globeimposter | 8de80fed294f0d140d03d2032d3007857549e73d30380bd3a7ea16bd8073f55e

Analysis

max time kernel
47s
max time network
158s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00307.7z
Size

3.0MB
MD5

6e75188020c5ec1ffdc041e11124c72e
SHA1

6559fc7c6e214857ef3c9b7e7e3b03684504cc8f
SHA256

8de80fed294f0d140d03d2032d3007857549e73d30380bd3a7ea16bd8073f55e
SHA512

954b6640be4a49980cf7f7a80d6c0a6f8e64999ba3840e34c6d04479ec7a06ddc0ac458fe940829a9ddf78ed51117347ab614c16e420741f5f31d699209cb495
SSDEEP

49152:3HTDMwebpsC3IhttAhpgjRjU6x4JiPakqZnbnOJAVmT4PYkpTPwkD8jyX4Owa:3HIpL4hwhYQ63akQEA4MPYk14kD8j+wa

Score

10^/10

globeimposter bootkit defense_evasion discovery evasion execution impact persistence ransomware upx

Malware Config

Extracted

Path

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\0C0A\__READ_ME__.txt

Ransom Note

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins https://paxful.com/buy-bitcoin https://bitcointalk.org/ [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: 9*2[0uua#UL7^imrr!HZ67h$1seq7[kXgVW).]O$iGNG42CRKP3j:T9f`WJ?o0uge/7T&Hk;,7sY%PoIdD BW'0?>Kp>aQ\+07!2`E)[m(Z(7=OS'gB"FUd3`#aDM5=7aoqacA(5`TZg^Rt86bYYn3iY<>[T,$oRA(9lI ARlCsS1#8aS+N/#&&KQF5u5\?5`Y<\Z=&^@!`V!cY'fe"BEJ=C1D><q8$7GeV5;QZ9SKfZ9-I5:Va4NAR* K2T@dqi4o)g!![QWZ@F>^m9f&%GU(;AAeK21Zk1)P^2_\O'Gb+*AJ8d""c&,%PnfIJ!h.'N$TY%=@,V

Emails

[email protected]

URLs

https://paxful.com/buy-bitcoin

https://bitcointalk.org/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Globeimposter family
globeimposter
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2784 netsh.exe

pid	process
2784	netsh.exe

Executes dropped EXE 21 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exeHEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exeHEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exeHEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exeTrojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exeHEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exeTrojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exeTrojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exeHEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exeUDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exeHEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exeTrojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exeTrojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exeHEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exeTrojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exeHEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exeHEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exefuba.exefuba.exeUDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exeabgrcnq.exe

pid	process
2836	HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
2964	HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe
3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
2856	Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe
1776	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
2956	Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe
1660	Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe
3036	HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe
2860	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
2852	HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
2932	Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe
3068	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
1944	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
1220	Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
3044	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1032	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
272	fuba.exe
1764	fuba.exe
2672	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
2516	abgrcnq.exe

Loads dropped DLL 9 IoCs

Processes:

WerFault.exeHEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exetaskmgr.exeUDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

pid	process
3048	WerFault.exe
3048	WerFault.exe
1032	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
1032	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
2868	taskmgr.exe
2868	taskmgr.exe
3048	WerFault.exe
2672	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
2672	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

Unexpected DNS network traffic destination 16 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	185.14.29.140
Destination IP	185.14.29.140
Destination IP	178.63.145.236
Destination IP	37.187.0.40
Destination IP	128.199.248.105
Destination IP	178.17.170.133
Destination IP	128.199.248.105
Destination IP	95.85.9.86
Destination IP	178.63.145.236
Destination IP	95.85.9.86
Destination IP	37.187.0.40
Destination IP	178.17.170.133
Destination IP	178.63.145.236
Destination IP	37.187.0.40
Destination IP	178.17.170.133
Destination IP	185.14.29.140

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Explorer.EXETrojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\{331A8899-4337-F1B9-BCD5-B57EB88B3418} = "C:\\Users\\Admin\\AppData\\Roaming\\Fehewe\\fuba.exe"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe"	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

Drops desktop.ini file(s) 14 IoCs

Processes:

Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

description	ioc	process
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

Explorer.EXEtaskhost.exeDwm.exe

pid	process
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1104	taskhost.exe
1104	taskhost.exe
1104	taskhost.exe
1104	taskhost.exe
1164	Dwm.exe
1164	Dwm.exe
1164	Dwm.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exeHEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exeHEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exefuba.exeUDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

description	pid	process	target process
PID 3040 set thread context of 1944	3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
PID 1128 set thread context of 3044	1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
PID 1776 set thread context of 1032	1776	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
PID 272 set thread context of 1764	272	fuba.exe	fuba.exe
PID 2860 set thread context of 2672	2860	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe	upx
behavioral1/memory/3036-65-0x0000000000400000-0x0000000000586000-memory.dmp	upx
C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe	upx
behavioral1/memory/2964-49-0x0000000000400000-0x00000000004FB000-memory.dmp	upx
behavioral1/memory/2964-933-0x0000000000400000-0x00000000004FB000-memory.dmp	upx
behavioral1/memory/3036-977-0x0000000000400000-0x0000000000586000-memory.dmp	upx
behavioral1/memory/2964-2505-0x0000000000400000-0x00000000004FB000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	process	target process
3048	2956	WerFault.exe	Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exetaskkill.exeTrojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exeHEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exeTrojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exeTrojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exeHEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exeabgrcnq.exeUDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exeTrojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exeTrojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exeHEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exeHEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exeHEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exeHEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exeTrojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exeHEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exeHEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.execmd.exetaskkill.exeUDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abgrcnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2304 cmd.exe
2756 PING.EXE
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

2704 vssadmin.exe
2484 vssadmin.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1596 taskkill.exe
1600 taskkill.exe
1572 taskkill.exe

pid	process
2304	cmd.exe
2756	PING.EXE

pid	process
2704	vssadmin.exe
2484	vssadmin.exe

pid	process
1596	taskkill.exe
1600	taskkill.exe
1572	taskkill.exe

Modifies registry class 6 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2756 PING.EXE

pid	process
2756	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 14 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exeHEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exeHEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exeHEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exeHEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exeHEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exeHEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exeTrojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exeTrojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exeTrojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exeTrojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exeTrojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exeTrojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exeUDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

pid	process
2836	HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1776	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
2964	HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe
3036	HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe
3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
2852	HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
2856	Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe
2932	Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe
2956	Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe
3068	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
1660	Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe
1220	Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
2860	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeHEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exeHEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe

pid	process
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

7zFM.exetaskmgr.exeExplorer.EXEtaskkill.exetaskkill.exetaskkill.exevssvc.exeUDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

description	pid	process
Token: SeRestorePrivilege	2532	7zFM.exe
Token: 35	2532	7zFM.exe
Token: SeSecurityPrivilege	2532	7zFM.exe
Token: SeDebugPrivilege	2868	taskmgr.exe
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeBackupPrivilege	2744	vssvc.exe
Token: SeRestorePrivilege	2744	vssvc.exe
Token: SeAuditPrivilege	2744	vssvc.exe
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeDebugPrivilege	2672	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

7zFM.exetaskmgr.exe

pid	process
2532	7zFM.exe
2532	7zFM.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe

Suspicious use of SendNotifyMessage 50 IoCs

Processes:

taskmgr.exe

pid	process
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exeUDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exeabgrcnq.exe

pid	process
1220	Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
1220	Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
2860	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
2516	abgrcnq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeHEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exeHEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe

description	pid	process	target process
PID 1880 wrote to memory of 2836	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe
PID 1880 wrote to memory of 2836	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe
PID 1880 wrote to memory of 2836	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe
PID 1880 wrote to memory of 2836	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe
PID 1880 wrote to memory of 1128	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
PID 1880 wrote to memory of 1128	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
PID 1880 wrote to memory of 1128	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
PID 1880 wrote to memory of 1128	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
PID 1880 wrote to memory of 1776	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
PID 1880 wrote to memory of 1776	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
PID 1880 wrote to memory of 1776	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
PID 1880 wrote to memory of 1776	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
PID 1880 wrote to memory of 2964	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe
PID 1880 wrote to memory of 2964	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe
PID 1880 wrote to memory of 2964	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe
PID 1880 wrote to memory of 2964	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe
PID 1880 wrote to memory of 3036	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe
PID 1880 wrote to memory of 3036	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe
PID 1880 wrote to memory of 3036	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe
PID 1880 wrote to memory of 3036	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe
PID 1880 wrote to memory of 3040	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
PID 1880 wrote to memory of 3040	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
PID 1880 wrote to memory of 3040	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
PID 1880 wrote to memory of 3040	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
PID 1880 wrote to memory of 2852	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
PID 1880 wrote to memory of 2852	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
PID 1880 wrote to memory of 2852	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
PID 1880 wrote to memory of 2852	1880	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
PID 1880 wrote to memory of 2856	1880	cmd.exe	Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe
PID 1880 wrote to memory of 2856	1880	cmd.exe	Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe
PID 1880 wrote to memory of 2856	1880	cmd.exe	Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe
PID 1880 wrote to memory of 2856	1880	cmd.exe	Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe
PID 1880 wrote to memory of 2932	1880	cmd.exe	Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe
PID 1880 wrote to memory of 2932	1880	cmd.exe	Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe
PID 1880 wrote to memory of 2932	1880	cmd.exe	Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe
PID 1880 wrote to memory of 2932	1880	cmd.exe	Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe
PID 1880 wrote to memory of 2956	1880	cmd.exe	Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe
PID 1880 wrote to memory of 2956	1880	cmd.exe	Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe
PID 1880 wrote to memory of 2956	1880	cmd.exe	Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe
PID 1880 wrote to memory of 2956	1880	cmd.exe	Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe
PID 1880 wrote to memory of 3068	1880	cmd.exe	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
PID 1880 wrote to memory of 3068	1880	cmd.exe	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
PID 1880 wrote to memory of 3068	1880	cmd.exe	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
PID 1880 wrote to memory of 3068	1880	cmd.exe	Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
PID 1880 wrote to memory of 1660	1880	cmd.exe	Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe
PID 1880 wrote to memory of 1660	1880	cmd.exe	Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe
PID 1880 wrote to memory of 1660	1880	cmd.exe	Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe
PID 1880 wrote to memory of 1660	1880	cmd.exe	Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe
PID 1880 wrote to memory of 1220	1880	cmd.exe	Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
PID 1880 wrote to memory of 1220	1880	cmd.exe	Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
PID 1880 wrote to memory of 1220	1880	cmd.exe	Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
PID 1880 wrote to memory of 1220	1880	cmd.exe	Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
PID 1880 wrote to memory of 2860	1880	cmd.exe	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
PID 1880 wrote to memory of 2860	1880	cmd.exe	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
PID 1880 wrote to memory of 2860	1880	cmd.exe	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
PID 1880 wrote to memory of 2860	1880	cmd.exe	UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
PID 1128 wrote to memory of 3044	1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
PID 1128 wrote to memory of 3044	1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
PID 1128 wrote to memory of 3044	1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
PID 1128 wrote to memory of 3044	1128	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe	HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
PID 3040 wrote to memory of 1944	3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
PID 3040 wrote to memory of 1944	3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
PID 3040 wrote to memory of 1944	3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
PID 3040 wrote to memory of 1944	3040	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe	HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1192
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00307.7z"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2532
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe
    HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2836
- - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
    HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
      HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe
      4⤵
      Executes dropped EXE
      PID:3044
- - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
    HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1776
  - - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
      HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1032
    - - C:\Users\Admin\AppData\Roaming\Fehewe\fuba.exe
        
        "C:\Users\Admin\AppData\Roaming\Fehewe\fuba.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:272
      - C:\Users\Admin\AppData\Roaming\Fehewe\fuba.exe
        
        "C:\Users\Admin\AppData\Roaming\Fehewe\fuba.exe"
        6⤵
        Executes dropped EXE
        
        PID:1764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_ddd0e7e8.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
- - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe
    HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2964
- - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe
    HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3036
- - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
    HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
      HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe
      4⤵
      Executes dropped EXE
      PID:1944
- - C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
    HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2852
- - C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe
    Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2856
- - C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe
    Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2932
- - C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe
    Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:3048
- - C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
    Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /T /PID 2856
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /T /PID 2932
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /T /PID 2860
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1596
- - C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe
    Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1660
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:1972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet && bcdedit.exe /set {default} recoveryenabled No && bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        
        PID:2888
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:2704
- - C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
    Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:1220
- - C:\Users\Admin\Desktop\00307\UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
    UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:2860
  - - C:\Users\Admin\Desktop\00307\UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
      UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2672
    - - C:\Users\Admin\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
        
        C:\Users\Admin\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2516
      - C:\Users\Admin\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
        
        C:\Users\Admin\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
        6⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        /a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
        7⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
        8⤵
        Modifies Windows Firewall
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
        
        "C:\Users\Admin\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
        7⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        /a /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\Desktop\00307\UDS-TR~1.EXE"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2304
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2756
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2484
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\Read___ME.html
  2⤵
  PID:904
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:275457 /prefetch:2
    3⤵
    PID:2240
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:799748 /prefetch:2
    3⤵
    PID:1584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16934336651667685074894507278-923555768-1045624894-1946162346-16879155401291696692"
1⤵
PID:2436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b18ce6d1f972f0404068b6a62fd6af2

SHA1
d9d712518e90148ac81dfc830d09f43e337be0b7

SHA256
cee58ebbc9b7ee0771be968128367df21e732c3f6d6019ffad140f1804c96a2e

SHA512
9eff53273a43b0b87ff793903ac55eec03bb1d830896d4e138203253eabcafd06a69f15a70483a742dd72172be9d4b31c3b08522396a9c0964d653120f804008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61d63263777be413d2ce5142755f13e1

SHA1
af120f1b1d0652f6ba86ac3c58d75c34926e9df7

SHA256
c72a6297f7cc88bbda66645435df795ca7fbf03611fb0dcb5f3839457afdec5c

SHA512
7d035426c807c360576fc68970a51ec8996b9c2f543d64ad39360e9e7c451eb17a95f92a65e3c8743d8d8e3232e91c010dcb232fe42cf96b3efbe0dc1fa18aed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27a4b4540dd8a5b0489df01fbc7b7ce7

SHA1
2cf75334f06b68d54195d2e70d3ff99f208b3cb0

SHA256
d697082e9e874dcf9ef906866960242fb2c9890314a985abd2c430c269bd1eb4

SHA512
b81beafcfc52b547e7ac9f3fa1e7dedc4b584f9c6e153a02176bb8c05ef9fdfeecbd19eae415ff54c0499e29b2d844c9593193db6531896c9bbf4f60a70f71d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a926ff8c844d2212ebe26cfd13b453a

SHA1
46a70dd9395521f0261fb8f57201f4e31eaa2a6d

SHA256
c01774ac7d0b9d746792bcc65861059efcc8c1c67b2131e98999fea774b9dd34

SHA512
67003bc62be92e4699d4fa7eea90ac99763f208818eb7439bb563ff95608bbccfaf2f57f67e7eaf49eddc37a61145012887c93afb0aac49baa28a3231efa89d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c609cab0296fdc725fae68126a937c5

SHA1
a8c9debd9a1b30059a524a9d7fc61fa0dc91e2cb

SHA256
e66b2ee850f5a8d5abb4dd7ecfda296943f414e25ba4f9195178939128f016a8

SHA512
bff9122b046c545b690b550e98588f5614ed95ee9fe04fde7e0ff06e314c8b416ef96fa03331d8ac8d160f7f5004559a8cdcef5a1892181081f5893656703e8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54a714ada38abc78775dbb6144f355ee

SHA1
2e1e0dce0b1faba7f42cf62730a513dfae605e77

SHA256
9c3eca57420946e6841a4a5176543079afce0b7990d79782140895875ca31ecf

SHA512
cb5d00bcd389961d76db06bf2a6a4857b762d896594f284af074e4c21757177b36f929a5b1adb3f2b09cf65772b30367b55e6d5ed81d1be327003ad0731b96b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a97ad2853337e4374907851c1b76e17

SHA1
9d11f52d9bc28ca13efe6672fb14a840ee8104c6

SHA256
5b6070a8555ca39dd0d83117eb1f049fc247a50b8f94a5869a5844e164a944a2

SHA512
8a89fbe2bec3f9e86d1fcb2407ff6a3308afaa809005a107980f1d52d37cf0e41286deeb204f2cb1e9bee09ece1e34d83bdac39b0291699e6790821395eccb4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b90e0202650e5949f8649e6459b4ce99

SHA1
1d2d88f640ac2c8740915c4e315fd58da22f05dc

SHA256
87a4951d51ddf9e2a26d9a718435036a9684c03b5e0e129150c797fd206a1658

SHA512
b014dd413b79a6941d5aafc6227093dd92da308f261202dd8fc3cb94262d8ef1a3203cd8a1b22bb828fa2ccc1bd424012a85b75773ca969eecdbdf5d7b6c9bec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91f22aae19c8c2a804571ae29d4fcc5c

SHA1
8e6736c64c91e7277594687dba5dfb1f76c32c6c

SHA256
f628cacd60774094348d3fc809ad39b520af5b4e22d282ec7b82ef5e29478a50

SHA512
f6dbeba2a207d3dbb41920d2965669f5b3851eb1353035cf954f873474311fd53748b766803a57d590f93339dba9595183e16a8c56924156f501dccff4caadfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0af8d32145b21af1d5f0575a4d9cfc94

SHA1
fc32d541ed4e6cdce22d6f7847a7f23465735ed8

SHA256
1bc5bc853ce3fa97d13718ef3829f2f718ece30c55e1a7938ce6ee169bd8002b

SHA512
e51850d81e86cbfec63803f547109c7ff4392043b17374761bee2ead911b69886a76132141691ac2b0a9b41cbf9726338037161e30dda5e7897b61d2288ae691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ebf3269d62cdcefe0b90fb2bfe8765a

SHA1
c4eb5c4c9b8000d89e0172c19552415fbe33de7b

SHA256
f59e95f90200b0ea9de53df807b0930b440c43a7cb6f6c2160643cbf5917a8ff

SHA512
78d09a5453835a9085b65f278abf9213846eeeb2d423018ad86c8e1073e1519e9af43de624eacd1d602bf7cad0071560f81d45b372f1b5dfefbd7eed4f2ec599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83ee66fa9b243f7b99fe5a472b4ad6e5

SHA1
980ea74147aedc0f8ccb66942220953d655d6021

SHA256
d8e79a5dd4990f5b6f3a996ad4fbb58a9109b8f5da3a44f618aed45e2804e923

SHA512
f9e12f40a14839741ee170abab8265e9b77136ee88c0120c908977e6fccd805bfad3ba87b69956fa658bfe65c8280cfbea516f4c08c9ac8788f7cebe124205ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
647dd5aab5516144ce1ea0802043864c

SHA1
6a4fbe2d6f0edf1f3ca541f51065500ba79cb420

SHA256
27a9e61d2f42c89db366d1d1a4889976809b7a96cb0290ac125334412bcd95b2

SHA512
db9cd6734c7556b252b6976cf1d57275ae21c28bb597636622b0124d963e818fd57eb3bb59fa9dbb3104a334960e614436846d3f1b4865b92b7f195220584a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1845.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1FB7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ddd0e7e8.bat

Filesize
364B

MD5
e8bf6066b6d46fd357ff34d421b19dd3

SHA1
c07ba5e4d891caa8f789daf394ae1e4711edeebd

SHA256
ec50ba372b99ca3f81f2541a3f4a02a4ce67a1e4ee9d6a1b8fedd324b1af0b06

SHA512
b8638fd496571e80c6d5ee7709eb2f2d044824ab0d79ea62865f846b78b2f81dc8fe593109bff03319526d2460c712c16c011ec1dcfa350284f1e84e0e021702

Download Submit
C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Foreign.gen-85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242.exe

Filesize
716KB

MD5
faa3989b7d9f646b33c0766e961588d7

SHA1
8cf06215e8fcc8c924fff53932c12a7ba8e51f18

SHA256
85b16ccd1d3e8c27eab6c704db4c5d66b0bf92b425b509d93b5d7a97e6ced242

SHA512
069ecbe76e92b8af5380a86b6297a39cc2e8378079083a620fc423cfb201dcb52a1a57b30c09c605dfc3e91a36b0fc0e883e82c0282863e17ed2250ccaec4779

Download Submit
C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a.exe

Filesize
134KB

MD5
05918313e9863b3a472bc17d3daa16d2

SHA1
8fb4638326603c21a6f5e8541a9ad683aa38dbdd

SHA256
0f7031df81722f0ddc823ce874f69eba846cfffe90653b3e87e44407be08bd7a

SHA512
7171ba1ea67f6932a8cb8b62a25ce6be2d4676bb2a10697482690418853d3eb89043c62f7fcf2f6dce81b5237f6e9e949da9f2812ecd4291744fffa639b9dc7b

Download Submit
C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07.exe

Filesize
184KB

MD5
f61e0e7182ea80b6d37739f44db1acb3

SHA1
85cc15b74ace6db765b59d7eb6e1572a2315d1bb

SHA256
4e0b4099a0308359052d63224feb6307ff5b18cc6d997418b2789b2c6d691a07

SHA512
b350dc292ea9492088c7571274c3577a59ffeeea8ea2b0085af7ccb48528ffc9d4515911013971a76edc3484fd448163f3323f981089ccdc2d484eeadbe7417c

Download Submit
C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238.exe

Filesize
411KB

MD5
d079b02b6a21bc70f10e60c20394bec6

SHA1
8bc1ec67d99180524327c1dddb1f9912d04dc414

SHA256
8730a228e70d039515b3390186f207028a337a64fdf7545be554933797945238

SHA512
78caf4c14185c67746dd7daf947cb561d77e37a236dce73c6e0713aabb5dffa7c3f22bb51fe8d3792d82fa8960c594f86bd71eb4949b2974daacbda8ef67980c

Download Submit
C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026.exe

Filesize
704KB

MD5
cb40c157e93e8013af5447c28fd3b942

SHA1
16b0df235b3954c6e6b96f7aecc252f22bc021db

SHA256
b8d074da8531b10cee3844431f8502da1a3932586fb6fa82da7a38da44409026

SHA512
d4bf092e3c911aeed4f88d2327ee9300fb3cc7501ab85e47596fb620dd40667265ca05b29f2fba3eac6ba15b0c19d66b185ab214eb7ef7a68349bb4d5fa3303d

Download Submit
C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c.exe

Filesize
134KB

MD5
181761d6d7e12ee24173235333c0a9dc

SHA1
dd7ef3a8903d35d5e0d2f1423d725c1f2e082f12

SHA256
f60bc94cb1851bfa389028e220d94629346171c8c5606579b332d3c64062ac1c

SHA512
622b84ebbc5697818c314ac4a4874c689800415eddf4a677027201ce8d2134014b18fd901f9111812f2fdc8b5b7fcd8050ac7d8fcb9b9b756b384daa2425f3fb

Download Submit
C:\Users\Admin\Desktop\00307\HEUR-Trojan-Ransom.Win32.Generic-f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759.exe

Filesize
509KB

MD5
c8e9e658f5b14994e2eb9085bce2767e

SHA1
61e4e25c673288cad9d6d6c42663b2b9bbb36ac2

SHA256
f76346098898a9dd5c8fbd9cf498a95786bc22a6a83713040d029276ac276759

SHA512
91832fd9059b9f35318ac1aa508c5c368427d2909faa1dd492998d0e4da5fa7bb135a374fc8fe9854adf8f88cc7eaeff75ca1acc18cdb8ad2918ce0df1b99738

Download Submit
C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Blocker.kqmw-b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08.exe

Filesize
792KB

MD5
ff3facac4f470297b63b9076a5793cd2

SHA1
1ee8d74bc3f9a8390a31a163276de9c3356558c7

SHA256
b48aa369cc602c73b1b8e1acac971c22176bf7eb72d51d8eea386342c1243b08

SHA512
24bc19111339b6c54433438aa93e9f69814c93725fa04d089741d63dfa6500478a81c8d6de68c99d5552b573d5bc72641e0f893b92ec817f399695f35d6619d6

Download Submit
C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Foreign.nxll-e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5.exe

Filesize
420KB

MD5
fcbe45d42b2134331496c74fca78aef9

SHA1
d91d93a90cd5110b44533c068031c1cd0a8372a8

SHA256
e1b14fc4d2cc073d99db38053c79ab0ce01ccb530efcb3474d0c921c0a932ac5

SHA512
52f646c8fe967cacd8f01a8ab850fdec66032e1336d3a470a8663315f30a6e345779e978c913f965e987533c67fb033afb54a5ea6e325a9a4c0de90e2e06cc9f

Download Submit
C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Purgen.agk-c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

Filesize
170KB

MD5
b0ee9dae7de7781ea809278c48c310a5

SHA1
28be65219441d78399027aa42c9cc7456ee67130

SHA256
c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8

SHA512
5b954dd7bd05549d8f29b720db615b4e79cf07a41efab7ed765eb8533ad429c0d351e610900fbc6ee8f1dc5f2c8c10e53a494a4f9ec8ffd54444a8ab0c2bd8ff

Download Submit
C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Purgen.pq-533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4.exe

Filesize
769KB

MD5
c19db88b3bbb71db0a4d24616f172479

SHA1
96a33da03e0cf51eb12989082c0a58bbac211bb1

SHA256
533db3a810e61411433af9a04835a0c44388f80f157ff055c71a0e37c1aff5a4

SHA512
f880b8514ae43e718591e315642b7e4ce8c0a001dcebc9a78d77ce88548d755002903e6aa3d5190cbdfbed1ecfdd36f755c3988eeace693c690861c814427c57

Download Submit
C:\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Wanna.al-3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9.exe

Filesize
180KB

MD5
9c7c7149387a1c79679a87dd1ba755bc

SHA1
828001f20df60b6af286593c37644d39e5a6122a

SHA256
3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9

SHA512
aa13bbd5b55be305f0dcd9bd5f6c43410219e3d889bd86d66f5644f2e12f4656c103179fa18a021e29a1f7294c7d7908164ef2fe8e26ff327acb6fd79fc1c4f8

Download Submit
C:\Users\Admin\Desktop\00307\UDS-Trojan-Ransom.Win32.Blocker-2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4.exe

Filesize
224KB

MD5
4bf22cf6898a7c3af690faaea01894e0

SHA1
78e6977344a32419f96d1f228b8efb6a288882b4

SHA256
2c0e9febb73947d77870278d08d58b787b60b6cf7f620c41dee6e0691cd04bb4

SHA512
695ad8a7eef0f0fa3c20d3afb4cd0f1cc18f6d20206771ae2552cbfee52f49f66a8d4ebd28c25c031888501323a549b9a630b21810aaf4fc435d4a5e6929de69

Download Submit
C:\Users\Admin\Desktop\PopPublish.xlsx..doc

Filesize
12KB

MD5
0a259d4ac92477911c8c59b21ab2455a

SHA1
e0c93afbc91890fe228a6fe745a17cb9b2ee7a43

SHA256
fc6c1b2e3005c499ea84a4ddd8eb3996377e2a41cbdfab8efdab8f235b6a7897

SHA512
d7aa3957f11a6aee7e09a5a9dccbcc7b9ec8494cde6fea2407c561e95dc32537eec51bf7054fc4056b80934f2a54b72987005083962728ef78c04170da1efa6c

Download Submit
C:\Users\Admin\Desktop\RenameNew.mpe..doc

Filesize
400KB

MD5
43d38d819c209d889e93b03fd11e6198

SHA1
25065ef518898c96c53272f7afe1899ea58ccd78

SHA256
7b15782701ff77e48d4255a3b970c46604041754b1c7521c70891f01cb52bd03

SHA512
54a539173dc4508ce2c5137a094d14341552f0e04ccf63695cfc35b6ba8fd80a56335d3ba84982cc70b2e51694c84e3de287fdadf6663dea9fba67e56066ac9c

Download Submit
C:\Users\Admin\Desktop\RequestAdd.xlsx..doc

Filesize
13KB

MD5
83b7ee5e57523617ef9620e2b82dae5d

SHA1
4959c9716154d4bae78226eff6e1cc154491ec0f

SHA256
a47457fe55ff539c2b9ebdb2bf6aefa5327936827b44ded6b84c20fe18efc517

SHA512
56ad2dcd38afeffdc2d7acbf5150d0091038a0be93e7e7663778a9d9e138d7b7ae28463fa84f4ae31a32b179f63bd9615fc6806870355852be923b878add2f3a

Download Submit
C:\Users\Admin\Desktop\RequestInitialize.ini..doc

Filesize
766KB

MD5
eba52502706c1a9740cdde0189357a10

SHA1
789e36a534ef2ea2541470d662ed64a1484dcd2e

SHA256
b13dd6b3088d590cd9586ad384c6febe5099f0248f379c36de56a9202bd1be54

SHA512
33af75dc6f7d5ac58bb751ef5469d118df8a47ba69b511b12837154502336d0d69e667f7d82c2b34070e6008d8748da55e2e2b0f03415db2abd69d27640a346a

Download Submit
C:\Users\Admin\Desktop\ShowBackup.dib..doc

Filesize
333KB

MD5
8e35042232831b24550b3b61edcd0b24

SHA1
eafed1d2e54d729dbed8203862a80685f5686794

SHA256
5621362e3dc1df27c8ced99a6101bcdc06c900f563fa826a83340fc0240a0ea2

SHA512
1de329d9e50eadcd8622a668d40116d05e18a7e2abd29806ee4c0806fe8c45b35e5415d69ecb7d9598e3c710cdc90d610eea37dc280a85f7491b1cb314d28909

Download Submit
C:\Users\Admin\Desktop\SuspendConvert.mp4v..doc

Filesize
533KB

MD5
1235423291f409e9fdf23907560d61ad

SHA1
c79d02458b8aeebe92c9d61cb21bd4cd5e1761ef

SHA256
874fca24ecfdf31c396c81da42615b28380924de94e41da3296864c0877448cb

SHA512
55c5d15f14cc3b1c1975e260dacff742eef9b9d2d3ff95384087d06265b205e9e70f681c7db025406fb02612372e1c6dcef2a8b0e208f0b18189b4a424f2d34b

Download Submit
C:\Users\Admin\Desktop\UnblockRename.WTV..doc

Filesize
699KB

MD5
48f603a8a100eb28f7ddd8451959f2ce

SHA1
4cf2d5ce222e3158467dde8407bae5412b7be856

SHA256
944e8780c7d0022d9b44b7973e2048f2ad8db58b592fd0e6c3e18c1163956f57

SHA512
25bd5f5089be1b408f020e7245bbe31da1043c7cc5f4f4de3500e501060ec106ba51c34e63cc21656e1d947c8ce69a59f5760539ffad081301bd22983220776c

Download Submit
C:\Users\Admin\Desktop\UnregisterSwitch.M2V..doc

Filesize
866KB

MD5
67bad582625fd977c0d2a19cd3774a0d

SHA1
267109fe7fd75ad9e6a5b2e611ce68a8f7023478

SHA256
85104cba8c26f50e54221535140ce92d6fca046ba91eb983d566b6a3b17bf042

SHA512
01836a428dc5ff7c655252ea37a6dea8841ca6b84c95ecf01296d834b81638af22d8a2d714b0371a5da424ae47420574d3bc716b4eb5705a537bc4598f4cc482

Download Submit
C:\Users\All Users\smartcontroller.exe

Filesize
792KB

MD5
055db42416b532e40f07c14a61f2b046

SHA1
9fd50672fbc8f8d46cb991b79755323b4e09ce05

SHA256
7f07d2612cc708eec8808dc68facac0d657b05bfd6ff3b6c259ac737cb939769

SHA512
295779dd3a2a1a8eec280a1f7b286f060405103991f6eaf598d89a94eaeeb3c3280335067de2253aef8a38366b46fa6cde4b7c0ce467ed15731a4b468803627f

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk..doc

Filesize
2KB

MD5
afe945f86f96ac26f1c762c08a8e2643

SHA1
bd0a6459efc65c74785c9c49fc9e99eae8a94cd1

SHA256
430bf0b059abd16230cfcd38ce2703845dfe6d4dfd32f8a814d077febaeb22a8

SHA512
09a2b0ea593a4ae9bcfc33085532dbea51e73c984cf8c36e18b8e7bd630f984e2eeb3bbec11c9888dfb37ec7d77faf8e519ff5695a52d1b037c9e0fb557aa489

Download Submit
C:\Users\Public\Desktop\Firefox.lnk..doc

Filesize
1KB

MD5
b7af3db74af7ec445766bdc48775f5a0

SHA1
c45ceeb04e0a4c3e791b0c1f53a69bc6c90fb32f

SHA256
503995b1504c45266861b2c6ac07bf9e8a25886b91c6abd2de14337cb264df27

SHA512
e19c611434954b1f57c056f3d78178495095b6e048e68298ade7be31ebc65509e175808f65f5dc62a8d15a1490498c67d117bc70ad5b0d4643c69f077cf30b33

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk..doc

Filesize
3KB

MD5
291ab7a19f35bc4580a3be73a4089123

SHA1
e54b245344157b157263b460645cb0dcb8a93974

SHA256
e2d95febb453e0a60770e6a4a62902682ec63d8c57696a0b0789609672a4ec76

SHA512
62225492040744bf126923dd7fd63af2157449940a57221806d2618ce96efd6a8a5f1c0c9afa848e0dda8ac5f9171b663f63ba6f82b1fd363cc6925d024e2e18

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk..doc

Filesize
1KB

MD5
038f39ebb669babcd26526c461d6f478

SHA1
1388125de72d1161b2250de77b9980bb97b42f89

SHA256
38917d9993dc7dd70e606f36cb89319f23786ef0dfd8051682d69f691cdffddf

SHA512
d05327d133c70969fda5e76f639385222925a479e400d09b144fa568569486d33a6cc2624334b26d83d39f1bb613c3a56f614602a04559aed53e2ba3f36d0cbe

Download Submit
C:\Users\Public\Videos\Read___ME.html

Filesize
4KB

MD5
7b7f0ae0ef1f0fb2ec8591db4aac20b0

SHA1
3661d6d42b16afcadfad7c3c98dcba391129338a

SHA256
28153db0ba252bd74b87a615b8e56342fcec6a7613e954bac749050f65259f7e

SHA512
0007a9a4919e98629f788bb4a3aaff25d09f84355c31decd44eacdcdfc84b37501e11bc7915fad4c802e1ff8a2b7a1d259bed7d56316098beef5a73c29ee18eb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\0C0A\__READ_ME__.txt

Filesize
1KB

MD5
4608c212f54a203d1c6ffe24d9035d08

SHA1
e82b93b884f5c5ad88d055a30b0201db30e3ce39

SHA256
bf40bc7770cefcc8769750cb46b3acb2cf2130459c3f4a858e051d76ae4a6960

SHA512
a77cd6aa05b989ca5d89f32a8e2127d6b43ff74ae55b6d42abb9ad445becc3b9ff287a33e05fb6aff130771f1ecc2435d9d44d560e21743b562857ce3a428bbe

Download Submit
\Users\Admin\AppData\Roaming\Fehewe\fuba.exe

Filesize
67KB

MD5
5a60e8a67a6c261279c3161ee2233885

SHA1
d007f232637ceb46b33f24eb1e55b5aa4b8b5d04

SHA256
927c8cbf217772cab9e7ab63f833e0b63799acde1a652159c7ae2ede8d47062c

SHA512
805c703ba947e225f0db57378a3b7fbe603d5af08e84b28783d36b2ba2739f5e86a502e6305b3605eed6afe8f5d3b6228932a3208e89b9b552b4ae318e7e2b22

Download Submit
\Users\Admin\Desktop\00307\Trojan-Ransom.Win32.Locky.adjs-6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601.exe

Filesize
147KB

MD5
5fd584e53db08dccc1d3497db8a8848e

SHA1
ee2087a20f541ff0fe7b76c5b8049fb7171e239f

SHA256
6ecdf583a03203295e308afe3238bcd3c29e1e2687783cb15bb72a0cb5a41601

SHA512
841d789da65ec433021bbe250e078f2d67d0a998f057e91e883ae9c9010757082420fc9d032f911395d6f885cafba01364498c42810338d2ac68d2efcce84957

Download Submit
memory/272-91-0x00000000004E0000-0x000000000057F000-memory.dmp

Filesize
636KB

Download
memory/272-100-0x0000000000790000-0x00000000007A7000-memory.dmp

Filesize
92KB

Download
memory/272-94-0x0000000000A80000-0x0000000000B89000-memory.dmp

Filesize
1.0MB

Download
memory/272-93-0x0000000000660000-0x000000000078D000-memory.dmp

Filesize
1.2MB

Download
memory/272-92-0x00000000001D0000-0x00000000001EF000-memory.dmp

Filesize
124KB

Download
memory/272-90-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/1032-95-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1032-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1032-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1104-117-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1104-115-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1104-113-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1104-111-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1164-124-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1164-122-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1164-120-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1192-129-0x0000000002D10000-0x0000000002D27000-memory.dmp

Filesize
92KB

Download
memory/1192-127-0x0000000002D10000-0x0000000002D27000-memory.dmp

Filesize
92KB

Download
memory/1192-131-0x0000000002D10000-0x0000000002D27000-memory.dmp

Filesize
92KB

Download
memory/1312-134-0x0000000001CD0000-0x0000000001CE7000-memory.dmp

Filesize
92KB

Download
memory/1312-136-0x0000000001CD0000-0x0000000001CE7000-memory.dmp

Filesize
92KB

Download
memory/1312-138-0x0000000001CD0000-0x0000000001CE7000-memory.dmp

Filesize
92KB

Download
memory/1764-110-0x0000000001EC0000-0x0000000001ED7000-memory.dmp

Filesize
92KB

Download
memory/1764-104-0x00000000004F0000-0x000000000058F000-memory.dmp

Filesize
636KB

Download
memory/1764-108-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1764-106-0x0000000000670000-0x000000000079D000-memory.dmp

Filesize
1.2MB

Download
memory/1764-105-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/1764-107-0x00000000007A0000-0x0000000000811000-memory.dmp

Filesize
452KB

Download
memory/1764-103-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1764-109-0x0000000002180000-0x0000000002289000-memory.dmp

Filesize
1.0MB

Download
memory/1764-101-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1944-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1944-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1944-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2672-236-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2672-976-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2780-978-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2780-5182-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2836-40-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2836-4341-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2836-654-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2868-28-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2868-5095-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2868-30-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2868-141-0x0000000002620000-0x0000000002637000-memory.dmp

Filesize
92KB

Download
memory/2868-29-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2868-143-0x0000000002620000-0x0000000002637000-memory.dmp

Filesize
92KB

Download
memory/2868-145-0x0000000002620000-0x0000000002637000-memory.dmp

Filesize
92KB

Download
memory/2868-147-0x0000000002620000-0x0000000002637000-memory.dmp

Filesize
92KB

Download
memory/2868-5094-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2868-4974-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2868-4973-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2964-933-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2964-49-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2964-2505-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3036-65-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/3036-977-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/3044-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3044-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3044-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download