Analysis
-
max time kernel
76s -
max time network
285s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-11-2024 19:03
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00290.7z
Resource
win7-20240903-en
General
-
Target
RNSM00290.7z
-
Size
10.8MB
-
MD5
42132159ee3c9fd4fbf8c9658edaa7a0
-
SHA1
4683985b7bf4bbd46e55d938812995b02155c2d6
-
SHA256
6d674c71f84ee952a38f99bdca445e5d4e4282d2c4b7f33c24f9d6808e9c14b5
-
SHA512
abf421f29228016eb8b4731a4af251e637f2ed8c45d503bf690c13cc504824503ab6bdb910c81659204bc97e7b36a3c15e66bb2d268a0e46ed1e0cb592a1dcbb
-
SSDEEP
196608:a8inC/4cRO5sqQYO3IEUmFinGUt4EkeKeK95PWS7G4C/3BuWH8mGg7uBHri80uFw:a87/4cAfO3VUm8nGUe+K3PTVCJu2FGgj
Malware Config
Extracted
C:\Users\Public\Videos\how_to_back_files.html
class="mark">[email protected]</span>
Extracted
C:\Users\Admin\Searches\!HELP_SOS.hta
http://'+s.bp
http://'+s.bp+s.txp+tx
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+iabol.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/15D7381D228031CF
http://tes543berda73i48fsdfsd.keratadze.at/15D7381D228031CF
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/15D7381D228031CF
http://xlowfznrg4wf7dli.ONION/15D7381D228031CF
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVERqmvin.txt
http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/8460CEA76DABAC
http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/8460CEA76DABAC
http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/8460CEA76DABAC
http://k7tlx3ghr3m4n2tu.onion/8460CEA76DABAC
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ibuju.txt
http://ytrest84y5i456hghadefdsd.pontogrot.com/15D7381D228031CF
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/15D7381D228031CF
http://5rport45vcdef345adfkksawe.bematvocal.at/15D7381D228031CF
http://fwgrhsao3aoml7ej.onion/15D7381D228031CF
http://fwgrhsao3aoml7ej.ONION/15D7381D228031CF
Signatures
-
Cerber 8 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
description ioc pid Process Mutant created shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe 1448 taskkill.exe Mutant created shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe Mutant created shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe Mutant created shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe Mutant created shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe Mutant created shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe Mutant created shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe -
Cerber family
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky family
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Contacts a large (8811) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 1808 netsh.exe 2232 netsh.exe -
Executes dropped EXE 52 IoCs
pid Process 2016 HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe 2808 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe 532 HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe 1868 HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe 2800 Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe 2424 Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe 2928 Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe 1976 Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 2948 Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe 1856 Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe 2076 Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe 2936 Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe 2160 Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe 2788 Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe 2976 Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe 2064 Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe 816 Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe 1920 Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe 3016 Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe 2456 Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe 2292 Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe 3008 Trojan-Ransom.Win32.Wanna.zbu-4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee.exe 1300 Trojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exe 2472 Trojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exe 1092 Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe 1792 Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe 992 Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe 708 Trojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exe 1444 Trojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exe 1752 Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe 2104 Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe 2224 Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe 2748 Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe 1076 Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe 480 Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe 988 HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe 2136 Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe 2584 Rj3fNWF3.exe 908 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe 2496 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe 1676 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe 1004 Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe 2092 Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe 524 Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe 2124 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe 2792 Rj3fNWF3.exe 2000 HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe 2336 Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe 2344 Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe 2060 Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe 1932 Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe -
Loads dropped DLL 9 IoCs
pid Process 2016 HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe 2224 Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe 992 Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe 2016 HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe 816 Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe 816 Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe 2432 WerFault.exe 2432 WerFault.exe 2432 WerFault.exe -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 103.25.202.192 -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe -
Drops desktop.ini file(s) 6 IoCs
description ioc Process File opened for modification C:\Users\Public\Recorded TV\desktop.ini Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe File opened for modification C:\Users\Public\desktop.ini Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe File opened for modification C:\Users\Public\Videos\desktop.ini Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/3016-123-0x0000000001320000-0x00000000014A2000-memory.dmp autoit_exe behavioral1/memory/1076-266-0x0000000001320000-0x00000000014A2000-memory.dmp autoit_exe behavioral1/memory/3016-265-0x0000000001320000-0x00000000014A2000-memory.dmp autoit_exe behavioral1/memory/1076-313-0x0000000001320000-0x00000000014A2000-memory.dmp autoit_exe behavioral1/memory/620-1959-0x0000000000D90000-0x0000000000F12000-memory.dmp autoit_exe behavioral1/memory/1076-1999-0x0000000001320000-0x00000000014A2000-memory.dmp autoit_exe behavioral1/memory/3016-2010-0x0000000001320000-0x00000000014A2000-memory.dmp autoit_exe behavioral1/memory/2600-2030-0x0000000000D90000-0x0000000000F12000-memory.dmp autoit_exe behavioral1/memory/620-2056-0x0000000000D90000-0x0000000000F12000-memory.dmp autoit_exe behavioral1/memory/2600-2206-0x0000000000D90000-0x0000000000F12000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 14 IoCs
description pid Process procid_target PID 1792 set thread context of 2748 1792 Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe 69 PID 2016 set thread context of 988 2016 HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe 74 PID 992 set thread context of 2136 992 Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe 79 PID 2808 set thread context of 908 2808 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe 81 PID 908 set thread context of 1676 908 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe 83 PID 1092 set thread context of 1004 1092 Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe 85 PID 2160 set thread context of 2092 2160 Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe 86 PID 2224 set thread context of 524 2224 Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe 84 PID 908 set thread context of 2124 908 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe 91 PID 532 set thread context of 2000 532 HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe 97 PID 2928 set thread context of 2336 2928 Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe 98 PID 1976 set thread context of 2344 1976 Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe 99 PID 2800 set thread context of 2060 2800 Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe 100 PID 1752 set thread context of 1932 1752 Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe 101 -
resource yara_rule behavioral1/files/0x000500000001924f-109.dat upx behavioral1/memory/3016-123-0x0000000001320000-0x00000000014A2000-memory.dmp upx behavioral1/memory/2292-127-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2292-126-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/files/0x0005000000019299-160.dat upx behavioral1/memory/1792-183-0x0000000000FE0000-0x0000000001026000-memory.dmp upx behavioral1/memory/1792-252-0x0000000000FE0000-0x0000000001026000-memory.dmp upx behavioral1/memory/2748-254-0x0000000000FE0000-0x0000000001026000-memory.dmp upx behavioral1/memory/1920-255-0x0000000000400000-0x00000000005EC000-memory.dmp upx behavioral1/memory/1076-266-0x0000000001320000-0x00000000014A2000-memory.dmp upx behavioral1/memory/3016-265-0x0000000001320000-0x00000000014A2000-memory.dmp upx behavioral1/memory/988-287-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/988-285-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/988-283-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/988-289-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/988-288-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1920-297-0x0000000000400000-0x00000000005EC000-memory.dmp upx behavioral1/memory/988-298-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1076-313-0x0000000001320000-0x00000000014A2000-memory.dmp upx behavioral1/memory/620-1959-0x0000000000D90000-0x0000000000F12000-memory.dmp upx behavioral1/memory/1076-1999-0x0000000001320000-0x00000000014A2000-memory.dmp upx behavioral1/memory/3016-2010-0x0000000001320000-0x00000000014A2000-memory.dmp upx behavioral1/memory/2600-2030-0x0000000000D90000-0x0000000000F12000-memory.dmp upx behavioral1/memory/620-2056-0x0000000000D90000-0x0000000000F12000-memory.dmp upx behavioral1/memory/2600-2206-0x0000000000D90000-0x0000000000F12000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\tsrmxyujujgo.exe Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe File opened for modification C:\Windows\tsrmxyujujgo.exe Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2432 2076 WerFault.exe 51 -
System Location Discovery: System Language Discovery 1 TTPs 45 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rj3fNWF3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rj3fNWF3.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2108 PING.EXE -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x00060000000174f8-74.dat nsis_installer_1 behavioral1/files/0x00060000000174f8-74.dat nsis_installer_2 -
Interacts with shadow copies 3 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2840 vssadmin.exe 588 vssadmin.exe 1780 vssadmin.exe 2616 vssadmin.exe 2160 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 1448 taskkill.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 2428 NOTEPAD.EXE 1872 NOTEPAD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2108 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1824 schtasks.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 31 IoCs
pid Process 2016 HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe 532 HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe 2808 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe 1868 HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe 2424 Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe 2800 Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe 2928 Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe 1976 Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 2976 Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe 2948 Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe 2788 Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe 2936 Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe 2160 Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe 2076 Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe 2064 Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe 816 Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe 2456 Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe 1920 Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe 2292 Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe 3016 Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe 1300 Trojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exe 708 Trojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exe 2472 Trojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exe 1444 Trojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exe 1092 Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe 1752 Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe 1792 Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe 2104 Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe 992 Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe 2224 Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2948 Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 2016 HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe 992 Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe 2224 Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeRestorePrivilege 3044 7zFM.exe Token: 35 3044 7zFM.exe Token: SeSecurityPrivilege 3044 7zFM.exe Token: SeDebugPrivilege 2084 taskmgr.exe Token: SeDebugPrivilege 908 HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe Token: SeDebugPrivilege 2060 Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3044 7zFM.exe 3044 7zFM.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 1092 Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe 1752 Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe 2084 taskmgr.exe 1092 Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe 2084 taskmgr.exe 1752 Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 1092 Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe 1752 Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe 2084 taskmgr.exe 1092 Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe 2084 taskmgr.exe 1752 Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe 2084 taskmgr.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2800 Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe 1092 Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe 1752 Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe 1764 Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2292 Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1496 wrote to memory of 2016 1496 cmd.exe 36 PID 1496 wrote to memory of 2016 1496 cmd.exe 36 PID 1496 wrote to memory of 2016 1496 cmd.exe 36 PID 1496 wrote to memory of 2016 1496 cmd.exe 36 PID 1496 wrote to memory of 2016 1496 cmd.exe 36 PID 1496 wrote to memory of 2016 1496 cmd.exe 36 PID 1496 wrote to memory of 2016 1496 cmd.exe 36 PID 1496 wrote to memory of 532 1496 cmd.exe 37 PID 1496 wrote to memory of 532 1496 cmd.exe 37 PID 1496 wrote to memory of 532 1496 cmd.exe 37 PID 1496 wrote to memory of 532 1496 cmd.exe 37 PID 1496 wrote to memory of 2808 1496 cmd.exe 38 PID 1496 wrote to memory of 2808 1496 cmd.exe 38 PID 1496 wrote to memory of 2808 1496 cmd.exe 38 PID 1496 wrote to memory of 2808 1496 cmd.exe 38 PID 1496 wrote to memory of 1868 1496 cmd.exe 39 PID 1496 wrote to memory of 1868 1496 cmd.exe 39 PID 1496 wrote to memory of 1868 1496 cmd.exe 39 PID 1496 wrote to memory of 1868 1496 cmd.exe 39 PID 1496 wrote to memory of 2424 1496 cmd.exe 40 PID 1496 wrote to memory of 2424 1496 cmd.exe 40 PID 1496 wrote to memory of 2424 1496 cmd.exe 40 PID 1496 wrote to memory of 2424 1496 cmd.exe 40 PID 1496 wrote to memory of 2800 1496 cmd.exe 41 PID 1496 wrote to memory of 2800 1496 cmd.exe 41 PID 1496 wrote to memory of 2800 1496 cmd.exe 41 PID 1496 wrote to memory of 2800 1496 cmd.exe 41 PID 1496 wrote to memory of 2928 1496 cmd.exe 42 PID 1496 wrote to memory of 2928 1496 cmd.exe 42 PID 1496 wrote to memory of 2928 1496 cmd.exe 42 PID 1496 wrote to memory of 2928 1496 cmd.exe 42 PID 1496 wrote to memory of 1976 1496 cmd.exe 43 PID 1496 wrote to memory of 1976 1496 cmd.exe 43 PID 1496 wrote to memory of 1976 1496 cmd.exe 43 PID 1496 wrote to memory of 1976 1496 cmd.exe 43 PID 1496 wrote to memory of 1856 1496 cmd.exe 44 PID 1496 wrote to memory of 1856 1496 cmd.exe 44 PID 1496 wrote to memory of 1856 1496 cmd.exe 44 PID 1496 wrote to memory of 1764 1496 cmd.exe 45 PID 1496 wrote to memory of 1764 1496 cmd.exe 45 PID 1496 wrote to memory of 1764 1496 cmd.exe 45 PID 1496 wrote to memory of 1764 1496 cmd.exe 45 PID 1496 wrote to memory of 2976 1496 cmd.exe 46 PID 1496 wrote to memory of 2976 1496 cmd.exe 46 PID 1496 wrote to memory of 2976 1496 cmd.exe 46 PID 1496 wrote to memory of 2976 1496 cmd.exe 46 PID 1496 wrote to memory of 2948 1496 cmd.exe 47 PID 1496 wrote to memory of 2948 1496 cmd.exe 47 PID 1496 wrote to memory of 2948 1496 cmd.exe 47 PID 1496 wrote to memory of 2948 1496 cmd.exe 47 PID 1496 wrote to memory of 2788 1496 cmd.exe 48 PID 1496 wrote to memory of 2788 1496 cmd.exe 48 PID 1496 wrote to memory of 2788 1496 cmd.exe 48 PID 1496 wrote to memory of 2788 1496 cmd.exe 48 PID 1496 wrote to memory of 2936 1496 cmd.exe 49 PID 1496 wrote to memory of 2936 1496 cmd.exe 49 PID 1496 wrote to memory of 2936 1496 cmd.exe 49 PID 1496 wrote to memory of 2936 1496 cmd.exe 49 PID 1496 wrote to memory of 2160 1496 cmd.exe 50 PID 1496 wrote to memory of 2160 1496 cmd.exe 50 PID 1496 wrote to memory of 2160 1496 cmd.exe 50 PID 1496 wrote to memory of 2160 1496 cmd.exe 50 PID 1496 wrote to memory of 2076 1496 cmd.exe 51 PID 1496 wrote to memory of 2076 1496 cmd.exe 51 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00290.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3044
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2084
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeHEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
PID:2016 -
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeHEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:988
-
-
-
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exeHEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:532 -
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exeHEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Users\Admin\Documents\nsghdc.exeC:\Users\Admin\Documents\nsghdc.exe4⤵PID:1312
-
C:\Users\Admin\Documents\nsghdc.exeC:\Users\Admin\Documents\nsghdc.exe5⤵PID:1828
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet6⤵
- Interacts with shadow copies
PID:2160
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00290\HEUR-T~2.EXE >> NUL4⤵PID:1392
-
-
-
-
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2808 -
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:908 -
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe"C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe" /stext C:\ProgramData\Mails.txt4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1676
-
-
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe"C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe" /stext C:\ProgramData\Browsers.txt4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2124
-
-
-
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe"C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe" g753g1 DZTNwSWsp 9083⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496
-
-
-
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exeHEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe2⤵
- Cerber
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1868
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exeTrojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2424 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exeTrojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe3⤵PID:2272
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exeTrojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2800 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exeTrojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2060 -
C:\Windows\tsrmxyujujgo.exeC:\Windows\tsrmxyujujgo.exe4⤵PID:2744
-
C:\Windows\tsrmxyujujgo.exeC:\Windows\tsrmxyujujgo.exe5⤵PID:1612
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive6⤵PID:2924
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00290\TR0FC7~1.EXE4⤵PID:1008
-
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exeTrojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2928 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exeTrojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe3⤵
- Executes dropped EXE
PID:2336
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exeTrojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1976 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exeTrojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe3⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\hypdcybfomwk.exeC:\Windows\hypdcybfomwk.exe4⤵PID:316
-
C:\Windows\hypdcybfomwk.exeC:\Windows\hypdcybfomwk.exe5⤵PID:1720
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive6⤵PID:2492
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00290\TRF7C5~1.EXE4⤵PID:2580
-
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exeTrojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe2⤵
- Executes dropped EXE
PID:1856 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://get.adobe.com/flashplayer/completion/adm/?exitcode=3&type=install3⤵PID:1136
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1136 CREDAT:275457 /prefetch:24⤵PID:1500
-
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exeTrojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1764 -
C:\Users\Admin\AppData\Roaming\lpt9.{208D2C60-3AEA-1069-A2D7-08002B30309D}\dbhost.exeC:\Users\Admin\AppData\Roaming\lpt9.{208D2C60-3AEA-1069-A2D7-08002B30309D}\dbhost.exe3⤵PID:1488
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\6B14C1C8.cmd3⤵PID:1392
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exeTrojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2976
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exeTrojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: GetForegroundWindowSpam
PID:2948
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exeTrojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2788
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exeTrojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2936
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exeTrojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2160 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exeTrojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2840
-
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exeTrojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 3723⤵
- Loads dropped DLL
- Program crash
PID:2432
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exeTrojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2064 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g3⤵PID:2756
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g4⤵PID:1828
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g5⤵PID:2592
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g6⤵PID:2056
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g7⤵PID:2224
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g8⤵PID:1876
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g9⤵PID:2264
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g10⤵PID:2456
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g11⤵PID:2512
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g12⤵PID:2324
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g13⤵PID:2112
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g14⤵PID:2224
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g15⤵PID:1104
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g16⤵PID:1632
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g17⤵PID:1264
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g18⤵PID:2140
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g19⤵PID:1980
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g20⤵PID:1912
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g21⤵PID:3340
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g22⤵PID:3576
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g23⤵PID:4056
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g24⤵PID:3640
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g25⤵PID:3952
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g26⤵PID:1376
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g27⤵PID:2796
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g28⤵PID:2724
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g29⤵PID:2624
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g30⤵PID:1392
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g31⤵PID:3124
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g32⤵PID:3912
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g33⤵PID:488
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g34⤵PID:3076
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g35⤵PID:2540
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g36⤵PID:1292
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g37⤵PID:3692
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g38⤵PID:3828
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g39⤵PID:2244
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g40⤵PID:2868
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g41⤵PID:3964
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g42⤵PID:2696
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g43⤵PID:3244
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g44⤵PID:1680
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g45⤵PID:1936
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g46⤵PID:3368
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g47⤵PID:3584
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exeTrojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:816 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe"C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe" g3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:480
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1824
-
-
C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792
-
-
C:\Windows\SysWOW64\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:588
-
-
C:\Windows\SysWOW64\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1780
-
-
C:\Windows\SysWOW64\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2616
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"4⤵PID:1996
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"4⤵PID:1356
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f252888.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:2952
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exeTrojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2456
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exeTrojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1920
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exeTrojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of UnmapMainImage
PID:2292
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exeTrojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3016 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exeC:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo. > "C:\Users\Admin\AppData\Roaming\Isass.exe":Zone.Identifier4⤵PID:2908
-
-
C:\Users\Admin\AppData\Roaming\Isass.exeC:\Users\Admin\AppData\Roaming\Isass.exe4⤵PID:620
-
C:\Users\Admin\AppData\Roaming\Isass.exeC:\Users\Admin\AppData\Roaming\Isass.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"5⤵PID:2600
-
-
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Wanna.zbu-4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee.exeTrojan-Ransom.Win32.Wanna.zbu-4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee.exe2⤵
- Executes dropped EXE
PID:3008
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exeTrojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exe2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1300
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exeTrojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exe2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:708
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exeTrojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exe2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2472
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exeTrojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exe2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1444
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1092 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe3⤵
- Cerber
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1004
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1752 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe3⤵
- Cerber
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exeTrojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1792 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exeC:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe3⤵
- Cerber
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on4⤵
- Modifies Windows Firewall
PID:2232
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1808
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_LVOF_.hta"4⤵PID:2476
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_YRRW0F_.txt4⤵
- Opens file in notepad (likely ransom note)
PID:2428
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:1368
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe"5⤵
- Cerber
- Kills process with taskkill
PID:1448
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2108
-
-
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exeTrojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe2⤵
- Cerber
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2104
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
PID:992 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe3⤵
- Cerber
- Executes dropped EXE
PID:2136
-
-
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
PID:2224 -
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe3⤵
- Cerber
- Executes dropped EXE
PID:524
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2576
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:2712
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4501⤵PID:1992
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:3312
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_YRRW0F_.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1872
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:2628
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
3File Deletion
3Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5eadd07e5a5da785bcce6680959cea880
SHA10d293ffcef9bcb8c2f2dc143216ed7abaa9f05e6
SHA256db562817745cee7e6e949f20c16889132f5ef3a6b77c214e322076caa3a2c65b
SHA5121781423a69ad0146b39b10640403b4ab587aac7a4bf015cd0f655fed4281a8e0bf5b3c39ee19ac2081ea066a24e0b3401e31380e443f9ddd609a20f0c602703f
-
Filesize
80KB
MD596886d704fd6c5a24a074b184243052f
SHA19072e40f916e121a1bafeebf966c4fb6dc879b93
SHA25661ef2e034d5d5dceea6377643103407f3d554db570cf66f769072fa991936143
SHA5126f4391158c1b654a98fbf271e0a48168da90c54b1727822e8ff4ff2a2c866150ddd1f75529beabcacc71030742774854526706cce8dadd05a4941a3d70752dfa
-
Filesize
2KB
MD57827450dde17e835faca67a5dc8cafe7
SHA1d75f12a4b51e742306a8fe47b7a726859ab4020c
SHA256b30aed75b82b1598acee00bb2e9235c7685f11d7fb12adaa53bb1748b548dfa7
SHA512e5eb592a691ff4b74259dd132297647d8e3130322490181a2e76f5c24bfc14e5648ef02a82ad5c59a3709b15db348fea693a887fb31ea571c5e49b68f89e385f
-
Filesize
9KB
MD562aeb38b798ffa08d3e9f1c26b4b29cd
SHA1ffad156ff760bb30493f944461f8a5a1ac0383bc
SHA2563459594fbda497bc21b4ffffbb57cd5648b8112d9938b6085aa12f583e9edff2
SHA5129a74661257c3f6386cba6c2a27faf028e2a39fa6f55e1adcf4be3e3eaff5371e6b55009b098dd937cff22324ebda21b23d858037ee4a17c9cbafc19dd2a7e040
-
Filesize
68KB
MD590876d0e7676e57c2ec2524a6d7a9e48
SHA1396545d133029dba6a143fdd51fe163dcab5cf13
SHA2564e8783f5e2fd6a0e2ad8281b796b1a118423876041711cbed5786b5d19a76adf
SHA512b7328aed3ee3dd918499a07b558b89e360f05bc759db49d50524da5d9484444495e28848db87d20d1fca39f30fcf2b5e33ac954c3825ba8648501a77189394d5
-
Filesize
2KB
MD536144b4b16f683cdc062a3bf0bf40636
SHA1b16d06b6e5f81e8efeb517347d5dc7e1766908e7
SHA25640b285c20fb217eaa298a8e8a6693021ff15973745616a435bee46539ad42f68
SHA512b88eba07a3e82c29987e674d343a656e3e61d314ad4a541c1220ddd8f4a0c83519c320009a109c3ee68399ef523818ebb9359961b8b7cafbae2febb7e5e0ace7
-
Filesize
11KB
MD5d2ffda6d93455e8fc0ca067c6b7ffdcb
SHA1d840fb17601c3ef594f7c478774112406aabcbc7
SHA2564c97fc2933f7f8ce16de2324ddc8d3829d006fd2ae87206118a93e39cf3e3f9b
SHA512321d22d0b4bcddb56243845d57bb746e36d8f3c0408713d661bd351f74fe1a75bd048dbac6724ed176f888db20f1a24e41141192a13c294ad5da748bcbc8c974
-
Filesize
62KB
MD5a985580156ceb7f02f6733c822ee8565
SHA183d4ca1e094220ece44ae9e1838e4a924f2a93fb
SHA256333156eaf80a27c13b73584d4ce95f78323a3379b138ed72510df79672f59f57
SHA512e850f7158db1c87a52962fa40635762de141b3513e0836c071452775cb1adafda6aaf31483a8cf54708bc69daa02491ad8ba99aa4a7afe06e185dce1120bcfe1
-
Filesize
1KB
MD5d4e67e805aa92915364d5d47524ad630
SHA1ff44ff54b63bcc80501bb897debbef92ba3e6d71
SHA256f45948d46ba2254dd29481c041a83dafefa6d0e0fabba3d880a816c3969638e1
SHA512da049f1f435e3c0d4d81b82f0ae690459dab068ab019a8e3f48f6ceaafb1f6b142532fc0b0b4ae226b664908f473c110aa8e5924585f43bc831cbd58ee677413
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD52abc5bc4353f2bf18ec55b63e2b4defa
SHA1b35e48adedb39523dd2b7b83e802ca4e3ae6de84
SHA2568e6871f635e53129610979cbe81938a6d38e9cd99e809352196275f71e273e37
SHA512c87148d5be688e075923c8b29fae8faeb08c1eb0a4d1b0b90478daea5b11da23eec2b247b65f788129ed2802c7eb62a7fa52123735f8011e75450efd9dae655c
-
Filesize
198B
MD584b0e3690444b0a441c55dee57d94092
SHA1f67c644a06886abee4c28f3e5e1b0f6db93af8d5
SHA256316fa1eec2091dec828b8936cc36accf5585bca1a15482ae2d2f4351c1d63aa9
SHA512c3fca7a13109aa6acbcebc8854b1676648b6bb91916c1c7b5c72eacbc452c0567be150ce0a73e88781c631ac1f2ee6c6c2befd91ee349bf11f02ec0156092f6b
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
9KB
MD577d45da97617c672538dad546a05748a
SHA1785fe1093cf9cc2be8a1db7f79efa8490a320f6f
SHA25603a972e8855e355f7cfb379da67b44d0eb45d076b35e57f1eb3cd18d84dddb2b
SHA512d1dd2096ce669def6dd5c09fd403492472216b0f782fd20305b96ebe7044087e0a508d585d6943477c5647c2c681f9dc197bd3557fac6baeabd00a1737f95c74
-
Filesize
108KB
MD562525c14d6d47f74aa1edd0185c76e99
SHA10ec064c3057f19e3b8103a19d3ea24437c901e06
SHA256505d56c1c6490575a445685596bf2442730883054821cfe856c6761d80129efe
SHA5127f903250903f592ec57e73e73ed5e5c548df778640fbc93ece6953707b55150ffebd32a98e30f25b383129468f7dc2d3c3957f510fabc7be8fc564be55db4310
-
Filesize
49KB
MD54548111720326b6f66e6e17bc6750d99
SHA127d5ada93cc30f6e97fe6598e41666c334033f8a
SHA25619fa6a6715cc597fecb48b6e51cd40ea554b1241c3cf4957eede1b8aaa0e27e7
SHA512677970db1ac6e6943af304a33aaae026542b5a25fdc839f7787c520bd765beb9be73da412860fc29dc167891df232dc1c9cda1340b29f4238952ff4b2b2e77aa
-
Filesize
19KB
MD5605560409ea9a2b17865ab4004e8e749
SHA1ea149de5a167ed5550202ae93beded081f214ffc
SHA256fb4ca9a4bfbb82725ac48e6bfa61309e55ab5a275ccbd8d9db6d4e3d11feb8da
SHA5127f4b58276b1c29be93154c164e604595f52ba9e33d87ddc0c7ca6aeaa8624d4e3dc8c1c020c81e88762f148f4e731b297e14459c8d295aa9ceb648cc412e58d8
-
Filesize
11KB
MD53e6bf00b3ac976122f982ae2aadb1c51
SHA1caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA2564ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA5121286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706
-
Filesize
4KB
MD51eefe4a9a29bacba5dc32f36102c4ce9
SHA1482d71dca6148a4c4a05b2ea4395c481478c961c
SHA256799d4532b788656b1dfe8a0f1ffbb5970ef393bc7fcf015f19699e58dc9fa9ae
SHA51237bd2f4e3a69f48b869b8ec14ae1ae01ea7cf7c2d7020b3224210edd53fbb7c4ea1f30780c394d518b81eb7af420f43ec773a789c34e743c313cb11e6d400943
-
Filesize
5KB
MD510c0ec7ed77302d8c7b5ca5cd15a7fb3
SHA15fdb2608ab136e712c0e929e6ef8a4294d32b55a
SHA25619b2701fc2edff3debe61129b402d8e4aba7fa37f76146ca91edb060c5d4c46c
SHA5128169694e865cfb073b15fd5fbc387092e366ccbce63ea7f675ee425927a296ecf48fde62c0eaa26ba71c389b9b093e25085011dfc0bbe56c7b1a789ac04c9189
-
Filesize
16KB
MD51de7ccfd0a2c763d6395515608931f40
SHA18455caaab02dd6761e6f8ef97434b9aeb3e0d11a
SHA256da49b93ed7479cd236de41a1f2b5180807499e7d5293a9c1f44424554a68dea1
SHA5126e883584bd88a306110cf9a62c1d34ceb70165a7a86659d3743347fa293284c28e30232f769acf12d8c3cf0a5120df75be019e212a711c972ba5643036642375
-
Filesize
53B
MD5f32acc491d3a8d278a691d4f0b07570b
SHA114cd7c2f93b7682c953f9053dd6957762e4ed2d7
SHA256c9f18085eaea446a4910a70f332577267d3f483ca71c8bf63dd1c208efd5fb3c
SHA5127b32a62037441e182d04aeb7f3863e629a135f6f3e14128b18ef825aee7436bd9d004ce2beeeca4c6c7f0406faf4d79874506cd6c5b592faf5be858f4f6854fa
-
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
Filesize910KB
MD52236aeb7f5985071cee2b60b264cd8e8
SHA1a9a20b337fe2c2343454394bc40369ae5c403c78
SHA256d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1
SHA5128064871a2c89795a7a5eec5b9f742061ce998e0eb867100c3228224d5ff6d96568bf8cfbc06bff07ee7e07d568e4529c625cbd693f1b84f405eac4b7f1160f96
-
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
Filesize389KB
MD5b941ae3f452dda3bb26ebeff6f8a57db
SHA1d3055fbad0e8bb5a8e3962c6c82a053767a27711
SHA256948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec
SHA512fd50e63c068bb8328ac2e3a1d7322a4fdda7b31c4733d50f942580409c9808d42c062c347792d88e5a98d95ef468ea48f7fcc8556405e39302df6591dc8d5ab4
-
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
Filesize1.3MB
MD5c6e1a30ebb4c046784174a6d87dd8c72
SHA1e38cc57374c7063c678086c1f35079530962b446
SHA25602d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014
SHA5124b6e5ca679ea56d9d797ce832fa1e8dd17caa21b4dec493d658989807242ff9a138f367cf734e97d2ae6468cf406f78758d4153ad72b3d1eaa93a48ed4fac0fe
-
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
Filesize266KB
MD5ad4daa19df6b79f3f579f70734e069ff
SHA10e40b186007eae5431f2cd37db397df8a4ebe4d7
SHA2560d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5
SHA512d23469a3d8e87fa192ce427b835a934450d7e3c7311cf664c2b452c202e700df751a16f60b0f60ccca35f5ab5e294a278ae3eb83bb7fd24bf548a1a3bccd9239
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
Filesize117KB
MD5f14f1e4ca341f809487027fdc99fcfda
SHA1aac84cb19f3a37ab8be1470c0d93bb582b92ab23
SHA2565c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6
SHA512c0bebe5aa19b19239cd12ad2c999a0960c66ebf853b83263bc4c5e35a0e8aa313aa17eb9f89cf2e5e56024cd8421adcbb969c8b82fdd10b69a832a936b00f167
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
Filesize380KB
MD54982c3d01df0abd18e149a74824d272c
SHA11e0ab928d0ef465f6bf5e1712f4f7e9e8a37cbf2
SHA256e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea
SHA51223492feb43c7ba2f4ce309f766ef6be0cfce62c06a8f3db3319029b167935668f86b3a305bab60629691258b83981f6cda25f461b79b5fdb8dbd0b7f61d4db7a
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
Filesize372KB
MD5878ab2ec640b2afd7f34ab598a6c35de
SHA1a44db3cb6e3140b520cc4f6c812d4cc61eda0930
SHA2567f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239
SHA512c84dc8def5b9ab9cb42afc4851b5bc4ea46fd85f18f2770d3c136914a6a3f82c541e10dee36e91b6becde76101b5c96e675a1a55d38b290be46704e1978610fd
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
Filesize369KB
MD5a5e1ef215cb67914ab3ecc4003beee7c
SHA140c44d5fcdf2a0a7731827251e98397509be250d
SHA2567a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911
SHA512f3a42313795d5232b672f89cadd807d0c215797403bd52ef09af176b194667f4a9ac375ada45df6a23a256b70cc7856e3be1c3a24190ebf15169457b3371888d
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe
Filesize756KB
MD5fade5d31ec3f2c4ad7ef39cb3cfa535c
SHA1f39cf39945ee95e93014ee9b57f2e750c9202c24
SHA2567ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375
SHA51281f51e6a5a877d39170dc887ef6751450c95d4caebe42ec89124945963bab2990d53efe6f94d9eb4c55d68d79cd4b4bd1c36dc2bacf20932042a3c22165b6ccb
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
Filesize266KB
MD570c6ac0dfd6972a4d89880c1120fef8c
SHA1d362171859c71dd248450604522bc64df78c9e33
SHA25665f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16
SHA512c425394ff39ece1878759243149096f9b3cd889ce9dd923f0c62684798710406f21775e56ae3d26777a9f782e6f76620c17e3760a3dad32b86297d006c5e65e2
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe
Filesize244KB
MD5e4ffdf2c2cc044b334637de0ae662e25
SHA1de80c1e08a11e23c7670affbe47de13d711b3e07
SHA2568d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e
SHA5127097bf1456c621df282cbafaaf80325f218a738398c54dd40171890a720c7d64583d58afe6edebad088e8feb5968b883929efe61c44b7aeedb500c3371c37485
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
Filesize188KB
MD54da52f86774c4ee7010c5671b106db40
SHA176c4ef9b7e64d87e5c582da74eca2c3f8c176f99
SHA256c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5
SHA5128c527cd09f703465ba94be805f4add2f5b8f4df18ba0db646fd1dcce6ca1f432cd4150e92e7c28a155198b6e099c10ea87b14d727cb21d2ab0c2372e2446618f
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
Filesize133KB
MD5caff8cc0aab0ea1e6a906f86df7777b3
SHA1af96d30dd699822b43ae8c2c296b096eec4613f2
SHA256c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba
SHA512474fd1a9bf2b3d6003ab34e07b930a7de52e2640fa7cfbf9c40fb6d612fd015717b136921be6404732d51e9c767dee4d4a9ac4eb9b9f1571b95c297cf083aab9
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
Filesize392KB
MD5f040c59616d56d58e1fcf9b5eeb7a90e
SHA1cdbc10b25fbdec64f65e88523cff423ccc6d9550
SHA2566d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac
SHA512749a529a67e54943dfc6bcc1133ce9f6c98960ede89af48e0a6c26494e1ed5bf675c61f7f399704f8ceb4be69403cd5380c7b452a5908b9d77cce45e501021aa
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
Filesize224KB
MD5f94474596c6c4b46345625583b8afc0d
SHA115e8daafefbef10d8cc7578ee70b0935e094ec96
SHA2566b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7
SHA5127fddf677cb6b817656fb1ead956de9e403ade2ddd5d15169a9951092922d34896b81812e681565640f85b385d55e35c2bf0e8e24ef36bbec2e550b34d85560f5
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe
Filesize154KB
MD5e62d58a48f3aca29acd535c3ae4b7ce1
SHA1e58d5804d3134b6e0557d2210253d8914320a35a
SHA25693e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499
SHA5123ec457a0f59534f5a263d5fd2ba9830df02ad0c2e1abf0caf9736f530f5e9e334c908265729040311dd23aa7eaed84a209ba5b58056ac025db42d7358369a340
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
Filesize379KB
MD5ea4088cbab7961c194033e806c085bd1
SHA1cc5a365c4f3305c097d37c08de12dcbb010ca4dc
SHA256d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f
SHA512351797525eb4579efed85f87d615414226ab80323c20142baabbc901dfe7e5f1e912754f1c31dfaa2912ababbfa17d599e06d93eb9dbd1b15952c591dbf89207
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
Filesize433KB
MD533812e0b232ea7bc5e691a8bd5efb275
SHA101c8b3189f1611de65b328241e641649805d71e1
SHA256e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb
SHA512787459ac4a0f6b35dacd608bc876d0c50520266220bdbf937f7b5290f64b73e0d98c8cb7eeb4b1ab78485b69a16aded50c3b2606b9b54a3d7df663b8b4549597
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe
Filesize1.4MB
MD5d3459166d75936ffff323e1f2bc972c1
SHA184ca1534b9c77b036f45960906af8f23bc562fcc
SHA2561f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead
SHA512ebcc3434bccddcb903e2a228cf54349e11cd2b461397a69889ad75aed6096df3fb9b67be5c42f6623068cc796f6186e6031da08a5e51ac1a5bc87bb0fa725482
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe
Filesize1.4MB
MD5b254c18d227391401ef8f36051761c53
SHA1413e9c98b45afd2c2e2e0b54cf1e5089c9954f66
SHA256db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72
SHA5124fd9e70cfeef7e45e751e5da7e74123996c7742ffa27ebd9d3e511b1cdd8df69db70d7ff974c6af03885514fb0b5d28b1576a21dc5139b4004f398522e8f973a
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe
Filesize1.0MB
MD5dfe7ba1e4812fe9219ec09d7f10465ac
SHA1d793055f8b882bf05a6afb7eb4b9532441ba6276
SHA256ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821
SHA512cdee7ae7ffda2f537e107b728fd4e56005fc44604c051ec950cc93626f0c6eb4a41c196105e405535e657ca6ea7c14abf4f284851966fe0c9f68d09f9ac84c32
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe
Filesize683KB
MD5156db6fa58faecd89712220972cc1f6e
SHA16614ce93d8c1bb21e3918b220c18571653671d85
SHA2561a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e
SHA5121f22915a8e91d2436cc54a2ebed4f89e6ac9fd2c4b1465f620fe3f9d0d289f36dbaef74689ffaa1d148add53ce3d1bb94091cfa72f0aa081a6880f67cb5b306a
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Wanna.zbu-4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee.exe
Filesize3.4MB
MD582fd8635ff349f2f0d8d42c27d18bcb7
SHA1c91b27f3ab872999a8f0a4ed96909d6f3970cb8b
SHA2564c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee
SHA512d39555ffdbaede541fda01865f6923e126d4de5bb40e873298a44d55a83d9ed2188f972c2675276be7b1ffe020d88a73ae0bb661c49f6fd93f1d3dbd3c727ed5
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exe
Filesize424KB
MD5ed3c944314e63bb0924787ca31defef4
SHA189c1c471a203e30de39155d5d88323773b2f7480
SHA256a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5
SHA51295fecc5df63ae23bca79cbdb727cf93e53560ff4daa080aa7161483f8459ce4ce64467dba8e548f7d7caa44cf150bcbfb221d6557114c34646e1c0ca6d24f667
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exe
Filesize540KB
MD5a33b0c0b35c798a6b794cfd74b0a14bd
SHA1ee23f826b4f5efea03cb3c4248becabe35d11a01
SHA256470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82
SHA51221733c02e904e888816e7505b1f86e8ea892c69e4c060c2a8cf55f78c7c5c9b0a2a50cc252bab9ce25c8da385a9d5354ba705123e7c4ac95813883e4eb10d2e7
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exe
Filesize460KB
MD5fc33bf1b25e08d1c5358cb5ecac65519
SHA1d7dc88846e385b1a3f62084b6ce09ed75854f7e0
SHA256107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82
SHA5124024681128e59ef71d239c6d8d857ced70b6793836aff0f5507ad1eaa2cef2897682b495ba4b08215edfe243810388af95a4f3b7840a4a12d91168de5ec18888
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exe
Filesize512KB
MD58c290a321dcb67e6c23a308c0fc6bdd8
SHA17501abfaa1ac9755b66f6966a90c1dc27fbfaf56
SHA256681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37
SHA512af8a6ce84bb2b5259b8bdbe5c0b9267626f276ef194892de26456fc3bdeb40654914f26e7935d73b4c50d158a025bfce6f209d4653c036884cd934eb393582d6
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
Filesize580KB
MD5ff2754cb8e71a2943059104917f4d39e
SHA1fc57aa87d50b3306e23f32724a7159fab6d0a7c9
SHA256d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363
SHA512a39d7599566fd6144595181d7a2ee6de78ceb5c3264310ffc67bc13f0650355e3bd982c473358dbc275d72d6ac68ad8f5695d1925629174a657d9e6a25d33a34
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
Filesize355KB
MD5966ea9bdba60a76ef2488433d0f548d6
SHA17d9957e7889b32744d5003f4f1e5986b1900aeda
SHA2569cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6
SHA512eb2be0bbddc55524159282576dda11acd53aa8c60bab0b5eeb73d050cf7b5c52420f0b6a0b5009eb89cc6343cd02e9efc860eaaf238e712d276fa7af9c6e804a
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
Filesize336KB
MD5a37993aac888dae0aee0ee2041a12ba5
SHA14ec03d3aa4140d66d00eccfd0ae6cb1c7843e12f
SHA2568db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90
SHA51259486f48152ece391e9d0712655ef8b4d5748d0f6db6a02431a5a236cf60ccc049d514fdb64cd0f7355c15dc0a00b2b184afb3040aa562c2f68311ef2b1a20d2
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe
Filesize269KB
MD5575c95d590fd4ed1ee1052dd8d5f0b2d
SHA17e4682b652de8352dfc8de05967ae67941553070
SHA2569301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe
SHA512e18e8dbc1ef709d907e090a4e04fb2968f4bfa12ccd5c1e66f408f536e948597a20d1ad9ffbadabc29f7a073001a71c6ee16198e33d483f916dc3ef4e35bd687
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
Filesize287KB
MD5849fb8ec852a440d46ff8f91031d7f87
SHA13927903a6d8b4ab2cdb28cbba8b00447fba8e4c3
SHA25667af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4
SHA5121a3b26e707ce22cafe0f171929d49b75fb22291e22d6a205f3fcd2261fa3d0a008d7816dc3bd360978a13d16896c5255390b94aa8f2b31f2f8a0175e104b7a38
-
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
Filesize284KB
MD5e8dc3fc3df5e4cc0e11b7d9e77ee330b
SHA1fd4b1f867e6cb1f2c239c28379b372908cf38973
SHA2566016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1
SHA5128c548fb6186d29b23303eca9ef7f9b10a34dba46d12cb7879a6a188e3b42dd710b7a53883ed969842fa7216f7fb967445db1d77d2983960aecdea1081fc5d5d3
-
Filesize
99KB
MD5983917c5fbf117310297012a5d4c8d7f
SHA1397bfb0564f75b91c9d226f0ab68167c4f6aa722
SHA2567488dc6d3aec2cb0275f2d16a88f45383edc8fef5085753a134d7de6acfe49eb
SHA5124602db4cb4d98582080ab230dc5ddd30cade732c9fa471d3e007e923bb55ffa2e3d91b24d84f6ec06a3f1872719485b4be469e52febd950af9666d69a382a6d4
-
Filesize
4KB
MD5c58f3350e0c3b471d28cf489e49d7ad4
SHA1dad1408e526d96d6ae3dbcaa88691f941cc213f2
SHA25668adc693daec87333e1815518fbac49bb9c3c87be3b35faba8aec447367fd6f7
SHA51216ad246285054f07bfeaa15ad005bd665745139267f10e628b41931f0510acf8e382295e70df8a6f33ae4a8b19386ade94ef7eed9b1711e022b64346515a10db
-
Filesize
11KB
MD5a4dd044bcd94e9b3370ccf095b31f896
SHA117c78201323ab2095bc53184aa8267c9187d5173
SHA2562e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA51287335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a