cerber | 6d674c71f84ee952a38f99bdca445e5d4e4282d2c4b7f33c24f9d6808e9c14b5

Analysis

max time kernel
76s
max time network
285s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00290.7z
Size

10.8MB
MD5

42132159ee3c9fd4fbf8c9658edaa7a0
SHA1

4683985b7bf4bbd46e55d938812995b02155c2d6
SHA256

6d674c71f84ee952a38f99bdca445e5d4e4282d2c4b7f33c24f9d6808e9c14b5
SHA512

abf421f29228016eb8b4731a4af251e637f2ed8c45d503bf690c13cc504824503ab6bdb910c81659204bc97e7b36a3c15e66bb2d268a0e46ed1e0cb592a1dcbb
SSDEEP

196608:a8inC/4cRO5sqQYO3IEUmFinGUt4EkeKeK95PWS7G4C/3BuWH8mGg7uBHri80uFw:a87/4cAfO3VUm8nGUe+K3PTVCJu2FGgj

Score

10^/10

cerber locky teslacrypt troldesh collection defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan upx

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note

<html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="note private"> <div class="title">Your personal ID</div> <pre>7A 4F 62 B1 AA 89 4F 2E 6F E3 18 B3 94 60 E1 6C A1 9F FD C9 05 9E 66 F6 B6 A5 9E A3 ED 9B 95 D7 E9 4B 8E 5A E0 0C A7 4B C5 94 DE 98 7A EE 2F 8C 17 A7 BC A4 E3 8A B5 E2 1C 61 BC CA 29 C7 52 10 C3 45 FF 2A BA 5E AD 01 F0 6C 30 69 62 F0 E4 65 D3 E1 3E 66 24 CA FC DA 9E BE 1A 71 A3 CB 1B 10 83 BD 54 E7 0E 01 F2 B2 47 30 52 8F C0 2B A1 88 BC 58 D3 2F 6C 9E 47 87 9E 27 F0 D8 57 95 97 4F </pre> </div> <div class="bold"> <div align="left">All your important data has been encrypted.</div> </div> <div class="bold">To recover data you need decryptor.</div> <div> <h2 align="center">To get the decryptor you should:</h2> <h1 align="left">pay for decrypt:</h1> <div class="note xx"> <div align="left"> <h1>site for buy bitcoin:<br> </h1> </div> <div align="left"> <strong>Buy 0.5 BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://localbitcoins.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>https://xchange.cc</strong></li> </ol> </div> <div align="left"> <h1>bitcoin adress for pay:<br> </h1> </div> <div align="left">1AMBqAqiNcJXPojKcgQQLREncgunopyt5G</div> <div align="left"><strong>Send 0.5 BTC for decrypt</strong></div> </div> <div> <h1>After the payment: </h1> </div> <div><p>Send screenshot of payment to <span class="mark">[email protected]</span>. In the letter include your personal ID (look at the beginning of this document).</p> </div> <div> <h1 align="center">After you will receive a decryptor and instructions</h1> </div> <div class="note alert"> <div class="title">Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>We give you the opportunity to decipher 1 file free of charge!</li> <li>You can make sure that the service really works and after payment for the «Decryptor» program you can actually decrypt the files!</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> </div> </body> </html>

Emails

class="mark">[email protected]</span>

Extracted

Path

C:\Users\Admin\Searches\!HELP_SOS.hta

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; line-height: 1.2; } h2 { color: #555; text-align: center; line-height: 1.2; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 0.2em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","fr","es","no","pt","nl","kr","ms","zh","tr","vi","hi","jv","fa","ar"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" : "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://7gie6ffnkrjykggd.'+ds[i]+'/login/AY4R8DVXkN2IavHc1BwTFk_Xw13vO2DlGqwuv5RuYjtsONuGR0ZICTTA" onclick="javascript:return openlink(this.href)">http://7gie6ffnkrjykggd.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-no' onclick="javascript:return setLang('no')">Norsk</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <br/><span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-ms' onclick="javascript:return setLang('ms')">Bahasa Melayu</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> <span class='ls ls-tr' onclick="javascript:return setLang('tr')">Türkçe</span> <span class='ls ls-vi' onclick="javascript:return setLang('vi')">Tiếng Việt</span> <span class='ls ls-hi' onclick="javascript:return setLang('hi')">हिन्दी</span> <span class='ls ls-jv' onclick="javascript:return setLang('jv')">Basa Jawa</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADEAAABACAYAAACz4p94AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAARCQAAEQkAGJrNK4AAAAB3RJTUUH4QEcFBoaYAOrHQAABThJREFUaN7tmlloXGUUx3/3ziRtTa2xcZ1gtaJFDFjtwSqllaKiiEilKOKDNS2UivXF+qD0QRBRUMQXN/TBBcFifahYFC0urfpghSMqaDSkdQMvojZpIk2zTMaHe776MZ17M6u9ozkwzAwz3/ed/9m+s9yABkhEUFX/+43ATcBy4FxgMdABTAB/Aj8CXwO7VfVdb10AlPy9aqGgTuYDVS3Z56XA48AtdWz1OrBdVQ82AiaoVfJATlWLIrIAeAbYWKciS975LwJ3q+pEJQ03DYRJKVDVGRFZCew0kylnqFaaAULgB+B2Vd1fru3ZKFcDAFS1JCLXA7uBMxs1S29t0fzn5kKhMBBF0WAURYgIURQ1DsIAhKaBVcAbwKk0l0JgGlgIrCkUChpF0U/VAgmrOCBvPrAEeBY4jdZQ3jRyDvCEiJxl2ne+mLowTQs5VZ0yJ95mobMaRx0A3gMGgSPAycCFwHXARQlrfKFeDjwMbG7IsT0zKorIauBtYFGFvxY9s3wZ2Kaqwyn7dgNPpkQ1t9/PwGZV3TNbxErThAOwCOhPADBtexwGNqrqrrR4bxFnBNgkIm8CrwFdCX66BNgA7KlLE2aDeVWdFpHlwPsVfMEBGAXuUtUd1YRGH6CIrLdAESZoYxC4Q1U/r8exQwMQAFdb+CuP7U6LO6oF4MK0d+47ZlpJfJ0HXFsm3OpB2HsPsCZBUtgF9VSZo85KFq7zqnrUTOq3ChYyA3QCq7x1NYFwZnYKsKJCFOqwz59YJKo5VTAmAQ4CuxKiHUCviCyryZzMhIqeOnsSDh8B9qnqTJqU0kKyAT8MfJwiyB5gWa0+ETjGgPOBeQkSGgG+rPdmM99wfjUEHEoA0Q0srRmEaSRv+VFHAogx84lGyO01ChxI+E8XcHq9aUdnhahU8uL471bszJoWVEFHbL8kHhfXCyIE5qesGXX+UW9F5mli0jSbRPMaAdGZ8vtUtSG1ykg1mXIRdzaaxVYjSU7kPmFKaAsq5DW+dBY2WAyV89GV8ntXran4tGfzW4B7K0grAI5WMIF6zAjgD2ATsDXhrPFaGwGZJhE59jrOPMraMIuBK4EzTFqlE8x7YNr6TFUP+dkwQCAiobuhRWQt8DTQl2FlfAtsVdW9DoyviUeA7U1owbSSfL4eU9UHjlVRInI/8FDGATizcvytLhQKQRRFewMRuQJ4y+y/Xcg13IaA/tBCWxftRe5+uwC4NQTWzpabZFgbAFeF1qzKtSEIp40+l+QFtC91hvwHaA7E/xlEKesgZrz6u19VA/eytH64FUGkmSCKtt8XwKWq+opL0GxE8AKwknh6mkkQ03bXRMTT0F9d7m/pfdGy5SHgPtclyRoIZyLfAR95APC6If4A5sOsgfB7UQe88jbJoceI+6+ZdeyOKrWWzxqIwJN+H/F8rlJDzR8XrMiyT1wM3OnX7V797oBeQzxYbF6lJCLTTcpi3fhrBNiiqjsrNCBuIx5Ozs+qT+SJW5vdxHPoS3yHlrjH8nyzAbTCsZ1ZjfPPoMa/DMdpAc0lgHMg2gREqcxPSrSoHdoqx+4Ceu3Sc4x3c/wkNpMgclZT9AIPisjZFl57gUeZZeKThcuuvDhyAppsFfOt9gl/385/w7FLtDmFwF9ebdxO5IQ/HBIPLabaGMT+kLitP9GGAELi4ecHIfAqyc9VZJWc+SvwUi6KorFCofANsA44qQ0AuEfrfgHuUdWB0IqWT4Ebml3At4hywPfAelXd5y47sIfY7XbdQNytuwxYkCHmR4GvgOfcM4fGL38Dzdjo/H/3PFAAAAAASUVORK5CYII=" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2><h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2><h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2><h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2><h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2><h2 class='l l-no' >Filen er kryptert men kan bli gjenopprettet</h2><h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2><h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2><h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2><h2 class='l l-ms' >Fail ini dienkripsikan tetapi boleh dipulih semula.</h2><h2 class='l l-zh' >文件已被加密，但是可以解密</h2><h2 class='l l-tr' >Dosya şifrelenmiş ancak geri yüklenebilir.</h2><h2 class='l l-vi' >Tập tin bị mã hóa nhưng có thể được khôi phục</h2><h2 class='l l-hi' >फाइल एनक्रिप्‍टड हैं लेकिन रिस्‍टोर की जा सकती हैं</h2><h2 class='l l-jv' >File ini dienkripsi tetapi dapat dikembalikan</h2><h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2><h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <p><span id='filename'></span></p> </div> </div> <h2 class='l l-en' style='display:block'>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2><h2 class='l l-de' >Die Datei, die Sie öffnen wollten, und andere wichtige Dateien auf ihrem Computer wurden von "SAGE 2.2 Ransomware" verschlüsselt.</h2><h2 class='l l-it' >Il file che hai tentato di aprire e altri file importanti del tuo computer sono stati crittografati da "SAGE 2.2 Ransomware".</h2><h2 class='l l-fr' > Le fichier que vous essayez d’ouvrir et d’autres fichiers importants sur votre ordinateur ont été cryptés par "SAGE 2.2 Ransomware".</h2><h2 class='l l-es' >El archivo que intentó abrir y otros importantes archivos en su computadora fueron encriptados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-no' >Filen du prøvde åpne og andre viktige filer på datamaskinen din ble kryptert av "SAGE 2.2 Ransomware".</h2><h2 class='l l-pt' >O arquivo que você está tentando acessar está criptografado, outros arquivos importantes em seu computador também foram criptografados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-nl' >Het bestand dat je probeert te openen en andere belangrijke bestanden op je computer zijn beveiliged door "SAGE 2.2 Ransomware".</h2><h2 class='l l-kr' >컴퓨터에서 여는 파일 및 기타 중요한 파일은 "SAGE 2.2 Ransomware"에 의해 암호화되었습니다.</h2><h2 class='l l-ms' >Fail yang anda cuba buka dan fail penting yang lain di komputer anda telah dienkripskan oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-zh' >您试图打开的文件以及您计算机上的其它文件已经用"SAGE 2.2 Ransomware"进行了加密。</h2><h2 class='l l-tr' >Açmaya çalıştığınız dosya ve diğer önemli dosyalarınızı bilgisayarınızda "SAGE 2.2 Ransomware" tarafından şifrelenmiş.</h2><h2 class='l l-vi' >Tập tin mà bạn cố mở và những tập tin quan trọng khác trên máy tính của bạn bị mã hóa bởi "SAGE 2.2 Ransomware".</h2><h2 class='l l-hi' >वो फाइल जिसे आपने खोलने की कोशिश की और आपके कंप्‍यूटर पर बाकी महत्‍वपूर्ण फाइले हमारी ओर से इंक्रिप्टिड की गई हैं "SAGE 2.2 Ransomware"।</h2><h2 class='l l-jv' >File yang Anda coba untuk buka dan file penting lain di komputer Anda yang dienkripsi oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-fa' >فایلی که ش�

URLs

http://'+s.bp

http://'+s.bp+s.txp+tx

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+iabol.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/15D7381D228031CF 2. http://tes543berda73i48fsdfsd.keratadze.at/15D7381D228031CF 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/15D7381D228031CF If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/15D7381D228031CF 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/15D7381D228031CF http://tes543berda73i48fsdfsd.keratadze.at/15D7381D228031CF http://tt54rfdjhb34rfbnknaerg.milerteddy.com/15D7381D228031CF *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/15D7381D228031CF

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/15D7381D228031CF

http://tes543berda73i48fsdfsd.keratadze.at/15D7381D228031CF

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/15D7381D228031CF

http://xlowfznrg4wf7dli.ONION/15D7381D228031CF

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVERqmvin.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/8460CEA76DABAC http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/8460CEA76DABAC http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/8460CEA76DABAC If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/8460CEA76DABAC 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/8460CEA76DABAC http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/8460CEA76DABAC http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/8460CEA76DABAC Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/8460CEA76DABAC Your personal identification ID: 8460CEA76DABAC

URLs

http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/8460CEA76DABAC

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/8460CEA76DABAC

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/8460CEA76DABAC

http://k7tlx3ghr3m4n2tu.onion/8460CEA76DABAC

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ibuju.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://ytrest84y5i456hghadefdsd.pontogrot.com/15D7381D228031CF 2. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/15D7381D228031CF 3. http://5rport45vcdef345adfkksawe.bematvocal.at/15D7381D228031CF If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/15D7381D228031CF 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://ytrest84y5i456hghadefdsd.pontogrot.com/15D7381D228031CF http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/15D7381D228031CF http://5rport45vcdef345adfkksawe.bematvocal.at/15D7381D228031CF *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/15D7381D228031CF *-*-* Your personal identification ID: 15D7381D228031CF

URLs

http://ytrest84y5i456hghadefdsd.pontogrot.com/15D7381D228031CF

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/15D7381D228031CF

http://5rport45vcdef345adfkksawe.bematvocal.at/15D7381D228031CF

http://fwgrhsao3aoml7ej.onion/15D7381D228031CF

http://fwgrhsao3aoml7ej.ONION/15D7381D228031CF

Signatures

Cerber 8 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

Processes:

Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exetaskkill.exeTrojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exeHEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exeTrojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe

description	ioc	process
Mutant created	shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6}	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
1448	taskkill.exe
Mutant created	shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6}	Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
Mutant created	shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6}	HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
Mutant created	shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6}	Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe
Mutant created	shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6}	Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
Mutant created	shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6}	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
Mutant created	shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6}	Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe

Cerber family
cerber
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky family
locky
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Contacts a large (8811) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1808 netsh.exe
2232 netsh.exe

pid	process
1808	netsh.exe
2232	netsh.exe

Executes dropped EXE 52 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeHEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exeHEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exeTrojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exeTrojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exeTrojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exeTrojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exeTrojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exeTrojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exeTrojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exeTrojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exeTrojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exeTrojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exeTrojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exeTrojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exeTrojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exeTrojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exeTrojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exeTrojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exeTrojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exeTrojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exeTrojan-Ransom.Win32.Wanna.zbu-4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee.exeTrojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exeTrojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeTrojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exeTrojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exeTrojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exeTrojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exeTrojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exeTrojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exeHEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeRj3fNWF3.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeRj3fNWF3.exeHEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exeTrojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exeTrojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exeTrojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe

pid	process
2016	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
2808	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
532	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
1868	HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
2800	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
2424	Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
2928	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
1976	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
2948	Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
1856	Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe
2076	Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe
2936	Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
2160	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
2788	Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
2976	Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe
2064	Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
816	Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
1920	Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe
3016	Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe
2456	Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe
2292	Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe
3008	Trojan-Ransom.Win32.Wanna.zbu-4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee.exe
1300	Trojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exe
2472	Trojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exe
1092	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
1792	Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
992	Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
708	Trojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exe
1444	Trojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exe
1752	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
2104	Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe
2224	Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
2748	Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
1076	Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe
480	Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
988	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
2136	Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
2584	Rj3fNWF3.exe
908	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
2496	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
1676	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
1004	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
2092	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
524	Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
2124	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
2792	Rj3fNWF3.exe
2000	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
2336	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
2344	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
2060	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
1932	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe

Loads dropped DLL 9 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeTrojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exeWerFault.exe

pid	process
2016	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
2224	Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
992	Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
2016	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
816	Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
816	Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 103.25.202.192

description	ioc
Destination IP	103.25.202.192

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe

description	ioc	process
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
File opened for modification	C:\Users\Public\desktop.ini	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3016-123-0x0000000001320000-0x00000000014A2000-memory.dmp	autoit_exe
behavioral1/memory/1076-266-0x0000000001320000-0x00000000014A2000-memory.dmp	autoit_exe
behavioral1/memory/3016-265-0x0000000001320000-0x00000000014A2000-memory.dmp	autoit_exe
behavioral1/memory/1076-313-0x0000000001320000-0x00000000014A2000-memory.dmp	autoit_exe
behavioral1/memory/620-1959-0x0000000000D90000-0x0000000000F12000-memory.dmp	autoit_exe
behavioral1/memory/1076-1999-0x0000000001320000-0x00000000014A2000-memory.dmp	autoit_exe
behavioral1/memory/3016-2010-0x0000000001320000-0x00000000014A2000-memory.dmp	autoit_exe
behavioral1/memory/2600-2030-0x0000000000D90000-0x0000000000F12000-memory.dmp	autoit_exe
behavioral1/memory/620-2056-0x0000000000D90000-0x0000000000F12000-memory.dmp	autoit_exe
behavioral1/memory/2600-2206-0x0000000000D90000-0x0000000000F12000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exeHEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exeHEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exeTrojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exeTrojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exeTrojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe

description	pid	process	target process
PID 1792 set thread context of 2748	1792	Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe	Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
PID 2016 set thread context of 988	2016	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
PID 992 set thread context of 2136	992	Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe	Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
PID 2808 set thread context of 908	2808	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
PID 908 set thread context of 1676	908	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
PID 1092 set thread context of 1004	1092	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
PID 2160 set thread context of 2092	2160	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
PID 2224 set thread context of 524	2224	Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe	Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
PID 908 set thread context of 2124	908	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
PID 532 set thread context of 2000	532	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
PID 2928 set thread context of 2336	2928	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
PID 1976 set thread context of 2344	1976	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
PID 2800 set thread context of 2060	2800	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
PID 1752 set thread context of 1932	1752	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe	upx
behavioral1/memory/3016-123-0x0000000001320000-0x00000000014A2000-memory.dmp	upx
behavioral1/memory/2292-127-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2292-126-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe	upx
behavioral1/memory/1792-183-0x0000000000FE0000-0x0000000001026000-memory.dmp	upx
behavioral1/memory/1792-252-0x0000000000FE0000-0x0000000001026000-memory.dmp	upx
behavioral1/memory/2748-254-0x0000000000FE0000-0x0000000001026000-memory.dmp	upx
behavioral1/memory/1920-255-0x0000000000400000-0x00000000005EC000-memory.dmp	upx
behavioral1/memory/1076-266-0x0000000001320000-0x00000000014A2000-memory.dmp	upx
behavioral1/memory/3016-265-0x0000000001320000-0x00000000014A2000-memory.dmp	upx
behavioral1/memory/988-287-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/988-285-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/988-283-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/988-289-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/988-288-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1920-297-0x0000000000400000-0x00000000005EC000-memory.dmp	upx
behavioral1/memory/988-298-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1076-313-0x0000000001320000-0x00000000014A2000-memory.dmp	upx
behavioral1/memory/620-1959-0x0000000000D90000-0x0000000000F12000-memory.dmp	upx
behavioral1/memory/1076-1999-0x0000000001320000-0x00000000014A2000-memory.dmp	upx
behavioral1/memory/3016-2010-0x0000000001320000-0x00000000014A2000-memory.dmp	upx
behavioral1/memory/2600-2030-0x0000000000D90000-0x0000000000F12000-memory.dmp	upx
behavioral1/memory/620-2056-0x0000000000D90000-0x0000000000F12000-memory.dmp	upx
behavioral1/memory/2600-2206-0x0000000000D90000-0x0000000000F12000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe

description	ioc	process
File created	C:\Windows\tsrmxyujujgo.exe	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
File opened for modification	C:\Windows\tsrmxyujujgo.exe	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	process	target process
2432	2076	WerFault.exe	Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exeTrojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exeTrojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exeTrojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exeHEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeTrojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exenetsh.exeWScript.exeHEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exeTrojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exeHEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exeTrojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exeTrojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeTrojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exeTrojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exeschtasks.exevssadmin.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeTrojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exeTrojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exeTrojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exeHEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exeTrojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeTrojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exeTrojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exeRj3fNWF3.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exeHEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeTrojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exeTrojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exeTrojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exeTrojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exeTrojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exeTrojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeRj3fNWF3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rj3fNWF3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rj3fNWF3.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2108 PING.EXE

pid	process
2108	PING.EXE

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00290\Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe	nsis_installer_1
C:\Users\Admin\Desktop\00290\Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe	nsis_installer_2

Interacts with shadow copies 3 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

2840 vssadmin.exe
588 vssadmin.exe
1780 vssadmin.exe
2616 vssadmin.exe
2160 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1448 taskkill.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

2428 NOTEPAD.EXE
1872 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2108 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1824 schtasks.exe

pid	process
2840	vssadmin.exe
588	vssadmin.exe
1780	vssadmin.exe
2616	vssadmin.exe
2160	vssadmin.exe

pid	process
1448	taskkill.exe

pid	process
2428	NOTEPAD.EXE
1872	NOTEPAD.EXE

pid	process
2108	PING.EXE

pid	process
1824	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 31 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeHEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeHEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exeTrojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exeTrojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exeTrojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exeTrojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exeTrojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exeTrojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exeTrojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exeTrojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exeTrojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exeTrojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exeTrojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exeTrojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exeTrojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exeTrojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exeTrojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exeTrojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exeTrojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exeTrojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exeTrojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exeTrojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exeTrojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exeTrojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exeTrojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe

pid	process
2016	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
532	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
2808	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
1868	HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
2424	Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
2800	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
2928	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
1976	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
2976	Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe
2948	Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
2788	Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
2936	Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
2160	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
2076	Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe
2064	Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
816	Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
2456	Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe
1920	Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe
2292	Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe
3016	Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe
1300	Trojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exe
708	Trojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exe
2472	Trojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exe
1444	Trojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exe
1092	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
1752	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
1792	Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
2104	Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe
992	Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
2224	Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeTrojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe

pid	process
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe

pid process

2948 Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe

pid	process
2948	Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exeTrojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exeTrojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe

pid	process
2016	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
992	Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
2224	Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exetaskmgr.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exeTrojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe

description	pid	process
Token: SeRestorePrivilege	3044	7zFM.exe
Token: 35	3044	7zFM.exe
Token: SeSecurityPrivilege	3044	7zFM.exe
Token: SeDebugPrivilege	2084	taskmgr.exe
Token: SeDebugPrivilege	908	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
Token: SeDebugPrivilege	2060	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe

pid	process
3044	7zFM.exe
3044	7zFM.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
1092	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
1752	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
2084	taskmgr.exe
1092	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
2084	taskmgr.exe
1752	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe

pid	process
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
1092	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
1752	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
2084	taskmgr.exe
1092	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
2084	taskmgr.exe
1752	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe
2084	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exeTrojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exeTrojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exeTrojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe

pid	process
2800	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
1092	Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
1752	Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
1764	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe

pid process

2292 Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe

pid	process
2292	Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1496 wrote to memory of 2016	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
PID 1496 wrote to memory of 2016	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
PID 1496 wrote to memory of 2016	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
PID 1496 wrote to memory of 2016	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
PID 1496 wrote to memory of 2016	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
PID 1496 wrote to memory of 2016	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
PID 1496 wrote to memory of 2016	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
PID 1496 wrote to memory of 532	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
PID 1496 wrote to memory of 532	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
PID 1496 wrote to memory of 532	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
PID 1496 wrote to memory of 532	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
PID 1496 wrote to memory of 2808	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
PID 1496 wrote to memory of 2808	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
PID 1496 wrote to memory of 2808	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
PID 1496 wrote to memory of 2808	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
PID 1496 wrote to memory of 1868	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
PID 1496 wrote to memory of 1868	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
PID 1496 wrote to memory of 1868	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
PID 1496 wrote to memory of 1868	1496	cmd.exe	HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
PID 1496 wrote to memory of 2424	1496	cmd.exe	Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
PID 1496 wrote to memory of 2424	1496	cmd.exe	Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
PID 1496 wrote to memory of 2424	1496	cmd.exe	Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
PID 1496 wrote to memory of 2424	1496	cmd.exe	Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
PID 1496 wrote to memory of 2800	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
PID 1496 wrote to memory of 2800	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
PID 1496 wrote to memory of 2800	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
PID 1496 wrote to memory of 2800	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
PID 1496 wrote to memory of 2928	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
PID 1496 wrote to memory of 2928	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
PID 1496 wrote to memory of 2928	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
PID 1496 wrote to memory of 2928	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
PID 1496 wrote to memory of 1976	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
PID 1496 wrote to memory of 1976	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
PID 1496 wrote to memory of 1976	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
PID 1496 wrote to memory of 1976	1496	cmd.exe	Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
PID 1496 wrote to memory of 1856	1496	cmd.exe	Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe
PID 1496 wrote to memory of 1856	1496	cmd.exe	Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe
PID 1496 wrote to memory of 1856	1496	cmd.exe	Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe
PID 1496 wrote to memory of 1764	1496	cmd.exe	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
PID 1496 wrote to memory of 1764	1496	cmd.exe	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
PID 1496 wrote to memory of 1764	1496	cmd.exe	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
PID 1496 wrote to memory of 1764	1496	cmd.exe	Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
PID 1496 wrote to memory of 2976	1496	cmd.exe	Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe
PID 1496 wrote to memory of 2976	1496	cmd.exe	Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe
PID 1496 wrote to memory of 2976	1496	cmd.exe	Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe
PID 1496 wrote to memory of 2976	1496	cmd.exe	Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe
PID 1496 wrote to memory of 2948	1496	cmd.exe	Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
PID 1496 wrote to memory of 2948	1496	cmd.exe	Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
PID 1496 wrote to memory of 2948	1496	cmd.exe	Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
PID 1496 wrote to memory of 2948	1496	cmd.exe	Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
PID 1496 wrote to memory of 2788	1496	cmd.exe	Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
PID 1496 wrote to memory of 2788	1496	cmd.exe	Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
PID 1496 wrote to memory of 2788	1496	cmd.exe	Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
PID 1496 wrote to memory of 2788	1496	cmd.exe	Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
PID 1496 wrote to memory of 2936	1496	cmd.exe	Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
PID 1496 wrote to memory of 2936	1496	cmd.exe	Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
PID 1496 wrote to memory of 2936	1496	cmd.exe	Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
PID 1496 wrote to memory of 2936	1496	cmd.exe	Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
PID 1496 wrote to memory of 2160	1496	cmd.exe	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
PID 1496 wrote to memory of 2160	1496	cmd.exe	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
PID 1496 wrote to memory of 2160	1496	cmd.exe	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
PID 1496 wrote to memory of 2160	1496	cmd.exe	Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
PID 1496 wrote to memory of 2076	1496	cmd.exe	Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe
PID 1496 wrote to memory of 2076	1496	cmd.exe	Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00290.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3044

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
  HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  PID:2016
- - C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:988
- C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
  HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:532
- - C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
    HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2000
  - - C:\Users\Admin\Documents\nsghdc.exe
      C:\Users\Admin\Documents\nsghdc.exe
      4⤵
      PID:1312
    - - C:\Users\Admin\Documents\nsghdc.exe
        
        C:\Users\Admin\Documents\nsghdc.exe
        5⤵
        
        PID:1828
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00290\HEUR-T~2.EXE >> NUL
      4⤵
      PID:1392
- C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
  HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2808
- - C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
    HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:908
  - - C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
      "C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe" /stext C:\ProgramData\Mails.txt
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:1676
  - - C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
      "C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe" /stext C:\ProgramData\Browsers.txt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2124
- - C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe
    "C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe" g753g1 DZTNwSWsp 908
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2496
- C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
  HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe
  2⤵
  - Cerber
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1868
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
  Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2424
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
    Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe
    3⤵
    PID:2272
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
  Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2800
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
    Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
  - - C:\Windows\tsrmxyujujgo.exe
      C:\Windows\tsrmxyujujgo.exe
      4⤵
      PID:2744
    - - C:\Windows\tsrmxyujujgo.exe
        
        C:\Windows\tsrmxyujujgo.exe
        5⤵
        
        PID:1612
      - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        6⤵
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00290\TR0FC7~1.EXE
      4⤵
      PID:1008
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
  Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2928
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
    Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe
    3⤵
    - Executes dropped EXE
    PID:2336
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
  Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1976
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
    Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe
    3⤵
    - Executes dropped EXE
    PID:2344
  - - C:\Windows\hypdcybfomwk.exe
      C:\Windows\hypdcybfomwk.exe
      4⤵
      PID:316
    - - C:\Windows\hypdcybfomwk.exe
        
        C:\Windows\hypdcybfomwk.exe
        5⤵
        
        PID:1720
      - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        6⤵
        
        PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00290\TRF7C5~1.EXE
      4⤵
      PID:2580
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe
  Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://get.adobe.com/flashplayer/completion/adm/?exitcode=3&type=install
    3⤵
    PID:1136
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1136 CREDAT:275457 /prefetch:2
      4⤵
      PID:1500
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
  Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1764
- - C:\Users\Admin\AppData\Roaming\lpt9.{208D2C60-3AEA-1069-A2D7-08002B30309D}\dbhost.exe
    C:\Users\Admin\AppData\Roaming\lpt9.{208D2C60-3AEA-1069-A2D7-08002B30309D}\dbhost.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\6B14C1C8.cmd
    3⤵
    PID:1392
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe
  Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2976
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
  Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2948
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
  Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2788
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
  Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2936
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
  Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2160
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
    Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    PID:2092
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2840
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe
  Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2432
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
  Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2064
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
    "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
    3⤵
    PID:2756
  - - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
      "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
      4⤵
      PID:1828
    - - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        5⤵
        
        PID:2592
      - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        6⤵
        
        PID:2056
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        7⤵
        
        PID:2224
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        8⤵
        
        PID:1876
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        9⤵
        
        PID:2264
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        10⤵
        
        PID:2456
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        11⤵
        
        PID:2512
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        12⤵
        
        PID:2324
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        13⤵
        
        PID:2112
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        14⤵
        
        PID:2224
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        15⤵
        
        PID:1104
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        16⤵
        
        PID:1632
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        17⤵
        
        PID:1264
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        18⤵
        
        PID:2140
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        19⤵
        
        PID:1980
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        20⤵
        
        PID:1912
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        21⤵
        
        PID:3340
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        22⤵
        
        PID:3576
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        23⤵
        
        PID:4056
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        24⤵
        
        PID:3640
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        25⤵
        
        PID:3952
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        26⤵
        
        PID:1376
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        27⤵
        
        PID:2796
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        28⤵
        
        PID:2724
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        29⤵
        
        PID:2624
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        30⤵
        
        PID:1392
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        31⤵
        
        PID:3124
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        32⤵
        
        PID:3912
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        33⤵
        
        PID:488
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        34⤵
        
        PID:3076
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        35⤵
        
        PID:2540
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        36⤵
        
        PID:1292
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        37⤵
        
        PID:3692
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        38⤵
        
        PID:3828
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        39⤵
        
        PID:2244
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        40⤵
        
        PID:2868
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        41⤵
        
        PID:3964
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        42⤵
        
        PID:2696
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        43⤵
        
        PID:3244
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        44⤵
        
        PID:1680
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        45⤵
        
        PID:1936
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        46⤵
        
        PID:3368
        
        C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe
        
        "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe" g
        47⤵
        
        PID:3584
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
  Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:816
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe
    "C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe" g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:480
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1824
- - C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
    "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2584
  - - C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
      "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2792
  - - C:\Windows\SysWOW64\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:588
  - - C:\Windows\SysWOW64\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1780
  - - C:\Windows\SysWOW64\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2616
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f252888.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe
  Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2456
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe
  Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1920
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe
  Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of UnmapMainImage
  PID:2292
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe
  Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3016
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe
    C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C echo. > "C:\Users\Admin\AppData\Roaming\Isass.exe":Zone.Identifier
      4⤵
      PID:2908
  - - C:\Users\Admin\AppData\Roaming\Isass.exe
      C:\Users\Admin\AppData\Roaming\Isass.exe
      4⤵
      PID:620
    - - C:\Users\Admin\AppData\Roaming\Isass.exe
        
        C:\Users\Admin\AppData\Roaming\Isass.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"
        5⤵
        
        PID:2600
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Wanna.zbu-4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee.exe
  Trojan-Ransom.Win32.Wanna.zbu-4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exe
  Trojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1300
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exe
  Trojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:708
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exe
  Trojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2472
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exe
  Trojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1444
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
  Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1092
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
    Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe
    3⤵
    - Cerber
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1004
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
  Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1752
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
    Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe
    3⤵
    - Cerber
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1932
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
  Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1792
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
    C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe
    3⤵
    - Cerber
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2748
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:2232
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1808
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_LVOF_.hta"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_YRRW0F_.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1368
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe"
        5⤵
        Cerber
        Kills process with taskkill
        
        PID:1448
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2108
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe
  Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe
  2⤵
  - Cerber
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2104
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
  Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  PID:992
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
    Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2136
- C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
  Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  PID:2224
- - C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
    Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2576

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2712

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x450
1⤵
PID:1992

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3312

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_YRRW0F_.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1872

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVERqmvin.html

Filesize
7KB

MD5
eadd07e5a5da785bcce6680959cea880

SHA1
0d293ffcef9bcb8c2f2dc143216ed7abaa9f05e6

SHA256
db562817745cee7e6e949f20c16889132f5ef3a6b77c214e322076caa3a2c65b

SHA512
1781423a69ad0146b39b10640403b4ab587aac7a4bf015cd0f655fed4281a8e0bf5b3c39ee19ac2081ea066a24e0b3401e31380e443f9ddd609a20f0c602703f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVERqmvin.png

Filesize
80KB

MD5
96886d704fd6c5a24a074b184243052f

SHA1
9072e40f916e121a1bafeebf966c4fb6dc879b93

SHA256
61ef2e034d5d5dceea6377643103407f3d554db570cf66f769072fa991936143

SHA512
6f4391158c1b654a98fbf271e0a48168da90c54b1727822e8ff4ff2a2c866150ddd1f75529beabcacc71030742774854526706cce8dadd05a4941a3d70752dfa

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVERqmvin.txt

Filesize
2KB

MD5
7827450dde17e835faca67a5dc8cafe7

SHA1
d75f12a4b51e742306a8fe47b7a726859ab4020c

SHA256
b30aed75b82b1598acee00bb2e9235c7685f11d7fb12adaa53bb1748b548dfa7

SHA512
e5eb592a691ff4b74259dd132297647d8e3130322490181a2e76f5c24bfc14e5648ef02a82ad5c59a3709b15db348fea693a887fb31ea571c5e49b68f89e385f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ibuju.html

Filesize
9KB

MD5
62aeb38b798ffa08d3e9f1c26b4b29cd

SHA1
ffad156ff760bb30493f944461f8a5a1ac0383bc

SHA256
3459594fbda497bc21b4ffffbb57cd5648b8112d9938b6085aa12f583e9edff2

SHA512
9a74661257c3f6386cba6c2a27faf028e2a39fa6f55e1adcf4be3e3eaff5371e6b55009b098dd937cff22324ebda21b23d858037ee4a17c9cbafc19dd2a7e040

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ibuju.png

Filesize
68KB

MD5
90876d0e7676e57c2ec2524a6d7a9e48

SHA1
396545d133029dba6a143fdd51fe163dcab5cf13

SHA256
4e8783f5e2fd6a0e2ad8281b796b1a118423876041711cbed5786b5d19a76adf

SHA512
b7328aed3ee3dd918499a07b558b89e360f05bc759db49d50524da5d9484444495e28848db87d20d1fca39f30fcf2b5e33ac954c3825ba8648501a77189394d5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ibuju.txt

Filesize
2KB

MD5
36144b4b16f683cdc062a3bf0bf40636

SHA1
b16d06b6e5f81e8efeb517347d5dc7e1766908e7

SHA256
40b285c20fb217eaa298a8e8a6693021ff15973745616a435bee46539ad42f68

SHA512
b88eba07a3e82c29987e674d343a656e3e61d314ad4a541c1220ddd8f4a0c83519c320009a109c3ee68399ef523818ebb9359961b8b7cafbae2febb7e5e0ace7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+iabol.html

Filesize
11KB

MD5
d2ffda6d93455e8fc0ca067c6b7ffdcb

SHA1
d840fb17601c3ef594f7c478774112406aabcbc7

SHA256
4c97fc2933f7f8ce16de2324ddc8d3829d006fd2ae87206118a93e39cf3e3f9b

SHA512
321d22d0b4bcddb56243845d57bb746e36d8f3c0408713d661bd351f74fe1a75bd048dbac6724ed176f888db20f1a24e41141192a13c294ad5da748bcbc8c974

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+iabol.png

Filesize
62KB

MD5
a985580156ceb7f02f6733c822ee8565

SHA1
83d4ca1e094220ece44ae9e1838e4a924f2a93fb

SHA256
333156eaf80a27c13b73584d4ce95f78323a3379b138ed72510df79672f59f57

SHA512
e850f7158db1c87a52962fa40635762de141b3513e0836c071452775cb1adafda6aaf31483a8cf54708bc69daa02491ad8ba99aa4a7afe06e185dce1120bcfe1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+iabol.txt

Filesize
1KB

MD5
d4e67e805aa92915364d5d47524ad630

SHA1
ff44ff54b63bcc80501bb897debbef92ba3e6d71

SHA256
f45948d46ba2254dd29481c041a83dafefa6d0e0fabba3d880a816c3969638e1

SHA512
da049f1f435e3c0d4d81b82f0ae690459dab068ab019a8e3f48f6ceaafb1f6b142532fc0b0b4ae226b664908f473c110aa8e5924585f43bc831cbd58ee677413

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
2abc5bc4353f2bf18ec55b63e2b4defa

SHA1
b35e48adedb39523dd2b7b83e802ca4e3ae6de84

SHA256
8e6871f635e53129610979cbe81938a6d38e9cd99e809352196275f71e273e37

SHA512
c87148d5be688e075923c8b29fae8faeb08c1eb0a4d1b0b90478daea5b11da23eec2b247b65f788129ed2802c7eb62a7fa52123735f8011e75450efd9dae655c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B14C1C8.cmd

Filesize
198B

MD5
84b0e3690444b0a441c55dee57d94092

SHA1
f67c644a06886abee4c28f3e5e1b0f6db93af8d5

SHA256
316fa1eec2091dec828b8936cc36accf5585bca1a15482ae2d2f4351c1d63aa9

SHA512
c3fca7a13109aa6acbcebc8854b1676648b6bb91916c1c7b5c72eacbc452c0567be150ce0a73e88781c631ac1f2ee6c6c2befd91ee349bf11f02ec0156092f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut586D.tmp

Filesize
9KB

MD5
77d45da97617c672538dad546a05748a

SHA1
785fe1093cf9cc2be8a1db7f79efa8490a320f6f

SHA256
03a972e8855e355f7cfb379da67b44d0eb45d076b35e57f1eb3cd18d84dddb2b

SHA512
d1dd2096ce669def6dd5c09fd403492472216b0f782fd20305b96ebe7044087e0a508d585d6943477c5647c2c681f9dc197bd3557fac6baeabd00a1737f95c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\delph1.bin

Filesize
108KB

MD5
62525c14d6d47f74aa1edd0185c76e99

SHA1
0ec064c3057f19e3b8103a19d3ea24437c901e06

SHA256
505d56c1c6490575a445685596bf2442730883054821cfe856c6761d80129efe

SHA512
7f903250903f592ec57e73e73ed5e5c548df778640fbc93ece6953707b55150ffebd32a98e30f25b383129468f7dc2d3c3957f510fabc7be8fc564be55db4310

Download Submit
C:\Users\Admin\AppData\Local\Temp\drkqaeg

Filesize
49KB

MD5
4548111720326b6f66e6e17bc6750d99

SHA1
27d5ada93cc30f6e97fe6598e41666c334033f8a

SHA256
19fa6a6715cc597fecb48b6e51cd40ea554b1241c3cf4957eede1b8aaa0e27e7

SHA512
677970db1ac6e6943af304a33aaae026542b5a25fdc839f7787c520bd765beb9be73da412860fc29dc167891df232dc1c9cda1340b29f4238952ff4b2b2e77aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\kidvsop

Filesize
19KB

MD5
605560409ea9a2b17865ab4004e8e749

SHA1
ea149de5a167ed5550202ae93beded081f214ffc

SHA256
fb4ca9a4bfbb82725ac48e6bfa61309e55ab5a275ccbd8d9db6d4e3d11feb8da

SHA512
7f4b58276b1c29be93154c164e604595f52ba9e33d87ddc0c7ca6aeaa8624d4e3dc8c1c020c81e88762f148f4e731b297e14459c8d295aa9ceb648cc412e58d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5295.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
C:\Users\Admin\AppData\Local\Temp\pd4ta.bin

Filesize
4KB

MD5
1eefe4a9a29bacba5dc32f36102c4ce9

SHA1
482d71dca6148a4c4a05b2ea4395c481478c961c

SHA256
799d4532b788656b1dfe8a0f1ffbb5970ef393bc7fcf015f19699e58dc9fa9ae

SHA512
37bd2f4e3a69f48b869b8ec14ae1ae01ea7cf7c2d7020b3224210edd53fbb7c4ea1f30780c394d518b81eb7af420f43ec773a789c34e743c313cb11e6d400943

Download Submit
C:\Users\Admin\AppData\Local\Temp\pd4ta.dat

Filesize
5KB

MD5
10c0ec7ed77302d8c7b5ca5cd15a7fb3

SHA1
5fdb2608ab136e712c0e929e6ef8a4294d32b55a

SHA256
19b2701fc2edff3debe61129b402d8e4aba7fa37f76146ca91edb060c5d4c46c

SHA512
8169694e865cfb073b15fd5fbc387092e366ccbce63ea7f675ee425927a296ecf48fde62c0eaa26ba71c389b9b093e25085011dfc0bbe56c7b1a789ac04c9189

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF04C91D5F33B33F94.TMP

Filesize
16KB

MD5
1de7ccfd0a2c763d6395515608931f40

SHA1
8455caaab02dd6761e6f8ef97434b9aeb3e0d11a

SHA256
da49b93ed7479cd236de41a1f2b5180807499e7d5293a9c1f44424554a68dea1

SHA512
6e883584bd88a306110cf9a62c1d34ceb70165a7a86659d3743347fa293284c28e30232f769acf12d8c3cf0a5120df75be019e212a711c972ba5643036642375

Download Submit
C:\Users\Admin\AppData\Roaming\481EE7640F9AAE4A192A4196ECE75234

Filesize
53B

MD5
f32acc491d3a8d278a691d4f0b07570b

SHA1
14cd7c2f93b7682c953f9053dd6957762e4ed2d7

SHA256
c9f18085eaea446a4910a70f332577267d3f483ca71c8bf63dd1c208efd5fb3c

SHA512
7b32a62037441e182d04aeb7f3863e629a135f6f3e14128b18ef825aee7436bd9d004ce2beeeca4c6c7f0406faf4d79874506cd6c5b592faf5be858f4f6854fa

Download Submit
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Agent.gen-d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1.exe

Filesize
910KB

MD5
2236aeb7f5985071cee2b60b264cd8e8

SHA1
a9a20b337fe2c2343454394bc40369ae5c403c78

SHA256
d8026055611c844ffdb477ddcadbed3ce65c8d748acb3d09bc4b9eb3423bb9c1

SHA512
8064871a2c89795a7a5eec5b9f742061ce998e0eb867100c3228224d5ff6d96568bf8cfbc06bff07ee7e07d568e4529c625cbd693f1b84f405eac4b7f1160f96

Download Submit
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Bitman.gen-948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec.exe

Filesize
389KB

MD5
b941ae3f452dda3bb26ebeff6f8a57db

SHA1
d3055fbad0e8bb5a8e3962c6c82a053767a27711

SHA256
948343ce59134ef502437c3b75c35e5f373add857143ee7ad7398cc69029deec

SHA512
fd50e63c068bb8328ac2e3a1d7322a4fdda7b31c4733d50f942580409c9808d42c062c347792d88e5a98d95ef468ea48f7fcc8556405e39302df6591dc8d5ab4

Download Submit
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Blocker.gen-02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014.exe

Filesize
1.3MB

MD5
c6e1a30ebb4c046784174a6d87dd8c72

SHA1
e38cc57374c7063c678086c1f35079530962b446

SHA256
02d3c40798dd1a9622efa4803b22b34c017a032bf84736f7c852a090d0c18014

SHA512
4b6e5ca679ea56d9d797ce832fa1e8dd17caa21b4dec493d658989807242ff9a138f367cf734e97d2ae6468cf406f78758d4153ad72b3d1eaa93a48ed4fac0fe

Download Submit
C:\Users\Admin\Desktop\00290\HEUR-Trojan-Ransom.Win32.Zerber.vho-0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5.exe

Filesize
266KB

MD5
ad4daa19df6b79f3f579f70734e069ff

SHA1
0e40b186007eae5431f2cd37db397df8a4ebe4d7

SHA256
0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5

SHA512
d23469a3d8e87fa192ce427b835a934450d7e3c7311cf664c2b452c202e700df751a16f60b0f60ccca35f5ab5e294a278ae3eb83bb7fd24bf548a1a3bccd9239

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.NSIS.Onion.afyn-5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6.exe

Filesize
117KB

MD5
f14f1e4ca341f809487027fdc99fcfda

SHA1
aac84cb19f3a37ab8be1470c0d93bb582b92ab23

SHA256
5c99a4190d70292980bb85844ab1eae7da0cc5bc7990c88c6be38b10e98907e6

SHA512
c0bebe5aa19b19239cd12ad2c999a0960c66ebf853b83263bc4c5e35a0e8aa313aa17eb9f89cf2e5e56024cd8421adcbb969c8b82fdd10b69a832a936b00f167

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.jzf-e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea.exe

Filesize
380KB

MD5
4982c3d01df0abd18e149a74824d272c

SHA1
1e0ab928d0ef465f6bf5e1712f4f7e9e8a37cbf2

SHA256
e1e53cc03c6dc2c48fbc59943d1b7eb58e5b784bace95a6ff50699a3fd2ca1ea

SHA512
23492feb43c7ba2f4ce309f766ef6be0cfce62c06a8f3db3319029b167935668f86b3a305bab60629691258b83981f6cda25f461b79b5fdb8dbd0b7f61d4db7a

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.kmw-7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239.exe

Filesize
372KB

MD5
878ab2ec640b2afd7f34ab598a6c35de

SHA1
a44db3cb6e3140b520cc4f6c812d4cc61eda0930

SHA256
7f78975adcaa1d0225ebd25bd055126aa1fb9bbfb5ff50879fd3eb77f7bd7239

SHA512
c84dc8def5b9ab9cb42afc4851b5bc4ea46fd85f18f2770d3c136914a6a3f82c541e10dee36e91b6becde76101b5c96e675a1a55d38b290be46704e1978610fd

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Bitman.lff-7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911.exe

Filesize
369KB

MD5
a5e1ef215cb67914ab3ecc4003beee7c

SHA1
40c44d5fcdf2a0a7731827251e98397509be250d

SHA256
7a2f830bb2076cd13fb80c7dcd7d372c0e2c68f3decebe8a3b74dc9cccf02911

SHA512
f3a42313795d5232b672f89cadd807d0c215797403bd52ef09af176b194667f4a9ac375ada45df6a23a256b70cc7856e3be1c3a24190ebf15169457b3371888d

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Blocker.jzvu-7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375.exe

Filesize
756KB

MD5
fade5d31ec3f2c4ad7ef39cb3cfa535c

SHA1
f39cf39945ee95e93014ee9b57f2e750c9202c24

SHA256
7ce97ffd28a983ced022ca9ca7915d79577748cde37d40a39d93588326736375

SHA512
81f51e6a5a877d39170dc887ef6751450c95d4caebe42ec89124945963bab2990d53efe6f94d9eb4c55d68d79cd4b4bd1c36dc2bacf20932042a3c22165b6ccb

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Foreign.nocl-65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16.exe

Filesize
266KB

MD5
70c6ac0dfd6972a4d89880c1120fef8c

SHA1
d362171859c71dd248450604522bc64df78c9e33

SHA256
65f4744d55ae3a61b314896ddf565cc0b56db07cbf1b58ddf377610af7eb3c16

SHA512
c425394ff39ece1878759243149096f9b3cd889ce9dd923f0c62684798710406f21775e56ae3d26777a9f782e6f76620c17e3760a3dad32b86297d006c5e65e2

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.bil-8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e.exe

Filesize
244KB

MD5
e4ffdf2c2cc044b334637de0ae662e25

SHA1
de80c1e08a11e23c7670affbe47de13d711b3e07

SHA256
8d67bcaf55bd13e35b6fe39843d296f004b0615f88988ad26b42264ccebd3c9e

SHA512
7097bf1456c621df282cbafaaf80325f218a738398c54dd40171890a720c7d64583d58afe6edebad088e8feb5968b883929efe61c44b7aeedb500c3371c37485

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.ch-c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5.exe

Filesize
188KB

MD5
4da52f86774c4ee7010c5671b106db40

SHA1
76c4ef9b7e64d87e5c582da74eca2c3f8c176f99

SHA256
c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5

SHA512
8c527cd09f703465ba94be805f4add2f5b8f4df18ba0db646fd1dcce6ca1f432cd4150e92e7c28a155198b6e099c10ea87b14d727cb21d2ab0c2372e2446618f

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Locky.uu-c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba.exe

Filesize
133KB

MD5
caff8cc0aab0ea1e6a906f86df7777b3

SHA1
af96d30dd699822b43ae8c2c296b096eec4613f2

SHA256
c6960c64bcec5dd39190d65c0eaa7b98df06c99f8ebf7da200c89aa66f7846ba

SHA512
474fd1a9bf2b3d6003ab34e07b930a7de52e2640fa7cfbf9c40fb6d612fd015717b136921be6404732d51e9c767dee4d4a9ac4eb9b9f1571b95c297cf083aab9

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.au-6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac.exe

Filesize
392KB

MD5
f040c59616d56d58e1fcf9b5eeb7a90e

SHA1
cdbc10b25fbdec64f65e88523cff423ccc6d9550

SHA256
6d52470280615c112aa1cb043e9fd9b2a631ef61ae5526383523a0e7aad7c1ac

SHA512
749a529a67e54943dfc6bcc1133ce9f6c98960ede89af48e0a6c26494e1ed5bf675c61f7f399704f8ceb4be69403cd5380c7b452a5908b9d77cce45e501021aa

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Purgen.bv-6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7.exe

Filesize
224KB

MD5
f94474596c6c4b46345625583b8afc0d

SHA1
15e8daafefbef10d8cc7578ee70b0935e094ec96

SHA256
6b74523793ce3d41d0a6c31398870fcdbbeece873ec15fb3ad43d2ffd45812f7

SHA512
7fddf677cb6b817656fb1ead956de9e403ade2ddd5d15169a9951092922d34896b81812e681565640f85b385d55e35c2bf0e8e24ef36bbec2e550b34d85560f5

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Radam.d-93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499.exe

Filesize
154KB

MD5
e62d58a48f3aca29acd535c3ae4b7ce1

SHA1
e58d5804d3134b6e0557d2210253d8914320a35a

SHA256
93e7f890967b26fb1c19e92bd9340922871c1726e3416201cf0eac86e4cb3499

SHA512
3ec457a0f59534f5a263d5fd2ba9830df02ad0c2e1abf0caf9736f530f5e9e334c908265729040311dd23aa7eaed84a209ba5b58056ac025db42d7358369a340

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.ccz-d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f.exe

Filesize
379KB

MD5
ea4088cbab7961c194033e806c085bd1

SHA1
cc5a365c4f3305c097d37c08de12dcbb010ca4dc

SHA256
d52670e2499a873ed642344b1aaf170e17877e88e7a7b86fabbe0a7277d52b6f

SHA512
351797525eb4579efed85f87d615414226ab80323c20142baabbc901dfe7e5f1e912754f1c31dfaa2912ababbfa17d599e06d93eb9dbd1b15952c591dbf89207

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.SageCrypt.dpo-e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb.exe

Filesize
433KB

MD5
33812e0b232ea7bc5e691a8bd5efb275

SHA1
01c8b3189f1611de65b328241e641649805d71e1

SHA256
e120a56e547432e04e4fe42254f194e0e1d23f48af09f4ee1b96d17c24372ccb

SHA512
787459ac4a0f6b35dacd608bc876d0c50520266220bdbf937f7b5290f64b73e0d98c8cb7eeb4b1ab78485b69a16aded50c3b2606b9b54a3d7df663b8b4549597

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.mwa-1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead.exe

Filesize
1.4MB

MD5
d3459166d75936ffff323e1f2bc972c1

SHA1
84ca1534b9c77b036f45960906af8f23bc562fcc

SHA256
1f40d28bffcfd9c436694319ee14a37719c46379881f2019b1d57557b98a0ead

SHA512
ebcc3434bccddcb903e2a228cf54349e11cd2b461397a69889ad75aed6096df3fb9b67be5c42f6623068cc796f6186e6031da08a5e51ac1a5bc87bb0fa725482

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.mzb-db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72.exe

Filesize
1.4MB

MD5
b254c18d227391401ef8f36051761c53

SHA1
413e9c98b45afd2c2e2e0b54cf1e5089c9954f66

SHA256
db3b70acd33d8089ee6071661736daa516a6a0073a86d2517c5db180709f2e72

SHA512
4fd9e70cfeef7e45e751e5da7e74123996c7742ffa27ebd9d3e511b1cdd8df69db70d7ff974c6af03885514fb0b5d28b1576a21dc5139b4004f398522e8f973a

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Shade.oyw-ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821.exe

Filesize
1.0MB

MD5
dfe7ba1e4812fe9219ec09d7f10465ac

SHA1
d793055f8b882bf05a6afb7eb4b9532441ba6276

SHA256
ffc12d202df7dafec54c766b24d0b817133b02985131d30b23f2ef6c86dc8821

SHA512
cdee7ae7ffda2f537e107b728fd4e56005fc44604c051ec950cc93626f0c6eb4a41c196105e405535e657ca6ea7c14abf4f284851966fe0c9f68d09f9ac84c32

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Snocry.dcq-1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e.exe

Filesize
683KB

MD5
156db6fa58faecd89712220972cc1f6e

SHA1
6614ce93d8c1bb21e3918b220c18571653671d85

SHA256
1a0d526589dc1b8f48df2d9f6f442bf7357f5bf61ca77ce924dc95b2b2c41e4e

SHA512
1f22915a8e91d2436cc54a2ebed4f89e6ac9fd2c4b1465f620fe3f9d0d289f36dbaef74689ffaa1d148add53ce3d1bb94091cfa72f0aa081a6880f67cb5b306a

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Wanna.zbu-4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee.exe

Filesize
3.4MB

MD5
82fd8635ff349f2f0d8d42c27d18bcb7

SHA1
c91b27f3ab872999a8f0a4ed96909d6f3970cb8b

SHA256
4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee

SHA512
d39555ffdbaede541fda01865f6923e126d4de5bb40e873298a44d55a83d9ed2188f972c2675276be7b1ffe020d88a73ae0bb661c49f6fd93f1d3dbd3c727ed5

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eajr-a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5.exe

Filesize
424KB

MD5
ed3c944314e63bb0924787ca31defef4

SHA1
89c1c471a203e30de39155d5d88323773b2f7480

SHA256
a54e58d1d012e053cd7ba6f6e36b4a3d9207f56aafc0f98ec2a507c2214086a5

SHA512
95fecc5df63ae23bca79cbdb727cf93e53560ff4daa080aa7161483f8459ce4ce64467dba8e548f7d7caa44cf150bcbfb221d6557114c34646e1c0ca6d24f667

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eaok-470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82.exe

Filesize
540KB

MD5
a33b0c0b35c798a6b794cfd74b0a14bd

SHA1
ee23f826b4f5efea03cb3c4248becabe35d11a01

SHA256
470a555b3e9bba12fb06928b2b021c824987ffe6b8e4fa9f5ee49ec026115b82

SHA512
21733c02e904e888816e7505b1f86e8ea892c69e4c060c2a8cf55f78c7c5c9b0a2a50cc252bab9ce25c8da385a9d5354ba705123e7c4ac95813883e4eb10d2e7

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.eatm-107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82.exe

Filesize
460KB

MD5
fc33bf1b25e08d1c5358cb5ecac65519

SHA1
d7dc88846e385b1a3f62084b6ce09ed75854f7e0

SHA256
107fc64f270e2bbe6d4b1b9af2bf22f04a17fbedcef2d6e7a0c502c1de7a1a82

SHA512
4024681128e59ef71d239c6d8d857ced70b6793836aff0f5507ad1eaa2cef2897682b495ba4b08215edfe243810388af95a4f3b7840a4a12d91168de5ec18888

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebdr-681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37.exe

Filesize
512KB

MD5
8c290a321dcb67e6c23a308c0fc6bdd8

SHA1
7501abfaa1ac9755b66f6966a90c1dc27fbfaf56

SHA256
681dd9f73db50422536b422e83d0dabfe172e9e94b483b6df5f6a09226856c37

SHA512
af8a6ce84bb2b5259b8bdbe5c0b9267626f276ef194892de26456fc3bdeb40654914f26e7935d73b4c50d158a025bfce6f209d4653c036884cd934eb393582d6

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebfa-d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363.exe

Filesize
580KB

MD5
ff2754cb8e71a2943059104917f4d39e

SHA1
fc57aa87d50b3306e23f32724a7159fab6d0a7c9

SHA256
d4d56569fe8bdf6d83b81bd6db3f89d0faf249be50e52446830048c854420363

SHA512
a39d7599566fd6144595181d7a2ee6de78ceb5c3264310ffc67bc13f0650355e3bd982c473358dbc275d72d6ac68ad8f5695d1925629174a657d9e6a25d33a34

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ebpf-9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6.exe

Filesize
355KB

MD5
966ea9bdba60a76ef2488433d0f548d6

SHA1
7d9957e7889b32744d5003f4f1e5986b1900aeda

SHA256
9cd4c03904bc1d4d022c6b6cd4f3bda5c33902a6c8d63dab07c7f3134c10ccc6

SHA512
eb2be0bbddc55524159282576dda11acd53aa8c60bab0b5eeb73d050cf7b5c52420f0b6a0b5009eb89cc6343cd02e9efc860eaaf238e712d276fa7af9c6e804a

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.flvg-8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90.exe

Filesize
336KB

MD5
a37993aac888dae0aee0ee2041a12ba5

SHA1
4ec03d3aa4140d66d00eccfd0ae6cb1c7843e12f

SHA256
8db2daa3a6a57e0ef7e01bc98095fc647f412b380b12487dc78ebb083e225b90

SHA512
59486f48152ece391e9d0712655ef8b4d5748d0f6db6a02431a5a236cf60ccc049d514fdb64cd0f7355c15dc0a00b2b184afb3040aa562c2f68311ef2b1a20d2

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.fqwn-9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe.exe

Filesize
269KB

MD5
575c95d590fd4ed1ee1052dd8d5f0b2d

SHA1
7e4682b652de8352dfc8de05967ae67941553070

SHA256
9301e7c9e468bb4ecb1b4fc159e2875e7ba06bce464be6d046df5b84f7e42efe

SHA512
e18e8dbc1ef709d907e090a4e04fb2968f4bfa12ccd5c1e66f408f536e948597a20d1ad9ffbadabc29f7a073001a71c6ee16198e33d483f916dc3ef4e35bd687

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.tpr-67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4.exe

Filesize
287KB

MD5
849fb8ec852a440d46ff8f91031d7f87

SHA1
3927903a6d8b4ab2cdb28cbba8b00447fba8e4c3

SHA256
67af6484c6d864b6030ead44a23ed397f6e755c60a79394e3fa586c578d09ed4

SHA512
1a3b26e707ce22cafe0f171929d49b75fb22291e22d6a205f3fcd2261fa3d0a008d7816dc3bd360978a13d16896c5255390b94aa8f2b31f2f8a0175e104b7a38

Download Submit
C:\Users\Admin\Desktop\00290\Trojan-Ransom.Win32.Zerber.ugz-6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1.exe

Filesize
284KB

MD5
e8dc3fc3df5e4cc0e11b7d9e77ee330b

SHA1
fd4b1f867e6cb1f2c239c28379b372908cf38973

SHA256
6016bc08b8eabed471a949b9dbc78b21cca4f0bef4e1838223e64c89309f22e1

SHA512
8c548fb6186d29b23303eca9ef7f9b10a34dba46d12cb7879a6a188e3b42dd710b7a53883ed969842fa7216f7fb967445db1d77d2983960aecdea1081fc5d5d3

Download Submit
C:\Users\Admin\Searches\!HELP_SOS.hta

Filesize
99KB

MD5
983917c5fbf117310297012a5d4c8d7f

SHA1
397bfb0564f75b91c9d226f0ab68167c4f6aa722

SHA256
7488dc6d3aec2cb0275f2d16a88f45383edc8fef5085753a134d7de6acfe49eb

SHA512
4602db4cb4d98582080ab230dc5ddd30cade732c9fa471d3e007e923bb55ffa2e3d91b24d84f6ec06a3f1872719485b4be469e52febd950af9666d69a382a6d4

Download Submit
C:\Users\Public\Videos\how_to_back_files.html

Filesize
4KB

MD5
c58f3350e0c3b471d28cf489e49d7ad4

SHA1
dad1408e526d96d6ae3dbcaa88691f941cc213f2

SHA256
68adc693daec87333e1815518fbac49bb9c3c87be3b35faba8aec447367fd6f7

SHA512
16ad246285054f07bfeaa15ad005bd665745139267f10e628b41931f0510acf8e382295e70df8a6f33ae4a8b19386ade94ef7eed9b1711e022b64346515a10db

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nso4684.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/480-291-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/480-331-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/488-7562-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/488-7294-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/620-2056-0x0000000000D90000-0x0000000000F12000-memory.dmp

Filesize
1.5MB

Download
memory/620-1959-0x0000000000D90000-0x0000000000F12000-memory.dmp

Filesize
1.5MB

Download
memory/708-181-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/816-258-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/816-310-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/908-319-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/908-332-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/908-320-0x0000000000590000-0x000000000060C000-memory.dmp

Filesize
496KB

Download
memory/908-314-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/908-315-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/988-298-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/988-287-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/988-285-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/988-283-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/988-289-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/988-288-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1076-266-0x0000000001320000-0x00000000014A2000-memory.dmp

Filesize
1.5MB

Download
memory/1076-1999-0x0000000001320000-0x00000000014A2000-memory.dmp

Filesize
1.5MB

Download
memory/1076-313-0x0000000001320000-0x00000000014A2000-memory.dmp

Filesize
1.5MB

Download
memory/1076-1958-0x0000000004EF0000-0x0000000005072000-memory.dmp

Filesize
1.5MB

Download
memory/1104-2452-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1264-2562-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1292-7831-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1300-173-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1376-4719-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1376-3793-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1392-6501-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1392-6875-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1444-284-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1632-2465-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1632-2544-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1676-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1676-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1676-337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1680-14050-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1680-14074-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1764-306-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1764-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1792-183-0x0000000000FE0000-0x0000000001026000-memory.dmp

Filesize
280KB

Download
memory/1792-252-0x0000000000FE0000-0x0000000001026000-memory.dmp

Filesize
280KB

Download
memory/1828-1910-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1828-1395-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1856-125-0x0000000000380000-0x0000000000442000-memory.dmp

Filesize
776KB

Download
memory/1868-243-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1868-242-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1868-260-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1868-269-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1876-2199-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1876-2045-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1912-2955-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1912-2791-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1920-255-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download
memory/1920-297-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download
memory/1936-14071-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1980-2805-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2056-2012-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2056-1938-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2064-940-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2064-103-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2076-262-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-67-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2084-66-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2084-68-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2104-268-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2104-286-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2104-267-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2104-290-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2112-2357-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2112-2401-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2136-296-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2136-295-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2140-2641-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2224-2047-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2224-2418-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2224-2015-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2244-9541-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2244-10695-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2264-2226-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2264-2197-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2292-126-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2292-127-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2324-2346-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2324-2364-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2456-2224-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2456-2277-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2472-172-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2512-2306-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2512-2348-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-7702-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2540-7579-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2592-1908-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2592-1941-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2600-2524-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2600-2772-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2600-2206-0x0000000000D90000-0x0000000000F12000-memory.dmp

Filesize
1.5MB

Download
memory/2600-2525-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2600-2790-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2600-2030-0x0000000000D90000-0x0000000000F12000-memory.dmp

Filesize
1.5MB

Download
memory/2624-6535-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2624-5637-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2696-12992-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2724-5209-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2724-5643-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2748-254-0x0000000000FE0000-0x0000000001026000-memory.dmp

Filesize
280KB

Download
memory/2748-249-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2748-250-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-1397-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2756-911-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2788-308-0x00000000001C0000-0x00000000001F3000-memory.dmp

Filesize
204KB

Download
memory/2788-292-0x00000000001C0000-0x00000000001F3000-memory.dmp

Filesize
204KB

Download
memory/2796-5160-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2808-259-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2808-305-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2868-11320-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2948-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-182-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/3016-123-0x0000000001320000-0x00000000014A2000-memory.dmp

Filesize
1.5MB

Download
memory/3016-2010-0x0000000001320000-0x00000000014A2000-memory.dmp

Filesize
1.5MB

Download
memory/3016-265-0x0000000001320000-0x00000000014A2000-memory.dmp

Filesize
1.5MB

Download
memory/3076-7581-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3124-7126-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3124-6872-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3244-13551-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3244-13021-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3340-3306-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3576-3379-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3640-3607-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3640-3734-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3692-8791-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3692-7887-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3828-9545-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3912-7296-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3912-7087-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3952-3809-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3964-11334-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3964-12103-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4056-3358-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4056-3619-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download