Analysis
-
max time kernel
93s -
max time network
191s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-11-2024 18:36
General
-
Target
RNSM00284.7z
-
Size
13.9MB
-
MD5
e20f6ad9e266cbabca31feedc697cfa5
-
SHA1
be955cbc02286ea800dd11887f63a624a25a8013
-
SHA256
312fdde51aed90d23843d50649032290c89b8af4661d61f5baa032b03ba870db
-
SHA512
112fcb80fa932efe1bf09cdf7c32350634e3ab6ed1ceb0ce66fed93830ecc47b7397b5d404cc2d20dad8368ddbd4c0d25d11b4dd144d46ecad4963ef893f58ab
-
SSDEEP
393216:vzae+bw+rVeYq6BywWZSh7T3M6ZEWu8inEOiCR+zqQ97r6oaKh:qBBdq60wWE1E5bjiCR+zqQ97r6oa6
Malware Config
Signatures
-
Cerber 7 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Gozi family
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky family
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
UAC bypass 3 TTPs 3 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Contacts a large (1111) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 57 IoCs
-
Loads dropped DLL 37 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 10 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 44 IoCs
-
Suspicious use of SetThreadContext 18 IoCs
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 49 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 6 IoCs
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 5 IoCs
-
Modifies registry class 48 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 24 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Interacts with shadow copies
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00284.7z"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.MSIL.Agent.gen-fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc.exeHEUR-Trojan-Ransom.MSIL.Agent.gen-fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exeHEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe3⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Foreign.vho-b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290.exeHEUR-Trojan-Ransom.Win32.Foreign.vho-b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290.exe3⤵
- Cerber
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exeHEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exeHEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Orzia\anetu.exe"C:\Users\Admin\AppData\Roaming\Orzia\anetu.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Orzia\anetu.exe"C:\Users\Admin\AppData\Roaming\Orzia\anetu.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_673e08b6.bat"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Zerber.vho-c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9.exeHEUR-Trojan-Ransom.Win32.Zerber.vho-c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9.exe3⤵
- Cerber
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exeTrojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exeTrojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exeTrojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exeTrojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe" /stext C:\ProgramData\Mails.txt5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe" /stext C:\ProgramData\Browsers.txt5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Foreign.njli-c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2.exeTrojan-Ransom.Win32.Foreign.njli-c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
-
C:\Windows\syswow64\svchost.exeC:\Windows\syswow64\svchost.exe4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exeTrojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exeTrojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\35B2\1DE.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe" "C:\Users\Admin\Desktop\00284\TROJAN~4.EXE""5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe" "C:\Users\Admin\Desktop\00284\TROJAN~4.EXE""6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe"C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe" "C:\Users\Admin\Desktop\00284\TROJAN~4.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe"C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe" "C:\Users\Admin\Desktop\00284\TROJAN~4.EXE"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exeTrojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe3⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Documents\Temp\CANCER~6887.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Pictures\Temp\CANCER~87255.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Shared\Temp\CANCER~15899.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\AppData\CANCER~60671.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\AppData\Local\CANCER~6148.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\AppData\Roaming\CANCER~33585.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Program Data\CANCER~89709.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Program Files\zzz_Cancer\CANCER~29930.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Program Files\_\CANCER~17627.exe"4⤵
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Programs\Eww\CANCER~99196.exe"4⤵
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Windows\XLIN\CANCER~17078.exe"4⤵
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Windows\D-Link\Media\CANCER~26033.exe"4⤵
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Temp\Cached\CANCER~57722.exe"4⤵
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\CANCER~52532.exe"4⤵
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Program Data\CANCER~60017.exe"4⤵
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exeTrojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 2005⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exeTrojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys7EC1.tmp"4⤵
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.sg-d2954337252fb727b01a7e2a8e4c4b451cb00c9abe6dec34b8b143d845a00111.exeTrojan-Ransom.Win32.Locky.sg-d2954337252fb727b01a7e2a8e4c4b451cb00c9abe6dec34b8b143d845a00111.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.xfj-b56ad0d8b823c049dc99ae0897a90ee0c1bfe6e2e8496026a1be1c075524c489.exeTrojan-Ransom.Win32.Locky.xfj-b56ad0d8b823c049dc99ae0897a90ee0c1bfe6e2e8496026a1be1c075524c489.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm4⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:18136 CREDAT:275457 /prefetch:25⤵
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\DesktopOSIRIS.bmp"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys86AD.tmp"4⤵
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.xlf-60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29.exeTrojan-Ransom.Win32.Locky.xlf-60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm4⤵
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\DesktopOSIRIS.bmp"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysC429.tmp"4⤵
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.xpc-f76b705326288636963dd42819ce4705615cbb5a34ce6e9fca3a5419d66ba1f8.exeTrojan-Ransom.Win32.Locky.xpc-f76b705326288636963dd42819ce4705615cbb5a34ce6e9fca3a5419d66ba1f8.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm4⤵
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\DesktopOSIRIS.bmp"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys5419.tmp"4⤵
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exeTrojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exeTrojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exeTrojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exeTrojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exeTrojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exeC:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo. > "C:\Users\Admin\AppData\Roaming\Isass.exe":Zone.Identifier5⤵
-
-
C:\Users\Admin\AppData\Roaming\Isass.exeC:\Users\Admin\AppData\Roaming\Isass.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Isass.exeC:\Users\Admin\AppData\Roaming\Isass.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exeTrojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exeTrojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe4⤵
- Cerber
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_EYEY6_.hta"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_YT543_.txt"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe"6⤵
- Cerber
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exeTrojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exeTrojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe4⤵
- Cerber
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.fxnh-f0e7364a7569254b85a977c07c65ba668e7e188bab5af80250daeb5e29610762.exeTrojan-Ransom.Win32.Zerber.fxnh-f0e7364a7569254b85a977c07c65ba668e7e188bab5af80250daeb5e29610762.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exeTrojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exeTrojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe4⤵
- Cerber
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exeTrojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exeTrojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe4⤵
- Cerber
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1302882154-1818028051093790043-1770298503-120566053816624992562034640893417455455"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-8691233731722743608-16039759401459726247196649821411198501828253431841236147313"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-4867871061683322829-21186686931187872054-1105586769-150273517314707487347924672"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "548002949-1496628644-1055361255-107219823984446616-188655823620620435441476897889"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5641⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5e81⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5f01⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5f41⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x6041⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7B
MD544f601e6b6d1113354b901483b2e624c
SHA1f39912a200b8a49c8ea43ec7085f498cae4324c7
SHA2564dde4c53d78e3e01233b0019370fcdba1e04acf2070f83e843f990a7f6d941b3
SHA51298d3dcc0a164d2cc56079d38fc0fb6a1de6113bc1451f2603c187c43b265e0884dc842956327340a5299536a5fe4234b11a5aed1b48da69b62788200578cf8e4
-
Filesize
8KB
MD59ad08cb43bc9838e9891fc218d8b96cd
SHA11849bfeefb3134680bb23fd6b98ed206a40abe43
SHA256140122d24a0436df02bce876332c8a4c6d9241f53916a5a38fd9334cc071c602
SHA512663225f94913a9121f529bc87fe2c67b6ede0175ffdae187450b479970107c664f1320f269465c1d5ce63235de44ff6029f50545f73e5c43d8772955d9562c38
-
Filesize
8KB
MD57876196e374738d70a6ebc1921ed5b49
SHA18e76a4407f8ec1374234716975c9c1eb92cdbe43
SHA256c8cd06585a2fc2c0eac9739200263f3a6cfb602ba84c4240690c5d77a7ac997a
SHA5125484a1db3199b6c3ca833f359df5546ab3b935299e554cb9d1618b8ef0d7d19043fe0be247e3b18a19203ea645a8318dbdd4fad33eea2730cbab6e2dc9ca8cc9
-
Filesize
9KB
MD5f301d34832fe2e9cd765dc6508a7fe92
SHA1b65c1a9b0a62c8c5542afc36939f39d5726f665d
SHA256b23ea288cb2211df2874ec2b4c3544a9a34fc986613cf2a364ca755474e076f2
SHA512f3f457a803334a81d3fcc1fb232e3df339afae831d34f03a7c9e4400bcd801de7c273500c1f9da98c16ccdde7dabeb14b71684397d27e029d573613ac26229b2
-
Filesize
112B
MD5d3ba78ab4c862936257294dd2c947816
SHA107a5e7f01b7c0b3aced48183095de495c797b00c
SHA25612c2cc2fa19f0230fde0ff150285fee992358d7cb8027649b846d4292c50c545
SHA5128bff939cf4bc164b41437e1e8c92878ee044d6d521c87ffc888505816eb400469266971ad433e3db8593574853b3be5b34b1d089493657965246e365c584b7f3
-
Filesize
8KB
MD5e0be013e69b55b08c6fb06a4cdd26bb9
SHA17e33f6a08cc7e4917960de7cbfc8734e1ed1472e
SHA2561bab4ebf3e8c368f58fd683ff078a7d6941885ff46c115f0814f56968bdce2f9
SHA5123b9da4947be3474e3fd7d25a1351d92c45267c661aa0f6928eb1dc670116a2d7e9fb1c201fe76191be913cba11fea9c1d40a09edb821a12aa66cbec99fc62a97
-
Filesize
105KB
MD5af1991a884db5eecd55241d859d11021
SHA1a560421bd55eed8ef52bfd3a07003ef32f1c417b
SHA256c8f29fe24718c0664a8deea759b39b2e951a80cab2568599ed77b2e1eb7b60e4
SHA512c40c9c09844d244540e4589e48265e7fc4da18e1c5bc6052b0ff17d842bb221822aea1beaae2a50066e2acd64fa6a58aa08671eb7f0c12052b7dc12443ad4564
-
Filesize
51KB
MD55945b457e6a22704f1715c12d96d97e6
SHA1a0346b93dbe83e5b3b6f0d5ac1e91697ad84823e
SHA25644ef29461edd58480464f5b9a8a2d68ce061f6792cdf0621b02b4106189b2378
SHA51283030e5b7bc9a8d10a18313c105445741dca35e7cd1efb7787ca959c30c76399c1572af86999f6ea90a3b9d6c5be063c714134b5ac1759d535f44d6307b33394
-
Filesize
7KB
MD5614cf2d306f66b3635b27eeda61a56ff
SHA10585341ee37857422fba8faac7c8de250a801fed
SHA2564043bd7ac630ecca22a91987086948b2a8df87bdafcccb3efce198c01a1a6f3b
SHA512fc3009f33d820889632453dde343f4a979ef44292a2287d2344a0892dc3a4f8db739e37125b4eac75e8d000c8aabccab1d78dd017c31aa6695ad89dfb9a15e64
-
Filesize
3KB
MD5fb424c74c8f4efaf76ae6aa153cd9da9
SHA177a02556e59b14f86ad206a21f14619dfe33d31a
SHA256bda503202f603ff9f32d06627b26a85954b5dca0b3bfb8f8944bff4a87058b7e
SHA512eb2b1bfe7ced1623dd7789b00b25ef2b21a4344d4a06e667fd0c43e9f8ca007a917b3da6571854c047aabc9c63b41ff75a8f2ca6892e27a3ceb05247e9937ea3
-
Filesize
18KB
MD552efabdab8b4f0e23d4f4de2a0efba91
SHA14c78d905fa9225c8e7ce4f482be0490b3e2519d2
SHA256818538cde0338c2935ace15543d3e5160836d13925bf5f5b92e6e1596db35d9e
SHA51278d5efd108911bd44fb0e9eb82b72b03e6f4f1b595d4cbea4b11ca52a63f565e36541925895c0bd81cb48f650a63adf9d88103edd34dc5e3d1ff3d97c4f87164
-
Filesize
364B
MD5e9364ca2b956f270c98d3e80ad1fcba6
SHA1f572fdc9a3e445f440c45699ba2782c870205221
SHA25625eacf3b2a66f75c69eb09d4b8d2a1de6dcffdb0158dcc94c9a959eeeab901f0
SHA512459021c36db31be5bcf89dcb0f56f21b7f27f8c025ed073fdbf03745821fc69ae4ea95bcb8433fbdb4981900baddc52803b477537b3585fa7a1ff5f6833d39ab
-
Filesize
940B
MD5b2f1e30e15a4d4b2e098222c92d909cb
SHA1022d7bd3a250d37834d0d6fbd27f63d97cbb71cc
SHA256510889c9be43c0c8d7803dc5af97b2560beb781377bac0f4ee039f2bff8ef561
SHA51218a4ac4e89703e0bd247feda54eb5d87f684ebaae1fd88b9ecfb6eb905c7b8c26f5d7a681bd8fab847e5470c0c666e860ea1bf8f84b259425dec417f3c8f23b8
-
Filesize
207KB
MD58027c5d23113279e2590281319119728
SHA1a6545cc8149b2624a731270204af0a2f2cd5ce12
SHA256fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc
SHA5120f912b5077b5f3db5b8f227e3098481306680c4d7219e6f7fbcd718683c98ca80397c4c8b9bbb8609421ba8809fa0869cf9e9dc1909bc463e4e806377871dadd
-
Filesize
3.1MB
MD500a350897132e68bf9d6b1b6d11acb88
SHA1035de4fbcc6b3f0f1436046b43fc9caa275593e5
SHA25680ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac
SHA512adfa8de360769fd258ec42069434713bd10a53d23e0f6ea5e9da5a130ab1383d15c59f9349c7adec0ec73ac5ba336a6242b9a1c9fa95aa1259d5c0ee1a221117
-
Filesize
249KB
MD5a788815bbdd4495cb3dbfc532b5ead93
SHA14852539c0f33f3edf694751f58a7899f492d257d
SHA256b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290
SHA512475cf0e19ac027ece932c82e0bfb378b0d960d53525508980105594c7423ddf7ec59853b97fcdfc8d1ad746b0387916de441d4e681fa25e1b335d31da0ad3657
-
Filesize
184KB
MD58254a63ed8b2e0001f58b4922637c4a4
SHA1d3c414410c1feb8c2cd8660c1aa08d9780aed3d9
SHA25658ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b
SHA512ba36d888af961015679e7e4d7e7089dc5709ae4386615a525519c6f24e2589bbd261185a4f257272f58178d7ae19b3481926724ed3a1da2962d6d6bd862667d5
-
Filesize
259KB
MD5a64bc28d08d5375a5d3fd3b36cf2e700
SHA17428aae3ab1f695ec4dfd54dc6c40770edd30e2a
SHA256c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9
SHA512dbb6cc006357d4a3edd6a3a6f4bf2312fc32774540e8c1d961a253a78a6f1e81bf4739fe06e4a83d56293e4b122492059ea2ca10aa23e3472224abc3d9f6cec5
-
Filesize
756KB
MD5a438050c49aced04ae3b2e2086657a8d
SHA1ae9bc0298bcb80327b1621f1169ccf3882865189
SHA25664b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae
SHA51298e2b33187bcb361faa42e8ab4a29524eee5d56ffa8bf503993f8c2682e118c97c3e9af639b196663d261e1744a84c695886cc9d8b059cdfc1e0b66beca10366
-
Filesize
1.3MB
MD5af0b3041efa3c657b235c06bae94fa39
SHA1ea8e11bf1fa17c845883562c7fb8f1c990c9b869
SHA256c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae
SHA512fcd159fa9b9e432f56c7e5c0c1ae407fe97e030ae37719c7aa1645b2c9762dfa1adaf3b6e31b136dcbc75122e7319b3517223489d6c40d2b2d85bd59332c104d
-
Filesize
443KB
MD507484140601b38187c94784180760bfa
SHA17e7f357debc701b26493fb240d6e99e1eee4f976
SHA256c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2
SHA512f16d7ef0241415d5ff4e863ab3fcc0d0a1fc3423306aca1657a3f3eba2c8921c62149ffef7d7e330c3e6d2c1308fab5eda46046a31fb445933291695542ccf26
-
Filesize
350KB
MD57168523b8e0a72e147e6f443ed98b1f9
SHA16a267bc830cf3a75b6e250321119e18a3ef4f92c
SHA256e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e
SHA512997f8cc642a513a04ae00b78f75172c0d50a499882d115eafebd0ba63bbf212bd4e07307811e375d3e376d5f0b789adaba7519ae080d920639dfac27c7f47f3a
-
Filesize
6.8MB
MD5b5bae1ed2fde118e256ede9d86affe42
SHA14870df80763feae4870e674a93515a2635637748
SHA25630616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760
SHA51200c871aaf12b9690d99ec2797758e69a7513da378cf6d7a2f7e0d3c2095267b346aee5fd7585121bdd5c3ff112f832d810367788136c5bb68758675c4eec5bfa
-
Filesize
213KB
MD5db579e92844d6b5d1281488dee6d85c4
SHA1f970da464c7e0afec247dd9d66a5a59c9db58e60
SHA25607f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced
SHA512dfc7e0cfe6dc7fa2d1f4de95cee83df652363e24dc60134cf7c3f63031ee8dbcadae74b2cdcc648fe3c67b28f72829a6ae0ededc692f06dc6acf824149aa12b0
-
Filesize
204KB
MD5e1a9b6f7285a85e682ebcad028472d13
SHA11347b810ac90c13154908f7cf45b11913c182e44
SHA2565e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8
SHA51235e6adb72faba256c94a7abe205ff14752f46c830292905e24605a479d15b6aa6b4ccfcc6d4937dfad8698cfa8da4a4cd68b38ded5c14ed24127f605c6fe6874
-
Filesize
264KB
MD53c89456ba5ab540e445a632ccfbbb958
SHA1c0d239bb3761a9b4e6024f6d970f3a495fe6a04b
SHA256d2954337252fb727b01a7e2a8e4c4b451cb00c9abe6dec34b8b143d845a00111
SHA512e935ad2d98c915a92ddc0a4f878a8aaf94f6c54f1b58c1499fa07d6558271eb6ff56c79313d691737dd524d31ba0119bbac58129dd7dc51de3d7c024ca7a38f2
-
Filesize
364KB
MD5a38cd976b7f15d2460c8f70bc8c490aa
SHA1f360212f78618c9b346a8a39fc266d1a16fd9051
SHA256b56ad0d8b823c049dc99ae0897a90ee0c1bfe6e2e8496026a1be1c075524c489
SHA51260f6b6852788d086dac1005027ae5323d2c27a30ab2de823fe1c757f0c55ea718d93e6500e05fcf4ea64889c24f591d18d8db15a2bc7408174801081d8201802
-
Filesize
368KB
MD56dd36d14d55910872f3397c9cacd7a9b
SHA105d160838a5b483f7d7dc486806ac9de9f9c3a82
SHA25660e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29
SHA51280fbee206898f724441bec122fcbbba16d4a8bfc71e6668538ce4932937355e618d61aa46a3ee266d79e869c51ec73e064baeab8720180d8c9a46a63538e6dea
-
Filesize
431KB
MD5f133d6277367fba390651559b8953cd4
SHA146d03119cb031dda1491fcde3fa8f37995d99c9c
SHA256f76b705326288636963dd42819ce4705615cbb5a34ce6e9fca3a5419d66ba1f8
SHA5121191522b852d1f4e46f01cb8461ee7dd33620f555719665441f82e5590176e7c95846da9e7347230e6392bd889e0ee1aa42f2dfb8e675ca206a384cc718b7b70
-
Filesize
914KB
MD55c619b94a2b4ad02fb777c6453d20ceb
SHA18f7e88ee168af1e25dff8d36976796b24a427bb8
SHA2568afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490
SHA512ea85575959ec0afeda9f3f6add74ab2981e08eb7990112ebb6dc764588062e02740ff5f71e296d602268df9cb2945fbd94ad083c7883c0b75eca4afd57012b53
-
Filesize
916KB
MD5b01c53a635e7b760f539a7ff6065f683
SHA10b23b9fc48f7797fca3d50fdb1c273b8cf6db6be
SHA2569d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac
SHA5122d6e1b14822d40b3727d297cce7a79fdbefc32c8a1730a702b20d161e35372071f7fcfbe786925acc1321d7664480cde9e3d1fb8d165f1cc131d7439f6a506ac
-
Filesize
520KB
MD5f48627a8c7e00d587076a55ae48b2c4f
SHA11677c116fafd6817ea8291643aca078bf38196ae
SHA256e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5
SHA5127d05e88eccc323d25b719bb377b7341457453e15c067e1982e151f7e6209a50f1b9f2dd86a0902a0d9a19c290d22d248b95286ad3caf619e602d4fc93f5d96eb
-
Filesize
239KB
MD5bb36503c806b72e51bbaa4b320ea4703
SHA1381d1f3108eaf39884f6ea3a101e99fdf84c81bd
SHA256fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89
SHA512655391b75c9b615162873c07ca8487b232b42107ba28b17124926bfa5d54698e7b65474f65c7dbc80885eb92c35e6e3df9e84dc290e1298a25649482354a9d80
-
Filesize
318KB
MD5ed962e1325c3b9e3765949fda7a6b5ad
SHA14a46bc5f1721d293077d611e0583d827081b6445
SHA256f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415
SHA5128a02daf5c3d484cc55c8f0961b9994cf5e397ce4e89095124cdbe414f0cc30ebec3ccdb71701ca38874e7c21e095f07a2e2a6c3bcddffe437c54645f5e78efb0
-
Filesize
248KB
MD50fde16ced64b74b7fde8d3ed67c22f7e
SHA1ea02fa337265bc904fccda2d66813ec9b2227a58
SHA256f0e7364a7569254b85a977c07c65ba668e7e188bab5af80250daeb5e29610762
SHA512495e01738afdd010494413fdcd24e749e07323200d045733739e90242975edfdab961274fe7c5b85a7dd0d2d7b0e0a935e2188033d1b4c45dacfb3a74339e49d
-
Filesize
180KB
MD5d6ccad707bcdc93f762f650495baf984
SHA1a0a42addb66f6fc8b329d7644df067565a6cf207
SHA25607da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5
SHA512c697a7e357ede162f48e6ad54eb0841591f53393fc6f57ec2e96948a47d2cbf80b210d6551cf09b0f9468accef37de226a31930b31f400ab6ec62d3e91d3bc70
-
Filesize
264KB
MD57a4b785cc67a8d94e8f64b2897fce7e1
SHA171c2516426c4640da4ae39233fec2a0c2d43670c
SHA256b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288
SHA512cf38168d124bf6da0a93f48d29c25625c021a6a178628fb44b701b26fc3ecf656a146ff9adfc52b43d5a00405d3a78fa9545f4a99723661a86b91d9ef782ed61
-
Filesize
64KB
MD566f1bb40619895bffa812c7b6f79464b
SHA166f7a731c62014a5a622072c90b75e80298cabe6
SHA25636e626f9949d4b75f2bc07f3e321ece3b29973ce96ab255f025744d1fadf5002
SHA512946475b74afed276459e7b0326c3ef004ac9403ba10351b7254f5c4b0fcfef102073410d18ae64fefc442e304527d1ab790064129670c4d215c7b1412e59742b
-
Filesize
11KB
MD5a4dd044bcd94e9b3370ccf095b31f896
SHA117c78201323ab2095bc53184aa8267c9187d5173
SHA2562e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA51287335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
-
Filesize
11KB
MD54d3b19a81bd51f8ce44b93643a4e3a99
SHA135f8b00e85577b014080df98bd2c378351d9b3e9
SHA256fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
SHA512b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622
-
Filesize
11KB
MD5a436db0c473a087eb61ff5c53c34ba27
SHA165ea67e424e75f5065132b539c8b2eda88aa0506
SHA25675ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
Filesize
44KB
MD55198e9f75dc3d5431cf063a4e9b21983
SHA1e53a625109801a9a44d3663d496860ddcca8e483
SHA256dcf1ebca9072074a34766077ed677bfc950d01bbe3307e0befd1165514aa8c6f
SHA512ca91012a49a410fbc2c47ccb795c0cdd8098f34bc1d93eabbe5c125887d09717a989c2ff6eece4fcb817555c5354b6e6627eb20feb6277883cdc767f9c322265
-
Filesize
67KB
MD50101165c186a281b471f7198a342759e
SHA1e36b03bb943067b57e66df692ee9ee1228fce37f
SHA256e394ca66d3fd35e7bbbaba4a729391fdb01579c16d5c76a18aa90dd5c0a5e9bf
SHA512e69ca2491af71116ddf5630997b7e43eab7e4fc8a63f9be971dfee825c1776ec1a315cf5c11c13ad79c9032520ff334cbde556c2c0f80ee120eb2c49387e257f
-
Filesize
804KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
1.0MB
-
Filesize
92KB
-
Filesize
452KB
-
Filesize
1.2MB
-
Filesize
124KB
-
Filesize
636KB
-
Filesize
232KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
24KB
-
Filesize
6.9MB
-
Filesize
24KB
-
Filesize
6.8MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
1.2MB
-
Filesize
804KB
-
Filesize
636KB
-
Filesize
124KB
-
Filesize
1.0MB
-
Filesize
68KB
-
Filesize
44KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
3.4MB
-
Filesize
5.0MB
-
Filesize
624KB
-
Filesize
5.4MB
-
Filesize
5.4MB
