gozi | 67c46af78643577175e2b0529cc9f6d4e90ee1dcb57db0a427cd8f648fb67d14

Analysis

max time kernel
45s
max time network
57s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00281.7z
Size

8.3MB
MD5

b3cbda3981676b194a7913ac174b3051
SHA1

5945bbb76d5c488f49775e009cd44bbbc469ed09
SHA256

67c46af78643577175e2b0529cc9f6d4e90ee1dcb57db0a427cd8f648fb67d14
SHA512

bca3e77ce210be97098a7ca4878aa77689c5147a0f41cf70df11cf093aae866837455af2156bf8ee10fb756e103d15493e07767b854741de6f1cb0b65db604b3
SSDEEP

196608:gqeLVyehU5T52aFW+wBr3+O27mzaWD/5W+EFal9erizC3:SnhCTPwBKZ9Wr5qIHmiw

Score

10^/10

gozi banker bootkit defense_evasion discovery isfb persistence spyware stealer trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi
Contacts a large (7699) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
920	HEUR-Trojan-Ransom.Win32.Spora.vho-c7650e8add808204d50532ff775a8479d8740c844e8338a34dc8fa7c11e6ea87.exe
1332	HEUR-Trojan-Ransom.Win32.Zerber.vho-30a4be2f3ad0c1d2f239dfa5dd988e32cbab5669bbf2e66e2ef97f54777afa0c.exe
2976	Trojan-Ransom.NSIS.Xamyh.axq-e20c6fce463a0e004b2c395941b8342dbbfdc5787e546902c6ab41a400543a03.exe
3032	Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe
3000	Trojan-Ransom.NSIS.Xamyh.gjq-7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7.exe
2144	Trojan-Ransom.Win32.Bitman.iwr-80c5cf44704683bf2a027e9ebea5f44ac1c637465f4135356165fa346bcde9c0.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
908	Trojan-Ransom.Win32.Locky.bil-7ecdc01b62b1a03120b433a678c92f9d40850adf1b27be2e2a51bc056998ec95.exe
548	Trojan-Ransom.Win32.Blocker.gnku-0a776c9247fceda9c29be44ff60d2c2f2e08d16ee046dbd874bbb26e42d22cb4.exe
1440	Trojan-Ransom.Win32.Foreign.nkip-85dfcbf04716703dacb5428a4d498201e2c01db7e4f08830d5157c197b725a8f.exe
1296	Trojan-Ransom.Win32.Locky.xmw-c64b2edb6727e305638e0f58887a4d2a05daab14e0b5b8bacbbfdfc6070e1105.exe
1912	Trojan-Ransom.Win32.Locky.yr-8db246e02feabb5b9ff737235845c524a9682d17c59b7005f9ca7f0c6ccb27b9.exe
2260	Trojan-Ransom.Win32.SageCrypt.b-50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b.exe
3012	Trojan-Ransom.Win32.Shade.xn-c196b338ccf99642dcf4ce6d349fdd357ec5c6b565182c6fe54049e8d2934a69.exe
2996	Trojan-Ransom.Win32.Locky.xes-6723c76fd186cb2f6777e01a2d576dd460a8ef17724d07c2ec93b6936e7daa30.exe
1432	Trojan-Ransom.Win32.Locky.xnl-718f6fcbb022f2d4d5c8578967723dd9c9615b318d49234ded794adb2517fefc.exe
1764	Trojan-Ransom.Win32.Petr.l-4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
2184	Trojan-Ransom.Win32.SageCrypt.ha-9488baddbbc57ca926aba95ef5ac633ac45f7691bb8ae2c813f7d08a02953afb.exe
2656	Trojan-Ransom.Win32.Zerber.fayn-7bad201c0c201f5353e13f95d247acdf2a173158d74a2f6a39424850b4fa3137.exe
1636	Trojan-Ransom.Win32.Zerber.tne-0fb707698709e822773843d9fecfc91c41ff43deb19e2f813795506a14c8fc2e.exe
1096	Trojan-Ransom.Win32.Zerber.kzs-26a42036068b25ae72396c08a4101234d6103037c631c153c8c229eaaa54f963.exe
1552	Trojan-Ransom.Win32.Zerber.wjw-8524cb65e82474498a8b54e3d7bd6c1c172305120bae207ad9d54a48d9c7a5aa.exe
912	fcyjbj64.exe

Loads dropped DLL 6 IoCs

pid	Process
3000	Trojan-Ransom.NSIS.Xamyh.gjq-7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7.exe
3000	Trojan-Ransom.NSIS.Xamyh.gjq-7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7.exe
3000	Trojan-Ransom.NSIS.Xamyh.gjq-7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7.exe
3032	Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
3032	Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
884	verclsid.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Trojan-Ransom.Win32.Petr.l-4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00050000000193df-58.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2496	3032	Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe	60

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3288	2996	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.xes-6723c76fd186cb2f6777e01a2d576dd460a8ef17724d07c2ec93b6936e7daa30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Xamyh.axq-e20c6fce463a0e004b2c395941b8342dbbfdc5787e546902c6ab41a400543a03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Xamyh.gjq-7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Zerber.vho-30a4be2f3ad0c1d2f239dfa5dd988e32cbab5669bbf2e66e2ef97f54777afa0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nkip-85dfcbf04716703dacb5428a4d498201e2c01db7e4f08830d5157c197b725a8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.yr-8db246e02feabb5b9ff737235845c524a9682d17c59b7005f9ca7f0c6ccb27b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Petr.l-4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.xmw-c64b2edb6727e305638e0f58887a4d2a05daab14e0b5b8bacbbfdfc6070e1105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.fayn-7bad201c0c201f5353e13f95d247acdf2a173158d74a2f6a39424850b4fa3137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Spora.vho-c7650e8add808204d50532ff775a8479d8740c844e8338a34dc8fa7c11e6ea87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.xn-c196b338ccf99642dcf4ce6d349fdd357ec5c6b565182c6fe54049e8d2934a69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.iwr-80c5cf44704683bf2a027e9ebea5f44ac1c637465f4135356165fa346bcde9c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.b-50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.ha-9488baddbbc57ca926aba95ef5ac633ac45f7691bb8ae2c813f7d08a02953afb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.xnl-718f6fcbb022f2d4d5c8578967723dd9c9615b318d49234ded794adb2517fefc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.wjw-8524cb65e82474498a8b54e3d7bd6c1c172305120bae207ad9d54a48d9c7a5aa.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3400	cmd.exe

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000018739-51.dat	nsis_installer_1
behavioral1/files/0x0006000000018739-51.dat	nsis_installer_2
behavioral1/files/0x0006000000018704-50.dat	nsis_installer_1
behavioral1/files/0x0006000000018704-50.dat	nsis_installer_2
behavioral1/files/0x0006000000018744-53.dat	nsis_installer_1
behavioral1/files/0x0006000000018744-53.dat	nsis_installer_2

Suspicious behavior: CmdExeWriteProcessMemorySpam 22 IoCs

pid	Process
920	HEUR-Trojan-Ransom.Win32.Spora.vho-c7650e8add808204d50532ff775a8479d8740c844e8338a34dc8fa7c11e6ea87.exe
1332	HEUR-Trojan-Ransom.Win32.Zerber.vho-30a4be2f3ad0c1d2f239dfa5dd988e32cbab5669bbf2e66e2ef97f54777afa0c.exe
3032	Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe
2976	Trojan-Ransom.NSIS.Xamyh.axq-e20c6fce463a0e004b2c395941b8342dbbfdc5787e546902c6ab41a400543a03.exe
3000	Trojan-Ransom.NSIS.Xamyh.gjq-7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7.exe
2144	Trojan-Ransom.Win32.Bitman.iwr-80c5cf44704683bf2a027e9ebea5f44ac1c637465f4135356165fa346bcde9c0.exe
548	Trojan-Ransom.Win32.Blocker.gnku-0a776c9247fceda9c29be44ff60d2c2f2e08d16ee046dbd874bbb26e42d22cb4.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
1440	Trojan-Ransom.Win32.Foreign.nkip-85dfcbf04716703dacb5428a4d498201e2c01db7e4f08830d5157c197b725a8f.exe
908	Trojan-Ransom.Win32.Locky.bil-7ecdc01b62b1a03120b433a678c92f9d40850adf1b27be2e2a51bc056998ec95.exe
2996	Trojan-Ransom.Win32.Locky.xes-6723c76fd186cb2f6777e01a2d576dd460a8ef17724d07c2ec93b6936e7daa30.exe
1296	Trojan-Ransom.Win32.Locky.xmw-c64b2edb6727e305638e0f58887a4d2a05daab14e0b5b8bacbbfdfc6070e1105.exe
1432	Trojan-Ransom.Win32.Locky.xnl-718f6fcbb022f2d4d5c8578967723dd9c9615b318d49234ded794adb2517fefc.exe
1912	Trojan-Ransom.Win32.Locky.yr-8db246e02feabb5b9ff737235845c524a9682d17c59b7005f9ca7f0c6ccb27b9.exe
1764	Trojan-Ransom.Win32.Petr.l-4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
2260	Trojan-Ransom.Win32.SageCrypt.b-50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b.exe
2184	Trojan-Ransom.Win32.SageCrypt.ha-9488baddbbc57ca926aba95ef5ac633ac45f7691bb8ae2c813f7d08a02953afb.exe
3012	Trojan-Ransom.Win32.Shade.xn-c196b338ccf99642dcf4ce6d349fdd357ec5c6b565182c6fe54049e8d2934a69.exe
2656	Trojan-Ransom.Win32.Zerber.fayn-7bad201c0c201f5353e13f95d247acdf2a173158d74a2f6a39424850b4fa3137.exe
1096	Trojan-Ransom.Win32.Zerber.kzs-26a42036068b25ae72396c08a4101234d6103037c631c153c8c229eaaa54f963.exe
1636	Trojan-Ransom.Win32.Zerber.tne-0fb707698709e822773843d9fecfc91c41ff43deb19e2f813795506a14c8fc2e.exe
1552	Trojan-Ransom.Win32.Zerber.wjw-8524cb65e82474498a8b54e3d7bd6c1c172305120bae207ad9d54a48d9c7a5aa.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	1628	7zFM.exe
Token: 35	1628	7zFM.exe
Token: SeSecurityPrivilege	1628	7zFM.exe
Token: SeDebugPrivilege	2808	taskmgr.exe
Token: SeDebugPrivilege	2992	Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
Token: SeShutdownPrivilege	1764	Trojan-Ransom.Win32.Petr.l-4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1628	7zFM.exe
1628	7zFM.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2144	Trojan-Ransom.Win32.Bitman.iwr-80c5cf44704683bf2a027e9ebea5f44ac1c637465f4135356165fa346bcde9c0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2260	Trojan-Ransom.Win32.SageCrypt.b-50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 920	2456	cmd.exe	36
PID 2456 wrote to memory of 920	2456	cmd.exe	36
PID 2456 wrote to memory of 920	2456	cmd.exe	36
PID 2456 wrote to memory of 920	2456	cmd.exe	36
PID 2456 wrote to memory of 1332	2456	cmd.exe	37
PID 2456 wrote to memory of 1332	2456	cmd.exe	37
PID 2456 wrote to memory of 1332	2456	cmd.exe	37
PID 2456 wrote to memory of 1332	2456	cmd.exe	37
PID 2456 wrote to memory of 3032	2456	cmd.exe	38
PID 2456 wrote to memory of 3032	2456	cmd.exe	38
PID 2456 wrote to memory of 3032	2456	cmd.exe	38
PID 2456 wrote to memory of 3032	2456	cmd.exe	38
PID 2456 wrote to memory of 2976	2456	cmd.exe	39
PID 2456 wrote to memory of 2976	2456	cmd.exe	39
PID 2456 wrote to memory of 2976	2456	cmd.exe	39
PID 2456 wrote to memory of 2976	2456	cmd.exe	39
PID 2456 wrote to memory of 3000	2456	cmd.exe	40
PID 2456 wrote to memory of 3000	2456	cmd.exe	40
PID 2456 wrote to memory of 3000	2456	cmd.exe	40
PID 2456 wrote to memory of 3000	2456	cmd.exe	40
PID 2456 wrote to memory of 2144	2456	cmd.exe	41
PID 2456 wrote to memory of 2144	2456	cmd.exe	41
PID 2456 wrote to memory of 2144	2456	cmd.exe	41
PID 2456 wrote to memory of 2144	2456	cmd.exe	41
PID 2456 wrote to memory of 548	2456	cmd.exe	42
PID 2456 wrote to memory of 548	2456	cmd.exe	42
PID 2456 wrote to memory of 548	2456	cmd.exe	42
PID 2456 wrote to memory of 548	2456	cmd.exe	42
PID 2456 wrote to memory of 2992	2456	cmd.exe	43
PID 2456 wrote to memory of 2992	2456	cmd.exe	43
PID 2456 wrote to memory of 2992	2456	cmd.exe	43
PID 2456 wrote to memory of 2992	2456	cmd.exe	43
PID 2456 wrote to memory of 1440	2456	cmd.exe	44
PID 2456 wrote to memory of 1440	2456	cmd.exe	44
PID 2456 wrote to memory of 1440	2456	cmd.exe	44
PID 2456 wrote to memory of 1440	2456	cmd.exe	44
PID 2456 wrote to memory of 908	2456	cmd.exe	45
PID 2456 wrote to memory of 908	2456	cmd.exe	45
PID 2456 wrote to memory of 908	2456	cmd.exe	45
PID 2456 wrote to memory of 908	2456	cmd.exe	45
PID 2456 wrote to memory of 2996	2456	cmd.exe	46
PID 2456 wrote to memory of 2996	2456	cmd.exe	46
PID 2456 wrote to memory of 2996	2456	cmd.exe	46
PID 2456 wrote to memory of 2996	2456	cmd.exe	46
PID 2456 wrote to memory of 1296	2456	cmd.exe	47
PID 2456 wrote to memory of 1296	2456	cmd.exe	47
PID 2456 wrote to memory of 1296	2456	cmd.exe	47
PID 2456 wrote to memory of 1296	2456	cmd.exe	47
PID 2456 wrote to memory of 1432	2456	cmd.exe	48
PID 2456 wrote to memory of 1432	2456	cmd.exe	48
PID 2456 wrote to memory of 1432	2456	cmd.exe	48
PID 2456 wrote to memory of 1432	2456	cmd.exe	48
PID 2456 wrote to memory of 1912	2456	cmd.exe	49
PID 2456 wrote to memory of 1912	2456	cmd.exe	49
PID 2456 wrote to memory of 1912	2456	cmd.exe	49
PID 2456 wrote to memory of 1912	2456	cmd.exe	49
PID 2456 wrote to memory of 1764	2456	cmd.exe	50
PID 2456 wrote to memory of 1764	2456	cmd.exe	50
PID 2456 wrote to memory of 1764	2456	cmd.exe	50
PID 2456 wrote to memory of 1764	2456	cmd.exe	50
PID 2456 wrote to memory of 2260	2456	cmd.exe	51
PID 2456 wrote to memory of 2260	2456	cmd.exe	51
PID 2456 wrote to memory of 2260	2456	cmd.exe	51
PID 2456 wrote to memory of 2260	2456	cmd.exe	51

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00281.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\Desktop\00281\HEUR-Trojan-Ransom.Win32.Spora.vho-c7650e8add808204d50532ff775a8479d8740c844e8338a34dc8fa7c11e6ea87.exe
  HEUR-Trojan-Ransom.Win32.Spora.vho-c7650e8add808204d50532ff775a8479d8740c844e8338a34dc8fa7c11e6ea87.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:920
- C:\Users\Admin\Desktop\00281\HEUR-Trojan-Ransom.Win32.Zerber.vho-30a4be2f3ad0c1d2f239dfa5dd988e32cbab5669bbf2e66e2ef97f54777afa0c.exe
  HEUR-Trojan-Ransom.Win32.Zerber.vho-30a4be2f3ad0c1d2f239dfa5dd988e32cbab5669bbf2e66e2ef97f54777afa0c.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1332
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe
  Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3032
- - C:\Users\Admin\Desktop\00281\Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe
    Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe
    3⤵
    PID:2496
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.NSIS.Xamyh.axq-e20c6fce463a0e004b2c395941b8342dbbfdc5787e546902c6ab41a400543a03.exe
  Trojan-Ransom.NSIS.Xamyh.axq-e20c6fce463a0e004b2c395941b8342dbbfdc5787e546902c6ab41a400543a03.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2976
- - C:\Users\Admin\Desktop\00281\Trojan-Ransom.NSIS.Xamyh.axq-e20c6fce463a0e004b2c395941b8342dbbfdc5787e546902c6ab41a400543a03.exe
    Trojan-Ransom.NSIS.Xamyh.axq-e20c6fce463a0e004b2c395941b8342dbbfdc5787e546902c6ab41a400543a03.exe
    3⤵
    PID:3508
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.NSIS.Xamyh.gjq-7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7.exe
  Trojan-Ransom.NSIS.Xamyh.gjq-7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3000
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Bitman.iwr-80c5cf44704683bf2a027e9ebea5f44ac1c637465f4135356165fa346bcde9c0.exe
  Trojan-Ransom.Win32.Bitman.iwr-80c5cf44704683bf2a027e9ebea5f44ac1c637465f4135356165fa346bcde9c0.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2144
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Blocker.gnku-0a776c9247fceda9c29be44ff60d2c2f2e08d16ee046dbd874bbb26e42d22cb4.exe
  Trojan-Ransom.Win32.Blocker.gnku-0a776c9247fceda9c29be44ff60d2c2f2e08d16ee046dbd874bbb26e42d22cb4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:548
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
  Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- - C:\Users\Admin\AppData\Roaming\alFSVWJB\fcyjbj64.exe
    C:\Users\Admin\AppData\Roaming\alFSVWJB\fcyjbj64.exe
    3⤵
    - Executes dropped EXE
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    /a /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\Desktop\00281\TR541A~1.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3400
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1968
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2836
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2848
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:788
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2820
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2700
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2264
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2856
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2172
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1028
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2632
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2404
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2396
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2860
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2080
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1628
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2708
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2796
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2724
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:604
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2720
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1916
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:288
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1576
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2340
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2196
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2220
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2760
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2092
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2772
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3040
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3056
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3036
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1744
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2872
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2368
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1448
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1344
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2020
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2116
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2428
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2228
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3068
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2128
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2204
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2276
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2160
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2284
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2460
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2112
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2148
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:908
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1148
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3060
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2616
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:640
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:708
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:556
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2584
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:768
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:2972
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:1160
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3080
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3088
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3108
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3120
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3128
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3144
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3148
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3156
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3164
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3172
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3180
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3188
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3196
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3204
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3212
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3220
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3340
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3352
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3360
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3368
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3376
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3384
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3432
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3440
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3460
- - C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe
    "C:\Users\Admin\Desktop\00281\trojan-ransom.win32.blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe"
    3⤵
    PID:3456
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Foreign.nkip-85dfcbf04716703dacb5428a4d498201e2c01db7e4f08830d5157c197b725a8f.exe
  Trojan-Ransom.Win32.Foreign.nkip-85dfcbf04716703dacb5428a4d498201e2c01db7e4f08830d5157c197b725a8f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1440
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.bil-7ecdc01b62b1a03120b433a678c92f9d40850adf1b27be2e2a51bc056998ec95.exe
  Trojan-Ransom.Win32.Locky.bil-7ecdc01b62b1a03120b433a678c92f9d40850adf1b27be2e2a51bc056998ec95.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:908
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.xes-6723c76fd186cb2f6777e01a2d576dd460a8ef17724d07c2ec93b6936e7daa30.exe
  Trojan-Ransom.Win32.Locky.xes-6723c76fd186cb2f6777e01a2d576dd460a8ef17724d07c2ec93b6936e7daa30.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 352
    3⤵
    - Program crash
    PID:3288
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.xmw-c64b2edb6727e305638e0f58887a4d2a05daab14e0b5b8bacbbfdfc6070e1105.exe
  Trojan-Ransom.Win32.Locky.xmw-c64b2edb6727e305638e0f58887a4d2a05daab14e0b5b8bacbbfdfc6070e1105.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1296
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.xnl-718f6fcbb022f2d4d5c8578967723dd9c9615b318d49234ded794adb2517fefc.exe
  Trojan-Ransom.Win32.Locky.xnl-718f6fcbb022f2d4d5c8578967723dd9c9615b318d49234ded794adb2517fefc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys95CA.tmp"
    3⤵
    PID:3932
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.yr-8db246e02feabb5b9ff737235845c524a9682d17c59b7005f9ca7f0c6ccb27b9.exe
  Trojan-Ransom.Win32.Locky.yr-8db246e02feabb5b9ff737235845c524a9682d17c59b7005f9ca7f0c6ccb27b9.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1912
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Petr.l-4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
  Trojan-Ransom.Win32.Petr.l-4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.SageCrypt.b-50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b.exe
  Trojan-Ransom.Win32.SageCrypt.b-50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of UnmapMainImage
  PID:2260
- - C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.SageCrypt.b-50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b.exe
    "C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.SageCrypt.b-50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b.exe" g
    3⤵
    PID:2880
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.SageCrypt.ha-9488baddbbc57ca926aba95ef5ac633ac45f7691bb8ae2c813f7d08a02953afb.exe
  Trojan-Ransom.Win32.SageCrypt.ha-9488baddbbc57ca926aba95ef5ac633ac45f7691bb8ae2c813f7d08a02953afb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2184
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Shade.xn-c196b338ccf99642dcf4ce6d349fdd357ec5c6b565182c6fe54049e8d2934a69.exe
  Trojan-Ransom.Win32.Shade.xn-c196b338ccf99642dcf4ce6d349fdd357ec5c6b565182c6fe54049e8d2934a69.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3012
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.fayn-7bad201c0c201f5353e13f95d247acdf2a173158d74a2f6a39424850b4fa3137.exe
  Trojan-Ransom.Win32.Zerber.fayn-7bad201c0c201f5353e13f95d247acdf2a173158d74a2f6a39424850b4fa3137.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2656
- - C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.fayn-7bad201c0c201f5353e13f95d247acdf2a173158d74a2f6a39424850b4fa3137.exe
    Trojan-Ransom.Win32.Zerber.fayn-7bad201c0c201f5353e13f95d247acdf2a173158d74a2f6a39424850b4fa3137.exe
    3⤵
    PID:1656
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.kzs-26a42036068b25ae72396c08a4101234d6103037c631c153c8c229eaaa54f963.exe
  Trojan-Ransom.Win32.Zerber.kzs-26a42036068b25ae72396c08a4101234d6103037c631c153c8c229eaaa54f963.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1096
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.tne-0fb707698709e822773843d9fecfc91c41ff43deb19e2f813795506a14c8fc2e.exe
  Trojan-Ransom.Win32.Zerber.tne-0fb707698709e822773843d9fecfc91c41ff43deb19e2f813795506a14c8fc2e.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1636
- C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.wjw-8524cb65e82474498a8b54e3d7bd6c1c172305120bae207ad9d54a48d9c7a5aa.exe
  Trojan-Ransom.Win32.Zerber.wjw-8524cb65e82474498a8b54e3d7bd6c1c172305120bae207ad9d54a48d9c7a5aa.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1552
- - C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.wjw-8524cb65e82474498a8b54e3d7bd6c1c172305120bae207ad9d54a48d9c7a5aa.exe
    Trojan-Ransom.Win32.Zerber.wjw-8524cb65e82474498a8b54e3d7bd6c1c172305120bae207ad9d54a48d9c7a5aa.exe
    3⤵
    PID:3900

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {7007ACC7-3202-11D1-AAD2-00805FC1270E} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\US91F-A7RRT-XRTZT-HGTXX-ETFEY.html

Filesize
16KB

MD5
732d2c70c17fdc0344832a354bfabded

SHA1
2c88fc66c7f6b257c68662366da3d1f29e8c2904

SHA256
0e762a22bc0450c298afdb72eac7f3e9344b413a6661622fe049a30963a7cb2b

SHA512
41fcc264cac11cd26b177bd8cfb969de2c1ccefce22552f3918fef7a461abd8a4cfd72c291a207b866de4065d8feebfd4756544bed4d1d256e724ba2bc376fb2

Download Submit
C:\Users\Admin\Desktop\00281\HEUR-Trojan-Ransom.Win32.Spora.vho-c7650e8add808204d50532ff775a8479d8740c844e8338a34dc8fa7c11e6ea87.exe

Filesize
76KB

MD5
391506a17d74b700a74dd33f508c42db

SHA1
9b56f1e045af44c5ee69b284c7b9b2e2b835168a

SHA256
c7650e8add808204d50532ff775a8479d8740c844e8338a34dc8fa7c11e6ea87

SHA512
9180aafd84b921d74abfa3bb6dcdfff39e22fd79e6fbb57650c3707d711895418b57f66fcc373cfa65868d2cf6de805e5a646ecbbcadbb42bed2c53e3786cdef

Download Submit
C:\Users\Admin\Desktop\00281\HEUR-Trojan-Ransom.Win32.Zerber.vho-30a4be2f3ad0c1d2f239dfa5dd988e32cbab5669bbf2e66e2ef97f54777afa0c.exe

Filesize
333KB

MD5
1791e5788d09d620b3b4135ccb0cabad

SHA1
b5d949a50d3422e5db0d5b7b9fc491d6547850c9

SHA256
30a4be2f3ad0c1d2f239dfa5dd988e32cbab5669bbf2e66e2ef97f54777afa0c

SHA512
9a586eb390c56839698e8261132813a5d0a0a6dd63212be5a8ba3e59926829207a0f57d43cef28c7052fa811e1ea7a9761cf02726de046eb0e1c32a7f9f46584

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.NSIS.Onion.phq-d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1.exe

Filesize
131KB

MD5
0d3615414093fc033f452add7526b41d

SHA1
23935850e2cd6b5685788747a817b08354a71712

SHA256
d41fa3b6f94eda772d0ad969c4ea13490ccdc36d8e397b7744057d734dce2bc1

SHA512
bf8c14071621d7a08a547641a450472c4523ca3ef3990611ee1c420b466459c0ab8f32dd3deed62e3ddbf70a1649e268d129f29637e3bedfa77b087aec2d10a6

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.NSIS.Xamyh.axq-e20c6fce463a0e004b2c395941b8342dbbfdc5787e546902c6ab41a400543a03.exe

Filesize
147KB

MD5
92f03d38a30e64698895e5782f3c66d8

SHA1
dac7bc9086cf509981902d944628b24f4875c2b6

SHA256
e20c6fce463a0e004b2c395941b8342dbbfdc5787e546902c6ab41a400543a03

SHA512
1d439b94cad6fdc659535cd3662ea238fc43c9f87d221ddb1f9c3a648ed36a31c35a193a0f0f2f61be19b9ea6355b5590d851e472336b823570870785fb74ff2

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.NSIS.Xamyh.gjq-7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7.exe

Filesize
2.9MB

MD5
7dd16425039b1926616e29adb705ba0a

SHA1
9f821a677f09610f8806275a33fe5aaa221c861d

SHA256
7877c1397f34aa285003c48abf040d743d9a438b9a9f4f87d81e6369b549d2f7

SHA512
31426e091cf9a91c2c4d64907ec7d09b2b32dc79efdf2896bdc98aa65f2e02d2980cabc88a273b24bbff5813ed4be361e3362cd001345bb388251bbdd0932402

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Bitman.iwr-80c5cf44704683bf2a027e9ebea5f44ac1c637465f4135356165fa346bcde9c0.exe

Filesize
604KB

MD5
9f446ea48f041d9593f880aabc56d51e

SHA1
e1bb4d2a85ad4a65d2f79df289a537dc5899f242

SHA256
80c5cf44704683bf2a027e9ebea5f44ac1c637465f4135356165fa346bcde9c0

SHA512
59104e28bab5058e5b639a01863332f69ff758d251b4a3051c29b93e2901a15228ef86ca61cbf051f8a620e4adc1e758079764dc43ce3449c573920b8dca51e8

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Blocker.gnku-0a776c9247fceda9c29be44ff60d2c2f2e08d16ee046dbd874bbb26e42d22cb4.exe

Filesize
1.6MB

MD5
7cf6eff82dca8615f3f6e441a3b1a802

SHA1
b804a79c6fe46d68bfbc412660b546f48025b3a6

SHA256
0a776c9247fceda9c29be44ff60d2c2f2e08d16ee046dbd874bbb26e42d22cb4

SHA512
ca5e251ff759a341397b9555a47ce388a93867f69595408236879def7a1f23c27729a5111cdc1db5fad31586f0ec6796e416cb37033ef3da390aead283a3a6fa

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Blocker.jxiy-32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7.exe

Filesize
240KB

MD5
b01babbdecb8cacb336adb0f5fce3bf2

SHA1
aaae6813ad1f9dbc3bbedb211e03081d30bd297b

SHA256
32786dda55c75c278cf3126cc9fbb000ad3d6c432100620c20c4ff353e34bde7

SHA512
645adc449a8aecc2c548a873b280902578ca71889218e985b120a02db5da23462cd79219450699e326f1865b7f09175de23d99d183ca359cd30b5d28d2172d05

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Foreign.nkip-85dfcbf04716703dacb5428a4d498201e2c01db7e4f08830d5157c197b725a8f.exe

Filesize
536KB

MD5
7582f6281d32204011f8086d22a91153

SHA1
55058c53c9548f6e7977a6ab763956dd9102b177

SHA256
85dfcbf04716703dacb5428a4d498201e2c01db7e4f08830d5157c197b725a8f

SHA512
ac4da324ab7cafd2c45d5096d3ff5e063fd09f4355c83e1be84ce4385ac207191bdde611753ad294691e13111b740491131a82ce5b9ac5d9cbc3617b12bb362d

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.bil-7ecdc01b62b1a03120b433a678c92f9d40850adf1b27be2e2a51bc056998ec95.exe

Filesize
244KB

MD5
7d0fa583d8108a20da9953867a160463

SHA1
587061ae9abed9d976c814df57d96266592e7ef0

SHA256
7ecdc01b62b1a03120b433a678c92f9d40850adf1b27be2e2a51bc056998ec95

SHA512
c43bdf4bca576ef010f8eaca23954d914df1267958f04560534e8a62a401992785729a8338cfbfd906c44b34dd4b3632c5f6147fe0cfff77e8369b65b2bf50bc

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.xes-6723c76fd186cb2f6777e01a2d576dd460a8ef17724d07c2ec93b6936e7daa30.exe

Filesize
387KB

MD5
5f1876a7bae2c459fb5cb66e91e443df

SHA1
0582564c5d9d54fffc4049fe4782313b5e882308

SHA256
6723c76fd186cb2f6777e01a2d576dd460a8ef17724d07c2ec93b6936e7daa30

SHA512
116bcf03ec0a201dbfe508ada5308525aa60075b596b84dc4e4890f66a9b47812dacac6d0718c37566ad87d9eeda9242b821dcd3aea5ec1eaa3542a5ad9cc865

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.xmw-c64b2edb6727e305638e0f58887a4d2a05daab14e0b5b8bacbbfdfc6070e1105.exe

Filesize
399KB

MD5
2cf2b1e3d784f1dc8c15f9365e42b574

SHA1
315e9ea1d7f1d1c1ca9b7e490158fb7729b8a347

SHA256
c64b2edb6727e305638e0f58887a4d2a05daab14e0b5b8bacbbfdfc6070e1105

SHA512
069d735ff2a352b25ce332ae78d3d95b87a914cc7004b0b7d1566f67c6d107b654f8bc1540c77e85b6dbdc4098c903dfd01aaddc05be192af6eddecd7bd60688

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.xnl-718f6fcbb022f2d4d5c8578967723dd9c9615b318d49234ded794adb2517fefc.exe

Filesize
449KB

MD5
07f799cfcd7ca681d76e637a3cc9e64a

SHA1
a9101d799d58fcd1159cbf466428931421a8ecb0

SHA256
718f6fcbb022f2d4d5c8578967723dd9c9615b318d49234ded794adb2517fefc

SHA512
6f0aa40ac9a5065b46b5ee8fad137869e2ec32b1bd20fafe7a23cdb1c116a5e7fdc0bde9b87e1255eec37023054a8b144c656c4e5003fe5f25b6670629aca1cc

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Locky.yr-8db246e02feabb5b9ff737235845c524a9682d17c59b7005f9ca7f0c6ccb27b9.exe

Filesize
177KB

MD5
8f4501809d93e3a45553710e9223f7e3

SHA1
56956bf48afdb38a9b50c9d131342a7938b17624

SHA256
8db246e02feabb5b9ff737235845c524a9682d17c59b7005f9ca7f0c6ccb27b9

SHA512
01a93a13f6afd304fecba3fe1ccd48fffdfe9e649b81f664ba16f841f5855c32005e0c860cffb31a5222accb1e5cbe145cac84e094cb9696fc1b17d155c5a8ca

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Petr.l-4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe

Filesize
788KB

MD5
a92f13f3a1b3b39833d3cc336301b713

SHA1
d1c62ac62e68875085b62fa651fb17d4d7313887

SHA256
4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c

SHA512
361a5199b5a6321d88f6e7b66eaad3756b4ea7a706fa9dbbe3ffe29217f673d12dd1200e05f96c2175feffc6fecc7f09fda4dd6bfa0ce7bef3d9372f6a534920

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.SageCrypt.b-50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b.exe

Filesize
344KB

MD5
4bbc2b40ca476c9d2dae44c86258ae80

SHA1
02b03ccc8c392eacfd41f7cbc4906c6b453aee58

SHA256
50624b1338349dcab4ad8345e0100ea75d3b643ef1e3a487b32fd711418b281b

SHA512
448eda5897c96a5968953bf65eba4686f660aed37f959b8d81168761764eafe95625cce819c66569d971e43daa23bf81455e8eab6942ce529b1795de7ad78eaa

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.SageCrypt.ha-9488baddbbc57ca926aba95ef5ac633ac45f7691bb8ae2c813f7d08a02953afb.exe

Filesize
241KB

MD5
64895eda6405cab9d6e711ec7249f005

SHA1
f168c21827cf20da6d303cb4e972505ddc1bd00c

SHA256
9488baddbbc57ca926aba95ef5ac633ac45f7691bb8ae2c813f7d08a02953afb

SHA512
38a1f6771aab6f41b48efca91eaf44dd655eff7a0f1f084540ac4838e7fdbd464ad97d157637aac075128715b8d33ff8daf0ec290a7f6613fd7144ff9c41adca

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Shade.xn-c196b338ccf99642dcf4ce6d349fdd357ec5c6b565182c6fe54049e8d2934a69.exe

Filesize
1.0MB

MD5
63c74dffd5d3fffbdf6300340c827218

SHA1
4418400db344da5ae0a17664d623c4e8a9adddcb

SHA256
c196b338ccf99642dcf4ce6d349fdd357ec5c6b565182c6fe54049e8d2934a69

SHA512
9485c3f65917aa7c199b23938de555921b2173a2b4385e3d1c74fac0e491db69a7e446d612b8ecc097cb8dcc2994e142516fe9f6f98579ccc620518e1d13da5a

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.fayn-7bad201c0c201f5353e13f95d247acdf2a173158d74a2f6a39424850b4fa3137.exe

Filesize
259KB

MD5
0ea0cb4af85da624873eef0f456aa9cc

SHA1
605960a436d4351e649ce2a1e706d2b1648ab628

SHA256
7bad201c0c201f5353e13f95d247acdf2a173158d74a2f6a39424850b4fa3137

SHA512
8effeb907c589f73b430f9eace04f4c942cc0ee83042d1229a5db9d6f5a7b27a7b656e2b8cc0f34fa82b81eb9652f5663125a9919148cfb70db3757e63543253

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.kzs-26a42036068b25ae72396c08a4101234d6103037c631c153c8c229eaaa54f963.exe

Filesize
268KB

MD5
1fb1834770c3200cac9d09263f19c00c

SHA1
34f7b3c5d730f30cb45922f4c7e66369262040e4

SHA256
26a42036068b25ae72396c08a4101234d6103037c631c153c8c229eaaa54f963

SHA512
6697c072cf998a9997febd8ca80b6e6a34ac2d7399d73784462c3ad31eea4cbcf22ada20689806d81aa2f00bf6fdc8727ee987c74fbfe25e1f08c3e6890715d9

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.tne-0fb707698709e822773843d9fecfc91c41ff43deb19e2f813795506a14c8fc2e.exe

Filesize
287KB

MD5
45bf024dd6a116701a125de1e53bf303

SHA1
6216d15cdf97d4dee47397e4bdac472bec3a7f8a

SHA256
0fb707698709e822773843d9fecfc91c41ff43deb19e2f813795506a14c8fc2e

SHA512
3f185ad881eb4aad55673a6ba1499028c7716cfaf7c12b66edb2535b71fd738501729db5d385f03d80ca62e31c084dba01a833d75732be570a55988c06099081

Download Submit
C:\Users\Admin\Desktop\00281\Trojan-Ransom.Win32.Zerber.wjw-8524cb65e82474498a8b54e3d7bd6c1c172305120bae207ad9d54a48d9c7a5aa.exe

Filesize
256KB

MD5
770100126326d2f2b0fe78a3dbdb01b4

SHA1
5f46293e71f9ef1fb34ad8c638d508e27608b806

SHA256
8524cb65e82474498a8b54e3d7bd6c1c172305120bae207ad9d54a48d9c7a5aa

SHA512
04c580ce8a1e02c2c17a0ce7f602cb53c45bb3aca0af035867da4f218a82d5405eebfff5209610f3d83be0120c7a6d346ea8934876f45a3d04109df335ece587

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
29KB

MD5
19eb36e009e1c3d8041d579245029e51

SHA1
1b02ac6a5648e985a1b8aee3ffa77d5ce3de000d

SHA256
2c30432b13795e9fcd89d1c97f4ea8d6cd8bf3ea7d69eb838caa13ce4083a142

SHA512
2a26bfcfbf5ab64272f19b939ebdf680b8b03bf5af3363b5eb07ed4c9b4bdbdf0bc0321f8cbf71318442c36362e3db1c48916acd63f9f31bbd149e4fde4f931e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj85C5.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
\Users\Admin\AppData\Local\Temp\nsj97BE.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
\Users\Admin\AppData\Local\Temp\nso8410.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Local\Temp\nst6A49.tmp\System.dll

Filesize
10KB

MD5
0ff5120f1afd0f295c2baa0f7192d3f8

SHA1
bde842d5d11005dcb4ff1d4ea97da31865477697

SHA256
4ca5bf1beb4b802914c4d3e2f37861f6ba5ecf969cfeadf5855edf58f647a721

SHA512
e049ffd7aace8d136eee007ee4f8dbc2ae8f3dce79d1c633d9654392240f8215787df8a6d08085257db51f28ff2a8023a13333dda3ea7f9bdc8b9c57b605f0a0

Download Submit
\Users\Admin\AppData\Local\Temp\nst7408.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\IP.dll

Filesize
60KB

MD5
8d74894e2548bcfa0203e617e5cddb8e

SHA1
1c338b54f35433337a7b5acf5321388754b2a711

SHA256
7ed97c7751d77d1681d3bbb970b0b7aa5691c6d5c7f5f620581f6cc2a9bd828a

SHA512
72652bd4f89e036ba6cd64826b41888cc667dd9c3bdece39ab4703e5e388047e67602b51b0ebaf9daa77ef9087ea4237519aae7010ea0005a40c97d73f3e561d

Download Submit
\Users\Admin\AppData\Roaming\SetCursor.dll

Filesize
27KB

MD5
d470d0d12977701edf8b03d78f4fba1f

SHA1
14d876c046b54a13bf5a59bdd38d600612939944

SHA256
b035da03e8a004845a1c59dd338da0e17ab6b5d47fd9c1403b50f892e221e1e0

SHA512
d13cc475c2b447714674e4edcd1b2fd8edb4879b69978dd3e9802edf4a4b6baaf74c2046993b17d20927fa351dec45b2ac30d3c4208cb2a50824f5d0cee0d15e

Download Submit
\Users\Admin\AppData\Roaming\high.dll

Filesize
32KB

MD5
78235d73bbed759b3867e1dcbb2e6286

SHA1
cda2c84bccc4a61ff4988660b999d47178415f11

SHA256
b15f29395810ece2b55cba07a5272a8a478e899f9baa856f9e7e9c94c790fafc

SHA512
f940d9be6422a8d87b99c4fc80ec229a00c8d2def53df2c0a9fd1fb193b9d734bdfd8e89fb7973a009a7c95c1810d43695cd34538329837dee3a3082543ccc28

Download Submit
memory/908-103-0x0000000000CF0000-0x0000000000D2F000-memory.dmp

Filesize
252KB

Download
memory/920-543-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/920-98-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1332-96-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1332-95-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1332-544-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1432-618-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1432-552-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2260-114-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2260-113-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2260-145-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2496-132-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2496-142-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-140-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2496-134-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2496-136-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2496-143-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2496-138-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2808-44-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2808-46-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2808-45-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2976-545-0x0000000000450000-0x000000000045F000-memory.dmp

Filesize
60KB

Download
memory/2992-546-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3032-129-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download