xtremerat | a4e94a78ab31afc40468da08add417199669e94dd05cfb4d6c3eb1dae8f6490d

Analysis

max time kernel
47s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 18:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

RNSM00286.7z
Size

7.5MB
MD5

e9447647726a88a70f0dc67ae416e17b
SHA1

d644e20c30052bf957d3d0171f61c2f32e85a265
SHA256

a4e94a78ab31afc40468da08add417199669e94dd05cfb4d6c3eb1dae8f6490d
SHA512

9bcadcfed393d25f0ae302c73aba97f18ea4c653613709269fdbab2dc5264e40299db8dfc1d7df8fe56671b414f60f63ce1f557b24c311781631f57411e4fed4
SSDEEP

196608:uMeUa1P4CIExcOre/z4fDjpkKltFce1hUPjE8ab:NeUat1IwcJ/zUP7lseXd8ab

Score

10^/10

xtremerat defense_evasion discovery evasion execution impact persistence ransomware rat spyware upx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ihhcj.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: * http://t54ndnku456ngkwsudqer.wallymac.com/7B574CE5AE5C6BD * http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/7B574CE5AE5C6BD * http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/7B574CE5AE5C6BD If for some reasons the addresses are not available, follow these steps 1 Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 After a successful installation, run the browser 3 Type in the address bar: xlowfznrg4wf7dli.onion/7B574CE5AE5C6BD 4 Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/7B574CE5AE5C6BD http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/7B574CE5AE5C6BD http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/7B574CE5AE5C6BD Your personal pages TOR Browser xlowfznrg4wf7dli. onion/7B574CE5AE5C6BD

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/7B574CE5AE5C6BD

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/7B574CE5AE5C6BD

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/7B574CE5AE5C6BD

http://xlowfznrg4wf7dli.onion/7B574CE5AE5C6BD

Extracted

Family

xtremerat

flashplayerupdate.sytes.net

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RECOVER_instructions+aqg.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pren874bwsdbmbwe.returnyourfiless.ru/BAC3B4B424FB5DAB 2. http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/BAC3B4B424FB5DAB 3. http://rr48nfhdj5wedsm99324.tuttianent.at/BAC3B4B424FB5DAB If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: yez2o5lwqkmlv5lc.onion/BAC3B4B424FB5DAB 4. Follow the instructions on the site. !!! IMPORTANT INFORMATION: !!! Your personal pages: http://pren874bwsdbmbwe.returnyourfiless.ru/BAC3B4B424FB5DAB http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/BAC3B4B424FB5DAB http://rr48nfhdj5wedsm99324.tuttianent.at/BAC3B4B424FB5DAB !!! Your personal page Tor-Browser: yez2o5lwqkmlv5lc.onion/BAC3B4B424FB5DAB !!! Your personal identification ID: BAC3B4B424FB5DAB

URLs

http://pren874bwsdbmbwe.returnyourfiless.ru/BAC3B4B424FB5DAB

http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/BAC3B4B424FB5DAB

http://rr48nfhdj5wedsm99324.tuttianent.at/BAC3B4B424FB5DAB

http://yez2o5lwqkmlv5lc.onion/BAC3B4B424FB5DAB

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lwocl.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/BAC3B4B424FB5DAB 2. http://b4youfred5485jgsa3453f.italazudda.com/BAC3B4B424FB5DAB 3. http://5rport45vcdef345adfkksawe.bematvocal.at/BAC3B4B424FB5DAB If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/BAC3B4B424FB5DAB 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/BAC3B4B424FB5DAB http://b4youfred5485jgsa3453f.italazudda.com/BAC3B4B424FB5DAB http://5rport45vcdef345adfkksawe.bematvocal.at/BAC3B4B424FB5DAB *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/BAC3B4B424FB5DAB *-*-* Your personal identification ID: BAC3B4B424FB5DAB

URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/BAC3B4B424FB5DAB

http://b4youfred5485jgsa3453f.italazudda.com/BAC3B4B424FB5DAB

http://5rport45vcdef345adfkksawe.bematvocal.at/BAC3B4B424FB5DAB

http://fwgrhsao3aoml7ej.onion/BAC3B4B424FB5DAB

http://fwgrhsao3aoml7ej.ONION/BAC3B4B424FB5DAB

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	3752	2976	WerFault.exe	87

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1148	bcdedit.exe
2244	bcdedit.exe
764	bcdedit.exe
1604	bcdedit.exe
2332	bcdedit.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2968	netsh.exe
2844	netsh.exe

Executes dropped EXE 22 IoCs

pid	Process
2944	HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2932	HEUR-Trojan-Ransom.Win32.Foreign.gen-4729fa9296519c12130fae07294d1918cb6d1ae3ba76fb9c9a8752ec210235c3.exe
2988	HEUR-Trojan-Ransom.Win32.Zerber.vho-20d2bef4e06ec962c871f247694e5336c0e20c84c03dcfb7be84370dcbc8172c.exe
1320	Trojan-Ransom.NSIS.Xamyh.obv-981fab1db1413ce2bb15be35b4579eff50e640cb8a9fec63bcd09e03ece78476.exe
236	Trojan-Ransom.Win32.Bitman.lez-e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229.exe
1732	Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe
1800	Trojan-Ransom.NSIS.Agent.v-1bee4cee3ae07cd166dde3ac8cc1b0d92a043cca6396045cdd5db11e96a3df6d.exe
1724	Trojan-Ransom.Win32.Blocker.jypg-1c8131d9fb6dd0ab2d3018fb05442d18c3cad7661d6aa79f3b9f0f8ebb54c989.exe
1788	Trojan-Ransom.Win32.Bitman.iue-cc323432a54803afaa2f6513cfd2ab199781cac7d9cba163440a58d2b5a6460f.exe
520	Trojan-Ransom.Win32.Foreign.njqa-5f8443c0f7054d9497d4b9012444bee6ff1c45e8e9d7e16c91c3f96787a4c52f.exe
2020	Trojan-Ransom.Win32.Bitman.qmf-bdcb0eea393e620d08ea5dad0c10f2ad6990cdaddbaff4da701a40be21879697.exe
1992	Trojan-Ransom.Win32.Foreign.nlqr-cc8b0fbfce10364d69a8ac6cec01d52bfcf4b45803349bf510d5bf2db63a1ece.exe
2880	Trojan-Ransom.Win32.Locky.bil-a493fd0778619e4e077248cbecd4c024fadf0038d913c25dccfb0e7e4e402733.exe
1444	Trojan-Ransom.Win32.Shade.mfg-5c3df52c37291820dde2b0be39a723c77e63865a9d7517b37aa654fbf4f2b408.exe
2324	Trojan-Ransom.Win32.Snocry.cwp-4262b1c6ea0d11fbaabaef6412b0b520317b26cb40688ade6619cac647ec35b0.exe
2012	Trojan-Ransom.Win32.Blocker.jyor-135ca32af8140119fc922b3a2b90067d54cd88b666dc6251f29c6ec164186835.exe
1940	Trojan-Ransom.Win32.Zerber.doyt-1ff56ca8aa7a31a7f681020b45ce50b2f3d571b7baad5845e91d68167767d0e0.exe
1780	Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe
2376	UDS-Trojan-Ransom.Win32.Zerber-289892e9e56337804a9419f1de6567ea822d35f74271adf5e04672fafa68b3bb.exe
1856	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
1884	Trojan-Ransom.Win32.Foreign.nksb-2a1a83db7c3ab3b38b7309b74e1e439f71fbd3ff889cc2ad275bae0b7fd8f1d1.exe

Loads dropped DLL 3 IoCs

pid	Process
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
1856	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
1856	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	128.199.248.105
Destination IP	83.96.168.183
Destination IP	185.14.29.140
Destination IP	95.85.9.86
Destination IP	178.17.170.133
Destination IP	178.63.145.236
Destination IP	37.187.0.40

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	ipecho.net

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2324-104-0x0000000000930000-0x0000000000A6A000-memory.dmp	autoit_exe
behavioral1/memory/1944-132-0x00000000010C0000-0x0000000001204000-memory.dmp	autoit_exe
behavioral1/memory/2324-284-0x0000000000930000-0x0000000000A6A000-memory.dmp	autoit_exe
behavioral1/memory/1944-309-0x00000000010C0000-0x0000000001204000-memory.dmp	autoit_exe
behavioral1/memory/2648-731-0x0000000000930000-0x0000000000A6A000-memory.dmp	autoit_exe
behavioral1/memory/3164-1100-0x00000000010C0000-0x0000000001204000-memory.dmp	autoit_exe
behavioral1/memory/3164-1189-0x00000000010C0000-0x0000000001204000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 1856	2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe	45

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019fd4-87.dat	upx
behavioral1/memory/2012-105-0x00000000012C0000-0x00000000012EE000-memory.dmp	upx
behavioral1/memory/2324-104-0x0000000000930000-0x0000000000A6A000-memory.dmp	upx
behavioral1/memory/2932-103-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/files/0x00050000000197fd-101.dat	upx
behavioral1/files/0x0005000000019e92-100.dat	upx
behavioral1/files/0x0007000000018b28-71.dat	upx
behavioral1/memory/1944-132-0x00000000010C0000-0x0000000001204000-memory.dmp	upx
behavioral1/memory/2324-284-0x0000000000930000-0x0000000000A6A000-memory.dmp	upx
behavioral1/memory/1944-309-0x00000000010C0000-0x0000000001204000-memory.dmp	upx
behavioral1/memory/2648-418-0x0000000000930000-0x0000000000A6A000-memory.dmp	upx
behavioral1/memory/2932-690-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/1268-713-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2648-731-0x0000000000930000-0x0000000000A6A000-memory.dmp	upx
behavioral1/memory/1268-759-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/3164-1100-0x00000000010C0000-0x0000000001204000-memory.dmp	upx
behavioral1/memory/3164-1189-0x00000000010C0000-0x0000000001204000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1544	2560	WerFault.exe	121
3752	2976	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Foreign.gen-4729fa9296519c12130fae07294d1918cb6d1ae3ba76fb9c9a8752ec210235c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Agent.v-1bee4cee3ae07cd166dde3ac8cc1b0d92a043cca6396045cdd5db11e96a3df6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UDS-Trojan-Ransom.Win32.Zerber-289892e9e56337804a9419f1de6567ea822d35f74271adf5e04672fafa68b3bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Xamyh.obv-981fab1db1413ce2bb15be35b4579eff50e640cb8a9fec63bcd09e03ece78476.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.doyt-1ff56ca8aa7a31a7f681020b45ce50b2f3d571b7baad5845e91d68167767d0e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nksb-2a1a83db7c3ab3b38b7309b74e1e439f71fbd3ff889cc2ad275bae0b7fd8f1d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.lez-e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.iue-cc323432a54803afaa2f6513cfd2ab199781cac7d9cba163440a58d2b5a6460f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nlqr-cc8b0fbfce10364d69a8ac6cec01d52bfcf4b45803349bf510d5bf2db63a1ece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.mfg-5c3df52c37291820dde2b0be39a723c77e63865a9d7517b37aa654fbf4f2b408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Snocry.cwp-4262b1c6ea0d11fbaabaef6412b0b520317b26cb40688ade6619cac647ec35b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.njqa-5f8443c0f7054d9497d4b9012444bee6ff1c45e8e9d7e16c91c3f96787a4c52f.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2884	cmd.exe
3172	cmd.exe
2876	cmd.exe
2280	cmd.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000018b59-61.dat	nsis_installer_1
behavioral1/files/0x0009000000018b59-61.dat	nsis_installer_2
behavioral1/files/0x0008000000018b64-73.dat	nsis_installer_1
behavioral1/files/0x0008000000018b64-73.dat	nsis_installer_2

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1960	vssadmin.exe
1664	vssadmin.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 27 IoCs

pid	Process
2944	HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe
2932	HEUR-Trojan-Ransom.Win32.Foreign.gen-4729fa9296519c12130fae07294d1918cb6d1ae3ba76fb9c9a8752ec210235c3.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2988	HEUR-Trojan-Ransom.Win32.Zerber.vho-20d2bef4e06ec962c871f247694e5336c0e20c84c03dcfb7be84370dcbc8172c.exe
1800	Trojan-Ransom.NSIS.Agent.v-1bee4cee3ae07cd166dde3ac8cc1b0d92a043cca6396045cdd5db11e96a3df6d.exe
1320	Trojan-Ransom.NSIS.Xamyh.obv-981fab1db1413ce2bb15be35b4579eff50e640cb8a9fec63bcd09e03ece78476.exe
1788	Trojan-Ransom.Win32.Bitman.iue-cc323432a54803afaa2f6513cfd2ab199781cac7d9cba163440a58d2b5a6460f.exe
236	Trojan-Ransom.Win32.Bitman.lez-e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229.exe
2020	Trojan-Ransom.Win32.Bitman.qmf-bdcb0eea393e620d08ea5dad0c10f2ad6990cdaddbaff4da701a40be21879697.exe
1732	Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe
2012	Trojan-Ransom.Win32.Blocker.jyor-135ca32af8140119fc922b3a2b90067d54cd88b666dc6251f29c6ec164186835.exe
1724	Trojan-Ransom.Win32.Blocker.jypg-1c8131d9fb6dd0ab2d3018fb05442d18c3cad7661d6aa79f3b9f0f8ebb54c989.exe
520	Trojan-Ransom.Win32.Foreign.njqa-5f8443c0f7054d9497d4b9012444bee6ff1c45e8e9d7e16c91c3f96787a4c52f.exe
1884	Trojan-Ransom.Win32.Foreign.nksb-2a1a83db7c3ab3b38b7309b74e1e439f71fbd3ff889cc2ad275bae0b7fd8f1d1.exe
1992	Trojan-Ransom.Win32.Foreign.nlqr-cc8b0fbfce10364d69a8ac6cec01d52bfcf4b45803349bf510d5bf2db63a1ece.exe
2608	Trojan-Ransom.Win32.Foreign.nlyv-023c31792377e93fb5c4edbecc6f1e1e3af7946d8e20dea2b3b2fe9276354174.exe
2880	Trojan-Ransom.Win32.Locky.bil-a493fd0778619e4e077248cbecd4c024fadf0038d913c25dccfb0e7e4e402733.exe
2808	Trojan-Ransom.Win32.Shade.lpx-904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326.exe
1444	Trojan-Ransom.Win32.Shade.mfg-5c3df52c37291820dde2b0be39a723c77e63865a9d7517b37aa654fbf4f2b408.exe
560	Trojan-Ransom.Win32.Shade.mjj-92b405e874858caf9bd1d382e3d23ae80aca3499f459d848cd7381b5743c9f65.exe
2324	Trojan-Ransom.Win32.Snocry.cwp-4262b1c6ea0d11fbaabaef6412b0b520317b26cb40688ade6619cac647ec35b0.exe
1944	Trojan-Ransom.Win32.Snocry.cxd-2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c.exe
1940	Trojan-Ransom.Win32.Zerber.doyt-1ff56ca8aa7a31a7f681020b45ce50b2f3d571b7baad5845e91d68167767d0e0.exe
1964	Trojan-Ransom.Win32.Zerber.ealb-56cd5bd76e17421e79b63bcc40098e7d4a322d1d00945135f6868b6e2247d3ca.exe
1780	Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe
2192	Trojan-Ransom.Win32.Zerber.sqx-c7e74d477c1439a192ff4167e224de9c484181bcabcc3bc7d06158ebf4604e6c.exe
2376	UDS-Trojan-Ransom.Win32.Zerber-289892e9e56337804a9419f1de6567ea822d35f74271adf5e04672fafa68b3bb.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2220	7zFM.exe
Token: 35	2220	7zFM.exe
Token: SeSecurityPrivilege	2220	7zFM.exe
Token: SeDebugPrivilege	2616	taskmgr.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2220	7zFM.exe
2220	7zFM.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe
2616	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
236	Trojan-Ransom.Win32.Bitman.lez-e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2944	2336	cmd.exe	33
PID 2336 wrote to memory of 2944	2336	cmd.exe	33
PID 2336 wrote to memory of 2944	2336	cmd.exe	33
PID 2336 wrote to memory of 2944	2336	cmd.exe	33
PID 2336 wrote to memory of 2932	2336	cmd.exe	34
PID 2336 wrote to memory of 2932	2336	cmd.exe	34
PID 2336 wrote to memory of 2932	2336	cmd.exe	34
PID 2336 wrote to memory of 2932	2336	cmd.exe	34
PID 2336 wrote to memory of 2972	2336	cmd.exe	35
PID 2336 wrote to memory of 2972	2336	cmd.exe	35
PID 2336 wrote to memory of 2972	2336	cmd.exe	35
PID 2336 wrote to memory of 2972	2336	cmd.exe	35
PID 2336 wrote to memory of 2988	2336	cmd.exe	36
PID 2336 wrote to memory of 2988	2336	cmd.exe	36
PID 2336 wrote to memory of 2988	2336	cmd.exe	36
PID 2336 wrote to memory of 2988	2336	cmd.exe	36
PID 2336 wrote to memory of 1800	2336	cmd.exe	37
PID 2336 wrote to memory of 1800	2336	cmd.exe	37
PID 2336 wrote to memory of 1800	2336	cmd.exe	37
PID 2336 wrote to memory of 1800	2336	cmd.exe	37
PID 2336 wrote to memory of 1800	2336	cmd.exe	37
PID 2336 wrote to memory of 1800	2336	cmd.exe	37
PID 2336 wrote to memory of 1800	2336	cmd.exe	37
PID 2336 wrote to memory of 1320	2336	cmd.exe	38
PID 2336 wrote to memory of 1320	2336	cmd.exe	38
PID 2336 wrote to memory of 1320	2336	cmd.exe	38
PID 2336 wrote to memory of 1320	2336	cmd.exe	38
PID 2336 wrote to memory of 1788	2336	cmd.exe	39
PID 2336 wrote to memory of 1788	2336	cmd.exe	39
PID 2336 wrote to memory of 1788	2336	cmd.exe	39
PID 2336 wrote to memory of 1788	2336	cmd.exe	39
PID 2336 wrote to memory of 236	2336	cmd.exe	40
PID 2336 wrote to memory of 236	2336	cmd.exe	40
PID 2336 wrote to memory of 236	2336	cmd.exe	40
PID 2336 wrote to memory of 236	2336	cmd.exe	40
PID 2336 wrote to memory of 2020	2336	cmd.exe	41
PID 2336 wrote to memory of 2020	2336	cmd.exe	41
PID 2336 wrote to memory of 2020	2336	cmd.exe	41
PID 2336 wrote to memory of 2020	2336	cmd.exe	41
PID 2336 wrote to memory of 1732	2336	cmd.exe	42
PID 2336 wrote to memory of 1732	2336	cmd.exe	42
PID 2336 wrote to memory of 1732	2336	cmd.exe	42
PID 2336 wrote to memory of 1732	2336	cmd.exe	42
PID 2336 wrote to memory of 2012	2336	cmd.exe	43
PID 2336 wrote to memory of 2012	2336	cmd.exe	43
PID 2336 wrote to memory of 2012	2336	cmd.exe	43
PID 2336 wrote to memory of 2012	2336	cmd.exe	43
PID 2336 wrote to memory of 1724	2336	cmd.exe	44
PID 2336 wrote to memory of 1724	2336	cmd.exe	44
PID 2336 wrote to memory of 1724	2336	cmd.exe	44
PID 2336 wrote to memory of 1724	2336	cmd.exe	44
PID 2336 wrote to memory of 520	2336	cmd.exe	46
PID 2336 wrote to memory of 520	2336	cmd.exe	46
PID 2336 wrote to memory of 520	2336	cmd.exe	46
PID 2336 wrote to memory of 520	2336	cmd.exe	46
PID 2336 wrote to memory of 1884	2336	cmd.exe	47
PID 2336 wrote to memory of 1884	2336	cmd.exe	47
PID 2336 wrote to memory of 1884	2336	cmd.exe	47
PID 2336 wrote to memory of 1884	2336	cmd.exe	47
PID 2972 wrote to memory of 1856	2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe	45
PID 2972 wrote to memory of 1856	2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe	45
PID 2972 wrote to memory of 1856	2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe	45
PID 2972 wrote to memory of 1856	2972	HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe	45
PID 2336 wrote to memory of 1992	2336	cmd.exe	48

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00286.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe
  HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2944
- - C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe
    HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe
    3⤵
    PID:1124
  - - C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe
      "C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe" /stext C:\ProgramData\Mails.txt
      4⤵
      PID:2660
  - - C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe
      "C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe" /stext C:\ProgramData\Browsers.txt
      4⤵
      PID:2868
- C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Foreign.gen-4729fa9296519c12130fae07294d1918cb6d1ae3ba76fb9c9a8752ec210235c3.exe
  HEUR-Trojan-Ransom.Win32.Foreign.gen-4729fa9296519c12130fae07294d1918cb6d1ae3ba76fb9c9a8752ec210235c3.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2932
- - C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Foreign.gen-4729fa9296519c12130fae07294d1918cb6d1ae3ba76fb9c9a8752ec210235c3.exe
    C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Foreign.gen-4729fa9296519c12130fae07294d1918cb6d1ae3ba76fb9c9a8752ec210235c3.exe
    3⤵
    PID:1268
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1364
- C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
  HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
    HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1856
  - - C:\Users\Admin\AppData\Roaming\Izas\kogi.exe
      "C:\Users\Admin\AppData\Roaming\Izas\kogi.exe"
      4⤵
      PID:2380
    - - C:\Users\Admin\AppData\Roaming\Izas\kogi.exe
        
        "C:\Users\Admin\AppData\Roaming\Izas\kogi.exe"
        5⤵
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_4e186c59.bat"
      4⤵
      PID:2132
- C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Zerber.vho-20d2bef4e06ec962c871f247694e5336c0e20c84c03dcfb7be84370dcbc8172c.exe
  HEUR-Trojan-Ransom.Win32.Zerber.vho-20d2bef4e06ec962c871f247694e5336c0e20c84c03dcfb7be84370dcbc8172c.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2988
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:2968
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:2844
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.NSIS.Agent.v-1bee4cee3ae07cd166dde3ac8cc1b0d92a043cca6396045cdd5db11e96a3df6d.exe
  Trojan-Ransom.NSIS.Agent.v-1bee4cee3ae07cd166dde3ac8cc1b0d92a043cca6396045cdd5db11e96a3df6d.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1800
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.NSIS.Agent.v-1bee4cee3ae07cd166dde3ac8cc1b0d92a043cca6396045cdd5db11e96a3df6d.exe
    Trojan-Ransom.NSIS.Agent.v-1bee4cee3ae07cd166dde3ac8cc1b0d92a043cca6396045cdd5db11e96a3df6d.exe
    3⤵
    PID:3204
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.NSIS.Xamyh.obv-981fab1db1413ce2bb15be35b4579eff50e640cb8a9fec63bcd09e03ece78476.exe
  Trojan-Ransom.NSIS.Xamyh.obv-981fab1db1413ce2bb15be35b4579eff50e640cb8a9fec63bcd09e03ece78476.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1320
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.NSIS.Xamyh.obv-981fab1db1413ce2bb15be35b4579eff50e640cb8a9fec63bcd09e03ece78476.exe
    Trojan-Ransom.NSIS.Xamyh.obv-981fab1db1413ce2bb15be35b4579eff50e640cb8a9fec63bcd09e03ece78476.exe
    3⤵
    PID:2356
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      4⤵
      PID:2172
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Bitman.iue-cc323432a54803afaa2f6513cfd2ab199781cac7d9cba163440a58d2b5a6460f.exe
  Trojan-Ransom.Win32.Bitman.iue-cc323432a54803afaa2f6513cfd2ab199781cac7d9cba163440a58d2b5a6460f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1788
- - C:\Users\Admin\AppData\Roaming\ullttdc.exe
    C:\Users\Admin\AppData\Roaming\ullttdc.exe
    3⤵
    PID:2304
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {current} bootems off
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1148
  - - C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
      4⤵
      Interacts with shadow copies
      PID:1664
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {current} advancedoptions off
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2244
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {current} optionsedit off
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1604
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:764
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {current} recoveryenabled off
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00286\TROJAN~4.EXE
    3⤵
    PID:2060
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Bitman.lez-e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229.exe
  Trojan-Ransom.Win32.Bitman.lez-e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:236
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Bitman.lez-e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229.exe
    Trojan-Ransom.Win32.Bitman.lez-e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229.exe
    3⤵
    PID:1692
  - - C:\Windows\vjrlunfighhi.exe
      C:\Windows\vjrlunfighhi.exe
      4⤵
      PID:2260
    - - C:\Windows\vjrlunfighhi.exe
        
        C:\Windows\vjrlunfighhi.exe
        5⤵
        
        PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00286\TRDC1E~1.EXE
      4⤵
      PID:1252
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Bitman.qmf-bdcb0eea393e620d08ea5dad0c10f2ad6990cdaddbaff4da701a40be21879697.exe
  Trojan-Ransom.Win32.Bitman.qmf-bdcb0eea393e620d08ea5dad0c10f2ad6990cdaddbaff4da701a40be21879697.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2020
- - C:\Windows\ftsxyqdprchr.exe
    C:\Windows\ftsxyqdprchr.exe
    3⤵
    PID:468
  - - C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00286\TR1874~1.EXE
    3⤵
    PID:2248
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe
  Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1732
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe
    "C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe" /stext C:\ProgramData\Mails.txt
    3⤵
    PID:1292
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe
    "C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe" /stext C:\ProgramData\Browsers.txt
    3⤵
    PID:2884
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jyor-135ca32af8140119fc922b3a2b90067d54cd88b666dc6251f29c6ec164186835.exe
  Trojan-Ransom.Win32.Blocker.jyor-135ca32af8140119fc922b3a2b90067d54cd88b666dc6251f29c6ec164186835.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2012
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jypg-1c8131d9fb6dd0ab2d3018fb05442d18c3cad7661d6aa79f3b9f0f8ebb54c989.exe
  Trojan-Ransom.Win32.Blocker.jypg-1c8131d9fb6dd0ab2d3018fb05442d18c3cad7661d6aa79f3b9f0f8ebb54c989.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1724
- - C:\Users\Admin\AppData\Roaming\alFSVWJB\jevgr.exe
    C:\Users\Admin\AppData\Roaming\alFSVWJB\jevgr.exe
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      /a /c netsh advfirewall firewall add rule name="alFSVWJB" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\alFSVWJB\jevgr.exe"
      4⤵
      PID:936
  - - C:\Users\Admin\AppData\Roaming\alFSVWJB\jevgr.exe
      "C:\Users\Admin\AppData\Roaming\alFSVWJB\jevgr.exe"
      4⤵
      PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    /a /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\Desktop\00286\TRAEF4~1.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2280
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Foreign.njqa-5f8443c0f7054d9497d4b9012444bee6ff1c45e8e9d7e16c91c3f96787a4c52f.exe
  Trojan-Ransom.Win32.Foreign.njqa-5f8443c0f7054d9497d4b9012444bee6ff1c45e8e9d7e16c91c3f96787a4c52f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:520
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Foreign.nksb-2a1a83db7c3ab3b38b7309b74e1e439f71fbd3ff889cc2ad275bae0b7fd8f1d1.exe
  Trojan-Ransom.Win32.Foreign.nksb-2a1a83db7c3ab3b38b7309b74e1e439f71fbd3ff889cc2ad275bae0b7fd8f1d1.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1884
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Foreign.nlqr-cc8b0fbfce10364d69a8ac6cec01d52bfcf4b45803349bf510d5bf2db63a1ece.exe
  Trojan-Ransom.Win32.Foreign.nlqr-cc8b0fbfce10364d69a8ac6cec01d52bfcf4b45803349bf510d5bf2db63a1ece.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\A1AC\30.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Comr8030\Deviclnt.exe" "C:\Users\Admin\Desktop\00286\TRE866~1.EXE""
    3⤵
    PID:1608
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Foreign.nlyv-023c31792377e93fb5c4edbecc6f1e1e3af7946d8e20dea2b3b2fe9276354174.exe
  Trojan-Ransom.Win32.Foreign.nlyv-023c31792377e93fb5c4edbecc6f1e1e3af7946d8e20dea2b3b2fe9276354174.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2608
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Locky.bil-a493fd0778619e4e077248cbecd4c024fadf0038d913c25dccfb0e7e4e402733.exe
  Trojan-Ransom.Win32.Locky.bil-a493fd0778619e4e077248cbecd4c024fadf0038d913c25dccfb0e7e4e402733.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2880
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.lpx-904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326.exe
  Trojan-Ransom.Win32.Shade.lpx-904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.lpx-904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    3⤵
    PID:1840
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.lpx-904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326.exe
    C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.lpx-904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326.exe
    3⤵
    PID:2980
  - - C:\Users\Admin\AppData\Roaming\Ononcuvaywa\yleqpoygaqi.exe
      "C:\Users\Admin\AppData\Roaming\Ononcuvaywa\yleqpoygaqi.exe"
      4⤵
      PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Roaming\Ononcuvaywa\yleqpoygaqi.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        
        PID:2212
    - - C:\Users\Admin\AppData\Roaming\Ononcuvaywa\yleqpoygaqi.exe
        
        C:\Users\Admin\AppData\Roaming\Ononcuvaywa\yleqpoygaqi.exe
        5⤵
        
        PID:2560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 180
        6⤵
        Program crash
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp140c747a.bat"
      4⤵
      PID:1748
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.mfg-5c3df52c37291820dde2b0be39a723c77e63865a9d7517b37aa654fbf4f2b408.exe
  Trojan-Ransom.Win32.Shade.mfg-5c3df52c37291820dde2b0be39a723c77e63865a9d7517b37aa654fbf4f2b408.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1444
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.mfg-5c3df52c37291820dde2b0be39a723c77e63865a9d7517b37aa654fbf4f2b408.exe
    Trojan-Ransom.Win32.Shade.mfg-5c3df52c37291820dde2b0be39a723c77e63865a9d7517b37aa654fbf4f2b408.exe
    3⤵
    PID:912
  - - C:\Users\Admin\AppData\Roaming\ZF9lYlJZXFxfXgxx\abgrcnq.exe
      C:\Users\Admin\AppData\Roaming\ZF9lYlJZXFxfXgxx\abgrcnq.exe
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\cmd.exe
      /a /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\Desktop\00286\TR81BA~1.EXE"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2876
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.mjj-92b405e874858caf9bd1d382e3d23ae80aca3499f459d848cd7381b5743c9f65.exe
  Trojan-Ransom.Win32.Shade.mjj-92b405e874858caf9bd1d382e3d23ae80aca3499f459d848cd7381b5743c9f65.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:560
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5C6D4E98.rtf"
    3⤵
    PID:2976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1196
      4⤵
      Process spawned unexpected child process
      Program crash
      PID:3752
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Snocry.cwp-4262b1c6ea0d11fbaabaef6412b0b520317b26cb40688ade6619cac647ec35b0.exe
  Trojan-Ransom.Win32.Snocry.cwp-4262b1c6ea0d11fbaabaef6412b0b520317b26cb40688ade6619cac647ec35b0.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2324
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Snocry.cwp-4262b1c6ea0d11fbaabaef6412b0b520317b26cb40688ade6619cac647ec35b0.exe
    C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Snocry.cwp-4262b1c6ea0d11fbaabaef6412b0b520317b26cb40688ade6619cac647ec35b0.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"
    3⤵
    PID:2648
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Snocry.cxd-2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c.exe
  Trojan-Ransom.Win32.Snocry.cxd-2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1944
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Snocry.cxd-2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c.exe
    C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Snocry.cxd-2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\delph1.dat"
    3⤵
    PID:3164
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.doyt-1ff56ca8aa7a31a7f681020b45ce50b2f3d571b7baad5845e91d68167767d0e0.exe
  Trojan-Ransom.Win32.Zerber.doyt-1ff56ca8aa7a31a7f681020b45ce50b2f3d571b7baad5845e91d68167767d0e0.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1940
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.ealb-56cd5bd76e17421e79b63bcc40098e7d4a322d1d00945135f6868b6e2247d3ca.exe
  Trojan-Ransom.Win32.Zerber.ealb-56cd5bd76e17421e79b63bcc40098e7d4a322d1d00945135f6868b6e2247d3ca.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1964
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe
  Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe" > NUL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2884
- - C:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\wusa.exe
    "C:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\wusa.exe"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe" > NUL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3172
- C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.sqx-c7e74d477c1439a192ff4167e224de9c484181bcabcc3bc7d06158ebf4604e6c.exe
  Trojan-Ransom.Win32.Zerber.sqx-c7e74d477c1439a192ff4167e224de9c484181bcabcc3bc7d06158ebf4604e6c.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2192
- - C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.sqx-c7e74d477c1439a192ff4167e224de9c484181bcabcc3bc7d06158ebf4604e6c.exe
    Trojan-Ransom.Win32.Zerber.sqx-c7e74d477c1439a192ff4167e224de9c484181bcabcc3bc7d06158ebf4604e6c.exe
    3⤵
    PID:984
- C:\Users\Admin\Desktop\00286\UDS-Trojan-Ransom.Win32.Zerber-289892e9e56337804a9419f1de6567ea822d35f74271adf5e04672fafa68b3bb.exe
  UDS-Trojan-Ransom.Win32.Zerber-289892e9e56337804a9419f1de6567ea822d35f74271adf5e04672fafa68b3bb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2376

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2616

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RECOVER_instructions+aqg.html

Filesize
12KB

MD5
c81cd509e4516ec1c68b7599ffacaa81

SHA1
9eafd3a40b6c01fcb521531f448b030350135cbe

SHA256
95d7b4f343e3a62c373a75264df85c36b1c1407637cd94ecf79f80c25631d705

SHA512
5d92e8c35373f17ef0196a473a6af6158aeefc17aee34ec52ce9d9886ff8986c85340431931a1e70954293db999c49820b80e091a8a99ba39b4ef14eca9b4f8a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RECOVER_instructions+aqg.png

Filesize
66KB

MD5
8f10454591db77aed23f4208e0372a8c

SHA1
00c644aa2d4fe679655c77c7f950e8ded0770ddf

SHA256
b026a721f0bb884280b4d23f509d6f92126893a51f393a69be611c3c9bdd0711

SHA512
33d59a229a52184c0967d268e74689c93a7a93068ef9b696d63dfe33b674f55c458a63d22f371f8783d60ab2e9f40a54a4b51a39bf2778f462deb902f7b3e8ca

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RECOVER_instructions+aqg.txt

Filesize
2KB

MD5
51596d2cb3dbea9c8180381744a52d5b

SHA1
d41ac12279a97777848c480536a10cec1017df55

SHA256
5ed6af56de0774b4b0a8091d6157ab18f2c44cf6010e5a16c06338621751427d

SHA512
cfd547a0ac98b7acec98c85657451273fd65faadb3094c8b589fc3db9dc081135256efbbc1181297d7f705e3cb12267f52e621b077e7efa6affca05a4992b6a0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lwocl.html

Filesize
9KB

MD5
f9b60fd0ce7e9b6728a357e4b7f12465

SHA1
70ea6070a52ba3576b0bf2d8c6f266b466e539e6

SHA256
bc307d4b72bd8b98d910750dbefa4abcc29ff0a2811663251445152eb3e97d4f

SHA512
c969a91c164444c7809cd61b18dada6b865269bd4d28d52ee6887395ce73a1e1e99f401e5f5fde97d3112ec3fe7f66c18a3cd095b712295b26857fde9677d306

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lwocl.txt

Filesize
2KB

MD5
4379771e164958f382e6fe1df037e8ff

SHA1
0de21f764df45b4946ea43bfbc9cee4c69653ca0

SHA256
61382589a18ddc7ee63c29109a88703dbb4e9d2a2b84825a14842ce1045c7a48

SHA512
27aad98130c9324eb81c85fe96f4dd2e4f08e83658883b342130b23c82da5c3206f8ce5627178cd89ad151f72222015e1fadfcac8aff9b8493243fda374d7d67

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ihhcj.html

Filesize
12KB

MD5
1498eb8225c4377e5a3bbf8679392006

SHA1
b5a7a29e3ca24b58df762930e4c305ccfc8a2431

SHA256
aa11ee8917bd93f9bfe8b8eb711f3ce48c7021fb8abf4af8464c31e4404fe059

SHA512
8d1e0fb1bed85557d5fd8ec5d2ccaf5782d656a9b2858eae09c4c724bd9371e210872e878e683bbd0fab1b53e3addeff80a7a946fbba2b7e34446a8742fb257d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ihhcj.png

Filesize
63KB

MD5
2ba7c681043ff673cb2e9cdc10f659b6

SHA1
2ca3e9bef7146a2eedc542c850aaf67b790cadc7

SHA256
94ea1dcbdb0779f69ab89b0324bb4d871fe5e1d268cab4e89f7fe8627153fd9d

SHA512
6a5460393d0362189315196f184e2baa94e3601861b25545dee433c6ede3f9b7b294a11f651e04e2e56b4e86f1b328499c15f32328506308de6b6ab548917e73

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ihhcj.txt

Filesize
1KB

MD5
625fed71209a6e5eb417358e21604fea

SHA1
e142a6ee53d5306f902ec210f71bffe59fea5d3c

SHA256
2ae33316b44148fc0c9dc60c989f75d35415f623872cd4227303dbca3eff1dfc

SHA512
046d2794925e273c0fc4933ae3ded29ad0032d4176a29dd28181386b01c2302b110806041cd6fa51fde9301f57b3a04dafdd5f26f918b96940faeedf5cc91ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1AC\30.bat

Filesize
112B

MD5
d217fc2b8823a10194bb626b2c878b8e

SHA1
b7f10b612d00dc555fbff1b813e13d2147e4031c

SHA256
4eb81b070d9ec5f9a3c459c7247cb10fde89af62dc3d57db9b458be41401a0c9

SHA512
74531dc33259455dcedac22d50c05c99ce2dd4477242942aed9f2eb56ce59a851e3a84f45c4022353144a0ebf0051f95f1f526c60e05e9855174f45b99639e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8C67.tmp

Filesize
9KB

MD5
f683d49827063a836b2affe48f9db13b

SHA1
aea173bc8ba8b05815df965faefd662ece9de2f8

SHA256
58903cf6630a15d5362b2d1b7532df83dcfb134ab59fdbf627505e445690fc44

SHA512
ebe4b1670d5ee48019b5bb2931b85faaadd7fdb4061990da5f3fd063238c12fe1cccf961850cea496f2d5a7cd579de6ecf33e592d6ec8f6203529ce3c278d06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\delph1.bin

Filesize
108KB

MD5
021e80e47ad50e3587c14dcda5f856eb

SHA1
a7cdc71bb343c74876b59d22230778cf65908fb7

SHA256
7537da51affc021b43f3f2a4db484017eec3f16156d1d8fc6cf4209b042dc2b9

SHA512
fa00c831c13cebbe82c48530ba1c35151889946c9ce7f6d8e50d5b08dadce053e5a6bd4dba2bea4ad80d5faccf858a8e824cebd1bfef471df5fd95a9f465dfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf6624.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pd4ta.bin

Filesize
4KB

MD5
025266a4b9d4f1be443a6d3bb5171949

SHA1
d5d477e498ceba6a48618842c1d84f8193004db6

SHA256
22b908654d9d9bf4b0bc0b9706ceaa8b67eaa9d62f2427658b4ab37ffc9c7416

SHA512
52a83c71fc28f9ac0a06f9f567b2f80eabd7d58c4657926c8eda73a7e5ae7e083570e9b8a1c0987e676f61a42f90d686c6dc8b101e573cc63cadbf4640136ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvswnbt

Filesize
52KB

MD5
6dc571990c3fcd036bcb7839879e3501

SHA1
64e2e4c766fa34d356327e87e8655b35dc587056

SHA256
9dd5f2e51ca3c685984b4dcabe6afca0a24c1437cb20cd28d41999a9bc56af4f

SHA512
cdd1cd5a3186fdbff2f2d8bb9b64109d6abaf56349f305be7fad5a0ad3af774c87a125ec06a45d95f80e05192e94f37b74e903809d44a61deadaa23f4141f223

Download Submit
C:\Users\Admin\AppData\Roaming\Ononcuvaywa\yleqpoygaqi.exe

Filesize
361KB

MD5
c676490a4bb8ba202e9957c08cff0caf

SHA1
30eb03d2141570c33b991e8a5fa808fd9587ed19

SHA256
62240ed5395cbdfecf9a6f8b6669579ad01442b2fcd255da8d7f2f286629d9e2

SHA512
004b73f3b8823d5c606b41b4e15f86d59218d1dd0b333df006bf0a8d0e873642d88508a81df7eaee4f49b3658de25fdff361a6aab9df9ca9a287536cdab6a90a

Download Submit
C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Blocker.gen-cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0.exe

Filesize
1.4MB

MD5
994f8bf8e39f86244e295ce2b8faabd3

SHA1
217cab5281a073da13cff431be56ecf701483d99

SHA256
cbf6de4adab2235b450edc3bc7525ce4481527fd4262df5c369399b81d76a7b0

SHA512
070d53b6feae4322076442a0e1c20389b51c2a37e52c366abea83288c8138ffcea468b13357f77c77931e75c43e3fb2cb188a6fd9983a1d9c86a1bc0f97de89a

Download Submit
C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Foreign.gen-4729fa9296519c12130fae07294d1918cb6d1ae3ba76fb9c9a8752ec210235c3.exe

Filesize
145KB

MD5
3428b11495e46541c0f769a2cb377388

SHA1
d525194bc1f41dbba86d5fb9b75088e51e652e8d

SHA256
4729fa9296519c12130fae07294d1918cb6d1ae3ba76fb9c9a8752ec210235c3

SHA512
286ff0f5b2bdb24207c801ce73058cfd6fe1fc56c81898abdbcd7b3b83bc0ef20df86561f0e3a6709aa3ba623ce1a887eeebe09954073fd83f122a905cded34c

Download Submit
C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Generic-efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d.exe

Filesize
184KB

MD5
c7628a76072c4fad1d3e7e9dd894eaa1

SHA1
42cb5b9a9922a8605d337c64821d919769d400a3

SHA256
efaf478f3cca09abd54078395a3100f5f836bfeb45dac06ad58b38b4d0ffe34d

SHA512
250df91263ca4bebf67f6de59cd5806fa8da9be15f110fa4b62e7c19227bfb37dfbb9a53de3708878c03092d33421e8f845ec686c5869a5755637611e97aa118

Download Submit
C:\Users\Admin\Desktop\00286\HEUR-Trojan-Ransom.Win32.Zerber.vho-20d2bef4e06ec962c871f247694e5336c0e20c84c03dcfb7be84370dcbc8172c.exe

Filesize
254KB

MD5
a090fe3a2fe12e0286172781b76c3fb6

SHA1
5ab2efe735ee8dd090e070cb4c40b41657e6facc

SHA256
20d2bef4e06ec962c871f247694e5336c0e20c84c03dcfb7be84370dcbc8172c

SHA512
04d35c57521e64564236a15584087ec06e65b61c3960e752ba61b4e05d7875cb7b3733c4782c8a71ecae57a81b70a30d82ff085a47eda0e892a4a34d4ee93b2b

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.NSIS.Agent.v-1bee4cee3ae07cd166dde3ac8cc1b0d92a043cca6396045cdd5db11e96a3df6d.exe

Filesize
369KB

MD5
2f65914b8f13f69a854dcb5375914849

SHA1
a9d341f653c5a551d503b4f5f92788dcbd4bd816

SHA256
1bee4cee3ae07cd166dde3ac8cc1b0d92a043cca6396045cdd5db11e96a3df6d

SHA512
7f9b1b829661ad04a58849e5e6b98210683475c6aa277f03e537bb3bba400d9d7549fe3a1235d19f7faefd18fdd1d660bd8cdad96031ee85b21fc944043bbde3

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.NSIS.Xamyh.obv-981fab1db1413ce2bb15be35b4579eff50e640cb8a9fec63bcd09e03ece78476.exe

Filesize
393KB

MD5
4ff74d240c97143601d23c3d7ae99728

SHA1
8104aec352736732def0ae5f9bb455b0cb7c490c

SHA256
981fab1db1413ce2bb15be35b4579eff50e640cb8a9fec63bcd09e03ece78476

SHA512
50c467b6fbac0930bcbd140bc22a165ff01b53e468691414388fa66d697c01b650d6e121bdd8dc62b2a298e922f8d853ed61591cd4386baeaae7bd86db2230b8

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Bitman.iue-cc323432a54803afaa2f6513cfd2ab199781cac7d9cba163440a58d2b5a6460f.exe

Filesize
263KB

MD5
a3834f17c1b428b3773dee4b95281417

SHA1
b8102b4c7b931ec28065b41d63b1cb932fabae43

SHA256
cc323432a54803afaa2f6513cfd2ab199781cac7d9cba163440a58d2b5a6460f

SHA512
b908b2c3a9e68e0ac57e97e373c62e95d767abc5170a2366e16b42e79d2bd0ecdfcf5432f5a393cce4dbb787cadaa8a0e9d7826c58bdf593fe1e9d0199426082

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Bitman.lez-e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229.exe

Filesize
384KB

MD5
22333f8b2a512305f312bc7cca1d1085

SHA1
442925f39df2c9f352ffb8c0c1078b9b39483ba5

SHA256
e2c893fc7f3a45083b9452aa495df981da553b1cdfa92411554711cbd450a229

SHA512
48ae56213c4dee67666fe469a1b2d07ceb912aff0401f2bcbebbc1cc4382aa0bec09424e1ca291c8a858ed70f6f88ad120fdd520286aa370f9fd32dd6b88fd42

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Bitman.qmf-bdcb0eea393e620d08ea5dad0c10f2ad6990cdaddbaff4da701a40be21879697.exe

Filesize
395KB

MD5
4f9dde576a24ea5e29b0773c38c96c32

SHA1
6b5b781a650ebef63b28cfa4beacd541db5d9cb5

SHA256
bdcb0eea393e620d08ea5dad0c10f2ad6990cdaddbaff4da701a40be21879697

SHA512
da3f7adc98c2b46a5eceb82e140e099e63fff384e970a46a37fa55ceaca88bf523b85f84399bb38320b90bc3e821f23b7736f8b3d086d48144550339865405b4

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jycx-4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84.exe

Filesize
488KB

MD5
b71cb80396c311a1e5216685ade351da

SHA1
5b37ebc1acdaf3ecbc38ea982475435db47043a4

SHA256
4f74d7303c01aea8908f77183596887cf33513214a76d4a9c8ca58c9cf3fab84

SHA512
8c59d205dfdaa4178cc368ed9988f808f861e9774a8bbade09ed4b710189743ab6bc86375a3e1ceacdd7eb2487a67be71e5a7fef5b29c1b06982a28af6844ca6

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jyor-135ca32af8140119fc922b3a2b90067d54cd88b666dc6251f29c6ec164186835.exe

Filesize
151KB

MD5
f357bcefccf490c128146b3ff32a96f6

SHA1
74a1cb5790fdd5087899c5ef3009dcd1075f2df6

SHA256
135ca32af8140119fc922b3a2b90067d54cd88b666dc6251f29c6ec164186835

SHA512
efd480cc05cea7e8b6cf68957ddfb0353658ad71feecdcd2cd5d7e565390e07640842c12822222c456f69d968dbf4a2126d104d1dabc23635bc9cb8ac200ed41

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Blocker.jypg-1c8131d9fb6dd0ab2d3018fb05442d18c3cad7661d6aa79f3b9f0f8ebb54c989.exe

Filesize
172KB

MD5
835099a6bba63d154b9061df3f860861

SHA1
f0e2e32649678d150eb47d89482214020eb86525

SHA256
1c8131d9fb6dd0ab2d3018fb05442d18c3cad7661d6aa79f3b9f0f8ebb54c989

SHA512
9b588cf9e1af17f7520d943130858c1ddab465462deee98ac07c56ebc8bf2e451348ec7045f131d7b81903d1b2224eace50bdbe843cce8fea98b659f05f29773

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Foreign.njqa-5f8443c0f7054d9497d4b9012444bee6ff1c45e8e9d7e16c91c3f96787a4c52f.exe

Filesize
309KB

MD5
c67a1208bcb948fe8c6c086f40647904

SHA1
7d0f3b32c5fa26e00ef6e6fa3befb7aa205d8cc7

SHA256
5f8443c0f7054d9497d4b9012444bee6ff1c45e8e9d7e16c91c3f96787a4c52f

SHA512
c56bb001ea56c01ad478fce5b54496ad55354ad7e400e32343083681c5e9faeeb8068c9fb6b06a8e8b19544724690de802c0121c198db35757b47fc3c70197e9

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Foreign.nksb-2a1a83db7c3ab3b38b7309b74e1e439f71fbd3ff889cc2ad275bae0b7fd8f1d1.exe

Filesize
447KB

MD5
ff38b0885297ce98518fc479a00f12c8

SHA1
47c5e697519abb1c0474ee90c48553820d395baf

SHA256
2a1a83db7c3ab3b38b7309b74e1e439f71fbd3ff889cc2ad275bae0b7fd8f1d1

SHA512
0990bcbcb80c1adc3c11c7f04fbdbb9454741afae356a0e459b5e28350115be0a9abc0353e7c9cd60c5ae6273ab2a6f100e28f1436d8b49463e3bcb2958f3d79

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Foreign.nlqr-cc8b0fbfce10364d69a8ac6cec01d52bfcf4b45803349bf510d5bf2db63a1ece.exe

Filesize
479KB

MD5
1ff12aab13045315d34d8d1cb835b262

SHA1
5fb4c7b270e9ef6ce701963a676a5e36cecc2bcf

SHA256
cc8b0fbfce10364d69a8ac6cec01d52bfcf4b45803349bf510d5bf2db63a1ece

SHA512
c441dabd6b6e36998489c1b88bbb5f0f4b42c4d27154e562e44508dd756d1d7abfe73e4ddbd425ad76e9a9e190cee6bc14be9a9eec268aceb74520b7df4a5126

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Foreign.nlyv-023c31792377e93fb5c4edbecc6f1e1e3af7946d8e20dea2b3b2fe9276354174.exe

Filesize
496KB

MD5
fd28f05f90b3ea110f6a975b61e5d74c

SHA1
12bdb367b78f0c0aca48e0e97945cfe192cb7f8a

SHA256
023c31792377e93fb5c4edbecc6f1e1e3af7946d8e20dea2b3b2fe9276354174

SHA512
9baac3950257f7986a937d2ad7719390e5946dc44808f229b073d60aa0192572f584ef76892e49e7396ce8bbcbd8d888874d2ed1e6130a6d64a1afec3dd22ecf

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Locky.bil-a493fd0778619e4e077248cbecd4c024fadf0038d913c25dccfb0e7e4e402733.exe

Filesize
244KB

MD5
a1ffd239e3f4f9182007a87469cba9c1

SHA1
697a86598ff57aa13bdebf99bb9e7d9b552155a6

SHA256
a493fd0778619e4e077248cbecd4c024fadf0038d913c25dccfb0e7e4e402733

SHA512
b412ae6f4a1f7170850b5bcc3e884e2502084b5fea35e76b01edb8998994ffc9b40b5bb2717749897d5d2042cf293cc7dfa980c30eafce6a203306ff00b0a47f

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.lpx-904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326.exe

Filesize
361KB

MD5
ac79e347287414d4b16d5de3086e2104

SHA1
39f14c4420595250b97c7da76b8b0e9f1bb46652

SHA256
904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326

SHA512
99ca1263667b7761940818f74c021b6269f045ac109fd2d664f45d60a893c1ed7a404d434d9bde65d4367324308881c89a2ec27a70e400e04c14b642578f9510

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.mfg-5c3df52c37291820dde2b0be39a723c77e63865a9d7517b37aa654fbf4f2b408.exe

Filesize
243KB

MD5
cb2418965ca39356c05f6876b9e87469

SHA1
773801770aff90e7fbf3b52da983c77740c8f8a9

SHA256
5c3df52c37291820dde2b0be39a723c77e63865a9d7517b37aa654fbf4f2b408

SHA512
5100eb1ee672a677fcfd5021f1f4c08078ea8d3f1d931a743a26acd7816827348d473e2a6a40a91c04258fb86cb5b47ce845261eb10f8652d6e4fe1f54bc9438

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Shade.mjj-92b405e874858caf9bd1d382e3d23ae80aca3499f459d848cd7381b5743c9f65.exe

Filesize
1.2MB

MD5
94dec1690f1b0ee4df5876a5fde5fda9

SHA1
afaa4e5663d8386f95b216f962244850089d529f

SHA256
92b405e874858caf9bd1d382e3d23ae80aca3499f459d848cd7381b5743c9f65

SHA512
804c91f92488c5a41be7cd104df702acd56d3249adca23b8d772d1ee01d82c2bc45426b839b6ea5be2fcdbe43aa837f5f6aab6b45c31bf1d40b48954d3d8bda3

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Snocry.cwp-4262b1c6ea0d11fbaabaef6412b0b520317b26cb40688ade6619cac647ec35b0.exe

Filesize
539KB

MD5
70c032329cc7bd1c6d27e1a5f0da6333

SHA1
de170bde1a51db3785f6768beadd0edfeb1f3bf9

SHA256
4262b1c6ea0d11fbaabaef6412b0b520317b26cb40688ade6619cac647ec35b0

SHA512
10d6fbf02c0447784f0ded5f927575a0b6fe133ab7e750419ea8cac85b61293f875a6d408d9924bdc56c1d456a2b2df94c3140c6e86dc3022690a0aca1972090

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Snocry.cxd-2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c.exe

Filesize
559KB

MD5
0a380f789a882f7c4e11a1b4f87bb4fd

SHA1
448c93e79bf0741798ed99bb3108d1ceb90b6901

SHA256
2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c

SHA512
21d3c303d9851c2c00240824718d44c1fc928bceb7d4d591260073d8f4288b7fc6497a24aeb1dd43af82c53d53697019bb4ed078294e67646eb57a974a2c81f8

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.doyt-1ff56ca8aa7a31a7f681020b45ce50b2f3d571b7baad5845e91d68167767d0e0.exe

Filesize
432KB

MD5
747ec17e49788d889614f0bdd838bb96

SHA1
1b60ce84bf2e75e5fa07674f17f6b2068568cc07

SHA256
1ff56ca8aa7a31a7f681020b45ce50b2f3d571b7baad5845e91d68167767d0e0

SHA512
5963ee5966ba5156a69c955a9c2c5fa53c3904b017c57cd257f60a5c506b7200b4b0c7ee21b8d17225f653e2fde35ce7aa4207dea6977dcf30c198bfdaebea2c

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.ealb-56cd5bd76e17421e79b63bcc40098e7d4a322d1d00945135f6868b6e2247d3ca.exe

Filesize
536KB

MD5
7bf9efcc7104b2bcaa537f7e4da99558

SHA1
2d001950f20703fd24665d925f7d7ba46b488e1a

SHA256
56cd5bd76e17421e79b63bcc40098e7d4a322d1d00945135f6868b6e2247d3ca

SHA512
6ab4ce055a63acdad5c20f6b1b45fd5b18e1a20790dec56fe3884178794788576925b4aea78e765501ad5614bbaf487e074b0ab8ed20c9cc22b8f02b2165b606

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.ebm-9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f.exe

Filesize
320KB

MD5
522bdb7f53b9d3aceff64cdb026998b1

SHA1
6f6cfddd2e206bec19a872080a48687970f82c80

SHA256
9c92f94214c949a10e312df401821f76496ff4926340a60ea899d537c4ce4f7f

SHA512
e67de0810b5ab9fe6718a2fcac0d5cce426ba9e2801961a30556f2f28cc2c8c8629900250277ddd4716761bc3bed5f50e2068d6ecb55423b62a3a9ff7b660e18

Download Submit
C:\Users\Admin\Desktop\00286\Trojan-Ransom.Win32.Zerber.sqx-c7e74d477c1439a192ff4167e224de9c484181bcabcc3bc7d06158ebf4604e6c.exe

Filesize
255KB

MD5
3c5d51b402c23a614ada18a66a65104c

SHA1
126f1a04393b7a2d5160b6bb07e4b98172c74d16

SHA256
c7e74d477c1439a192ff4167e224de9c484181bcabcc3bc7d06158ebf4604e6c

SHA512
2b90769f24e0146e50a897dd2a986bb849fe2590eadf3639f5fa5294e6f71768140b0c30e130da883ab3480e28b209ea80575bd4b91c4fd70669d3fb7f21ce65

Download Submit
C:\Users\Admin\Desktop\00286\UDS-Trojan-Ransom.Win32.Zerber-289892e9e56337804a9419f1de6567ea822d35f74271adf5e04672fafa68b3bb.exe

Filesize
266KB

MD5
4e501616f5aa6e00a27da227d57b34d4

SHA1
ee8d6730ca166190c588f8967c956434101ae4f6

SHA256
289892e9e56337804a9419f1de6567ea822d35f74271adf5e04672fafa68b3bb

SHA512
87b200fada5085a4fbdc2b25119110df3cd40fa4238547e0e235d3424dcac40c23c1ca0fe7192413461ee68fea2e1e62062cd1916a455790193f48efb902216e

Download Submit
\Users\Admin\AppData\Roaming\Izas\kogi.exe

Filesize
67KB

MD5
8a5bdf0f61d5b08877a7ce190fa09985

SHA1
ebdbe16a8bbd054e4acc6259d132e2e140880427

SHA256
c4d101158173a86341e3ea568fd7820c88ef74d2a44bc855007d0fff3bfee1df

SHA512
438217b75e35a68131fa9eae975fae99eaec23e6fb834078cdeaffe11cbd2ae13ad0d028f1edaa5bc937ff317ef61c7d1a3860aedb7f4ea1fb15ad02aac7c9b7

Download Submit
memory/1108-196-0x0000000001B10000-0x0000000001B27000-memory.dmp

Filesize
92KB

Download
memory/1108-190-0x0000000001B10000-0x0000000001B27000-memory.dmp

Filesize
92KB

Download
memory/1108-192-0x0000000001B10000-0x0000000001B27000-memory.dmp

Filesize
92KB

Download
memory/1108-194-0x0000000001B10000-0x0000000001B27000-memory.dmp

Filesize
92KB

Download
memory/1124-886-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1164-201-0x0000000000380000-0x0000000000397000-memory.dmp

Filesize
92KB

Download
memory/1164-203-0x0000000000380000-0x0000000000397000-memory.dmp

Filesize
92KB

Download
memory/1164-199-0x0000000000380000-0x0000000000397000-memory.dmp

Filesize
92KB

Download
memory/1220-206-0x00000000028E0000-0x00000000028F7000-memory.dmp

Filesize
92KB

Download
memory/1220-208-0x00000000028E0000-0x00000000028F7000-memory.dmp

Filesize
92KB

Download
memory/1220-210-0x00000000028E0000-0x00000000028F7000-memory.dmp

Filesize
92KB

Download
memory/1244-213-0x0000000001F30000-0x0000000001F47000-memory.dmp

Filesize
92KB

Download
memory/1244-215-0x0000000001F30000-0x0000000001F47000-memory.dmp

Filesize
92KB

Download
memory/1244-217-0x0000000001F30000-0x0000000001F47000-memory.dmp

Filesize
92KB

Download
memory/1268-713-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1268-759-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1724-184-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1788-181-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1856-119-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1856-111-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1856-109-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1944-309-0x00000000010C0000-0x0000000001204000-memory.dmp

Filesize
1.3MB

Download
memory/1944-132-0x00000000010C0000-0x0000000001204000-memory.dmp

Filesize
1.3MB

Download
memory/2012-105-0x00000000012C0000-0x00000000012EE000-memory.dmp

Filesize
184KB

Download
memory/2020-182-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2040-189-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

Filesize
92KB

Download
memory/2040-157-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/2040-159-0x00000000007A0000-0x0000000000811000-memory.dmp

Filesize
452KB

Download
memory/2040-158-0x0000000000670000-0x000000000079D000-memory.dmp

Filesize
1.2MB

Download
memory/2040-161-0x0000000002130000-0x0000000002239000-memory.dmp

Filesize
1.0MB

Download
memory/2040-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2040-156-0x00000000004F0000-0x000000000058F000-memory.dmp

Filesize
636KB

Download
memory/2040-155-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/2040-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2324-284-0x0000000000930000-0x0000000000A6A000-memory.dmp

Filesize
1.2MB

Download
memory/2324-104-0x0000000000930000-0x0000000000A6A000-memory.dmp

Filesize
1.2MB

Download
memory/2336-220-0x0000000000110000-0x0000000000127000-memory.dmp

Filesize
92KB

Download
memory/2336-222-0x0000000000110000-0x0000000000127000-memory.dmp

Filesize
92KB

Download
memory/2376-151-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2376-152-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2380-137-0x0000000000660000-0x000000000078D000-memory.dmp

Filesize
1.2MB

Download
memory/2380-135-0x00000000004E0000-0x000000000057F000-memory.dmp

Filesize
636KB

Download
memory/2380-136-0x00000000001D0000-0x00000000001EF000-memory.dmp

Filesize
124KB

Download
memory/2380-143-0x0000000002140000-0x0000000002157000-memory.dmp

Filesize
92KB

Download
memory/2380-134-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/2380-138-0x0000000000AA0000-0x0000000000BA9000-memory.dmp

Filesize
1.0MB

Download
memory/2616-56-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2616-54-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2616-55-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2648-731-0x0000000000930000-0x0000000000A6A000-memory.dmp

Filesize
1.2MB

Download
memory/2648-418-0x0000000000930000-0x0000000000A6A000-memory.dmp

Filesize
1.2MB

Download
memory/2880-148-0x0000000001280000-0x00000000012BF000-memory.dmp

Filesize
252KB

Download
memory/2932-103-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2932-690-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2944-178-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2980-588-0x00000000021A0000-0x0000000002205000-memory.dmp

Filesize
404KB

Download
memory/2980-845-0x0000000003F80000-0x00000000040C4000-memory.dmp

Filesize
1.3MB

Download
memory/2980-666-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-635-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-636-0x0000000003F80000-0x00000000040C4000-memory.dmp

Filesize
1.3MB

Download
memory/2980-665-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-663-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-639-0x0000000003F80000-0x00000000040C4000-memory.dmp

Filesize
1.3MB

Download
memory/2980-637-0x0000000003F80000-0x00000000040C4000-memory.dmp

Filesize
1.3MB

Download
memory/2980-638-0x0000000003F80000-0x00000000040C4000-memory.dmp

Filesize
1.3MB

Download
memory/2980-598-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-844-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-852-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-854-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-855-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-853-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-851-0x0000000003F80000-0x00000000040C4000-memory.dmp

Filesize
1.3MB

Download
memory/2980-850-0x0000000003F80000-0x00000000040C4000-memory.dmp

Filesize
1.3MB

Download
memory/2980-849-0x0000000003F80000-0x00000000040C4000-memory.dmp

Filesize
1.3MB

Download
memory/2980-641-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-842-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-843-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-841-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-840-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2980-839-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2980-838-0x00000000021A0000-0x0000000002205000-memory.dmp

Filesize
404KB

Download
memory/2980-837-0x00000000021A0000-0x0000000002205000-memory.dmp

Filesize
404KB

Download
memory/2980-600-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-587-0x00000000021A0000-0x0000000002205000-memory.dmp

Filesize
404KB

Download
memory/2980-591-0x0000000003F80000-0x00000000040BA000-memory.dmp

Filesize
1.2MB

Download
memory/2980-589-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2980-590-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2988-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2988-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2988-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3164-1100-0x00000000010C0000-0x0000000001204000-memory.dmp

Filesize
1.3MB

Download
memory/3164-1189-0x00000000010C0000-0x0000000001204000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads