cerber | f7306cbeb88cd01a927374758e53359f458f7f8f4de50ca045513762731e48b6

Analysis

max time kernel
174s
max time network
179s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00273.7z
Size

1.8MB
MD5

e902a9e3042166e2419a5ce78dfec8ff
SHA1

3e6aeda063114473be594da5081e0c1d7308520f
SHA256

f7306cbeb88cd01a927374758e53359f458f7f8f4de50ca045513762731e48b6
SHA512

483be500b5b764001e9c753ba8930ff0235c4efd3b264c5215a0a9959efa06ed1cbe658929dbf8dff6b14b9e12bd6f1cad756d1bd6c55eb81747be66b9957d4a
SSDEEP

49152:3wVxTdE2himUuwVig4fWhOOmxZ1X+5zlzZQU9QvM:Ar1hcDslfZxZ1O5zlzZL9QU

Score

10^/10

cerber locky locky_osiris troldesh defense_evasion discovery evasion persistence privilege_escalation ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\_README_B1YN0_.hta

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="CERBER RANSOMWARE: Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 2.5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a href="#" id="change_language" onclick="return changeLanguage();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return showBlock('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return showBlock('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return showBlock('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return showBlock('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return showBlock('fr');">Français</a></li> <li><a href="#" title="German" onclick="return showBlock('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return showBlock('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return showBlock('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return showBlock('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return showBlock('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return showBlock('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return showBlock('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return showBlock('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't you find the necessary files? Is the content of your files not readable? It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware". It means your files are NOT damaged! Your files are modified only. This modification is reversible. From now it is not possible to use your files until they will be decrypted. The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor". Any attempts to restore your files with the third-party software will be fatal for your files! <hr> You can proceed with purchasing of the decryption software at your personal page: Please wait...<a id="megaurl" class="url" href="http://avsxrcoq2q5fgrw2.x29u3i.top/A204-4753-2E4D-006A-5B36" target="_blank">http://avsxrcoq2q5fgrw2.x29u3i.top/A204-4753-2E4D-006A-5B36</a><a href="http://avsxrcoq2q5fgrw2.zee0xr.top/A204-4753-2E4D-006A-5B36" target="_blank">http://avsxrcoq2q5fgrw2.zee0xr.top/A204-4753-2E4D-006A-5B36</a><a href="http://avsxrcoq2q5fgrw2.onion.to/A204-4753-2E4D-006A-5B36" target="_blank">http://avsxrcoq2q5fgrw2.onion.to/A204-4753-2E4D-006A-5B36</a> If this page cannot be opened  click here  to generate a new address to your personal page. At this page you will receive the complete instructions how to buy the decryption software for restoring all your files. Also at this page you will be able to restore any one file for free to be sure "Cerber Decryptor" will help you. <hr> If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://avsxrcoq2q5fgrw2.onion/A204-4753-2E4D-006A-5B36 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> Additional information: You will find the instructions ("*.hta") for restoring your files in any folder with your encrypted files. The instructions ("*.hta") in the folders with your encrypted files are not viruses! The instructions ("*.hta") will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://avsxrcoq2q5fgrw2.x29u3i.top/A204-4753-2E4D-006A-5B36" target="_blank">http://avsxrcoq2q5fgrw2.x29u3i.top/A204-4753-2E4D-006A-5B36</a><a href="http://avsxrcoq2q5fgrw2.zee0xr.top/A204-4753-2E4D-006A-5B36" target="_blank">http://avsxrcoq2q5fgrw2.zee0xr.top/A204-4753-2E4D-006A-5B36</a><a href="http://avsxrcoq2q5fgrw2.onion.to/A204-4753-2E4D-006A-5B36" target="_blank">http://avsxrcoq2q5fgrw2.onion.to/A204-4753-2E4D-006A-5B36</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://avsxrcoq2q5fgrw2.onion/A204-4753-2E4D-006A-5B36 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضافية: سوف تجد إرشادات استعادة الملفات الخاصة بك ("*.hta") في أي مجلد مع ملفاتك المشفرة. الإرشادات ("*.hta") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*.hta") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的，解密之前您无法使用您的文件。 安全解密您文件的唯一方式是购买特别的解密软件“Cerber Decryptor”。 任何使用第三方软件恢复您文件的方式对您的文件来说都将是致命的！ <hr> 您可以在您的个人页面上购买解密软件： 请稍候...<a class="url" href="http://avsxrcoq2q5fgrw2.x29u3i.top/A204-4753-2E4D-006A-5B36" target="_blank">http://avsxrcoq2q5fgrw2.x29u3i.top/A204-4753-2E4D-006A-5B36</a><a href="http://avsxrcoq2q5fgrw2.zee0xr.top/A204-4753-2E4D-006A-5B36" target="_blank">http://avsxrcoq2q5fgrw2.zee0xr.top/A204-4753-2E4D-006A-5B36</a><a href="http://avsxrcoq2q5fgrw2.onion.to/A204-4753-2E4D-006A-5B36" target="_blank">http://avsxrcoq2q5fgrw2.onion.to/A204-4753-2E4D-006A-5B36</a> 如果这个页面无法打开，请 点击这里 生成您个人页面的新地址。 您将在这个页面上看到如何购买解密软件以恢复您的文件。 您可以在这个页面使用“Cerber Decryptor”免费恢复任何文件。 <hr> 如果您的个人页面长期不可用，有其他方法可以打开您的个人页面 - 安装并使用 Tor 浏览器： <ol> <li>使用您的上网浏览器（如果您不知道使用 Internet Explorer 的话）；</li> <li>在浏览器的地址栏输入或复制地址 <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> 并按 ENTER 键；</li> <li>等待站点加载；</li> <li>您将在站点上下载 Tor 浏览器；下载并运行它，按照安装指南进行操作，等待直至安装完成；</li> <li>运行 Tor 浏览器；</li> <li>使用“Connect”按钮进行连接（如果您使用英文版）；</li> <li>初始化之后将打开正常的上网浏览器窗口；</li> <li>在浏览器地址栏中输入或复制地址 http://avsxrcoq2q5fgrw2.onion/A204-4753-2E4D-006A-5B36 </li> <li>按 ENTER 键；</li> <li>该站点将加载；如果由于某些原因等待一会儿后没有加载，请重试。</li> </ol> 如果在安装期间或使用 Tor 浏览器期间有任何问题，请访问 <a href="https://www.baidu.com/s?wd=%E6%80%8E%E4%B9%88%E5%AE%89%E8%A3%85%20tor%20%E6%B5%8F%E8%A7%88%E5%99%A8" target="_blank">https://www.baidu.com</a> 并在搜索栏中输入“怎么安装 Tor 浏览器”，您将找到有关如何安装洋葱 Tor 浏览器的说明和教程。 <hr> 附加信息： 您将在任何带有加密文件的文件夹中找到恢复您文件(“*.hta”)的说明。 带有加密文件的文件夹中的(“*.hta”)说明不是病毒，(“*.hta”)说明将帮助您解密您的文件。 请记住，最坏的情况都发生过了，您的文件还能不能用取决于您的决定和反应速度。 </div> <div id="nl"> Kunt u de nodige files niet vinden? Is de inhoud van uw bestanden niet leesbaar? Het is gewoonlijk omdat de bestandsnamen en de gegevens in uw bestanden zijn versleuteld door “Cerber Ransomware”. Het betekent dat uw bestanden NIET beschadigd zijn! Uw bestanden zijn alleen gewijzigd. Deze wijziging is omkeerbaar. Vanaf nu is het niet mogelijk uw bestanden te gebruiken totdat ze ontsleuteld zijn. De enige manier om uw bestanden veilig te

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
Locky family
locky
Locky_osiris family
locky_osiris

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fcyjbj64.exe

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Blocklisted process makes network request 3 IoCs

flow	pid	Process
1177	1716	mshta.exe
1179	1716	mshta.exe
1181	1716	mshta.exe

Contacts a large (602) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\protocol	fcyjbj64.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1996	netsh.exe

Executes dropped EXE 13 IoCs

pid	Process
2644	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
1196	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe
1640	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe
1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe
1240	scvhost.exe
2584	fcyjbj64.exe
2324	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
704	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe
1400	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe
908	fcyjbj64.exe

Loads dropped DLL 12 IoCs

pid	Process
2644	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
1196	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe
1640	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe
484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe
2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe
1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 12 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	178.63.145.236
Destination IP	185.14.29.140
Destination IP	37.187.0.40
Destination IP	83.96.168.183
Destination IP	178.17.170.133
Destination IP	108.61.40.140
Destination IP	185.14.29.140
Destination IP	37.187.0.40
Destination IP	178.63.145.236
Destination IP	128.199.248.105
Destination IP	95.85.9.86
Destination IP	178.17.170.133

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\scvhost.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fcyjbj64.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Y1FjWAxx\\fcyjbj64.exe"	fcyjbj64.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\k:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\n:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\x:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\j:	scvhost.exe
File opened (read-only)	\??\k:	scvhost.exe
File opened (read-only)	\??\l:	scvhost.exe
File opened (read-only)	\??\w:	scvhost.exe
File opened (read-only)	\??\s:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\e:	scvhost.exe
File opened (read-only)	\??\p:	scvhost.exe
File opened (read-only)	\??\s:	scvhost.exe
File opened (read-only)	\??\x:	scvhost.exe
File opened (read-only)	\??\b:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\r:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\u:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\i:	scvhost.exe
File opened (read-only)	\??\z:	scvhost.exe
File opened (read-only)	\??\g:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\o:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\p:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\w:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\g:	scvhost.exe
File opened (read-only)	\??\h:	scvhost.exe
File opened (read-only)	\??\b:	scvhost.exe
File opened (read-only)	\??\o:	scvhost.exe
File opened (read-only)	\??\i:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\j:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\l:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\v:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\y:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\z:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\q:	scvhost.exe
File opened (read-only)	\??\r:	scvhost.exe
File opened (read-only)	\??\t:	scvhost.exe
File opened (read-only)	\??\u:	scvhost.exe
File opened (read-only)	\??\n:	scvhost.exe
File opened (read-only)	\??\v:	scvhost.exe
File opened (read-only)	\??\a:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\h:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\m:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\t:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\a:	scvhost.exe
File opened (read-only)	\??\m:	scvhost.exe
File opened (read-only)	\??\e:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\q:	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
File opened (read-only)	\??\y:	scvhost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/484-62-0x00000000013E0000-0x0000000001547000-memory.dmp	autoit_exe
behavioral1/memory/484-119-0x00000000013E0000-0x0000000001547000-memory.dmp	autoit_exe
behavioral1/memory/1240-391-0x00000000000A0000-0x0000000000207000-memory.dmp	autoit_exe
behavioral1/memory/1240-437-0x00000000000A0000-0x0000000000207000-memory.dmp	autoit_exe
behavioral1/memory/1240-440-0x00000000000A0000-0x0000000000207000-memory.dmp	autoit_exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp9608.bmp"	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2004	2644	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe	38
PID 1640 set thread context of 2324	1640	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe	44
PID 1964 set thread context of 704	1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe	46
PID 1196 set thread context of 1400	1196	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe	47
PID 2584 set thread context of 908	2584	fcyjbj64.exe	55

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000156b8-61.dat	upx
behavioral1/memory/484-62-0x00000000013E0000-0x0000000001547000-memory.dmp	upx
behavioral1/memory/484-94-0x0000000002C20000-0x0000000002D87000-memory.dmp	upx
behavioral1/memory/1240-99-0x00000000000A0000-0x0000000000207000-memory.dmp	upx
behavioral1/memory/484-119-0x00000000013E0000-0x0000000001547000-memory.dmp	upx
behavioral1/memory/1400-121-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1400-126-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1400-125-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1400-124-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1400-123-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1240-391-0x00000000000A0000-0x0000000000207000-memory.dmp	upx
behavioral1/memory/1400-393-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1400-392-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1240-437-0x00000000000A0000-0x0000000000207000-memory.dmp	upx
behavioral1/memory/1400-438-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1240-440-0x00000000000A0000-0x0000000000207000-memory.dmp	upx
behavioral1/memory/1400-442-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_README_1N6F_.hta	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\scvhost.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcyjbj64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcyjbj64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2244	cmd.exe
3004	PING.EXE
2920	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
2500	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "0"	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\TileWallpaper = "0"	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D629D191-A91C-11EF-875C-F2BBDB1F0DCB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 52003100000000007659fdae1020526f616d696e67003c0008000400efbe2359ad297659fdae2a000000ee01000000000200000000000000000000000000000052006f0061006d0069006e006700000016000000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 7e0074001c004346534616003100000000002359ad29122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe2359ad292359ad292a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000042000000	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 56003100000000007659f9ae16005931466a5741787800003e0008000400efbe7659f9ae7659f9ae2a000000838d01000000060000000000000000000000000000005900310046006a005700410078007800000018000000	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "2"	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\scvhost.exe:Zone.Identifier	cmd.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3004	PING.EXE
2920	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
2772	taskmgr.exe
2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe
2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe
2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2684	7zFM.exe
2772	taskmgr.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2644	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
1640	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe
1196	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	2684	7zFM.exe
Token: 35	2684	7zFM.exe
Token: SeSecurityPrivilege	2684	7zFM.exe
Token: SeDebugPrivilege	2772	taskmgr.exe
Token: SeDebugPrivilege	2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe
Token: SeDebugPrivilege	2584	fcyjbj64.exe
Token: SeShutdownPrivilege	2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
Token: SeDebugPrivilege	908	fcyjbj64.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	908	fcyjbj64.exe
Token: SeDebugPrivilege	908	fcyjbj64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2684	7zFM.exe
2684	7zFM.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe
2772	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1716	mshta.exe
1716	mshta.exe
952	mshta.exe
952	mshta.exe
1596	iexplore.exe
1596	iexplore.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2004	2644	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe	38
PID 2644 wrote to memory of 2004	2644	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe	38
PID 2644 wrote to memory of 2004	2644	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe	38
PID 2644 wrote to memory of 2004	2644	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe	38
PID 2644 wrote to memory of 2004	2644	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe	38
PID 484 wrote to memory of 584	484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe	41
PID 484 wrote to memory of 584	484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe	41
PID 484 wrote to memory of 584	484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe	41
PID 484 wrote to memory of 584	484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe	41
PID 484 wrote to memory of 1240	484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe	43
PID 484 wrote to memory of 1240	484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe	43
PID 484 wrote to memory of 1240	484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe	43
PID 484 wrote to memory of 1240	484	Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe	43
PID 1640 wrote to memory of 2324	1640	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe	44
PID 1640 wrote to memory of 2324	1640	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe	44
PID 1640 wrote to memory of 2324	1640	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe	44
PID 1640 wrote to memory of 2324	1640	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe	44
PID 2016 wrote to memory of 2584	2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe	45
PID 2016 wrote to memory of 2584	2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe	45
PID 2016 wrote to memory of 2584	2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe	45
PID 2016 wrote to memory of 2584	2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe	45
PID 1640 wrote to memory of 2324	1640	Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe	44
PID 1964 wrote to memory of 704	1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe	46
PID 1964 wrote to memory of 704	1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe	46
PID 1964 wrote to memory of 704	1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe	46
PID 1964 wrote to memory of 704	1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe	46
PID 1964 wrote to memory of 704	1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe	46
PID 1964 wrote to memory of 704	1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe	46
PID 1964 wrote to memory of 704	1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe	46
PID 1964 wrote to memory of 704	1964	HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe	46
PID 1196 wrote to memory of 1400	1196	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe	47
PID 1196 wrote to memory of 1400	1196	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe	47
PID 1196 wrote to memory of 1400	1196	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe	47
PID 1196 wrote to memory of 1400	1196	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe	47
PID 1196 wrote to memory of 1400	1196	Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe	47
PID 2016 wrote to memory of 2244	2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe	49
PID 2016 wrote to memory of 2244	2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe	49
PID 2016 wrote to memory of 2244	2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe	49
PID 2016 wrote to memory of 2244	2016	Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe	49
PID 2244 wrote to memory of 3004	2244	cmd.exe	51
PID 2244 wrote to memory of 3004	2244	cmd.exe	51
PID 2244 wrote to memory of 3004	2244	cmd.exe	51
PID 2244 wrote to memory of 3004	2244	cmd.exe	51
PID 2584 wrote to memory of 2624	2584	fcyjbj64.exe	52
PID 2584 wrote to memory of 2624	2584	fcyjbj64.exe	52
PID 2584 wrote to memory of 2624	2584	fcyjbj64.exe	52
PID 2584 wrote to memory of 2624	2584	fcyjbj64.exe	52
PID 2624 wrote to memory of 1996	2624	cmd.exe	54
PID 2624 wrote to memory of 1996	2624	cmd.exe	54
PID 2624 wrote to memory of 1996	2624	cmd.exe	54
PID 2624 wrote to memory of 1996	2624	cmd.exe	54
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2584 wrote to memory of 908	2584	fcyjbj64.exe	55
PID 2004 wrote to memory of 952	2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe	61
PID 2004 wrote to memory of 952	2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe	61
PID 2004 wrote to memory of 952	2004	Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe	61

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00273.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2684

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2772

C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
"C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe
  "C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\_README_VZ01_.hta"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:952
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1748
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2920

C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe
"C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe
  "C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1400

C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
"C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe
  "C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:2324
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1596
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys20.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:112

C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe
"C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C echo. > "C:\Users\Admin\AppData\Roaming\scvhost.exe":Zone.Identifier
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:584
- C:\Users\Admin\AppData\Roaming\scvhost.exe
  "C:\Users\Admin\AppData\Roaming\scvhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1240

C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe
"C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Roaming\Y1FjWAxx\fcyjbj64.exe
  C:\Users\Admin\AppData\Roaming\Y1FjWAxx\fcyjbj64.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    /a /c netsh advfirewall firewall add rule name="Y1FjWAxx" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Y1FjWAxx\fcyjbj64.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Y1FjWAxx" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Y1FjWAxx\fcyjbj64.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1996
- - C:\Users\Admin\AppData\Roaming\Y1FjWAxx\fcyjbj64.exe
    "C:\Users\Admin\AppData\Roaming\Y1FjWAxx\fcyjbj64.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  /a /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\Desktop\00273\TROJAN~1.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3004

C:\Users\Admin\Desktop\00273\HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe
"C:\Users\Admin\Desktop\00273\HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\Desktop\00273\HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe
  "C:\Users\Admin\Desktop\00273\HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe"
  2⤵
  - Executes dropped EXE
  PID:704

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_README_K45ZF_.hta"
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSIRIS-8467.htm

Filesize
8KB

MD5
5fecc555aeffc3c31a1ca32e848b2478

SHA1
42d34e53d21c6080391f46507f218d96fd3676ee

SHA256
b4687defe6d624c1c578f78b6b4bc0d29e6a029439ce9479d0c9b869e2d1ba55

SHA512
9c78160f9a60be105801c19e4b6d8121df4046b86d3c33e1851ac83d9a69d6f7eae83ab7cb8aa04941245d8cef281d56ac66608a6f8ed5b11e3fab3d51fcb26f

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\_README_B1YN0_.hta

Filesize
66KB

MD5
a06df671268c64bcf9d819c002f43480

SHA1
c7ddd7d979aa44381cfe9e56d2630df902dc49b7

SHA256
c35c730f51db4c8dcf8de77e37e794e28663d6351a153f1038e6fbddf3138d51

SHA512
70884a2f333d48fc9ba8176875d2bec334179edb3180c22a623514335dc37c0e9b23ef933727205060d3d08aa90a135d1c86af7d48cbb593f23dd06e0e78e6ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
54d70c34c0a03c437860f7ad24b721b1

SHA1
1ce20fb174bd0fea0319a301ecf7f869ff213b8d

SHA256
922ac891c6917188c5fb815b7b5f2a0cc72a674b7c1ceabb2f0684d9df3b3967

SHA512
dbc1b50fb312ca3ffc5e7dd102364d4b1c09060e9ccba1f3100d02a3b9407325ea1e4b16c8423da2c88fd01a302783f63ed155a6dd1584ecac0ae61e0d1ffca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d1567b652a0d738dc3c5aa168730c51

SHA1
1ddd71741071ed3c095206b8841c28f9c53e4c0e

SHA256
ac366104f3042782621108dc907688b18c5a204e87c7db24708d8d72494b5a82

SHA512
fd7dcf372d98eb41281a87028632d5afebe1c3a1c0c475af7a3984f730615b1f952cf3ceb93af2b6a919709d4285fec83ff30bb1af60137a4da02eb1c95a2dba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbd0715b19615d13f1aa76589443ea31

SHA1
3fc5c0e1da9a6d58fe66341b5d87f5132a7020e0

SHA256
d3a653d8eecd52a15061da81f67626cfa1f142ea4d5f6b41eb89e5e5c667f2d1

SHA512
c71b01ab2d53fc87091a525dcf76839566646d0d470851690a7f25b840ac2efdd85e0f4b9c70b1c15397d987a96594a6d4a2f90d9b48133edb4769cc743b6ab4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
508fba47935efbde2fef8cfce3522136

SHA1
57677936456ff25d989d2a58f385fd9fb4c4a69d

SHA256
04b8c513b583c0da0ff43c993644a9e3ba7dae3fce368c691019cfa95b0d2e3e

SHA512
75aee720dfa83288af22974a6b6c8c8e9b2c67b46db0b42a73fa48473db04dff45d860c2925a234d5b7ea865ec595f1f3a59e7286f3d66f3c391b42534bfebff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d204f4dea9fe4e5f84982dc785fb60dc

SHA1
75dd28afe534179fb4b943e07508a6e2746637d0

SHA256
71266f03870b382c9db6ab2d1ec2ca8b4eb2725ccc3f74631355434acc295f0f

SHA512
86539996d3db256ceb1e2a48a28fb682a9993d87bdd4b4ae20f30be616bb58728c004a7c469924af43f7fefe13e8b26cb14f5f743541792aa9dbd137c5c66bea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcaf08c0f1016cca1ed99e197904c2b0

SHA1
4ee416290f7884057613c42396be18b6d96f0855

SHA256
28a4e09186035c66d395ef61a5b600529c0290b3efbaccbc8a04a0460569e35a

SHA512
c80aa6c8a6e0c4571e053bc713cd6578ab1afea691a0c3bd6d689365f0507c3e8e5d647a151a877780b4460cee3fb77ded61d0be89c8cc29d2441bed565faa1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20e7188f87333d5e9e0a9fb470a3c946

SHA1
a683efdf5e708dbf73ae84707f9f68471ae9f2e0

SHA256
6f9e639b503f232e4b2a2dd6286c5b5d0ec33dfb0c15cb6cfc05b154256d0ab7

SHA512
4d8dcab63d469130d930b073e50db7b9420a1d1b30d34c99e5c666d8cebcaa518297ba8b78be9a50359bba361f1ded62ad42da2ea336fdcf3c512c50620e1c4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
236cf56e45047cc988674db1a18fc4c7

SHA1
02391e40eeefef321e9c922d515919d97bbd0446

SHA256
e1015f3728544de4d50f07bca1428f6df76d3549e871195b422f9b8fbcc5d8e5

SHA512
33929bafa42df1bf2d992ff9b7404af5724fec7840a2aa56de2c0196bdf1b88d929bdf7ed3a9816e3563d918cb48190232fcab4f8cbb6bc8e6a68710bd9a122a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27f32372968218de55da4eb091e877c4

SHA1
3d8e1d61cd810dee7e92c649b95b6024d1dc27f2

SHA256
c9e07e70f148e1fd6d0a1a2ba31be948eacac8a27000162a7f8ee3c967d38399

SHA512
2e31556b6d3c46db9112ea02b0a665fb98dc7d7ba756c434b53f7548cbc419f8d0ebee243c14adc993390583fbcaec3b44c0ccd4913b0e517039c9a4f99b9a03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a76dda73bcd088aad40297d59562681

SHA1
411f92e0d4fc2494b50eb21971b8e3c40adb56c4

SHA256
fd11ff0172b4f81c510f5ad09a7332f8574d1c1ca2ed9e11c203589cd1298953

SHA512
a49489c72c8ac46d0db9752567c10c9fd6338b45052a05098d3a119d9af147500a55e8eb6ff602df733ad953ec0365c42af3714d6114531f226d62f5f5d8a0cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
6f5053562ca33758b4422bdc6b6c82a3

SHA1
8bcefcef21b62f124b8e575f682c841ff5e93838

SHA256
58a69677130c91717112e62a67193dd121ad1cf254238c62f9a7b62da2569480

SHA512
fca7599360c50522af7a0c2637e36b18b313734987cc74bb2fc7dfec39cf80130f1c39d686e25e56e7bb0e281d58fc31e787426c0c85dd58f3d93d4977f83388

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab18DF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar18F1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe:Zone.Identifier

Filesize
3B

MD5
bc949ea893a9384070c31f083ccefd26

SHA1
cbb8391cb65c20e2c05a2f29211e55c49939c3db

SHA256
6bdf66b5bf2a44e658bea2ee86695ab150a06e600bf67cd5cce245ad54962c61

SHA512
e4288e71070485637ec5825f510a7daa7e75ef6c71a1b755f51e1b0f2e58e5066837f58408ea74d75db42c49372c6027d433a869904fc5efaf4876dfcfde1287

Download Submit
C:\Users\Admin\Desktop\00273\HEUR-Trojan-Ransom.Win32.Agent.gen-719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244.exe

Filesize
192KB

MD5
06dfde68d9e07bc1191626855a321801

SHA1
a17859092783b09986512203119bbfaf4f5e13b0

SHA256
719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244

SHA512
9d4f64e297e694d49ff4eee734afaf48945cf1b0d991dff707253266a10603994edaa6a68ad614118d50925e25a9f9f405ca60b15c4c0d4464175e80c0cfc2df

Download Submit
C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Blocker.jujb-79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf.exe

Filesize
71KB

MD5
598d66c68a6b5eb33493b4b264e40e5b

SHA1
e8a6a2092c8494a33d7b8606bb7a3b4ac3a7d2a1

SHA256
79ab656fdcdb485b68c490da921dbd67296fc2b22f008c1090ac5d698596adbf

SHA512
746d6ea9204810ed90eaf3ed829067035ec83cb437c3ce04e135150fe4e3548b26be4b5a0bfc9f6d0629cc9e28610aff6464bb5e215e279db3dbaad3dd6c7f80

Download Submit
C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Blocker.jumq-9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965.exe

Filesize
650KB

MD5
d1bce477f226afd35eb2eda9e0c99867

SHA1
9b23565fceb388cf8bc4c6e92f8e36601c02f81e

SHA256
9a0bd8161765f211c1be418eb8109897be47a7d54252967805fa5c4ca2104965

SHA512
10cc56dab4c7916a3bea8e4e076a8147b06fdf8a7b930d01c0cace3618ddc69468d9ee2d22a2f2691d7d43f6afedd7e49d4af89a854531f955b2df91365337d9

Download Submit
C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Scatter.lu-23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63.exe

Filesize
204KB

MD5
7661ddde2844c69f6c990ca886291719

SHA1
5f7b07330d1de98b1c28b1106a81712e9f869596

SHA256
23d5c0af1f40ac2bfc7db1c34384e83f79870fe6c786512b116d599b41579c63

SHA512
82608695c3579b724abd5a7d137891bd90b02b45083a0e16c87a00da1519c99b0c028acc3c5d97f1a3b2b29b18a0aa913fcfa51cfb8791411656c79168f33d89

Download Submit
C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Shade.lgc-c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07.exe

Filesize
952KB

MD5
837324e34b58c2553fc0af963c7cdbff

SHA1
f724e28c42f72ea47776c086945d1d4da6e66acc

SHA256
c62093ffaa2889561fef53383c3f6ed0c2d9a379fd9008301ac6906bfceddf07

SHA512
1dd3e7872fb50709a4098904099c895fea09bd7fffabcf657c48d0b74f99aeabc58709f29cd87658c40a393acd7971183d3a4bad700eeae8b290752b72bf6f66

Download Submit
C:\Users\Admin\Desktop\00273\Trojan-Ransom.Win32.Zerber.ardv-100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1.exe

Filesize
264KB

MD5
48036052ba00df2abeff3bdb8b3bc392

SHA1
f1b0fc62263a3ff14f67af84595ac8e98265e4bb

SHA256
100b72a33d7a0a83f798c9ba77ce9ccc8615bd17a1de8809a2c70c672a42e5a1

SHA512
d61f33f74ad9eb7dfd302fd5e4e36654e6361d64a11629eed95bd3372cde179579c63bab8112ef79c3ee806379fa657774ac04873ca642080326247a8bb7f330

Download Submit
\Users\Admin\AppData\Local\Temp\nseECFF.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEF01.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/484-97-0x0000000002C20000-0x0000000002D87000-memory.dmp

Filesize
1.4MB

Download
memory/484-94-0x0000000002C20000-0x0000000002D87000-memory.dmp

Filesize
1.4MB

Download
memory/484-119-0x00000000013E0000-0x0000000001547000-memory.dmp

Filesize
1.4MB

Download
memory/484-62-0x00000000013E0000-0x0000000001547000-memory.dmp

Filesize
1.4MB

Download
memory/704-116-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/908-390-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-388-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-387-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/908-383-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-381-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-379-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-377-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-385-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1240-391-0x00000000000A0000-0x0000000000207000-memory.dmp

Filesize
1.4MB

Download
memory/1240-99-0x00000000000A0000-0x0000000000207000-memory.dmp

Filesize
1.4MB

Download
memory/1240-440-0x00000000000A0000-0x0000000000207000-memory.dmp

Filesize
1.4MB

Download
memory/1240-437-0x00000000000A0000-0x0000000000207000-memory.dmp

Filesize
1.4MB

Download
memory/1400-442-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1400-123-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1400-392-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1400-121-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1400-126-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1400-438-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1400-125-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1400-393-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1400-124-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2004-166-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-168-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-444-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-197-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-417-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-71-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-65-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-150-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2324-108-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/2324-111-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/2324-113-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/2772-12-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2772-42-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download