Analysis
-
max time kernel
93s -
max time network
191s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
19-11-2024 18:36
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00284.7z
Resource
win7-20240903-en
General
-
Target
RNSM00284.7z
-
Size
13.9MB
-
MD5
e20f6ad9e266cbabca31feedc697cfa5
-
SHA1
be955cbc02286ea800dd11887f63a624a25a8013
-
SHA256
312fdde51aed90d23843d50649032290c89b8af4661d61f5baa032b03ba870db
-
SHA512
112fcb80fa932efe1bf09cdf7c32350634e3ab6ed1ceb0ce66fed93830ecc47b7397b5d404cc2d20dad8368ddbd4c0d25d11b4dd144d46ecad4963ef893f58ab
-
SSDEEP
393216:vzae+bw+rVeYq6BywWZSh7T3M6ZEWu8inEOiCR+zqQ97r6oaKh:qBBdq60wWE1E5bjiCR+zqQ97r6oa6
Malware Config
Signatures
-
Cerber 7 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.
description | ioc | Process
Mutant created | shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} | Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe
Mutant created | shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} | HEUR-Trojan-Ransom.Win32.Zerber.vho-c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9.exe
Mutant created | shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} | HEUR-Trojan-Ransom.Win32.Foreign.vho-b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290.exe
Mutant created | shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} | Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe
Mutant created | shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} | Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe
Mutant opened | shell.{E385D267-F6A9-1D3E-E203-B9E38A459CB6} | Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe
pid | Process
21404 | taskkill.exe
All six samples that trip this signature, including the one the scanner labelled Foreign.vho, create or open the same mutex name, so the mutex is a dependable host-level IoC for this Cerber build. -
Cerber family
-
Gozi family
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky family
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Disables UAC through registry policy values 3 IoCs
ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, ConsentPromptBehaviorUser = 0 silently denies elevation requests from standard users, and EnableLUA = 0 switches UAC off entirely at the next reboot.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
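The signature above only says that shadow copies were deleted; what a responder usually wants is the command-line detection that would have fired on the host. The following is an added example, not part of the sandbox report: it classifies process-creation records against the common recovery-inhibition commands (vssadmin, wmic, wbadmin, bcdedit, and the PowerShell WMI route). The log lines are constructed for the example (pid 2148 mirrors the vssadmin.exe pid seen in this report, but the command lines are not taken from the page), and the rule labels are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Command-line patterns for the usual recovery-inhibition commands (ATT&CK T1490).
# Each rule is (label, regex) and is applied to a lower-cased, whitespace-squashed command line.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin shrink shadow storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin delete catalog/backup",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled no|bootstatuspolicy ignoreallfailures)")),
    ("powershell Win32_ShadowCopy removal",
     re.compile(r"win32_shadowcopy.*\b(delete|remove-wmiobject|remove-ciminstance)\b")),
]


def normalise(cmdline: str) -> str:
    """Lower-case and squash whitespace so casing or extra spaces do not evade the match."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def classify(cmdline: str) -> Optional[str]:
    """Return the matching rule label, or None when the command line is not recovery tampering."""
    c = normalise(cmdline)
    for label, rx in RULES:
        if rx.search(c):
            return label
    return None


def scan(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """log_lines: 'pid<TAB>image<TAB>command line' records; returns (pid, image, label) per hit."""
    hits: List[Tuple[int, str, str]] = []
    for line in log_lines:
        pid, image, cmdline = line.split("\t", 2)
        label = classify(cmdline)
        if label:
            hits.append((int(pid), image, label))
    return hits


# Constructed Sysmon-EID1-style records for the example; only the vssadmin.exe pid echoes the report.
SAMPLE_LOG = [
    "2148\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe Delete Shadows /All /Quiet",
    "3001\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic shadowcopy delete",
    "3002\tC:\\Windows\\System32\\bcdedit.exe\tbcdedit /set {default} recoveryenabled No",
    "3003\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin list shadows",
    "3004\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -c \"Get-WmiObject Win32_ShadowCopy | Remove-WmiObject\"",
    "3005\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "3006\tC:\\Windows\\explorer.exe\texplorer.exe",
]

if __name__ == "__main__":
    for pid, image, label in scan(SAMPLE_LOG):
        print(f"pid {pid:<5} {image:<60} {label}")
```

The benign "vssadmin list shadows" record is deliberately included: an enumeration-only rule would page on administrators, so each pattern requires the destructive verb as well as the tool name. Shrinking shadow storage with resize is matched because it evicts existing snapshots without ever calling delete.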
-
Contacts a large (1111) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. With several Cerber samples in the set, it is at least as likely to be Cerber's known UDP beaconing to whole address ranges, so check the destination ports and packet sizes before treating it as a scan.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Trojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe -
Drops startup file 1 IoCs
description | ioc | Process
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ | Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe -
Executes dropped EXE 57 IoCs
pid | Process
1020 | HEUR-Trojan-Ransom.MSIL.Agent.gen-fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc.exe
568 | HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe
2968 | HEUR-Trojan-Ransom.Win32.Foreign.vho-b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290.exe
2812 | HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe
600 | HEUR-Trojan-Ransom.Win32.Zerber.vho-c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9.exe
588 | Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe
480 | Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe
1488 | Trojan-Ransom.Win32.Foreign.njli-c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2.exe
2016 | Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe
1656 | Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe
1816 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
1056 | HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe
1988 | Trojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe
1664 | Trojan-Ransom.Win32.Locky.xfj-b56ad0d8b823c049dc99ae0897a90ee0c1bfe6e2e8496026a1be1c075524c489.exe
2144 | Trojan-Ransom.Win32.Locky.xpc-f76b705326288636963dd42819ce4705615cbb5a34ce6e9fca3a5419d66ba1f8.exe
2696 | Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe
2432 | Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe
820 | Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe
2532 | Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe
1640 | Trojan-Ransom.Win32.Locky.sg-d2954337252fb727b01a7e2a8e4c4b451cb00c9abe6dec34b8b143d845a00111.exe
1984 | Trojan-Ransom.Win32.Locky.xlf-60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29.exe
2956 | Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe
1936 | anetu.exe
2064 | Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe
2112 | Trojan-Ransom.Win32.Zerber.fxnh-f0e7364a7569254b85a977c07c65ba668e7e188bab5af80250daeb5e29610762.exe
1364 | Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe
992 | anetu.exe
2988 | Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe
1668 | Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe
2272 | Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe
1264 | Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe
2908 | Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe
1856 | svchost.exe
3048 | Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe
2780 | dimsssec.exe
3004 | Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe
2456 | Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe
3012 | dimsssec.exe
2360 | Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe
1996 | Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe
1500 | Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe
996 | Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe
1104 | Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe
1976 | Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe
1736 | Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe
6788 | Isass.exe (capital I, a look-alike of lsass.exe)
1776 | Isass.exe (capital I, a look-alike of lsass.exe)
7808 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
8688 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
17064 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
8104 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
9676 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
8456 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
8808 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
7620 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
4936 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
7580 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe -
Loads dropped DLL 37 IoCs
pid | Process | loads
1056 | HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe | 2
2016 | Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe | 2
820 | Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe | 1
1288 | taskmgr.exe | 2
2064 | Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe | 2
2956 | Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe | 1
2696 | Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe | 3
1988 | Trojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe | 2
1364 | Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe | 1
660 | cmd.exe | 1
2780 | dimsssec.exe | 3
480 | Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe | 3
1644 | WerFault.exe | 3
2360 | Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe | 1
2988 | Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe | 2
1816 | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe | 8 -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe -
Adds Run key to start application 2 TTPs 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\clbcnect = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cmdinput\\dimsssec.exe" | Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\_cancer~45557 = "C:\\Users\\Admin\\Desktop\\00284\\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\_cancer~60788 = "C:\\Users\\Admin\\Desktop\\00284\\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NVIDIA Update-Backend = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\NvBackend.exe" | HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Update-Backend = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\NvBackend.exe" | HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{AB6A70CB-897F-7C53-408C-7559B489DDA8} = "C:\\Users\\Admin\\AppData\\Roaming\\Orzia\\anetu.exe" | taskhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\_cancer~71381 = "C:\\Users\\Admin\\Desktop\\00284\\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\_cancer~51947 = "C:\\Users\\Admin\\Desktop\\00284\\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\B9oBmLC = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\bqbpzxn.exe" | iexplore.exe
Two of these Run values are written by taskhost.exe and iexplore.exe rather than by any sample binary, which points to code injected into those legitimate processes setting up its own persistence; the csrss.exe entry under C:\ProgramData\Windows is a name collision with the real Client Server Runtime Subsystem in System32. -
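The UAC policy writes earlier in this report and the Run-key writes above are the two registry findings a responder would script a check for. The following is an added example, not part of the sandbox report: it parses rows in the report's own "Set value (...) <key> = "<data>" <process>" layout and flags UAC policy values set to 0, autorun targets in user-writable locations, Windows binary names placed outside System32, and Run values written by processes that never legitimately do so. The first five sample rows are copied from this report's IoC tables; the sixth is a constructed benign row. The lists of "unexpected writer" processes and user-writable path fragments are this example's assumptions.

```python
import re
from typing import Dict, List, Tuple

# Row layout of the report's registry-write IoCs (whitespace squashed):
#   Set value (int|str) <key path> = "<data>" <writer process>
ROW_RE = re.compile(r'^Set value \((int|str)\) (.+?) = "(.*)" (\S+)$')

# UAC policy values an attacker sets to 0, and what 0 means for each.
UAC_POLICY_VALUES = {
    "enablelua": "UAC disabled entirely (takes effect at next reboot)",
    "consentpromptbehavioradmin": "administrators elevate without any prompt",
    "consentpromptbehavioruser": "standard users' elevation requests are silently denied",
    "promptonsecuredesktop": "elevation prompts no longer use the secure desktop",
}
# Path fragments a normal installer does not use for an autorun target (assumption for this example).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\desktop\\", "\\downloads\\")
# Names of core Windows binaries that only belong in System32.
SYSTEM_BINARY_NAMES = {"csrss.exe", "lsass.exe", "svchost.exe", "smss.exe", "wininit.exe", "winlogon.exe"}
# Processes that never legitimately write Run keys; a write from one suggests injected code.
# This list is an assumption made for the example, not something the report states.
UNEXPECTED_WRITERS = {"iexplore.exe", "taskhost.exe", "explorer.exe", "dwm.exe", "svchost.exe"}


def parse_row(row: str) -> Dict[str, str]:
    m = ROW_RE.match(re.sub(r"\s+", " ", row.strip()))
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    kind, key, data, proc = m.groups()
    # Undo the report's escaping: \" -> " and \\ -> \
    data = data.replace('\\"', '"').replace("\\\\", "\\")
    return {"kind": kind, "key": key, "data": data, "proc": proc}


def exe_path_from(data: str) -> str:
    """Autorun data may be quoted and may carry arguments; keep the executable path only."""
    m = re.search(r'"?([^"]*?\.exe)"?', data, re.IGNORECASE)
    return (m.group(1) if m else data).strip()


def audit(row: str) -> List[str]:
    """Return the list of findings for one registry-write row (empty when nothing is suspicious)."""
    ev = parse_row(row)
    key_l = ev["key"].lower()
    value_name = ev["key"].rsplit("\\", 1)[-1]
    findings: List[str] = []
    if "\\policies\\system\\" in key_l and value_name.lower() in UAC_POLICY_VALUES and ev["data"] == "0":
        findings.append(f"UAC policy {value_name}=0: {UAC_POLICY_VALUES[value_name.lower()]}")
    if re.search(r"\\currentversion\\run(once)?\\", key_l):
        path = exe_path_from(ev["data"])
        path_l = path.lower()
        if any(frag in path_l for frag in USER_WRITABLE):
            findings.append(f"autorun target in user-writable location: {path}")
        if path_l.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not path_l.startswith("c:\\windows\\system32\\"):
            findings.append(f"Windows binary name outside System32: {path}")
        if ev["proc"].lower() in UNEXPECTED_WRITERS:
            findings.append(f"Run value written by {ev['proc']}, which normally never does so")
    return findings


def audit_all(rows: List[str]) -> List[Tuple[str, List[str]]]:
    return [(parse_row(r)["proc"], audit(r)) for r in rows]


SAMPLE_ROWS = [
    # rows 1-5: copied from this report's IoC tables
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{AB6A70CB-897F-7C53-408C-7559B489DDA8} = "C:\\Users\\Admin\\AppData\\Roaming\\Orzia\\anetu.exe" taskhost.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\B9oBmLC = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\bqbpzxn.exe" iexplore.exe',
    # row 6: constructed benign entry, an installer registering a vendor tray process
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware User Process = "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr" msiexec.exe',
]

if __name__ == "__main__":
    for proc, findings in audit_all(SAMPLE_ROWS):
        print(proc, findings or "ok")
```

The checks are deliberately independent, so a single row can raise several findings: the ProgramData csrss.exe entry trips both the user-writable-path and the name-collision rule, while the anetu.exe and bqbpzxn.exe entries trip the path rule and the unexpected-writer rule. Feeding the same function Sysmon EventID 13 records only requires a different parse_row.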
Queries and sets EnableLUA 2 IoCs
The same sample reads the current UAC state and then writes EnableLUA = 0 (the write is also listed under the UAC policy IoCs above).
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe -
Drops desktop.ini file(s) 10 IoCs
All ten rows are "File created" by Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe:
C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Program Files\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (23 rows, listed here alphabetically; every letter except C:, D: and F:) | Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe
File opened (read-only) | \??\F: | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2432-196-0x0000000000C00000-0x0000000000D30000-memory.dmp | autoit_exe
behavioral1/memory/2432-389-0x0000000000C00000-0x0000000000D30000-memory.dmp | autoit_exe
behavioral1/memory/2360-2830-0x0000000000C00000-0x0000000000D30000-memory.dmp | autoit_exe
behavioral1/memory/2432-2863-0x0000000000C00000-0x0000000000D30000-memory.dmp | autoit_exe
behavioral1/memory/6788-7584-0x00000000011F0000-0x0000000001320000-memory.dmp | autoit_exe
behavioral1/memory/1776-7307-0x00000000011F0000-0x0000000001320000-memory.dmp | autoit_exe
Pids 2432 and 2360 are the Snocry.cvs sample and pids 6788 and 1776 are the dropped Isass.exe (see the dropped-EXE list), so both binaries are AutoIt-compiled; the same memory ranges also match the upx rule below. -
Drops file in System32 directory 38 IoCs
All 38 rows are "File opened for modification" by Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe, under \??\c:\windows\SysWOW64\config\systemprofile\ (the SYSTEM account's profile); the folder names are the application-data locations the sample looks for (Office, mail clients, Bitcoin, Steam, SQL Server), walked here under the SYSTEM profile:
appdata\roaming\microsoft\office
appdata\roaming\microsoft\word
appdata\local\onenote
appdata\roaming\thunderbird
appdata\local\thunderbird
appdata\local\bitcoin
appdata\local\excel
appdata\roaming\microsoft\excel
appdata\roaming\steam
appdata\roaming\the bat!
appdata\local\microsoft\excel
appdata\roaming\microsoft\onenote
appdata\local\microsoft\outlook
documents
appdata\roaming\excel
appdata\local\microsoft\onenote
appdata\local\microsoft\word
appdata\roaming\microsoft\outlook
appdata\roaming\office
appdata\local\steam
appdata\roaming\microsoft sql server
appdata\roaming\microsoft\microsoft sql server
appdata\local\office
appdata\local\word
appdata\roaming\powerpoint
appdata\local\powerpoint
appdata\roaming\bitcoin
appdata\local\microsoft sql server
appdata\local\microsoft\microsoft sql server
appdata\roaming\onenote
appdata\roaming\outlook
appdata\roaming\word
desktop
appdata\local\microsoft\office
appdata\roaming\microsoft\powerpoint
appdata\local\microsoft\powerpoint
appdata\local\outlook
appdata\local\the bat! -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:/Users/Admin/AppData/Local/ewwwwww~cancer.png" | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 44 IoCs
pid | Process | calls
1112 | taskhost.exe | 4
1160 | Dwm.exe | 3
1200 | Explorer.EXE | 4
992 | anetu.exe | 5
2156 | DllHost.exe | 4
1004 | DllHost.exe | 4
2148 | vssadmin.exe | 4
592 | conhost.exe | 4
2744 | conhost.exe | 4
6828 | DllHost.exe | 4
15564 | DllHost.exe | 4
Apart from anetu.exe, every caller of NtSetInformationThread(ThreadHideFromDebugger) here is a legitimate Windows process, which is what injected code looks like from the outside; the SetThreadContext table below records 2640 svchost.exe writing into 1200 Explorer.EXE. -
Suspicious use of SetThreadContext 18 IoCs
source pid | source Process | target pid | procid_target
2812 | HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe | 1056 | 46
1936 | anetu.exe | 992 | 64
2064 | Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe | 2988 | 63
2956 | Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe | 1668 | 69
820 | Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe | 2272 | 71
2696 | Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe | 1264 | 72
2016 | Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe | 2908 | 73
588 | Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe | 3048 | 76
3048 | Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe | 3004 | 83
1364 | Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe | 2456 | 84
2780 | dimsssec.exe | 3012 | 85
1488 | Trojan-Ransom.Win32.Foreign.njli-c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2.exe | 2940 | 86
2940 | svchost.exe | 2844 | 89
3012 | dimsssec.exe | 2640 | 88
2640 | svchost.exe | 1200 | 21
3048 | Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe | 1996 | 90
1656 | Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe | 1976 | 95
480 | Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe | 1736 | 97
Each row is a process writing a new thread context into another process, the hollowing step in which a suspended child is overwritten with the payload. Chaining the rows shows the hops: 2780 dimsssec.exe -> 3012 dimsssec.exe -> 2640 svchost.exe -> 1200 Explorer.EXE, and 1488 Foreign.njli -> 2940 svchost.exe -> 2844. The final target in the first chain has procid_target 21, far below the others, which marks Explorer.EXE as a process that was already running when the samples started, so that step is injection into the live shell rather than hollowing of a fresh child. -
resource yara_rule behavioral1/files/0x0006000000018be7-105.dat upx behavioral1/memory/2432-196-0x0000000000C00000-0x0000000000D30000-memory.dmp upx behavioral1/memory/1668-350-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1264-361-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2432-389-0x0000000000C00000-0x0000000000D30000-memory.dmp upx behavioral1/memory/1668-547-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1668-562-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1264-556-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2360-591-0x0000000000C00000-0x0000000000D30000-memory.dmp upx behavioral1/memory/6788-2827-0x00000000011F0000-0x0000000001320000-memory.dmp upx behavioral1/memory/2360-2830-0x0000000000C00000-0x0000000000D30000-memory.dmp upx behavioral1/memory/2432-2863-0x0000000000C00000-0x0000000000D30000-memory.dmp upx behavioral1/memory/1776-3244-0x00000000011F0000-0x0000000001320000-memory.dmp upx behavioral1/memory/6788-7584-0x00000000011F0000-0x0000000001320000-memory.dmp upx behavioral1/memory/1776-7307-0x00000000011F0000-0x0000000001320000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1644 1976 WerFault.exe 95 -
System Location Discovery: System Language Discovery 1 TTPs 49 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
NSIS installer 6 IoCs
resource yara_rule
behavioral1/files/0x0007000000016c89-65.dat nsis_installer_1
behavioral1/files/0x0007000000016c89-65.dat nsis_installer_2
behavioral1/files/0x0006000000018d7b-88.dat nsis_installer_1
behavioral1/files/0x0006000000018d7b-88.dat nsis_installer_2
behavioral1/files/0x00060000000174f8-70.dat nsis_installer_1
behavioral1/files/0x00060000000174f8-70.dat nsis_installer_2
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
2148 vssadmin.exe
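A detection check for the behaviour in this section, added here as an example and not part of the sandbox report: it scans process-creation events for the shadow-copy deletion the report attributes to vssadmin.exe (PID 2148, launched under taskhost.exe, PID 1112). The events are constructed to match that process tree, and the field names (pid, ppid, image, cmdline) are an assumption about the telemetry source rather than the sandbox's own schema. The rule list also covers wmic, wbadmin and vssadmin resize shadowstorage, which this report does not show but which are the same T1490 technique.

```python
"""Flag shadow-copy tampering in process-creation telemetry (added example)."""
import shlex

# Constructed sample events. The first two reproduce the report's entries; the
# third is a benign look-alike and the fourth is a wmic variant the report does
# not contain, included to show the rule set generalises beyond vssadmin.
SAMPLE_EVENTS = [
    {"pid": 1112, "ppid": 4, "image": r"C:\Windows\system32\taskhost.exe",
     "cmdline": "taskhost.exe"},
    {"pid": 2148, "ppid": 1112, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 4242, "ppid": 1112, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" list shadows'},
    {"pid": 4311, "ppid": 1112, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# (image basename, tokens that must all be present, label). T1490 is the
# MITRE ATT&CK id for "Inhibit System Recovery". Token order is deliberately
# ignored so that "delete shadows /all" and "delete /all shadows" both match.
RULES = [
    ("vssadmin.exe", ("delete", "shadows"), "T1490 vssadmin delete shadows"),
    ("vssadmin.exe", ("resize", "shadowstorage"), "T1490 vssadmin resize shadowstorage"),
    ("wmic.exe", ("shadowcopy", "delete"), "T1490 wmic shadowcopy delete"),
    ("wbadmin.exe", ("delete", "catalog"), "T1490 wbadmin delete catalog"),
]


def tokens(cmdline):
    """Split a Windows command line into lower-cased tokens.

    posix=False keeps a quoted image path together and leaves backslashes
    alone, since they are path separators on Windows, not escape characters.
    """
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        parts = cmdline.split()
    return [p.strip('"').lower() for p in parts]


def basename(image):
    """Lower-cased file name of an image path, tolerant of either slash."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inhibit_recovery_hits(events):
    """Return (pid, ppid, label, quiet) for every event that matches a rule.

    `quiet` records whether /quiet was passed, i.e. the caller suppressed the
    confirmation prompt and console output, which is how the report's
    vssadmin instance was run.
    """
    hits = []
    for ev in events:
        toks = tokens(ev["cmdline"])
        for binary, needed, label in RULES:
            if basename(ev["image"]) == binary and all(n in toks for n in needed):
                hits.append((ev["pid"], ev["ppid"], label, "/quiet" in toks))
    return hits


if __name__ == "__main__":
    for hit in inhibit_recovery_hits(SAMPLE_EVENTS):
        print(hit)
```

Matching on the image basename rather than on the command line's first token matters: the report shows a fully quoted path, but a renamed copy or a bare `vssadmin` typed from a working directory produces the same process-creation event with a different first token.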
Kills process with taskkill 1 IoCs
pid Process
21404 taskkill.exe
Modifies data under HKEY_USERS 5 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCD0F.bmp" Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication DllHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "DllHost.exe" DllHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus DllHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local" DllHost.exe
Modifies registry class 48 IoCs
description ioc Process (entries grouped by process)
Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe (45 IoCs):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "CANCER"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.php
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xml\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sln\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "CANCER"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cancer
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tmp\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.docm\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vb\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xls\ = "CANCER"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell\Open\Command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.db\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.docx\ = "CANCER"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sln
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ico\ = "CANCER"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tmp
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\ = "CANCER"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell\Open
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dat\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.odt\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.php\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.java\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sql\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cancer\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.hta\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dll\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "CANCER"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell\Open\Command\ = "C:\\Users\\Admin\\Desktop\\00284\\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe \"%1\""
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "CANCER"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "CANCER"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CANCER
Explorer.EXE (3 IoCs):
  Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Suspicious behavior: CmdExeWriteProcessMemorySpam 24 IoCs
pid Process
1020 HEUR-Trojan-Ransom.MSIL.Agent.gen-fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc.exe
568 HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe
2968 HEUR-Trojan-Ransom.Win32.Foreign.vho-b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290.exe
2812 HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe
600 HEUR-Trojan-Ransom.Win32.Zerber.vho-c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9.exe
480 Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe
588 Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe
1488 Trojan-Ransom.Win32.Foreign.njli-c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2.exe
2016 Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe
1816 Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
1656 Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe
1988 Trojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe
1640 Trojan-Ransom.Win32.Locky.sg-d2954337252fb727b01a7e2a8e4c4b451cb00c9abe6dec34b8b143d845a00111.exe
1664 Trojan-Ransom.Win32.Locky.xfj-b56ad0d8b823c049dc99ae0897a90ee0c1bfe6e2e8496026a1be1c075524c489.exe
1984 Trojan-Ransom.Win32.Locky.xlf-60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29.exe
2144 Trojan-Ransom.Win32.Locky.xpc-f76b705326288636963dd42819ce4705615cbb5a34ce6e9fca3a5419d66ba1f8.exe
2956 Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe
2696 Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe
2432 Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe
2064 Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe
820 Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe
2112 Trojan-Ransom.Win32.Zerber.fxnh-f0e7364a7569254b85a977c07c65ba668e7e188bab5af80250daeb5e29610762.exe
2532 Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe
1364 Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (repeated identical entries collapsed with a count)
1288 taskmgr.exe (x52)
2812 HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe (x12)
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process
1200 Explorer.EXE
1288 taskmgr.exe
3048 Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process
2956 Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe
820 Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe
2696 Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe
1364 Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe
1488 Trojan-Ransom.Win32.Foreign.njli-c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2.exe
3012 dimsssec.exe
2640 svchost.exe
Suspicious use of AdjustPrivilegeToken 55 IoCs
description pid Process (repeated identical entries collapsed with a count)
Token: SeRestorePrivilege 3040 7zFM.exe
Token: 35 3040 7zFM.exe
Token: SeSecurityPrivilege 3040 7zFM.exe
Token: SeDebugPrivilege 1288 taskmgr.exe
Token: SeBackupPrivilege 2716 vssvc.exe
Token: SeRestorePrivilege 2716 vssvc.exe
Token: SeAuditPrivilege 2716 vssvc.exe
Token: SeShutdownPrivilege 1200 Explorer.EXE (x20)
Token: SeShutdownPrivilege 2988 Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe
Token: SeBackupPrivilege 1984 Trojan-Ransom.Win32.Locky.xlf-60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29.exe (x15)
Token: SeSecurityPrivilege 1984 Trojan-Ransom.Win32.Locky.xlf-60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29.exe (x8)
Token: SeDebugPrivilege 3048 Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe
Token: SeDebugPrivilege 1816 Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Token: SeDebugPrivilege 1020 HEUR-Trojan-Ransom.MSIL.Agent.gen-fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc.exe
Token: SeDebugPrivilege 1500 Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process (repeated identical entries collapsed with a count)
3040 7zFM.exe (x2)
1288 taskmgr.exe (x62)
Suspicious use of SendNotifyMessage 64 IoCs
pid Process (repeated identical entries collapsed with a count)
1288 taskmgr.exe (x64)
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
568 HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe
2532 Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe
2744 conhost.exe
1200 Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (repeated identical entries collapsed with a count)
PID 1864 wrote to memory of 1020 1864 cmd.exe 35 (x4)
PID 1864 wrote to memory of 568 1864 cmd.exe 36 (x7)
PID 1864 wrote to memory of 2968 1864 cmd.exe 37 (x4)
PID 1864 wrote to memory of 2812 1864 cmd.exe 38 (x4)
PID 1864 wrote to memory of 600 1864 cmd.exe 39 (x4)
PID 1864 wrote to memory of 480 1864 cmd.exe 40 (x4)
PID 1864 wrote to memory of 588 1864 cmd.exe 41 (x4)
PID 1864 wrote to memory of 1488 1864 cmd.exe 42 (x4)
PID 1864 wrote to memory of 2016 1864 cmd.exe 43 (x4)
PID 1864 wrote to memory of 1816 1864 cmd.exe 44 (x4)
PID 1864 wrote to memory of 1656 1864 cmd.exe 45 (x4)
PID 2812 wrote to memory of 1056 2812 HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe 46 (x10)
PID 1864 wrote to memory of 1988 1864 cmd.exe 47 (x4)
PID 1864 wrote to memory of 1640 1864 cmd.exe 48 (x3)
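The WriteProcessMemory table is easier to reason about as a tree. The code below is an added example, not the report's or the sandbox vendor's code: it parses a subset of the entries above (repetition counts reduced) into writer-to-target counts and compares the writer's image with the target's, using a pid-to-image map copied from the Processes section further down. The report's own entries make one pair stand out: PID 2812 writing ten times into PID 1056, a second instance of the same Generic sample that also carries "Suspicious use of SetThreadContext"; the cmd.exe writes are simply cmd.exe launching each sample.

```python
"""Rebuild writer/target relationships from "wrote to memory" report lines (added example)."""
import re
from collections import Counter, defaultdict

# Line format: "PID <writer> wrote to memory of <target> <writer> <writer image> <index>"
# where <index> is the report's procid_target, a row index into its process
# list rather than a Windows PID, so it is parsed but not used here.
LINE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

GENERIC = "HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe"

SAMPLE_LINES = [  # constructed subset of the report's entries
    "PID 1864 wrote to memory of 1020 1864 cmd.exe 35",
    "PID 1864 wrote to memory of 1020 1864 cmd.exe 35",
    "PID 1864 wrote to memory of 568 1864 cmd.exe 36",
    "PID 1864 wrote to memory of 568 1864 cmd.exe 36",
    "PID 1864 wrote to memory of 568 1864 cmd.exe 36",
    f"PID 2812 wrote to memory of 1056 2812 {GENERIC} 46",
    f"PID 2812 wrote to memory of 1056 2812 {GENERIC} 46",
    f"PID 2812 wrote to memory of 1056 2812 {GENERIC} 46",
    "PID 1864 wrote to memory of 1988 1864 cmd.exe 47",
]

PROCESS_IMAGES = {  # pid -> image, taken from the report's process tree
    1864: "cmd.exe",
    1020: "HEUR-Trojan-Ransom.MSIL.Agent.gen-fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc.exe",
    568: "HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe",
    2812: GENERIC,
    1056: GENERIC,
    1988: "Trojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe",
}


def spawn_tree(lines):
    """Return ({writer_pid: Counter({target_pid: writes})}, {writer_pid: image})."""
    tree = defaultdict(Counter)
    images = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate headers and truncated lines
        writer, target, _, image, _ = m.groups()
        tree[int(writer)][int(target)] += 1
        images[int(writer)] = image
    return dict(tree), images


def same_image_writes(tree, images, process_images):
    """Writer/target pairs whose images are identical.

    A process writing repeatedly into a freshly started copy of itself, with
    SetThreadContext alongside, is the pattern process hollowing produces
    (start a suspended copy, overwrite its image, redirect its thread, resume).
    The function only reports the pairing; the report's other tags supply the rest.
    """
    return [(w, t) for w, targets in tree.items() for t in targets
            if images.get(w) == process_images.get(t)]


def widest_fanout(tree):
    """(writer_pid, number of distinct targets) for the busiest writer."""
    writer = max(tree, key=lambda w: len(tree[w]))
    return writer, len(tree[writer])


if __name__ == "__main__":
    tree, images = spawn_tree(SAMPLE_LINES)
    for writer, targets in tree.items():
        print(writer, images[writer], dict(targets))
    print("same-image writes:", same_image_writes(tree, images, PROCESS_IMAGES))
    print("widest fan-out:", widest_fanout(tree))
```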
System policy modification 1 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe
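The two registry tables, "Modifies registry class" above and "System policy modification" here, record two different ways the samples entrench themselves. Trojan-Ransom.Win32.Gen.cgg points every listed extension (including `*`, `.` and `.exe`) at a ProgID named CANCER whose Shell\Open\Command is the sample's own path with `"%1"`, so any file opened through the shell relaunches it; Gen.cgg and Foreign.gen also set the UAC policy values to 0 (EnableLUA=0 disables UAC after the next reboot, ConsentPromptBehaviorAdmin=0 elevates administrators silently, ConsentPromptBehaviorUser=0 auto-denies standard users' elevation requests). The parser and checks below are an added example, not code from the report or the sandbox vendor. The sample lines copy report entries verbatim plus one constructed benign association (txtfile to notepad) as a control; the trusted-root list is an assumption.

```python
"""Evaluate registry writes from the report for association hijack and UAC weakening (added example)."""
import re

IOC_RE = re.compile(r"^(Set value \((\w+)\)|Key created) (\\REGISTRY\\.*)$")
GEN_CGG = "Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"

SAMPLE_IOCS = [  # report lines copied verbatim, plus a constructed benign control at the end
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "CANCER" ' + GEN_CGG,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\ = "CANCER" ' + GEN_CGG,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.docx\ = "CANCER" ' + GEN_CGG,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell\Open\Command ' + GEN_CGG,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\ = "CANCER" ' + GEN_CGG,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CANCER\Shell\Open\Command\ = "C:\\Users\\Admin\\Desktop\\00284\\'
    + GEN_CGG + r' \"%1\"" ' + GEN_CGG,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" '
    r'HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ' + GEN_CGG,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "txtfile" benign-setup.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\Shell\Open\Command\ = "C:\\Windows\\system32\\NOTEPAD.EXE %1" benign-setup.exe',
]


def parse_ioc(line):
    """Split one report line into action, value type, key path, value and process."""
    rest, process = line.rstrip().rsplit(" ", 1)  # process name is the last token
    m = IOC_RE.match(rest)
    if not m:
        raise ValueError(f"unrecognised IOC line: {line!r}")
    action, vtype, path = m.groups()
    value = None
    if action.startswith("Set value"):
        path, _, raw = path.partition(" = ")
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        value = raw.replace('\\"', '"').replace("\\\\", "\\")  # undo the report's escaping
    return {"action": "set" if vtype else "create", "type": vtype,
            "path": path, "value": value, "process": process}


CLASSES = "\\SOFTWARE\\Classes\\"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")  # assumption: handlers expected here


def association_hijacks(iocs):
    """Extensions whose handler executable lies outside TRUSTED_ROOTS.

    Classes\<ext>\(Default) names a ProgID; the ProgID's Shell\Open\Command
    is what the shell runs for that extension. Only keys that look like an
    extension ("." prefix) or the "*" catch-all are treated as associations.
    """
    progid_of, command_of = {}, {}
    for ioc in iocs:
        if ioc["action"] != "set" or CLASSES not in ioc["path"]:
            continue
        parts = ioc["path"].split(CLASSES, 1)[1].rstrip("\\").split("\\")
        if len(parts) == 1 and parts[0][:1] in (".", "*"):
            progid_of[parts[0]] = ioc["value"]
        elif parts[1:] == ["Shell", "Open", "Command"]:
            command_of[parts[0]] = ioc["value"]
    findings = []
    for ext, progid in progid_of.items():
        cmd = command_of.get(progid)
        if cmd is None:
            continue
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        if not exe.lower().startswith(TRUSTED_ROOTS):
            findings.append((ext, progid, exe))
    return findings


POLICY_KEY = "\\Policies\\System\\"
UAC_WEAK_VALUES = {  # value name -> (weak setting, meaning)
    "EnableLUA": ("0", "UAC switched off (effective after reboot)"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate with no prompt"),
    "ConsentPromptBehaviorUser": ("0", "standard users' elevation requests auto-denied"),
}


def uac_weakenings(iocs):
    """(value name, writing process, meaning) for each weakening policy write."""
    out = []
    for ioc in iocs:
        if ioc["action"] != "set" or POLICY_KEY not in ioc["path"]:
            continue
        name = ioc["path"].rsplit("\\", 1)[1]
        weak, meaning = UAC_WEAK_VALUES.get(name, (None, None))
        if weak is not None and ioc["value"] == weak:
            out.append((name, ioc["process"], meaning))
    return out


def analyse(lines):
    iocs = [parse_ioc(line) for line in lines]
    return {"association_hijacks": association_hijacks(iocs),
            "uac_weakenings": uac_weakenings(iocs)}
```

Resolving extension to ProgID to command is the part worth keeping: a rule that only watches `Classes\.exe` misses the same takeover done through `*` or `.`, and one that only watches Shell\Open\Command cannot tell which extensions are affected.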
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\taskhost.exe  "taskhost.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1112
    C:\Windows\System32\vssadmin.exe  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Interacts with shadow copies
      PID:2148
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1160
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1200
    C:\Program Files\7-Zip\7zFM.exe  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00284.7z"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID:3040
    C:\Windows\system32\taskmgr.exe  "C:\Windows\system32\taskmgr.exe" /4
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:1288
    C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      PID:1864
        C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.MSIL.Agent.gen-fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc.exe  HEUR-Trojan-Ransom.MSIL.Agent.gen-fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          - Suspicious use of AdjustPrivilegeToken
          PID:1020
        C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe  HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe
          - UAC bypass
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          - Suspicious use of SetWindowsHookEx
          - System policy modification
          PID:568
        C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Foreign.vho-b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290.exe  HEUR-Trojan-Ransom.Win32.Foreign.vho-b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290.exe
          - Cerber
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2968
        C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe  HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID:2812
            C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe  HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              PID:1056
                C:\Users\Admin\AppData\Roaming\Orzia\anetu.exe  "C:\Users\Admin\AppData\Roaming\Orzia\anetu.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  PID:1936
                    C:\Users\Admin\AppData\Roaming\Orzia\anetu.exe  "C:\Users\Admin\AppData\Roaming\Orzia\anetu.exe"
                      - Executes dropped EXE
                      - Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:992
                C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_673e08b6.bat"
                  - System Location Discovery: System Language Discovery
                  PID:644
        C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Zerber.vho-c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9.exe  HEUR-Trojan-Ransom.Win32.Zerber.vho-c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9.exe
          - Cerber
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:600
        C:\Users\Admin\Desktop\00284\Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe  Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:480
            C:\Users\Admin\Desktop\00284\Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe  Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe
- Executes dropped EXE
PID:1736
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exeTrojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:588 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exeTrojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe" /stext C:\ProgramData\Mails.txt5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:3004
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe" /stext C:\ProgramData\Browsers.txt5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1996
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Foreign.njli-c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2.exeTrojan-Ransom.Win32.Foreign.njli-c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
PID:1488 -
C:\Windows\syswow64\svchost.exeC:\Windows\syswow64\svchost.exe4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2844
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exeTrojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2016 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exeTrojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\35B2\1DE.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe" "C:\Users\Admin\Desktop\00284\TROJAN~4.EXE""5⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\cmd.execmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe" "C:\Users\Admin\Desktop\00284\TROJAN~4.EXE""6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:660 -
C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe"C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe" "C:\Users\Admin\Desktop\00284\TROJAN~4.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe"C:\Users\Admin\AppData\Roaming\MICROS~1\Cmdinput\dimsssec.exe" "C:\Users\Admin\Desktop\00284\TROJAN~4.EXE"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:3012 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2640
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exeTrojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe3⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1816 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Documents\Temp\CANCER~6887.exe"4⤵
- Executes dropped EXE
PID:17064
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Pictures\Temp\CANCER~87255.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8104
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Shared\Temp\CANCER~15899.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9676
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\AppData\CANCER~60671.exe"4⤵
- Executes dropped EXE
PID:8456
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\AppData\Local\CANCER~6148.exe"4⤵
- Executes dropped EXE
PID:8808
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\AppData\Roaming\CANCER~33585.exe"4⤵
- Executes dropped EXE
PID:7620
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Program Data\CANCER~89709.exe"4⤵
- Executes dropped EXE
PID:4936
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Program Files\zzz_Cancer\CANCER~29930.exe"4⤵
- Executes dropped EXE
PID:7580
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Program Files\_\CANCER~17627.exe"4⤵PID:6776
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Programs\Eww\CANCER~99196.exe"4⤵PID:15596
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Windows\XLIN\CANCER~17078.exe"4⤵PID:15428
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Windows\D-Link\Media\CANCER~26033.exe"4⤵PID:15400
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Temp\Cached\CANCER~57722.exe"4⤵PID:15384
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\CANCER~52532.exe"4⤵PID:15364
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Program Data\CANCER~60017.exe"4⤵PID:2764
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exeTrojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1656 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"4⤵
- Executes dropped EXE
PID:996
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"4⤵
- Executes dropped EXE
PID:1104
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 2005⤵
- Loads dropped DLL
- Program crash
PID:1644
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exeTrojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856
-
-
C:\Windows\system32\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys7EC1.tmp"4⤵PID:620
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.sg-d2954337252fb727b01a7e2a8e4c4b451cb00c9abe6dec34b8b143d845a00111.exeTrojan-Ransom.Win32.Locky.sg-d2954337252fb727b01a7e2a8e4c4b451cb00c9abe6dec34b8b143d845a00111.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1640
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.xfj-b56ad0d8b823c049dc99ae0897a90ee0c1bfe6e2e8496026a1be1c075524c489.exeTrojan-Ransom.Win32.Locky.xfj-b56ad0d8b823c049dc99ae0897a90ee0c1bfe6e2e8496026a1be1c075524c489.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1664 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm4⤵PID:18136
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:18136 CREDAT:275457 /prefetch:25⤵PID:8648
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\DesktopOSIRIS.bmp"4⤵PID:18880
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys86AD.tmp"4⤵PID:19020
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.xlf-60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29.exeTrojan-Ransom.Win32.Locky.xlf-60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1984 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm4⤵PID:10080
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\DesktopOSIRIS.bmp"4⤵PID:11112
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysC429.tmp"4⤵PID:13468
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.xpc-f76b705326288636963dd42819ce4705615cbb5a34ce6e9fca3a5419d66ba1f8.exeTrojan-Ransom.Win32.Locky.xpc-f76b705326288636963dd42819ce4705615cbb5a34ce6e9fca3a5419d66ba1f8.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2144 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm4⤵PID:12048
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\DesktopOSIRIS.bmp"4⤵PID:17476
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys5419.tmp"4⤵PID:17584
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exeTrojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
PID:2956 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exeTrojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1668
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exeTrojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
PID:2696 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exeTrojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1264
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exeTrojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2432 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exeC:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo. > "C:\Users\Admin\AppData\Roaming\Isass.exe":Zone.Identifier5⤵PID:3984
-
-
C:\Users\Admin\AppData\Roaming\Isass.exeC:\Users\Admin\AppData\Roaming\Isass.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6788 -
C:\Users\Admin\AppData\Roaming\Isass.exeC:\Users\Admin\AppData\Roaming\Isass.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1776
-
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exeTrojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2064 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exeTrojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe4⤵
- Cerber
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2988 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_EYEY6_.hta"5⤵
- Executes dropped EXE
PID:7808
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe"C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_YT543_.txt"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8688
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵PID:20964
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe"6⤵
- Cerber
- Kills process with taskkill
PID:21404
-
-
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exeTrojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
PID:820 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exeTrojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe4⤵
- Cerber
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2272
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.fxnh-f0e7364a7569254b85a977c07c65ba668e7e188bab5af80250daeb5e29610762.exeTrojan-Ransom.Win32.Zerber.fxnh-f0e7364a7569254b85a977c07c65ba668e7e188bab5af80250daeb5e29610762.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2112
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exeTrojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2532 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exeTrojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe4⤵
- Cerber
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exeTrojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
PID:1364 -
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exeTrojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe4⤵
- Cerber
- Executes dropped EXE
PID:2456
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1440
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1302882154-1818028051093790043-1770298503-120566053816624992562034640893417455455"1⤵PID:1824
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-8691233731722743608-16039759401459726247196649821411198501828253431841236147313"1⤵PID:2584
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-4867871061683322829-21186686931187872054-1105586769-150273517314707487347924672"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:592
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2156
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1004
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "548002949-1496628644-1055361255-107219823984446616-188655823620620435441476897889"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2744
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6828
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:16284
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:15668
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:15564
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:220
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5641⤵PID:17908
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:3788
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5e81⤵PID:6592
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5f01⤵PID:20104
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5f41⤵PID:22060
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x6041⤵PID:14248
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Direct Volume Access (1)
  - Impair Defenses (1)
    - Disable or Modify Tools (1)
  - Indicator Removal (3)
    - File Deletion (3)
  - Modify Registry (4)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
-
Filesize
7B
MD544f601e6b6d1113354b901483b2e624c
SHA1f39912a200b8a49c8ea43ec7085f498cae4324c7
SHA2564dde4c53d78e3e01233b0019370fcdba1e04acf2070f83e843f990a7f6d941b3
SHA51298d3dcc0a164d2cc56079d38fc0fb6a1de6113bc1451f2603c187c43b265e0884dc842956327340a5299536a5fe4234b11a5aed1b48da69b62788200578cf8e4
-
Filesize
8KB
MD59ad08cb43bc9838e9891fc218d8b96cd
SHA11849bfeefb3134680bb23fd6b98ed206a40abe43
SHA256140122d24a0436df02bce876332c8a4c6d9241f53916a5a38fd9334cc071c602
SHA512663225f94913a9121f529bc87fe2c67b6ede0175ffdae187450b479970107c664f1320f269465c1d5ce63235de44ff6029f50545f73e5c43d8772955d9562c38
-
Filesize
8KB
MD57876196e374738d70a6ebc1921ed5b49
SHA18e76a4407f8ec1374234716975c9c1eb92cdbe43
SHA256c8cd06585a2fc2c0eac9739200263f3a6cfb602ba84c4240690c5d77a7ac997a
SHA5125484a1db3199b6c3ca833f359df5546ab3b935299e554cb9d1618b8ef0d7d19043fe0be247e3b18a19203ea645a8318dbdd4fad33eea2730cbab6e2dc9ca8cc9
-
Filesize
9KB
MD5f301d34832fe2e9cd765dc6508a7fe92
SHA1b65c1a9b0a62c8c5542afc36939f39d5726f665d
SHA256
b23ea288cb2211df2874ec2b4c3544a9a34fc986613cf2a364ca755474e076f2
SHA512
f3f457a803334a81d3fcc1fb232e3df339afae831d34f03a7c9e4400bcd801de7c273500c1f9da98c16ccdde7dabeb14b71684397d27e029d573613ac26229b2
-
Filesize
112B
MD5
d3ba78ab4c862936257294dd2c947816
SHA1
07a5e7f01b7c0b3aced48183095de495c797b00c
SHA256
12c2cc2fa19f0230fde0ff150285fee992358d7cb8027649b846d4292c50c545
SHA512
8bff939cf4bc164b41437e1e8c92878ee044d6d521c87ffc888505816eb400469266971ad433e3db8593574853b3be5b34b1d089493657965246e365c584b7f3
-
Filesize
8KB
MD5
e0be013e69b55b08c6fb06a4cdd26bb9
SHA1
7e33f6a08cc7e4917960de7cbfc8734e1ed1472e
SHA256
1bab4ebf3e8c368f58fd683ff078a7d6941885ff46c115f0814f56968bdce2f9
SHA512
3b9da4947be3474e3fd7d25a1351d92c45267c661aa0f6928eb1dc670116a2d7e9fb1c201fe76191be913cba11fea9c1d40a09edb821a12aa66cbec99fc62a97
-
Filesize
105KB
MD5
af1991a884db5eecd55241d859d11021
SHA1
a560421bd55eed8ef52bfd3a07003ef32f1c417b
SHA256
c8f29fe24718c0664a8deea759b39b2e951a80cab2568599ed77b2e1eb7b60e4
SHA512
c40c9c09844d244540e4589e48265e7fc4da18e1c5bc6052b0ff17d842bb221822aea1beaae2a50066e2acd64fa6a58aa08671eb7f0c12052b7dc12443ad4564
-
Filesize
51KB
MD5
5945b457e6a22704f1715c12d96d97e6
SHA1
a0346b93dbe83e5b3b6f0d5ac1e91697ad84823e
SHA256
44ef29461edd58480464f5b9a8a2d68ce061f6792cdf0621b02b4106189b2378
SHA512
83030e5b7bc9a8d10a18313c105445741dca35e7cd1efb7787ca959c30c76399c1572af86999f6ea90a3b9d6c5be063c714134b5ac1759d535f44d6307b33394
-
Filesize
7KB
MD5
614cf2d306f66b3635b27eeda61a56ff
SHA1
0585341ee37857422fba8faac7c8de250a801fed
SHA256
4043bd7ac630ecca22a91987086948b2a8df87bdafcccb3efce198c01a1a6f3b
SHA512
fc3009f33d820889632453dde343f4a979ef44292a2287d2344a0892dc3a4f8db739e37125b4eac75e8d000c8aabccab1d78dd017c31aa6695ad89dfb9a15e64
-
Filesize
3KB
MD5
fb424c74c8f4efaf76ae6aa153cd9da9
SHA1
77a02556e59b14f86ad206a21f14619dfe33d31a
SHA256
bda503202f603ff9f32d06627b26a85954b5dca0b3bfb8f8944bff4a87058b7e
SHA512
eb2b1bfe7ced1623dd7789b00b25ef2b21a4344d4a06e667fd0c43e9f8ca007a917b3da6571854c047aabc9c63b41ff75a8f2ca6892e27a3ceb05247e9937ea3
-
Filesize
18KB
MD5
52efabdab8b4f0e23d4f4de2a0efba91
SHA1
4c78d905fa9225c8e7ce4f482be0490b3e2519d2
SHA256
818538cde0338c2935ace15543d3e5160836d13925bf5f5b92e6e1596db35d9e
SHA512
78d5efd108911bd44fb0e9eb82b72b03e6f4f1b595d4cbea4b11ca52a63f565e36541925895c0bd81cb48f650a63adf9d88103edd34dc5e3d1ff3d97c4f87164
-
Filesize
364B
MD5
e9364ca2b956f270c98d3e80ad1fcba6
SHA1
f572fdc9a3e445f440c45699ba2782c870205221
SHA256
25eacf3b2a66f75c69eb09d4b8d2a1de6dcffdb0158dcc94c9a959eeeab901f0
SHA512
459021c36db31be5bcf89dcb0f56f21b7f27f8c025ed073fdbf03745821fc69ae4ea95bcb8433fbdb4981900baddc52803b477537b3585fa7a1ff5f6833d39ab
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_CB9BAC2A7DD34BED8C239BA9B7372F23.dat
Filesize
940B
MD5
b2f1e30e15a4d4b2e098222c92d909cb
SHA1
022d7bd3a250d37834d0d6fbd27f63d97cbb71cc
SHA256
510889c9be43c0c8d7803dc5af97b2560beb781377bac0f4ee039f2bff8ef561
SHA512
18a4ac4e89703e0bd247feda54eb5d87f684ebaae1fd88b9ecfb6eb905c7b8c26f5d7a681bd8fab847e5470c0c666e860ea1bf8f84b259425dec417f3c8f23b8
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.MSIL.Agent.gen-fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc.exe
Filesize
207KB
MD5
8027c5d23113279e2590281319119728
SHA1
a6545cc8149b2624a731270204af0a2f2cd5ce12
SHA256
fb8769784b31275e40a5095bfdcbae98a529e0055cc6ae71d7d3295c7825ebdc
SHA512
0f912b5077b5f3db5b8f227e3098481306680c4d7219e6f7fbcd718683c98ca80397c4c8b9bbb8609421ba8809fa0869cf9e9dc1909bc463e4e806377871dadd
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Foreign.gen-80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac.exe
Filesize
3.1MB
MD5
00a350897132e68bf9d6b1b6d11acb88
SHA1
035de4fbcc6b3f0f1436046b43fc9caa275593e5
SHA256
80ff7a0cd359ecd7ba5c5938d72f5bcb8d25a59580f230cb5ef622bc42c04dac
SHA512
adfa8de360769fd258ec42069434713bd10a53d23e0f6ea5e9da5a130ab1383d15c59f9349c7adec0ec73ac5ba336a6242b9a1c9fa95aa1259d5c0ee1a221117
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Foreign.vho-b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290.exe
Filesize
249KB
MD5
a788815bbdd4495cb3dbfc532b5ead93
SHA1
4852539c0f33f3edf694751f58a7899f492d257d
SHA256
b129043616d6771e6cb5f4343e9c3ac3308251a5e5ba97d4c3d2750b65c84290
SHA512
475cf0e19ac027ece932c82e0bfb378b0d960d53525508980105594c7423ddf7ec59853b97fcdfc8d1ad746b0387916de441d4e681fa25e1b335d31da0ad3657
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Generic-58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b.exe
Filesize
184KB
MD5
8254a63ed8b2e0001f58b4922637c4a4
SHA1
d3c414410c1feb8c2cd8660c1aa08d9780aed3d9
SHA256
58ecd6b9e87f80026e3b063750f46166cf1fe21a5021f43fefce930376a2c26b
SHA512
ba36d888af961015679e7e4d7e7089dc5709ae4386615a525519c6f24e2589bbd261185a4f257272f58178d7ae19b3481926724ed3a1da2962d6d6bd862667d5
-
C:\Users\Admin\Desktop\00284\HEUR-Trojan-Ransom.Win32.Zerber.vho-c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9.exe
Filesize
259KB
MD5
a64bc28d08d5375a5d3fd3b36cf2e700
SHA1
7428aae3ab1f695ec4dfd54dc6c40770edd30e2a
SHA256
c9c68614f632f4059f51fce30fa7168253d741d978c4d7b74cca1dcef2819bc9
SHA512
dbb6cc006357d4a3edd6a3a6f4bf2312fc32774540e8c1d961a253a78a6f1e81bf4739fe06e4a83d56293e4b122492059ea2ca10aa23e3472224abc3d9f6cec5
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.NSIS.Zerber.abe-64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae.exe
Filesize
756KB
MD5
a438050c49aced04ae3b2e2086657a8d
SHA1
ae9bc0298bcb80327b1621f1169ccf3882865189
SHA256
64b2284a54aa668dbc01b3a290f53370231f9551094f4d41de429804656a8aae
SHA512
98e2b33187bcb361faa42e8ab4a29524eee5d56ffa8bf503993f8c2682e118c97c3e9af639b196663d261e1744a84c695886cc9d8b059cdfc1e0b66beca10366
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Blocker.jybg-c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae.exe
Filesize
1.3MB
MD5
af0b3041efa3c657b235c06bae94fa39
SHA1
ea8e11bf1fa17c845883562c7fb8f1c990c9b869
SHA256
c638a00a3353e475b1f411274cc7f2d2983f60e36cff5ef724176bcd795c97ae
SHA512
fcd159fa9b9e432f56c7e5c0c1ae407fe97e030ae37719c7aa1645b2c9762dfa1adaf3b6e31b136dcbc75122e7319b3517223489d6c40d2b2d85bd59332c104d
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Foreign.njli-c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2.exe
Filesize
443KB
MD5
07484140601b38187c94784180760bfa
SHA1
7e7f357debc701b26493fb240d6e99e1eee4f976
SHA256
c2b0f00850007b801b9c4f5ad65768bba99412923ec0ddd33a99bcb5d146a1c2
SHA512
f16d7ef0241415d5ff4e863ab3fcc0d0a1fc3423306aca1657a3f3eba2c8921c62149ffef7d7e330c3e6d2c1308fab5eda46046a31fb445933291695542ccf26
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Foreign.nyyz-e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e.exe
Filesize
350KB
MD5
7168523b8e0a72e147e6f443ed98b1f9
SHA1
6a267bc830cf3a75b6e250321119e18a3ef4f92c
SHA256
e6cef31d573eb1d167a53ca06d6542d4f5257b83931c2ebd3de13f2fda526b3e
SHA512
997f8cc642a513a04ae00b78f75172c0d50a499882d115eafebd0ba63bbf212bd4e07307811e375d3e376d5f0b789adaba7519ae080d920639dfac27c7f47f3a
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Gen.cgg-30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760.exe
Filesize
6.8MB
MD5
b5bae1ed2fde118e256ede9d86affe42
SHA1
4870df80763feae4870e674a93515a2635637748
SHA256
30616f6c488fa16ccdcbfd6273e7ac8604c82bc1468fc1a70b2a43661b674760
SHA512
00c871aaf12b9690d99ec2797758e69a7513da378cf6d7a2f7e0d3c2095267b346aee5fd7585121bdd5c3ff112f832d810367788136c5bb68758675c4eec5bfa
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.aam-07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced.exe
Filesize
213KB
MD5
db579e92844d6b5d1281488dee6d85c4
SHA1
f970da464c7e0afec247dd9d66a5a59c9db58e60
SHA256
07f399154fcd8861ecfabee5ecf7de637b5a0191b8fdb29ab22302e159001ced
SHA512
dfc7e0cfe6dc7fa2d1f4de95cee83df652363e24dc60134cf7c3f63031ee8dbcadae74b2cdcc648fe3c67b28f72829a6ae0ededc692f06dc6acf824149aa12b0
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.b-5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe
Filesize
204KB
MD5
e1a9b6f7285a85e682ebcad028472d13
SHA1
1347b810ac90c13154908f7cf45b11913c182e44
SHA256
5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8
SHA512
35e6adb72faba256c94a7abe205ff14752f46c830292905e24605a479d15b6aa6b4ccfcc6d4937dfad8698cfa8da4a4cd68b38ded5c14ed24127f605c6fe6874
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.sg-d2954337252fb727b01a7e2a8e4c4b451cb00c9abe6dec34b8b143d845a00111.exe
Filesize
264KB
MD5
3c89456ba5ab540e445a632ccfbbb958
SHA1
c0d239bb3761a9b4e6024f6d970f3a495fe6a04b
SHA256
d2954337252fb727b01a7e2a8e4c4b451cb00c9abe6dec34b8b143d845a00111
SHA512
e935ad2d98c915a92ddc0a4f878a8aaf94f6c54f1b58c1499fa07d6558271eb6ff56c79313d691737dd524d31ba0119bbac58129dd7dc51de3d7c024ca7a38f2
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.xfj-b56ad0d8b823c049dc99ae0897a90ee0c1bfe6e2e8496026a1be1c075524c489.exe
Filesize
364KB
MD5
a38cd976b7f15d2460c8f70bc8c490aa
SHA1
f360212f78618c9b346a8a39fc266d1a16fd9051
SHA256
b56ad0d8b823c049dc99ae0897a90ee0c1bfe6e2e8496026a1be1c075524c489
SHA512
60f6b6852788d086dac1005027ae5323d2c27a30ab2de823fe1c757f0c55ea718d93e6500e05fcf4ea64889c24f591d18d8db15a2bc7408174801081d8201802
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.xlf-60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29.exe
Filesize
368KB
MD5
6dd36d14d55910872f3397c9cacd7a9b
SHA1
05d160838a5b483f7d7dc486806ac9de9f9c3a82
SHA256
60e67e18aecf1be2974966e38f4b179c2643953a27be20da69032fb38f529e29
SHA512
80fbee206898f724441bec122fcbbba16d4a8bfc71e6668538ce4932937355e618d61aa46a3ee266d79e869c51ec73e064baeab8720180d8c9a46a63538e6dea
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Locky.xpc-f76b705326288636963dd42819ce4705615cbb5a34ce6e9fca3a5419d66ba1f8.exe
Filesize
431KB
MD5
f133d6277367fba390651559b8953cd4
SHA1
46d03119cb031dda1491fcde3fa8f37995d99c9c
SHA256
f76b705326288636963dd42819ce4705615cbb5a34ce6e9fca3a5419d66ba1f8
SHA512
1191522b852d1f4e46f01cb8461ee7dd33620f555719665441f82e5590176e7c95846da9e7347230e6392bd889e0ee1aa42f2dfb8e675ca206a384cc718b7b70
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.ljz-8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490.exe
Filesize
914KB
MD5
5c619b94a2b4ad02fb777c6453d20ceb
SHA1
8f7e88ee168af1e25dff8d36976796b24a427bb8
SHA256
8afb1aea361d8097f47f263b6c777155fda1d485943e7fa0d7de24bfb7db8490
SHA512
ea85575959ec0afeda9f3f6add74ab2981e08eb7990112ebb6dc764588062e02740ff5f71e296d602268df9cb2945fbd94ad083c7883c0b75eca4afd57012b53
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Shade.low-9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac.exe
Filesize
916KB
MD5
b01c53a635e7b760f539a7ff6065f683
SHA1
0b23b9fc48f7797fca3d50fdb1c273b8cf6db6be
SHA256
9d9ea2fc9705bc38323cc006742d98f97b6f1093dc1042bcd69daa06be7445ac
SHA512
2d6e1b14822d40b3727d297cce7a79fdbefc32c8a1730a702b20d161e35372071f7fcfbe786925acc1321d7664480cde9e3d1fb8d165f1cc131d7439f6a506ac
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Snocry.cvs-e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5.exe
Filesize
520KB
MD5
f48627a8c7e00d587076a55ae48b2c4f
SHA1
1677c116fafd6817ea8291643aca078bf38196ae
SHA256
e1c59c0eb434fb93001c0d766b6cb3191f6143c693b11bde5151d495a1834fb5
SHA512
7d05e88eccc323d25b719bb377b7341457453e15c067e1982e151f7e6209a50f1b9f2dd86a0902a0d9a19c290d22d248b95286ad3caf619e602d4fc93f5d96eb
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.dass-fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89.exe
Filesize
239KB
MD5
bb36503c806b72e51bbaa4b320ea4703
SHA1
381d1f3108eaf39884f6ea3a101e99fdf84c81bd
SHA256
fd4a9100bf1ee71981dc4538cccb5fd5f68db8c1b51d3d12412bb6c392e59c89
SHA512
655391b75c9b615162873c07ca8487b232b42107ba28b17124926bfa5d54698e7b65474f65c7dbc80885eb92c35e6e3df9e84dc290e1298a25649482354a9d80
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.fbbx-f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415.exe
Filesize
318KB
MD5
ed962e1325c3b9e3765949fda7a6b5ad
SHA1
4a46bc5f1721d293077d611e0583d827081b6445
SHA256
f33ce56c4ae43ce0f52ad3530fc6b8394e47d28d5c6981f1722b419673771415
SHA512
8a02daf5c3d484cc55c8f0961b9994cf5e397ce4e89095124cdbe414f0cc30ebec3ccdb71701ca38874e7c21e095f07a2e2a6c3bcddffe437c54645f5e78efb0
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.fxnh-f0e7364a7569254b85a977c07c65ba668e7e188bab5af80250daeb5e29610762.exe
Filesize
248KB
MD5
0fde16ced64b74b7fde8d3ed67c22f7e
SHA1
ea02fa337265bc904fccda2d66813ec9b2227a58
SHA256
f0e7364a7569254b85a977c07c65ba668e7e188bab5af80250daeb5e29610762
SHA512
495e01738afdd010494413fdcd24e749e07323200d045733739e90242975edfdab961274fe7c5b85a7dd0d2d7b0e0a935e2188033d1b4c45dacfb3a74339e49d
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.gdwr-07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5.exe
Filesize
180KB
MD5
d6ccad707bcdc93f762f650495baf984
SHA1
a0a42addb66f6fc8b329d7644df067565a6cf207
SHA256
07da34d4b85beffa8f28af3116ee5dd7c9fe430c0792b1f5d3ef146a855eb2c5
SHA512
c697a7e357ede162f48e6ad54eb0841591f53393fc6f57ec2e96948a47d2cbf80b210d6551cf09b0f9468accef37de226a31930b31f400ab6ec62d3e91d3bc70
-
C:\Users\Admin\Desktop\00284\Trojan-Ransom.Win32.Zerber.qkw-b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288.exe
Filesize
264KB
MD5
7a4b785cc67a8d94e8f64b2897fce7e1
SHA1
71c2516426c4640da4ae39233fec2a0c2d43670c
SHA256
b980472da4a223c4c07d406b1f86b0d9705a01bacab56930c6ffcb27e3c85288
SHA512
cf38168d124bf6da0a93f48d29c25625c021a6a178628fb44b701b26fc3ecf656a146ff9adfc52b43d5a00405d3a78fa9545f4a99723661a86b91d9ef782ed61
-
Filesize
64KB
MD5
66f1bb40619895bffa812c7b6f79464b
SHA1
66f7a731c62014a5a622072c90b75e80298cabe6
SHA256
36e626f9949d4b75f2bc07f3e321ece3b29973ce96ab255f025744d1fadf5002
SHA512
946475b74afed276459e7b0326c3ef004ac9403ba10351b7254f5c4b0fcfef102073410d18ae64fefc442e304527d1ab790064129670c4d215c7b1412e59742b
-
Filesize
11KB
MD5
a4dd044bcd94e9b3370ccf095b31f896
SHA1
17c78201323ab2095bc53184aa8267c9187d5173
SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
-
Filesize
11KB
MD5
4d3b19a81bd51f8ce44b93643a4e3a99
SHA1
35f8b00e85577b014080df98bd2c378351d9b3e9
SHA256
fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
SHA512
b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622
-
Filesize
11KB
MD5
a436db0c473a087eb61ff5c53c34ba27
SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506
SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
Filesize
44KB
MD5
5198e9f75dc3d5431cf063a4e9b21983
SHA1
e53a625109801a9a44d3663d496860ddcca8e483
SHA256
dcf1ebca9072074a34766077ed677bfc950d01bbe3307e0befd1165514aa8c6f
SHA512
ca91012a49a410fbc2c47ccb795c0cdd8098f34bc1d93eabbe5c125887d09717a989c2ff6eece4fcb817555c5354b6e6627eb20feb6277883cdc767f9c322265
-
Filesize
67KB
MD5
0101165c186a281b471f7198a342759e
SHA1
e36b03bb943067b57e66df692ee9ee1228fce37f
SHA256
e394ca66d3fd35e7bbbaba4a729391fdb01579c16d5c76a18aa90dd5c0a5e9bf
SHA512
e69ca2491af71116ddf5630997b7e43eab7e4fc8a63f9be971dfee825c1776ec1a315cf5c11c13ad79c9032520ff334cbde556c2c0f80ee120eb2c49387e257f