Analysis

  • max time kernel
    143s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    22-11-2024 16:51

General

  • Target

    RNSM00279.7z

  • Size

    5.4MB

  • MD5

    acba2209edbb1f7e0bee57da387ca965

  • SHA1

    6b0333d14fe7a7421cf59357843edb6b796f0e84

  • SHA256

    a15b04019cc88bc0035e8808c951ad06177d55fa11488131caac90ce1346b6b6

  • SHA512

    2888aaaebe2e25f441349ada813fa291b6de0ed09957ebb8b7728ed0ff7f9d85f5e17e9fc01061111c2540100a0562af3c1f79be6b138237f9763d4c59738cbb

  • SSDEEP

    98304:legqLR4xsY1BV9z3TKtFUcAVHZh7QDzJJ/4TLLLCMw8mUuN3abv8wxJv:legWY1BV9z3XHP0PjQPubhN3A0OF

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\@[email protected]

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E

#########################################################################

Cannot you find the files you need?
Is the content of the files that you looked for not readable???
It is normal because the files' names, as well as the data in your files have been encrypted.

Great!
You have turned to be a part of a big community "#Cerb3r Ransomware".

#########################################################################

!!! If you are reading this message it means the software "Cerber" has
!!! been removed from your computer.

!!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a
!!! working domain of your personal page!

#########################################################################

What is encryption?
-------------------

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.

But not only it.

It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.

#########################################################################

Everything is clear for me but what should I do?
------------------------------------------------

The first step is reading these instructions to the end.

Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.

After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.

It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

!!! Any attempts to return your files with the third-party tools can
!!! be fatal for your encrypted files.

The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.

Finally it will be impossible to decrypt your files.

When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.

You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.

#########################################################################

!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.

#########################################################################

For your information the software to decrypt your files (as well as the private key provided together) are paid products.

After purchase of the software package you will be able to:

1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

#########################################################################

There is a list of temporary addresses to go on your personal page below:

1. http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012
2. http://4kqd3hmqgptupi3p.wl52rt.bid/F843-3FC2-E5D0-0446-8012
3. http://4kqd3hmqgptupi3p.b4by4c.bid/F843-3FC2-E5D0-0446-8012
4. http://4kqd3hmqgptupi3p.fw1bwy.bid/F843-3FC2-E5D0-0446-8012
5. http://4kqd3hmqgptupi3p.onion.to/F843-3FC2-E5D0-0446-8012

#########################################################################

What should you do with these addresses?
----------------------------------------

If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):

1. take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012 appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.

If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.

If you browse the instructions in HTML format:

1. click the left mouse button on the first address (in this case it is http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the Internet.

#########################################################################

Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.

Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:

1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://4kqd3hmqgptupi3p.onion/F843-3FC2-E5D0-0446-8012 in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.

#########################################################################

Additional information:

You will find the instructions for restoring your files in those folders where you have your encrypted files only.

The instructions are made in two file formats - HTML and TXT for your convenience.

Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.

The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

#########################################################################

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.

The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.

Together we make the Internet a better and safer place.

#########################################################################

If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.

#########################################################################

Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012

http://4kqd3hmqgptupi3p.wl52rt.bid/F843-3FC2-E5D0-0446-8012

http://4kqd3hmqgptupi3p.b4by4c.bid/F843-3FC2-E5D0-0446-8012

http://4kqd3hmqgptupi3p.fw1bwy.bid/F843-3FC2-E5D0-0446-8012

http://4kqd3hmqgptupi3p.onion.to/F843-3FC2-E5D0-0446-8012

http://4kqd3hmqgptupi3p.onion/F843-3FC2-E5D0-0446-8012
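The six URLs above share one shape: a 16-character label (the v2 onion name 4kqd3hmqgptupi3p) in front of a gateway domain, and the victim ID as the path. The four .bid hosts and onion.to are clearnet reverse proxies into Tor, which is why the note itself calls them "temporary"; the last entry is the hidden service reached directly over Tor. The following is an added example, not part of this sandbox report or of any tool it mentions: a Python helper that pulls note URLs out of raw ransom-note text (the TXT note is extracted as one run of text, with the addresses wrapped in a box), normalizes each to (onion service, gateway, victim ID), and produces the proxy hostnames worth blocking at DNS. The v2 onion format and the victim-ID format are assumptions drawn from this note; the NOTE_FRAGMENT input is constructed from it.

```python
import re
from urllib.parse import urlparse

# Constructed sample: fragments of the TXT note above as they appear in the
# report (box characters around the address list, trailing punctuation,
# and one unrelated link that must NOT be treated as an indicator).
NOTE_FRAGMENT = """
| | 1. http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012 | | 2.
http://4kqd3hmqgptupi3p.wl52rt.bid/F843-3FC2-E5D0-0446-8012 | | 3. http://4kqd3hmqgptupi3p.b4by4c.bid/F843-3FC2-E5D0-0446-8012 |
1. take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012);
8. type or copy the address http://4kqd3hmqgptupi3p.onion/F843-3FC2-E5D0-0446-8012 in this browser address bar;
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar
"""

URL_RE = re.compile(r"""https?://[^\s|"'<>()]+""")
# Assumption: Cerber-era hidden services used v2 onion names, 16 base32 chars.
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$")
# Assumption: victim ID as seen in this note, five groups of four hex digits.
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{4}(?:-[0-9A-F]{4}){4}$")


def extract_urls(text):
    """Pull every http(s) URL out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,;:") for u in URL_RE.findall(text)]


def parse_note_url(url):
    """Return (onion_service, gateway, victim_id) for a Cerber personal-page
    URL, or None when the URL does not have that shape (e.g. torproject.org)."""
    parsed = urlparse(url)
    labels = (parsed.hostname or "").split(".")
    victim_id = parsed.path.strip("/")
    if len(labels) < 2 or not ONION_LABEL_RE.match(labels[0]):
        return None
    if not VICTIM_ID_RE.match(victim_id):
        return None
    onion_service = labels[0] + ".onion"
    # "<label>.onion" is direct Tor access; anything else is a clearnet
    # gateway (tor2web-style proxy) in front of the same hidden service.
    gateway = None if labels[1:] == ["onion"] else ".".join(labels[1:])
    return onion_service, gateway, victim_id


def summarize(urls):
    """Collapse a list of note URLs into the indicators worth tracking."""
    onion_services, gateways, victim_ids, block_hosts = set(), set(), set(), set()
    for url in urls:
        parsed = parse_note_url(url)
        if parsed is None:
            continue
        onion_service, gateway, victim_id = parsed
        onion_services.add(onion_service)
        victim_ids.add(victim_id)
        if gateway:
            gateways.add(gateway)
            # Block the full proxy hostname: the bare gateway domain may front
            # other onion services, and the onion label alone is not a DNS name.
            block_hosts.add(urlparse(url).hostname)
    return {
        "onion_services": onion_services,
        "gateways": gateways,
        "victim_ids": victim_ids,
        "block_hosts": block_hosts,
    }


if __name__ == "__main__":
    for key, values in summarize(extract_urls(NOTE_FRAGMENT)).items():
        print(key, sorted(values))
```

The victim ID is the one value that ties every address together, so it is the right key for correlating notes found on several hosts; the onion service name is the durable network indicator, while the .bid proxy hostnames rotate and should be treated as short-lived.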

Extracted

Path

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\@[email protected]

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012" id="url_1" target="_blank">http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://4kqd3hmqgptupi3p.wl52rt.bid/F843-3FC2-E5D0-0446-8012" target="_blank">http://4kqd3hmqgptupi3p.wl52rt.bid/F843-3FC2-E5D0-0446-8012</a></li> <li><a href="http://4kqd3hmqgptupi3p.b4by4c.bid/F843-3FC2-E5D0-0446-8012" target="_blank">http://4kqd3hmqgptupi3p.b4by4c.bid/F843-3FC2-E5D0-0446-8012</a></li> <li><a href="http://4kqd3hmqgptupi3p.fw1bwy.bid/F843-3FC2-E5D0-0446-8012" target="_blank">http://4kqd3hmqgptupi3p.fw1bwy.bid/F843-3FC2-E5D0-0446-8012</a></li> <li><a href="http://4kqd3hmqgptupi3p.onion.to/F843-3FC2-E5D0-0446-8012" target="_blank">http://4kqd3hmqgptupi3p.onion.to/F843-3FC2-E5D0-0446-8012</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012" id="url_2" target="_blank">http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012" id="url_3" target="_blank">http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012" id="url_4" target="_blank">http://4kqd3hmqgptupi3p.w3r6a4.bid/F843-3FC2-E5D0-0446-8012</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> 
</ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://4kqd3hmqgptupi3p.onion/F843-3FC2-E5D0-0446-8012</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional 
information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

  • Cerber family
  • Locky

    Ransomware strain released in 2016 with anti-analysis features.

  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since late 2016 (the .osiris extension first appeared in December 2016).

  • Locky family
  • Locky_osiris family
  • Luminosity 2 IoCs

    Luminosity (LuminosityLink) is a RAT family that was sold commercially while being marketed as a system administration utility.

  • Luminosity family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware commonly deletes Volume Shadow Copies and other backups to inhibit system recovery.

  • Contacts a large (522) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 22 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application 2 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 4 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
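The signatures "Adds Run key to start application", "Scheduled Task/Job: Scheduled Task" and "Indicator Removal: File Deletion" are behavioural labels; the process tree below shows the concrete command lines behind them (REG ADD into HKLM\...\CurrentVersion\RunOnce with /reg:64, schtasks /create /sc onlogon /rl highest, and cmd /c DEL of the sample's own 8.3 short name). The following is an added example, not part of this report or of the sandbox's own signature engine: a Python pass that re-derives those labels from raw command lines, as a hunt would over Sysmon event ID 1 or EDR process telemetry, and lists the executables the persistence entries would launch. The regexes are my own approximations of the signatures; the first three sample lines are taken from this report's process tree, the vssadmin and Contoso lines are constructed and were not observed in this run.

```python
import re

# Sample command lines. The first three are from the process tree in this
# report (REG.exe PID 4912, schtasks.exe PID 3628, cmd.exe PID 2588) and the
# WerFault line is the crash handler also seen there; the vssadmin and
# Contoso lines are constructed for the example and were NOT observed here.
SAMPLE_CMDLINES = [
    r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64',
    r'''schtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f''',
    r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00279\TROJAN~2.EXE',
    r"vssadmin delete shadows /all /quiet",                  # constructed
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 288",   # benign crash handler
    r'REG ADD "HKCU\Software\Contoso\Settings" /v Theme /d dark /f',  # constructed, benign
]

RULES = {
    # REG ADD into a Run/RunOnce key. The observed line passes /reg:64: a
    # 32-bit REG.exe (launched from SysWOW64) writes the native 64-bit view
    # instead of Wow6432Node, so a hunt that queries only one view misses it.
    "runonce_persistence": re.compile(
        r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I),
    # schtasks /create with an at-logon trigger and the highest run level.
    "logon_task_persistence": re.compile(
        r"\bschtasks(?:\.exe)?\s+/create\b(?=.*\s/sc\s+onlogon\b)(?=.*\s/rl\s+highest\b)", re.I),
    # cmd /c DEL of an executable: the dropper removing its own copy. The
    # observed target is the 8.3 short name of the sample, which the \.exe\b
    # tail still matches.
    "self_delete_exe": re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+del\b.*\.exe\b', re.I),
    # vssadmin delete shadows: recovery inhibition (constructed sample only).
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
}

# Windows executable paths (drive letter onwards) embedded in a command line.
EXE_PATH_RE = re.compile(r"""[A-Za-z]:\\[^"']*?\.exe""", re.I)


def classify(cmdline):
    """Names of every rule that matches, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def triage(cmdlines):
    """Run every rule over each command line and collect the exe paths it names."""
    return [
        {"cmdline": c, "rules": classify(c), "exe_paths": EXE_PATH_RE.findall(c)}
        for c in cmdlines
    ]


def persistence_targets(cmdlines):
    """Executables that the matched persistence entries would launch at logon."""
    targets = set()
    for finding in triage(cmdlines):
        if any(rule.endswith("_persistence") for rule in finding["rules"]):
            targets.update(finding["exe_paths"])
    return targets


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding["rules"] or ["-"], finding["cmdline"][:72])
    print("persistence targets:", sorted(persistence_targets(SAMPLE_CMDLINES)))
```

Both persistence mechanisms in this run point at the same binary, C:\Program Files (x86)\Client\client.exe, under the same display name "Client Monitor"; on a live host that is the path and task name to check first, and the RunOnce value must be read from the 64-bit registry view to be seen at all.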

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00279.7z"
    1⤵
    • Luminosity
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2308
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
      HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
        HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4492
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 288
          4⤵
          • Program crash
          PID:4624
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe
      Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:2696
      • C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe
        "C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe" "C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.dll" "dejumifit" " -p bscsrvgup -i b2a7fcfc9e7e4b7bb1489aec1ad94faa" "mifitiwiqiy"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        PID:4604
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe
      Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of SetWindowsHookEx
      PID:2024
      • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe
        Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3924
        • C:\Windows\iadpmsccojgu.exe
          C:\Windows\iadpmsccojgu.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2116
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 324
            5⤵
            • Program crash
            PID:4936
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00279\TROJAN~2.EXE
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2588
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe
      Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
      • C:\Users\Admin\AppData\Local\Temp\File.exe
        "C:\Users\Admin\AppData\Local\Temp\File.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3600
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4912
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
          4⤵
          • Luminosity
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3628
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:3688
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:3704
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:3804
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1836
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:532
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1480
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:3236
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2364
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3928
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\tskmgr.exe.lnk " /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2500
      • C:\Users\Admin\AppData\Local\Temp\notepad.exe
        "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4236
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe
      Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: MapViewOfSection
      PID:2492
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe
      Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2344
      • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe
        Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4920
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe
      Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1472
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe
      Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: MapViewOfSection
      PID:2836
      • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe
        Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:5096
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe
      Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        • Drops file in System32 directory
        PID:4268
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe
      Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1820
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysCC73.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4772
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe
      Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:3028
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:3912
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3912 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4008
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3912 CREDAT:406536 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4748
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysC33F.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4120
    • C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe
      Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4352
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic.exe shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4396
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\@[email protected]
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3132
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3132 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3232
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\@[email protected]
        3⤵
        PID:3160
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:3284
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im "Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3340
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3380
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2796
  • C:\Windows\syswow64\svchost.exe
    "C:\Windows\syswow64\svchost.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:4416
  • C:\Program Files (x86)\BasicServe\basicserve.exe
    "C:\Program Files (x86)\BasicServe\basicserve.exe" "C:\Program Files (x86)\BasicServe\basicserve.dll" uzowesoweh zowanude
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4672
    • C:\Program Files (x86)\BasicServe\basicserve.exe
      "C:\Program Files (x86)\BasicServe\basicserve.exe" "C:\Program Files (x86)\BasicServe\basicserve.dll" cinatayoh apohonecin
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5064
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:3956
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 336
      2⤵
      • Program crash
      PID:2208
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 360
      2⤵
      • Program crash
      PID:2636
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:3764

        Downloads

        • \Users\Admin\AppData\Local\Temp\nse73AC.tmp\System.dll

          Filesize

          10KB

          MD5

          fe24766ba314f620d57d0cf7339103c0

          SHA1

          8641545f03f03ff07485d6ec4d7b41cbb898c269

          SHA256

          802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

          SHA512

          60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

        • \Users\Admin\AppData\Local\Temp\nst72E1.tmp\System.dll

          Filesize

          11KB

          MD5

          3e6bf00b3ac976122f982ae2aadb1c51

          SHA1

          caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

          SHA256

          4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

          SHA512

          1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

        • memory/632-758-0x0000000003500000-0x00000000035D2000-memory.dmp

          Filesize

          840KB

        • memory/1472-666-0x0000000001290000-0x00000000012CF000-memory.dmp

          Filesize

          252KB

        • memory/1820-747-0x0000000002EB0000-0x0000000002F82000-memory.dmp

          Filesize

          840KB

        • memory/2344-664-0x0000000000520000-0x000000000053B000-memory.dmp

          Filesize

          108KB

        • memory/2492-670-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

        • memory/2492-669-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

        • memory/2796-24-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2796-1930-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2796-26-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2796-25-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2796-1952-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2796-1951-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2796-1931-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2968-667-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/3028-763-0x0000000000400000-0x0000000000468000-memory.dmp

          Filesize

          416KB

        • memory/3028-772-0x00000000047B0000-0x00000000047D7000-memory.dmp

          Filesize

          156KB

        • memory/3028-771-0x00000000047B0000-0x00000000047D7000-memory.dmp

          Filesize

          156KB

        • memory/4416-671-0x0000000000080000-0x0000000000088000-memory.dmp

          Filesize

          32KB

        • memory/4492-677-0x0000000010000000-0x0000000010016000-memory.dmp

          Filesize

          88KB

        • memory/4492-675-0x00000000001C0000-0x00000000001CF000-memory.dmp

          Filesize

          60KB

        • memory/4492-676-0x00000000001C0000-0x00000000001CF000-memory.dmp

          Filesize

          60KB

        • memory/4492-682-0x00000000001C0000-0x00000000001CF000-memory.dmp

          Filesize

          60KB

        • memory/4492-681-0x00000000001C0000-0x00000000001CF000-memory.dmp

          Filesize

          60KB

        • memory/4604-696-0x0000000000410000-0x00000000004E2000-memory.dmp

          Filesize

          840KB

        • memory/4672-703-0x00000000002E0000-0x00000000003B2000-memory.dmp

          Filesize

          840KB

        • memory/4804-727-0x00000000005B0000-0x0000000000682000-memory.dmp

          Filesize

          840KB

        • memory/4920-742-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/4920-744-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/4920-734-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/4920-745-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/4920-746-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/4920-740-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/4920-738-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/4920-736-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/4920-752-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/5096-755-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/5096-756-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/5096-757-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB