cerber | e135b3e7b476bb122662a05c539f79fe49d827871232835c708952a4df95ce4b

Analysis

max time kernel
69s
max time network
168s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00276.7z
Size

4.1MB
MD5

39fb6bc4ba8a5113f3c9ef47e229e92b
SHA1

aaaa278089a53fd91d9ec5fd3e4baec2e9a57c28
SHA256

e135b3e7b476bb122662a05c539f79fe49d827871232835c708952a4df95ce4b
SHA512

016db01d77520c9fa21a696cb03c6239da6a458499e0f2db217e9f41305150b2eff4b98366e5c58793db85453da2b8593d37e3ba4ff6e3595ee96181fd64eef8
SSDEEP

98304:qVOn1PxwzMhM512CUclkyBcYDpdQysDyKu3xXN7zX:qVjzMWLrUclkkk6fBJL

Score

10^/10

cerber gozi troldesh banker defense_evasion discovery evasion isfb persistence privilege_escalation ransomware trojan upx

Malware Config

Extracted

Family

gozi

Extracted

Path

C:\Users\Default\How To Recover Encrypted Files.hta

Ransom Note

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="utf-8"> <title>GLOBE</title> <HTA:APPLICATION ICON="UserAccountControlSettings.exe" /> </head> <body> <center> <div><h2>Your files are Encrypted!</h2></div> <hr> <div class="note private"> <div class="title">Your personal ID</div> <pre>3596986768909002996298131113519231175384744339787198052149999934933749628428866965878469710985329298 0377206158483635205161288262654556097525494145349262189644812323708127467261931297965313552208909612 4071342589145091774518365310953273249525195770324797350168971059286531446956478492498257767986155646 9889889578445547579108135454805442002349054188865919096479958416450461747387934412965003113539739657 3022972975613891348331167588833643868218493714339821097659717768196180007609393361582084497134223402 0847042360362936479131732635564859852671779368166093961198168364632537971662735040878531214942853793 104614762014530288</pre> </div> <hr> <div class="bold"> Your documents, photos, databases, and other important data has been encrypted. </div> <div class="bold">For data recovery needs decryptor.</div> <br><hr> <div>To buy the decryptor, you must pay the cost of: <font color="#FF0000"> <b>0.5 Bitcoin</b></font> <br>on the Bitcoin wallet: <font color="#FF0000"> <b>18prjukrWtNRdKXtZLwL7bUgk6J5kkVWMH</b></font><br> (Buy Bitcoins can be here <a href="https://localbitcoins.com/buy_bitcoins">https://localbitcoins.com/buy_bitcoins/</a> or <a href="https://blockchain.info/">https://blockchain.info/</a> - Visa/MasterCard, QIWI Visa Wallet..) <hr> <div> <b><font color="#FF0000">After the payment</font></b>, send a letter to the email address <b>[email protected]</b>.<br>In the letter include your personal identifier and<br> Bitcoin wallet: 18prjukrWtNRdKXtZLwL7bUgk6J5kkVWMH <br><br> In a response letter you will receive a program to decrypt. <br> After start decryptor program, all your files will be restored. </div> </div> </center> </body> </html>

Emails

<b>[email protected]</b>.<br>In

Wallets

18prjukrWtNRdKXtZLwL7bUgk6J5kkVWMH

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Contacts a large (592) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1772	netsh.exe

Executes dropped EXE 23 IoCs

pid	Process
2612	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
2100	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
2508	HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe
2116	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
1688	Trojan-Ransom.Win32.Foreign.njhr-5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9.exe
1484	Trojan-Ransom.Win32.Blocker.jwft-9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2.exe
1168	Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe
2800	Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
1532	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
1400	Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe
2224	Trojan-Ransom.Win32.Locky.xax-47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb.exe
3056	Trojan-Ransom.Win32.Locky.xcq-79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db.exe
2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
1984	Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
2188	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
2516	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
1712	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
2284	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
1396	Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe
2904	trust.exe
1816	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe

Loads dropped DLL 10 IoCs

pid	Process
2612	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
2100	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
2116	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
1400	Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe
1532	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\2112721518 = "\"C:\\Users\\Admin\\AppData\\Local\\KupuNgay\\ZevnInci.exe\""	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe
File opened (read-only)	\??\F:	Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	trust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	trust.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 2188	2612	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe	49
PID 2100 set thread context of 2516	2100	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe	50
PID 2116 set thread context of 1712	2116	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe	51
PID 1532 set thread context of 2284	1532	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe	52
PID 1400 set thread context of 1396	1400	Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe	54
PID 832 set thread context of 1816	832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe	59

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2284-161-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2284-159-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2284-186-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2284-185-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2284-367-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2904	trust.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
976	1816	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.xax-47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.xcq-79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.jwft-9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.njhr-5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2612	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000018b71-62.dat	nsis_installer_1
behavioral1/files/0x0009000000018b71-62.dat	nsis_installer_2

Kills process with taskkill 1 IoCs

evasion

pid	Process
1832	taskkill.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2612	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 16 IoCs

pid	Process
2612	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
2100	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
2508	HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe
2116	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
1484	Trojan-Ransom.Win32.Blocker.jwft-9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2.exe
1688	Trojan-Ransom.Win32.Foreign.njhr-5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9.exe
1168	Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe
2224	Trojan-Ransom.Win32.Locky.xax-47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb.exe
2800	Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe
3056	Trojan-Ransom.Win32.Locky.xcq-79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
1532	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
1984	Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
1400	Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2516	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
2600	taskmgr.exe
2600	taskmgr.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
2284	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
2284	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
2600	taskmgr.exe
2600	taskmgr.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
2904	trust.exe
2904	trust.exe
2904	trust.exe
2904	trust.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2612	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
2100	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
2116	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
1532	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
1400	Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2660	7zFM.exe
Token: 35	2660	7zFM.exe
Token: SeSecurityPrivilege	2660	7zFM.exe
Token: SeDebugPrivilege	2600	taskmgr.exe
Token: SeShutdownPrivilege	1712	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
Token: SeCreateGlobalPrivilege	1320	Dwm.exe
Token: SeShutdownPrivilege	1320	Dwm.exe
Token: SeDebugPrivilege	1320	Dwm.exe
Token: SeCreateGlobalPrivilege	1360	Explorer.EXE
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeDebugPrivilege	1360	Explorer.EXE
Token: SeCreateGlobalPrivilege	928	DllHost.exe
Token: SeShutdownPrivilege	928	DllHost.exe
Token: SeDebugPrivilege	928	DllHost.exe
Token: SeCreateGlobalPrivilege	2788	cmd.exe
Token: SeShutdownPrivilege	2788	cmd.exe
Token: SeDebugPrivilege	2788	cmd.exe
Token: SeCreateGlobalPrivilege	2536	conhost.exe
Token: SeShutdownPrivilege	2536	conhost.exe
Token: SeDebugPrivilege	2536	conhost.exe
Token: SeCreateGlobalPrivilege	2600	taskmgr.exe
Token: SeShutdownPrivilege	2600	taskmgr.exe
Token: SeDebugPrivilege	2600	taskmgr.exe
Token: SeCreateGlobalPrivilege	2508	HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe
Token: SeShutdownPrivilege	2508	HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe
Token: SeDebugPrivilege	2508	HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe
Token: SeCreateGlobalPrivilege	832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
Token: SeShutdownPrivilege	832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
Token: SeDebugPrivilege	832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
Token: SeCreateGlobalPrivilege	1484	Trojan-Ransom.Win32.Blocker.jwft-9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2.exe
Token: SeShutdownPrivilege	1484	Trojan-Ransom.Win32.Blocker.jwft-9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2.exe
Token: SeDebugPrivilege	1484	Trojan-Ransom.Win32.Blocker.jwft-9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2.exe
Token: SeCreateGlobalPrivilege	1688	Trojan-Ransom.Win32.Foreign.njhr-5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9.exe
Token: SeShutdownPrivilege	1688	Trojan-Ransom.Win32.Foreign.njhr-5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9.exe
Token: SeDebugPrivilege	1688	Trojan-Ransom.Win32.Foreign.njhr-5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9.exe
Token: SeCreateGlobalPrivilege	1168	Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe
Token: SeShutdownPrivilege	1168	Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe
Token: SeDebugPrivilege	1168	Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe
Token: SeCreateGlobalPrivilege	2224	Trojan-Ransom.Win32.Locky.xax-47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb.exe
Token: SeShutdownPrivilege	2224	Trojan-Ransom.Win32.Locky.xax-47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb.exe
Token: SeDebugPrivilege	2224	Trojan-Ransom.Win32.Locky.xax-47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb.exe
Token: SeCreateGlobalPrivilege	2800	Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe
Token: SeShutdownPrivilege	2800	Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe
Token: SeDebugPrivilege	2800	Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe
Token: SeCreateGlobalPrivilege	3056	Trojan-Ransom.Win32.Locky.xcq-79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db.exe
Token: SeShutdownPrivilege	3056	Trojan-Ransom.Win32.Locky.xcq-79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db.exe
Token: SeDebugPrivilege	3056	Trojan-Ransom.Win32.Locky.xcq-79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db.exe
Token: SeCreateGlobalPrivilege	2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
Token: SeShutdownPrivilege	2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
Token: SeDebugPrivilege	2176	Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
Token: SeCreateGlobalPrivilege	1984	Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
Token: SeShutdownPrivilege	1984	Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
Token: SeDebugPrivilege	1984	Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
Token: SeCreateGlobalPrivilege	2188	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
Token: SeShutdownPrivilege	2188	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
Token: SeDebugPrivilege	2188	HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
Token: SeCreateGlobalPrivilege	2516	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
Token: SeShutdownPrivilege	2516	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
Token: SeDebugPrivilege	2516	HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
Token: SeCreateGlobalPrivilege	1712	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
Token: SeShutdownPrivilege	1712	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
Token: SeDebugPrivilege	1712	HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
Token: SeCreateGlobalPrivilege	2284	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
Token: SeShutdownPrivilege	2284	Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
2660	7zFM.exe
2660	7zFM.exe
2660	7zFM.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
1360	Explorer.EXE
1360	Explorer.EXE
2600	taskmgr.exe
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1984	Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
1984	Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3060	Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
832	Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2612	2788	cmd.exe	33
PID 2788 wrote to memory of 2612	2788	cmd.exe	33
PID 2788 wrote to memory of 2612	2788	cmd.exe	33
PID 2788 wrote to memory of 2612	2788	cmd.exe	33
PID 2788 wrote to memory of 2100	2788	cmd.exe	34
PID 2788 wrote to memory of 2100	2788	cmd.exe	34
PID 2788 wrote to memory of 2100	2788	cmd.exe	34
PID 2788 wrote to memory of 2100	2788	cmd.exe	34
PID 2788 wrote to memory of 2508	2788	cmd.exe	35
PID 2788 wrote to memory of 2508	2788	cmd.exe	35
PID 2788 wrote to memory of 2508	2788	cmd.exe	35
PID 2788 wrote to memory of 2508	2788	cmd.exe	35
PID 2788 wrote to memory of 2116	2788	cmd.exe	36
PID 2788 wrote to memory of 2116	2788	cmd.exe	36
PID 2788 wrote to memory of 2116	2788	cmd.exe	36
PID 2788 wrote to memory of 2116	2788	cmd.exe	36
PID 2788 wrote to memory of 832	2788	cmd.exe	37
PID 2788 wrote to memory of 832	2788	cmd.exe	37
PID 2788 wrote to memory of 832	2788	cmd.exe	37
PID 2788 wrote to memory of 832	2788	cmd.exe	37
PID 2788 wrote to memory of 1484	2788	cmd.exe	38
PID 2788 wrote to memory of 1484	2788	cmd.exe	38
PID 2788 wrote to memory of 1484	2788	cmd.exe	38
PID 2788 wrote to memory of 1484	2788	cmd.exe	38
PID 2788 wrote to memory of 1688	2788	cmd.exe	39
PID 2788 wrote to memory of 1688	2788	cmd.exe	39
PID 2788 wrote to memory of 1688	2788	cmd.exe	39
PID 2788 wrote to memory of 1688	2788	cmd.exe	39
PID 2788 wrote to memory of 1168	2788	cmd.exe	40
PID 2788 wrote to memory of 1168	2788	cmd.exe	40
PID 2788 wrote to memory of 1168	2788	cmd.exe	40
PID 2788 wrote to memory of 1168	2788	cmd.exe	40
PID 2788 wrote to memory of 2224	2788	cmd.exe	41
PID 2788 wrote to memory of 2224	2788	cmd.exe	41
PID 2788 wrote to memory of 2224	2788	cmd.exe	41
PID 2788 wrote to memory of 2224	2788	cmd.exe	41
PID 2788 wrote to memory of 2800	2788	cmd.exe	42
PID 2788 wrote to memory of 2800	2788	cmd.exe	42
PID 2788 wrote to memory of 2800	2788	cmd.exe	42
PID 2788 wrote to memory of 2800	2788	cmd.exe	42
PID 2788 wrote to memory of 3056	2788	cmd.exe	43
PID 2788 wrote to memory of 3056	2788	cmd.exe	43
PID 2788 wrote to memory of 3056	2788	cmd.exe	43
PID 2788 wrote to memory of 3056	2788	cmd.exe	43
PID 2788 wrote to memory of 3060	2788	cmd.exe	44
PID 2788 wrote to memory of 3060	2788	cmd.exe	44
PID 2788 wrote to memory of 3060	2788	cmd.exe	44
PID 2788 wrote to memory of 3060	2788	cmd.exe	44
PID 2788 wrote to memory of 2176	2788	cmd.exe	45
PID 2788 wrote to memory of 2176	2788	cmd.exe	45
PID 2788 wrote to memory of 2176	2788	cmd.exe	45
PID 2788 wrote to memory of 2176	2788	cmd.exe	45
PID 2788 wrote to memory of 1532	2788	cmd.exe	46
PID 2788 wrote to memory of 1532	2788	cmd.exe	46
PID 2788 wrote to memory of 1532	2788	cmd.exe	46
PID 2788 wrote to memory of 1532	2788	cmd.exe	46
PID 2788 wrote to memory of 1984	2788	cmd.exe	47
PID 2788 wrote to memory of 1984	2788	cmd.exe	47
PID 2788 wrote to memory of 1984	2788	cmd.exe	47
PID 2788 wrote to memory of 1984	2788	cmd.exe	47
PID 2788 wrote to memory of 1400	2788	cmd.exe	48
PID 2788 wrote to memory of 1400	2788	cmd.exe	48
PID 2788 wrote to memory of 1400	2788	cmd.exe	48
PID 2788 wrote to memory of 1400	2788	cmd.exe	48

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1360
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00276.7z"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    PID:2612
  - - C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
      HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2188
- - C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    PID:2100
  - - C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
      HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2516
- - C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe
    HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe" "HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1772
- - C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
    HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    PID:2116
  - - C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
      HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1712
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_7GQNI73_README_.hta"
        5⤵
        
        PID:840
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:2420
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe"
        6⤵
        Kills process with taskkill
        
        PID:1832
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2612
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
    Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    PID:832
  - - C:\Users\Admin\Desktop\00276\Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
      Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 228
        5⤵
        Program crash
        
        PID:976
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Blocker.jwft-9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2.exe
    Trojan-Ransom.Win32.Blocker.jwft-9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Foreign.njhr-5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9.exe
    Trojan-Ransom.Win32.Foreign.njhr-5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F346\79A3.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\C_G1ring\catsclnt.exe" "C:\Users\Admin\Desktop\00276\TROJAN~3.EXE""
      4⤵
      PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\C_G1ring\catsclnt.exe" "C:\Users\Admin\Desktop\00276\TROJAN~3.EXE""
        5⤵
        
        PID:2332
      - C:\Users\Admin\AppData\Roaming\MICROS~1\C_G1ring\catsclnt.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\C_G1ring\catsclnt.exe" "C:\Users\Admin\Desktop\00276\TROJAN~3.EXE"
        6⤵
        
        PID:1704
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        
        PID:3052
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe
    Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys74F1.tmp"
      4⤵
      PID:832
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Locky.xax-47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb.exe
    Trojan-Ransom.Win32.Locky.xax-47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys4DA3.tmp"
      4⤵
      PID:2396
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe
    Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysFAD3.tmp"
      4⤵
      PID:2972
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Locky.xcq-79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db.exe
    Trojan-Ransom.Win32.Locky.xcq-79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
    Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of UnmapMainImage
    PID:3060
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
    Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
  - - C:\Users\Admin\AppData\Roaming\trust.exe
      "C:\Users\Admin\AppData\Roaming\trust.exe" runas
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Access Token Manipulation: Create Process with Token
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2904
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Scanner','C:\\Users\\Admin\\AppData\\Roaming\\trust.exe');}catch(e){}},10);"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "C:\Users\Admin\How To Recover Encrypted Files.hta"
        5⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Roaming\\trust.exe');close()}catch(e){}},10);"
        5⤵
        
        PID:1172
  - - C:\Windows\SysWOW64\mshta.exe
      mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\Desktop\\00276\\TR9736~1.EXE');close()}catch(e){}},10);"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1160
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
    Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    PID:1532
  - - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
      Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2284
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
    Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1984
  - - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
      C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
      4⤵
      PID:2168
  - - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
      C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe
      4⤵
      PID:964
- - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe
    Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: MapViewOfSection
    PID:1400
  - - C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe
      Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1396
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1963435411815313295185338886-482149471-962783482-1513655511973323830-1445796610"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:1968

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5c4
1⤵
PID:876

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:1136

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:2016

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSIRIS-727f.htm

Filesize
8KB

MD5
6c4f3f32d413159c4aa9f3da8f91d454

SHA1
7ca300d5ea85c21a9310e10f9401265251e18971

SHA256
264c5fd4301ae0eb8219884b0a7cf0548f498e9fd7caa34b260c88e381ea41fa

SHA512
8d7a17fafe1471f378673bbd42510112073baedd2970a1634e97fc9f4700331cd923d5231a3be51246ee83bafd4f956cfd79a75009305deb8e1fe9bc6a588f52

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\OSIRIS-4745.htm

Filesize
9KB

MD5
ce1673d8fdb40c87ef97f1992b625659

SHA1
63268717f27b7e971815456a33563896a30b1b22

SHA256
a3b8c28468ea830eb98ecc7734e2a3160bf1e62c26a861a10d17dfe0ea8e7730

SHA512
68bb09b223c42b518bda64a474ba2f62d3c319021ecdb386f1e4cc6168d2475026d7a38fb714d0e4e53152cfbc838a4186a57dfe4c6558d9636ba57b2aaa7a43

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\OSIRIS-8040.htm

Filesize
8KB

MD5
f3de7ec98551e8227b8cdd142997260a

SHA1
2771451e3d90b1d8afff70478d466ee6e5d84438

SHA256
0b8972fd8992aa2b8bc31ffdd36202d0a395c99658642e7bf652cecc922c4fad

SHA512
0bdb4f7cf2002f81d0e69b47e10374f968e05665f983db6b6723ab44279b48866c28835b297812a93babecfa23fd773700f8988b4e93f1c9486b37f311cd0dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b97c444672feb6cd4d9de4c19951a467

SHA1
e4edeb3efa4bb826998076b666f1eafbb1dac165

SHA256
fd0604fcefc1a96a14bf8455f9c05efba416b66ecbc287fad33957eecda80c9d

SHA512
b3faf774057fc7de6a8ee6c4f2afa50ba1674bc7de20ac0be53a60e6a65a95ac137cf0ef35fca13796dbc8524d9b5db109d4ac3daab951e70e0ac3ffc4606b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57235b734c62cf4162b5485dd57516d1

SHA1
9b521c4e68a4e0b2276eae47cd1d0daadbac3e0b

SHA256
07bea18ae0164223660485b7216ac7c8de78f1e3d20b593ee43088ce1196fa69

SHA512
d65bd907521b487c2bcb5ad2a917bcd10cfaf9717704e2bfa0d633e4c2f26222f14a5bc49b1c6c8d137d4d3cf60627036ddc081e7e5c4b2adb7a34dcd44584ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efdad0edaeba41bfc825151bbab11657

SHA1
983c291c22f2d9b2deec84be946c04231ccf3a5a

SHA256
424939aff3a08b521ae1c2d2b8e1f91c37a7add4ceef42957d10c27ea2c8df00

SHA512
2bb89a224e4f270f97eb57f9a3bfc5ab9200a2f4668c00479eb4295f6f143ac78a0a3f836e41da04b25359588012f1f5a6ccddfddd5f6c4b4c1c0fa63974c5f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bf76984270ef49a652c31cd5cc45d3a

SHA1
4a2635cd53df9788e5ae5bf312013ee6c0176e80

SHA256
b4919d38556b783de34284161a18f54f9287e5118b42d5aa471e3375021be4aa

SHA512
b845bf17f23cf47d693e78099ad788396e39f4b78bf56e798107d29a2cc12b0de155ec22ef96c1fd92a09cecd0a644fb686d6d838ae7d6dc53ec684b642c5a55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c1c1a021d86675d31ed55516ed94d40

SHA1
62cf94f550ba1f297f9365ae487af679a2831ead

SHA256
df2623eeb6c79adaf3fa0ccde0f6b2b0c48a454ec8951090858ebf11ad8d120c

SHA512
c60c06f37713cb2564916501198bb5507465f9c86bbc033222b3bfc33edeca97c0b09607ea93e44a1f234b8fdf617c82c8aee2af57fd56ba4b18681404f4fe4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e646e8c5b054c023946373bb4e3efbc0

SHA1
8e37d3d3de2d038e637a3c4f0cb3d597749a3e79

SHA256
a28bd6cc00a8d0c2c0ae9237310ea37d7c50972aae037a0e83c5ab950e0d5d8c

SHA512
1a721875a1f9a20965058cc646af066462bd29af940cbf0f0fdcebd97a2b8ff3e1f0c81691255d7167f895fce7e389689de5f62297405f48c6bb0923e275f8b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b87ce34cbac96ed215256c3c5fd92ca3

SHA1
d94837b87d7339f8380248bcd50f96e687996b55

SHA256
4f870eb271bc5dbd3d795e732fbf893fe904e7166679496a264baddeb63c6885

SHA512
c50304dab60061f1d0c5f7bbd582644d67bc7050c3c23982a8aa1158078a61ad22b015fbc3cbac3a3e9ad5719c02fb74052725888b4d40cebc6d5023bb98b02e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08be92b2b4e31270892732fa9d5b32ca

SHA1
f33d166a72e37498d2705cbd21db379e322930ba

SHA256
8f33c9dbd29e03acf33bde0244cae97e6532eca6ef1316d143491ea96f73e9df

SHA512
a13dbfbd31263d60c52e11a8f34dbc954716b9a215d2178c96865ed4040b388876929c6654aa68306f56d9361db9b8230ff06cd25e0e6a6fc3fb1fec69f92896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7364a58d2a3a88a0d41ab44b4ca1974b

SHA1
1458cc55dedb1e23f374cc8a861fe4a4c7eb6904

SHA256
6cb93e3cc0bb74ff178aa605fc69a25f521375efb61edec00a0f302dbfbbe7b2

SHA512
5b4954d870ea0db39c3427bf0746d8a5c1c98fba6f02fc87184c69a0775e7d96d50065c9635b2c6c10637663d31cc24f6e2ca4ac174b65a9cd20bd6e90b0d521

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f01ed71f47528a3215b6d04a4537e1d

SHA1
b7694c469af9421817e27d066cc27ba0846f388b

SHA256
3d781636596c707558bef65bae5223e5a1e939a39266d197fdc81afab079f9d3

SHA512
fdb3c974fa0dbe9b810ae420960644d36dafd056f9fcbf35cd45718450f2f88734a860575565294016ad0264071c189883e8638f99198b30b56ef6be08d611b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b954a0ca80928cebbcc834085742ffc0

SHA1
a4e829479d3a3867d80e2dd3fa5528c84ae81656

SHA256
54a6dc17f972414e4285ca0f560d6d85c1bfd22f6e3cfb92b6af283c1903cdc7

SHA512
1ec5412d9e5a870699a8a64fd9fd391554bbb857be8983a014bee966d46e15979ee35952279085faa35a993c0376cdff1d8c5eacb6435a7ef3a421dc5ebc421d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf3bd9488079ebe5d87d1c679039cdf9

SHA1
53f7e9c1ec3e8c65b2bf75c800a6bf961d7115a4

SHA256
601cfcfeacc0cd81bc1c2b3033e4a1f83d1af074d4b427f3a54033da7b938719

SHA512
09a3986837d5d7906c4c4791feb7940a71f5029883c33c053c55a006a082e1bdc8e75dd8b857a7c83dfd97cb97d9a2f0f4886a517a2e4663f050d0ccc8947ffe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e77c6bcd141fef199183bae48d95a87

SHA1
02c43c48d762d8ed2008459531b9cc643a12c804

SHA256
1b5ecf557f8748bbef7b91426a2e94ca422d6a8b72e0130c34e258db6433803b

SHA512
9dc36510edf2e8c97f8d599b40b4a4387720ac3845e673c6bed072d6ef3fe1e23a677aac1021569fdcfa7835e3855e199ee8810a1425a2693e9c25c3e91796a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed84c00c71e9dc7290ec3659526db408

SHA1
1119df51e7007c12bd154b278ae54cf3a195e826

SHA256
2ff2e499ee693f782734a725840169dee4c4d7724a92a677666e474a7b58fc19

SHA512
66973328f622488cd6dde1840d903c9f7c0f08f3d31e08c682e100c6aca3de4ffbb46a6b8013afe159b40802265c51fb678eb137846dfe566e7fa265cd5e6c36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa44755e768c6f756a54199687375a2a

SHA1
325e0cf23ce7abc7ef89915651286d9abb75b8c9

SHA256
4df43160b63b48d0da89bd1be9c52634f53dff45bf07b3d7d890c7929c2034f5

SHA512
f575006935ed8443b9e4527a706b5684ac77897aee11ce42c8ab86a515c8221a9530ab4a7a207fa79d88f676266751aaf047827e710755d4cf91782144fb7baa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3b918c24386dffb7e0402cc81a3d60c

SHA1
9b5420c6b407dfbf381ec031fc71c9ffdecb5723

SHA256
9f7b159bf131f785154500faa65bc0c27ef9157558fd53c7619c698cd2fec473

SHA512
bb284ad3b92f9cc664122239aa0418e18203dff17432cbb35b66d3bd1ca59248c1ac63e2c5aaa6896c6f84777a267cf641673041fe10e740f121409f1cedd275

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9887b9d9d991e19f3c3a9ec9cb705d13

SHA1
31abb50e441e27ab87957a6424b94746c63b6c35

SHA256
4bb9dcd0224db0c7f02375f119ea17e8fbc2034a5ff66caa0c3019bc57396a01

SHA512
11d29e1beb66987f0c48b64b1a9c8dd7f84704d1b5dc6b99eceace9eb3f060b6636abb750042be7579ac3a6daace934380c15c3ee963c770a90c3a5e77a7fdb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22d84387bc4ea7b79b223b51e8701ce6

SHA1
7f75ed69a8ac1146c269c28245054145b5d5d097

SHA256
b7db80f1e38b2381d3a42f1ec6169c3ec9529704a4674e06fc73c464d0795a3f

SHA512
1f42cadb4d4fac042178b7cfe7fa599f28913864c7373b35702a6e7238569efec0c8cc5de45427bf4b05b4fe089eb6a688bca56ba5308af0370a82cbfe783998

Download Submit
C:\Users\Admin\AppData\Local\Temp\6110149a\442a.tmp

Filesize
344B

MD5
a711a1b4959a5b5a5060afe01b790d42

SHA1
8c01575a22cef2dcc738f1d7a4b3b992bdc885fa

SHA256
faf1d96917b797c234c4e13066ea4571f3bcfecbd8ee9d92e40daade44bfa136

SHA512
24b1f792219c208c68e926595f701b626cf1f24a6e91fa42280d72af101f838991ae12f7a04e6669f004f66b1b0c379ed81d9e6d58fe4bae45ec9b7646c0f1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\6110149a\fcf0.tmp

Filesize
130B

MD5
50fe8da980185d34474851acb1c8adef

SHA1
e12b98e0ae8d749f294dd41bfc60c10c8834707e

SHA256
d75177bbebb15a663805b68c8fb5e593b7b3b273eb51688cb7f4d07e4d429574

SHA512
555be9514ecf42bd991bb2227103b18c654a5dddbf73b53446aa82fda0e2c80a4b07ff4e6ef028fd860a07cde1db0baf0b1da7ec7f746b1861ea5b8578e4abde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab166F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F346\79A3.bat

Filesize
112B

MD5
f8fc2424b05c1507dc69e975ab75491c

SHA1
96f107103461358454dc23fccf0fb6d4031331d2

SHA256
9fb153482d2fc05e543c1e76adb60072cb9007cc7de255239eb3fb65b2119bc7

SHA512
82661ac2e43352bd047c806551bd678aff3c2f70d87822398a1d8c1fb064f8205757e39840635afdd5bc87cf98d6b891056f7c25fbf9bd5912d49102f1582604

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar172F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFC818B36DB3606BB9.TMP

Filesize
20KB

MD5
dc7efc3668b77c8ba961b8519d5013f4

SHA1
11a981cd7829b8d943846299bdaba2101991c668

SHA256
67fcee43691c1cc7e31ca6de9e0a67e4564cb162ca2c0b90bf5a5dbc7c3ca699

SHA512
85349b2fc735cc2be19436a18e977b5a24b48dfa44f7a725b16a2996090138adc3c6a7ea7a863e4988003e8b0dd5d6cbb892f3b5da8920393362341d09acdb99

Download Submit
C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Agent.gen-c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e.exe

Filesize
124KB

MD5
cb0545e707741dd34d46f7d2cacf07b5

SHA1
32feb2f64150f747c8c22944b0125a13a4c4d33c

SHA256
c4704d7278cdf8ee080dd26737a7d77510642eda2f4cc86fcf588ae93e37e37e

SHA512
49323240e6bf327405bcc9fafa2d23eb07b6d6ef8187e82eed990ac967f1b7e2b3737ae9753fce73b04b56b4fbc882f87e08e88108cbd4ac4443dabb54003bb2

Download Submit
C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Agent.gen-e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff.exe

Filesize
140KB

MD5
d86fac2dc09ef4e755372aa193ef9eef

SHA1
79bd39658485ea7d47b9bd619d6c0af73e1139bc

SHA256
e0947d8feacccf452053cb70d7dc6473f7d25261df9114a21d141926d75c8cff

SHA512
6604f7d78f94aac14d37190b4541d20206fc8978e1041c4c0424c1eddf19ca72642e3352097e9bb174468fb19d87895e62ad09b73c73621d8df32432b001190c

Download Submit
C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Generic-45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6.exe

Filesize
200KB

MD5
6c3629244b7d22d6e5fd73d47ef8af13

SHA1
24b99847f63dad7cf7db6773dcc17641a23aa52a

SHA256
45b56e901322cab6a7ad4ddd8877a15e7ba58ee7f306bf4412130661b809a2e6

SHA512
8ee4fff740320956cb851cbba6bfde63b224ebee65145867ba712083ffa7a3da2657a5786bab0897c42f0547fe8e0556d29d07c50735bdda2b410b38528514d3

Download Submit
C:\Users\Admin\Desktop\00276\HEUR-Trojan-Ransom.Win32.Zerber.gen-4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1.exe

Filesize
311KB

MD5
eb94e500c8fa73b209cd5911a0898520

SHA1
bf59f70cca8060e25c802161872fee9f7511ded6

SHA256
4fc86327f8e56ea41e26ea15f1d5b1e86ed7c07cd2378bb11eb3962e1c087fd1

SHA512
7212ffdedc4d2f6d1dc4b8aa41a24c6068e486cdc6b298a18508e4b34ae114b95535fbb16c437918c5ba43583bf67826f2cc05164aa94da216308d123b633684

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.NSIS.Xamyh.dmr-01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4.exe

Filesize
726KB

MD5
90e3ed01394831283c5ff89c7326d701

SHA1
37d5c3beb2a43f7d325f7febf236e613419d78b9

SHA256
01d833e05fac36d3c1b0febeadb2aa5775214477c111ddfbebec9d95dba27ad4

SHA512
214af2469780d9ec4913e393ac8bf9c3ab9e60dfb0947d9b7eb8d105168bbd2e1f3a5dd0dac8a3632561d19b2db0f59a8b64a89d9e22651ece5142c3a29ed7b7

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Blocker.jwft-9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2.exe

Filesize
1.9MB

MD5
ee4048b9f0a0e6bf5b6816cc5228b271

SHA1
5c295590f5a0f7ca9b86d7fd9a54651be116f179

SHA256
9c8abc653e74ac19d8ed0d66c3fabea874ddec68676057bbabe10108a1851ec2

SHA512
8857797cb045c280f2d20426074758a1a784c402abf6ee5a3386dbe00005f49930f4c81afd22c8e95491e047d185f0fdda8ddc9cfaaf507d134ddca77ca691ac

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Foreign.njhr-5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9.exe

Filesize
436KB

MD5
7709a00cea8d1188cceeaa8fcfeebe72

SHA1
f912192a1aa94252ce8f0f31df3dff58db46f56a

SHA256
5a73483fb187ff90010729ad07c984826f132de2a52848e0f7d77f5aad6054a9

SHA512
b256a522b7beda3aa2e2d4534b90b8f60b5393946d8f96ade575056ea995deb0b7d705eba0c3f0be7eaa5082c23537ca3aa2c69c6f31da1a677966a7cb730ea9

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Locky.wzv-05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8.exe

Filesize
407KB

MD5
c9713296bfe0d9831623e5419399c33c

SHA1
94f055a334f6b2398d58529c684717ab97c440e8

SHA256
05ed2cee7f1f85222fefd38973bcb6fae641dcfa06c759eb277e036eb639d7d8

SHA512
4717e9c4033c2b75ed137e9cc322ce98221dc8b67e99814dd3915164cf7fe668714407064fffe899199cd974910949f0a5008087915dbf5d6ec4192725001a5f

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Locky.xax-47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb.exe

Filesize
434KB

MD5
62513caa3544d96ccbc4f6eb2f7893fa

SHA1
91e2f91daef9e7e16223c0e461428df56a7ed0c7

SHA256
47331d2336a89f03369d48c766b304cadc0983ed98f5853c1bdb428c7edaeeeb

SHA512
0f006c78175a2787b242384bf0e00f79c64ce26b2753eb7a337510c7ece75092156afe58d5c8388d4eaf828319df8bb5f3ac1bd5d82aba447d8f8abe3ab6b1ee

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Locky.xbs-aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452.exe

Filesize
544KB

MD5
df18ef1934536fdc01a1edb1c6202092

SHA1
cc836464bc5201e2e85ebe42157ccb80e6481c4c

SHA256
aa82459641ac99a94efafa8744a509a1747d23875de8a1e4ba4b3311991c0452

SHA512
890a116cec41af8e93479e99c25261d6017a6aff647b96a1ac316367a76e52321359c46edbc25a251d88f2dc97126ce1b7eef7c11dae894c01a4f765d5f777fb

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Locky.xcq-79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db.exe

Filesize
585KB

MD5
afed90629bb84de0ce8e7c6d2231e9c3

SHA1
4e7fa838280b7ab7f70afd5e73c461639a1f0b5e

SHA256
79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db

SHA512
7e2d9b080742c93faef815d867ebe0f7eaaeda2f569641be4c3ae5ab74e678277f3264b496669ff25c6e1d6c486d2b1d3dd99163edf3a2a5caafc5c1b8ef00a2

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.PornoAsset.cyem-af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e.exe

Filesize
160KB

MD5
1627a0b37c3d8f17fb37746dafb74017

SHA1
645dba497a64ca838b81ab63bb9fed1d4775d520

SHA256
af461cd7748e94a46e3a7c2670b0f153521bc30524df8a02b7501dbffd48fe3e

SHA512
8ba3f6ba382e82d895e639f3e3a330cd7ea8858860232e094e2f129c5b9ecbd7f563933dfe8398051aba5dd0e2a94b446137ee1b87d3d2e6911a5991da02c293

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Purga.af-a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749.exe

Filesize
436KB

MD5
643f54876dd07602c8fe3f0ba310cc14

SHA1
f4858c0341af73a17c91849c5cb7d4484afbc870

SHA256
a8198aad1ddd19d882e3139ae724a3a640af05185da591f5a66b1c144825a749

SHA512
f3a443aa5e4280c4ad4106b34bcce2a388b285f48c9e97668be4572fe7c4077c668467bce3b298d7803a381b8ab87130bad4ddf2b30879cbe2d63318b9c41053

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Shade.lku-b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d.exe

Filesize
921KB

MD5
950f25aceb50436245afaa3bda191abc

SHA1
040a41003d7ce9253bde139d83d57656ad02bee6

SHA256
b853187c755624fb93e704c9c20319b5a5d9c4d74c662a6cb4cdbef15023dc6d

SHA512
c1f695fefdd46d45b0141cb2fe868a854426fe934bbd18ad2b3be37a5b595d42f1960c24ffff2a73b7414a582e025b643483284165d73b6442adbbf2d3e6f530

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Spora.d-2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1.exe

Filesize
116KB

MD5
039e77ff2ec4d2cceef3b75dc5b2e30d

SHA1
0828378907747807803a519fdce294ccdadff66f

SHA256
2af751bac1f92c754a7d5a0c58c3a68f62dfce5806c11619d2a31640d1a6ccf1

SHA512
6e770aacf2f06a0d507da8071db310b77029de7d81a94c6467bfaf06624ebecd96f17be1429e3183cf79f169b3dd22da2e86689e11fd6ca8c326f94326c4efc7

Download Submit
C:\Users\Admin\Desktop\00276\Trojan-Ransom.Win32.Zerber.ettc-7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9.exe

Filesize
321KB

MD5
0cdbbf02a6a36f3c745b4a077bcfd6e9

SHA1
022afdb6674de5be840eed1360fd3402e3479108

SHA256
7ed8a3ec8eba42f190b44315ae3f44520bc9d7fc3c07b8e292dd24865df74df9

SHA512
ff0cd082969751a1927072e6ab3cfec38fe634c61db0e294bd4fbcb68c86fd80dc1e3cfac77a5ff39a9249f66e4bbb89d0c591a5638f2f9b1424f16b06fab579

Download Submit
C:\Users\Admin\Desktop\HaR03jeYYaQPNa6wLgXeRv-TVuO9Y9WojwCsFwCC8+0.globe

Filesize
542KB

MD5
3a62d13cc031f968e0c540e5744175b8

SHA1
d0ccadb44ed0f5f5c26c0a515e906418a01e5876

SHA256
2ea46047702acd502e1e118df3dc62a1bf83d8264844d8e12ec8dc9a9032e37e

SHA512
f736063d13c753352ae3a563092b4349ff64a25389bb95f485018ce2da699b791edd32ee488fd81b3bd9be8ebf03d4a925ba4c7223079693d6c2d7727bb67677

Download Submit
C:\Users\Admin\Desktop\OV8AaOJreQVXnsvw6NZX8Rj1IuzhQiFaHmLqrjbAZbg.globe

Filesize
449KB

MD5
5c8dec848f824ba3fa0f1920db58b945

SHA1
398ac7327aedc919d5c0ed6506454d6450d4a12f

SHA256
dbd43ab86787a2786a9f0829b2529cdb107e1bda97483d32b6e192c016df57b4

SHA512
e41a17879692863e3759386259426fcbc87033efd9fb007f0d974d3dfb78be41df2c9c83af1dd6eebd581593d71296e016653cf038c7cfb9939f7e0c5e69bddb

Download Submit
C:\Users\Admin\Desktop\XK1hF8Q49MxHo-StmbtOmNsPAa8BBWD6vXn+7NDppOw.globe

Filesize
13KB

MD5
40a6f4855b20dbabfffa1d494666fb5c

SHA1
7937f0bba556823eb0921e03c5af07ae607c89e9

SHA256
117b3255732af2d78de1b3d76b78524552e85393fca86b0ad5a36ff20aab2349

SHA512
159e4c07097ded8c0b130fa86221229f81ec76b47aa27daa26bb7da93d6824ffdb3413b10aa761001d845a36d5bfe9c29552527cbb2e416a70debc273f43a9a7

Download Submit
C:\Users\Admin\Desktop\_7GQNI73_README_.jpg

Filesize
150KB

MD5
cfa66ead3eb30641590c331ef45b00f6

SHA1
2bc7738ffec45175567e1017bea18a20c9813670

SHA256
f968bbce57b83156a87388199d619127f9300c74c1653dd8c00e4789bb99a876

SHA512
4b44e1fd84ea689e846951b470b49a2e2a941503991664a5c7728db4e587e872edc96c364806bde77036eaccf91b73e6c73d89d724dd712f16dc643d835d3a99

Download Submit
C:\Users\Admin\Desktop\o3Fuzy5Eqr.a749

Filesize
883KB

MD5
895ceb0c81baaf61dace39a798c0417d

SHA1
9bdee2fbf35b2c53cd0027061a0d6fd8589c1c9b

SHA256
23b13a7f3e86b81a9b40ddd8f6110c0299a3c64bfd19c4adf2764faba0a77122

SHA512
9d005c79a4d3d351aa2acdb181cb7df403b76fa97d21a46b0804aa7f49d19d6b9fb92f7b49feb3bba200e34ee0451dc964b46dc46b7669344ff9dbeec40c809f

Download Submit
C:\Users\Default\How To Recover Encrypted Files.hta

Filesize
2KB

MD5
f791c8a6aeaf301fe5e076ab9c502a48

SHA1
c2ff561960ce5b8c590edfb65a61b727dc8feb38

SHA256
1cb0d0ece1de0c23832f300cba58897ba5cf5e7cb466d6e6b51b94d1a40aeb93

SHA512
502aea4d0834263854f191a24186c7cb2876a86f6dffbcb0d5d9497005749691135f786fbb0ad6df27fa6df4c2514039cab1ee5ba20255c1ea90446dd8ab5db1

Download Submit
\Users\Admin\AppData\Local\Temp\nse2D77.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Local\Temp\nsuDAF5.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
\Users\Admin\AppData\Local\Temp\nszDA79.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
\Users\Admin\AppData\Roaming\CabDLL.dll

Filesize
9KB

MD5
c51af6fbee12bf5268cfa2fe936fe9ce

SHA1
bc6de4ae5fe657b8cb88c7ed794f491470ddc3fc

SHA256
03e62930900b1299ace40af496be60efe58576884a4e5bf6c40cd6ab75597258

SHA512
7401f7d2885cba6f2ec534111be3baf4ee15d631bd9a09fc11cc7fc7317c677d0d045cf0bdff4b6466284ca2fbad6e0bcac3410e3da702dbcc6c7f282e1a3fb9

Download Submit
memory/928-202-0x000007FFFFF90000-0x000007FFFFFAB000-memory.dmp

Filesize
108KB

Download
memory/928-200-0x000007FFFFF90000-0x000007FFFFFAB000-memory.dmp

Filesize
108KB

Download
memory/1320-183-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1320-188-0x000007FFFFF90000-0x000007FFFFFAB000-memory.dmp

Filesize
108KB

Download
memory/1320-184-0x000007FFFFF90000-0x000007FFFFFAB000-memory.dmp

Filesize
108KB

Download
memory/1320-181-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1320-189-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1360-193-0x000007FFFFF50000-0x000007FFFFF6B000-memory.dmp

Filesize
108KB

Download
memory/1360-194-0x0000000003C30000-0x0000000003C57000-memory.dmp

Filesize
156KB

Download
memory/1360-198-0x000007FFFFF50000-0x000007FFFFF6B000-memory.dmp

Filesize
108KB

Download
memory/1360-199-0x000007FFFFF50000-0x000007FFFFF6B000-memory.dmp

Filesize
108KB

Download
memory/1396-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-163-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/1688-164-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1712-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1712-169-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1712-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-165-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2188-110-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2188-109-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2188-92-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2284-161-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2284-159-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2284-367-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2284-186-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2284-185-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2516-153-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2516-152-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2536-212-0x000007FFFFF90000-0x000007FFFFFAB000-memory.dmp

Filesize
108KB

Download
memory/2600-759-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-656-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-871-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-870-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-806-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-805-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-765-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-764-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-876-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-716-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-715-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-872-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-655-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-33-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-873-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-34-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-32-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-875-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2788-208-0x000007FFFFF90000-0x000007FFFFFAB000-memory.dmp

Filesize
108KB

Download
memory/2788-206-0x000007FFFFF90000-0x000007FFFFFAB000-memory.dmp

Filesize
108KB

Download
memory/3060-177-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download