessHacker.exe /T /F6⤵
- Kills process with taskkill
PID:2124
-
-
C:\Windows\system32\taskkill.exetaskkill /IM procexp.exe /T /F6⤵
- Kills process with taskkill
PID:4036
-
-
C:\Windows\system32\taskkill.exetaskkill /IM MSASCui.exe /T /F6⤵
- Kills process with taskkill
PID:1364
-
-
C:\Windows\system32\taskkill.exetaskkill /IM MsMpEng.exe /T /F6⤵
- Kills process with taskkill
PID:3644
-
-
C:\Windows\system32\taskkill.exetaskkill /IM MpUXSrv.exe /T /F6⤵
- Kills process with taskkill
PID:2212
-
-
C:\Windows\system32\taskkill.exetaskkill /IM MpCmdRun.exe /T /F6⤵
- Kills process with taskkill
PID:4076
-
-
C:\Windows\system32\taskkill.exetaskkill /IM NisSrv.exe /T /F6⤵
- Kills process with taskkill
PID:2132
-
-
C:\Windows\system32\taskkill.exetaskkill /IM ConfigSecurityPolicy.exe /T /F6⤵
- Kills process with taskkill
PID:1704
-
-
C:\Windows\system32\taskkill.exetaskkill /IM procexp.exe /T /F6⤵
- Kills process with taskkill
PID:2532
-
-
C:\Windows\system32\taskkill.exetaskkill /IM wireshark.exe /T /F6⤵
- Kills process with taskkill
PID:3432
-
-
C:\Windows\system32\taskkill.exetaskkill /IM tshark.exe /T /F6⤵
- Kills process with taskkill
PID:3584
-
-
C:\Windows\system32\taskkill.exetaskkill /IM text2pcap.exe /T /F6⤵
- Kills process with taskkill
PID:3624
-
-
C:\Windows\system32\taskkill.exetaskkill /IM rawshark.exe /T /F6⤵
- Kills process with taskkill
PID:1820
-
-
C:\Windows\system32\taskkill.exetaskkill /IM mergecap.exe /T /F6⤵
- Kills process with taskkill
PID:4064
-
-
C:\Windows\system32\taskkill.exetaskkill /IM editcap.exe /T /F6⤵
- Kills process with taskkill
PID:1168
-
-
C:\Windows\system32\taskkill.exetaskkill /IM dumpcap.exe /T /F6⤵
- Kills process with taskkill
PID:1400
-
-
C:\Windows\system32\taskkill.exetaskkill /IM capinfos.exe /T /F6⤵
- Kills process with taskkill
PID:3568
-
-
C:\Windows\system32\taskkill.exetaskkill /IM mbam.exe /T /F6⤵
- Kills process with taskkill
PID:820
-
-
C:\Windows\system32\taskkill.exetaskkill /IM mbamscheduler.exe /T /F6⤵
- Kills process with taskkill
PID:2480
-
-
C:\Windows\system32\taskkill.exetaskkill /IM mbamservice.exe /T /F6⤵
- Kills process with taskkill
PID:2908
-
-
C:\Windows\system32\taskkill.exetaskkill /IM AdAwareService.exe /T /F6⤵
- Kills process with taskkill
PID:2256
-
-
C:\Windows\system32\taskkill.exetaskkill /IM AdAwareTray.exe /T /F6⤵
- Kills process with taskkill
PID:1340
-
-
C:\Windows\system32\taskkill.exetaskkill /IM WebCompanion.exe /T /F6⤵
- Kills process with taskkill
PID:2236
-
-
C:\Windows\system32\taskkill.exetaskkill /IM AdAwareDesktop.exe /T /F6⤵
- Kills process with taskkill
PID:4064
-
-
C:\Windows\system32\taskkill.exetaskkill /IM V3Main.exe /T /F6⤵
- Kills process with taskkill
PID:580
-
-
C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM V3Svc.exe /T /F
- Kills process with taskkill
PID:3188

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM V3Up.exe /T /F
- Kills process with taskkill
PID:3532

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM V3SP.exe /T /F
- Kills process with taskkill
PID:3484

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM V3Proxy.exe /T /F
- Kills process with taskkill
PID:3292

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM V3Medic.exe /T /F
- Kills process with taskkill
PID:4040

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM BgScan.exe /T /F
- Kills process with taskkill
PID:1348

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM BullGuard.exe /T /F
- Kills process with taskkill
PID:4092

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM BullGuardBhvScanner.exe /T /F
- Kills process with taskkill
PID:264

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM BullGuarScanner.exe /T /F
- Kills process with taskkill
PID:1740

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM LittleHook.exe /T /F
- Kills process with taskkill
PID:3200

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM BullGuardUpdate.exe /T /F
- Kills process with taskkill
PID:3624

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM clamscan.exe /T /F
- Kills process with taskkill
PID:900

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM ClamTray.exe /T /F
- Kills process with taskkill
PID:3112

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM ClamWin.exe /T /F
- Kills process with taskkill
PID:2504

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM cis.exe /T /F
- Kills process with taskkill
PID:1408

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM CisTray.exe /T /F
- Kills process with taskkill
PID:864

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM cmdagent.exe /T /F
- Kills process with taskkill
PID:3620

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM cavwp.exe /T /F
- Kills process with taskkill
PID:1524

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM dragon_updater.exe /T /F
- Kills process with taskkill
PID:3768

C:\Windows\system32\taskkill.exe (depth 6)
Command: taskkill /IM MWAGENT.EXE /T /F
- Kills process with taskkill
PID:3292
C:\Users\Admin\Desktop\00319\Trojan-Ransom.Win32.Blocker.kqrc-4cdc1fbc06f02da03975b5ced31e0c79aa79f8a3cb266db92e6d0eeeadfeb7c1.exe (depth 2)
Command: Trojan-Ransom.Win32.Blocker.kqrc-4cdc1fbc06f02da03975b5ced31e0c79aa79f8a3cb266db92e6d0eeeadfeb7c1.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:944

C:\MicrosoftSecurity\MicrosoftSecurity.exe (depth 3)
Command: C:\MicrosoftSecurity\MicrosoftSecurity.exe C:\MicrosoftSecurity\Microsoft.a3x
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\netsh.exe (depth 4)
Command: "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\MicrosoftSecurity\MicrosoftSecurity.exe" "MicrosoftSecurity.exe" ENABLE
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2584
C:\Users\Admin\Desktop\00319\Trojan-Ransom.Win32.Blocker.lbem-8dafd4f877b618c265b8b90b1bbde79f8afda970b805dd0eb0dcd87103eeb5fe.exe (depth 2)
Command: Trojan-Ransom.Win32.Blocker.lbem-8dafd4f877b618c265b8b90b1bbde79f8afda970b805dd0eb0dcd87103eeb5fe.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1264
C:\Users\Admin\Desktop\00319\Trojan-Ransom.Win32.Blocker.lzgi-9978aca2bb3173fad0ec57847a11d7fe3c82c31c5eafe6e7c198178d1b0d2811.exe (depth 2)
Command: Trojan-Ransom.Win32.Blocker.lzgi-9978aca2bb3173fad0ec57847a11d7fe3c82c31c5eafe6e7c198178d1b0d2811.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Roaming\cexplorer.exe (depth 3)
Command: "C:\Users\Admin\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\is-F0R53.tmp\cexplorer.tmp (depth 4)
Command: "C:\Users\Admin\AppData\Local\Temp\is-F0R53.tmp\cexplorer.tmp" /SL5="$2022A,6397385,121344,C:\Users\Admin\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:564

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (depth 5)
Command: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
- Executes dropped EXE
- Modifies registry class
PID:2056

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (depth 5)
Command: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3332

C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (depth 5)
Command: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:556

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (depth 5)
Command: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
- Executes dropped EXE
- Drops file in Program Files directory
PID:2020
C:\Users\Admin\Desktop\00319\Trojan-Ransom.Win32.Crypren.aela-675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe (depth 2)
Command: Trojan-Ransom.Win32.Crypren.aela-675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2904

C:\Users\Admin\Desktop\00319\Trojan-Ransom.Win32.Spora.fcl-458f2854d5674d2eab4095358bc7c5da061d2323b04484ea426901725f7453d6.exe (depth 2)
Command: Trojan-Ransom.Win32.Spora.fcl-458f2854d5674d2eab4095358bc7c5da061d2323b04484ea426901725f7453d6.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1516
C:\Users\Admin\Desktop\00319\Trojan-Ransom.Win32.Takbum.z-980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda.exe (depth 2)
Command: Trojan-Ransom.Win32.Takbum.z-980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda.exe
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\Program Files\Internet Explorer\iexplore.exe (depth 3)
Command: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\!HELP_YOUR_FILES.HTML
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 4)
Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3760 CREDAT:275457 /prefetch:2
- System Location Discovery: System Language Discovery
PID:3968

C:\Windows\SysWOW64\WerFault.exe (depth 3)
Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 904
- Loads dropped DLL
- Program crash
PID:3776
C:\Windows\system32\taskmgr.exe (depth 1)
Command: "C:\Windows\system32\taskmgr.exe" /4
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2856

C:\Windows\system32\DllHost.exe (depth 1)
Command: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
PID:2344

C:\Windows\system32\conhost.exe (depth 1)
Command: \??\C:\Windows\system32\conhost.exe "-1370813133-554924062-13966996241184735422-197085197958805931283094652-1756307144"
PID:1764

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (depth 1)
Command: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" C:\Users\Admin\Desktop\00319
PID:3500

C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (depth 2)
Command: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
PID:588

C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (depth 3)
Command: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 590806
PID:3944

C:\Windows\system32\conhost.exe (depth 1)
Command: \??\C:\Windows\system32\conhost.exe "-37573615612458518762050848356270605952-494068651-696854723-1291171716-1231355985"
PID:3924

C:\Windows\system32\conhost.exe (depth 1)
Command: \??\C:\Windows\system32\conhost.exe "-1397346041-1627519887-11074923171367109488-1843882874427671826-5638565361054993936"
PID:556

C:\Windows\system32\conhost.exe (depth 1)
Command: \??\C:\Windows\system32\conhost.exe "1595401815195220061324728127-414061976-2023431066-41276981-1516860865-317787956"
PID:2660
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (3)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (3)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads