Analysis
-
max time kernel
187s -
max time network
472s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250217-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
03/03/2025, 00:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
CrazyNCS.exe
Resource
win10ltsc2021-20250217-en
crimsonratgandcrabbackdoorcredential_accessdefense_evasiondiscoverypersistenceransomwareratspywarestealertrojan
windows10-ltsc 2021-x64
35 signatures
900 seconds
General
-
Target
CrazyNCS.exe
-
Size
122KB
-
MD5
d043ba91e42e0d9a68c9866f002e8a21
-
SHA1
e9f177e1c57db0a15d1dc6b3e6c866d38d85b17c
-
SHA256
6820c71df417e434c5ad26438c901c780fc5a80b28a466821b47d20b8424ef08
-
SHA512
3e9783646e652e9482b3e7648fb0a5f7c8b6c386bbc373d5670d750f6f99f6137b5501e21332411609cbcc0c20f829ab8705c2835e2756455f6754c9975ac6bd
-
SSDEEP
1536:frNvVsJysJYUjwRBRZ+dtf9naYlN4ZqhOn6w92znPIW+M2TlT8KV2enfBA2yYd1:zNv+JyS0DZ+hJlMn6w92zgnMq85f2v
Malware Config
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-1786400979-876203093-3022739302-1000\RGZCNUO-MANUAL.txt
Family
gandcrab
Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .RGZCNUO
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/faedc421c26182e0
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAACnDKFjfDFoDx6FKJ2aSIFbp2Xq+bk5QgyXAJTF7YOvaWzRey5yJ+o1w41QJVeHJFcTrIhyKtNyUr8zwAW6kjiQip6LH2YmMdygnyvMBx5MJVzLHtRg0cwynDqmjtn2Lufjo6q3fXv6x34Pv+dPWibVDwtcpeja8LWkArXYIAKOil7cKOF+g82/dH0B54xTTUIYxWRQ+YF1MMjpoIqH3ui8wS/y74AbURb8MJPxf1voV5NbffrDAydEkW2e2laVqaGDs0Q+rHHhO8VK7iydBM3DUluaUypIhLqhhRnjNMVjKbgmfH6Qimz2IP9RFBVPxEI8JcXyNcROB+EdgTzw4TxwDMex1jIMs90rueyGEv6quNnL/TEwswNY/C1QkCv+sjcOmPwsWPfwcYMNlcHCUbl25ORGoMXpTvIyA054w+B1xHvIAYGEq++PnLgSjM5wG2cNdLvtWgacJYN/9Wy4h86Q0CbQremMbmv9JxEIxKbX0ir35uTT8gZWxI8+/yyuMD5QHMue6sPESNjNAxnRLZP+FKO2N3Sk4PXN3ocUDP5ceyGU4F57sUcgATIXz7uvF7yRc7R1OmwvkY03/As/7R3eVwWkQmk+7KVHHatQEosLIB7gWVAvou2QlyhA2PGbnaZSJv45SANGC2B9tX3zDGW6Rsu/BQEbYjKo6OeUoQ3a38sUEzVDqw1ZjH82CN7U6Et4ePXBQmOxXPV+dy0NdkE6UpgnnWUiUuIXhurGZiWQnJfEf66S4aPJbB05ohJ3WkLAiLaz7ut37RZdMK+Kw/vlcVuN8f5JFsiDJYNcc1UnikNu0IDQWPMCDSGwP/t+e1G6ukWCguPJhasuqMTk2IEo6jgsSShWW9hEsYInxG7+r4DkufN72Xye6OPu/cLQI92E5YcvIPuBlE6igwJ0Ae8oEFv8NL2eEHZzSfnzXFS+eqomcpHtbd3T/O/r54arLq/iZTgX5cdYmGfP44ShGDZvuYsqRo02edZO2uJLLqq6WH+ioph9IRghmAnwD0GdDJsMxQrGDyqgF+G3V+6HH/oTExEMVRBFn76bMnYx1LHN8WtlaqhsbzdWGkRRAm5I2sCii4+TuKTcKG7PS9+pCtRLsXTORoYqeHtdYD+OUmndGgVlYWSzVdeEXDnofXkmGUadY7/E4W1L6DV8JghG+7Z6gnkP6sslODPcdNM4Iz6FawLXzGGRNkpJh+9EAOZ/R6MBOFt/5m0ThcUyiPDw9BxlKNxWC5x7BcqgtDp/yTaIQ4tFL75wrVwopCNb17xoXWr3jshR8A2bJ5DUYq7d8IFxK4jpajyJDTTuZJiOCHWC365kKPt1sLfz0ZkLY4eNwVCV8BlfJ4pBDGEctBXpjjfG939YwW6CW1gguB3o3yPanfRvpgj7TfClzpc6rJ/HYE5rMBmwGbAgwN8a7RGyoKs3qhmKPesEComnB4KkCQLcIwZ6CayOcvyK73mCGa31yzEKRgw/huNfXTP76MeZ963HoldmMo5aJltSEAacd4GPS5JcFnl4WeRjfDgipaPnZ86zU4SEy0crGRaI3osEkwgIPJ/R6mtVhy9hj+Nx9U+VdN5l2w1p3osbdd7rA9NtCUA/ZclOKZ8uumgUR1Xtw5qEZHF/1P2zEj+fYqZqPD+DDdaZgjJAdWjSjzoMqk9NAbIERjMcw1rTw5qxsifIA24zW91PGV0z90JPKO2wl1Mk1eLxj58UCXekR5581eYENuUF9TFTKHSARyVy1NNonFmBDdZJo/x986/VKJ9z2kGkuf4RIzvD3jSFolBpMn2Qt6p+ix0pqW9bSoXqHY2YBXnVURlanijvxMZMWSnoxXSPr+0QveXKMzDoga96O1hL4XjbDovziOiSQ89TNypU6bb24F+WS5URWw61PvdubV14lCFMGyj/m2ZJbLLlwFF2esRkm/T8meQYKrPUzUD2YEccVdlou6iWHNuvMPEkgjagGvSbtrvJKAN4r+iH0eMVhme8JbCS3PzWee0FXW9JXxutnNJRk9yJy51GUDIv+OmfoU+mb2j1VIZyG9R3dT8RAzF7A60vtbSnYIfKM+GM4+Rn0oOaHvBkf4LsUDXLwDthKtTpsuC9BAgmf+6y8G8t023HPNm4fMim/uxoyc/xxIaQZ3hywGaLsT1u2Cci0KwgSHqI3HRmuxCINU35FkxN2oF5Q+cG75XqkpTSu9MTaUVGX/NHlqIuqrsOEmN/tFi1Sv8UkvJfWE65XKGHuDDf0I3LTV9Q=
---END GANDCRAB KEY---
---BEGIN PC DATA---
7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDq9NbJPpDcAvWVruDERWfIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemWoy1rWnPOZxV8SSVjOsTAmmL/7s4CzGBkpOKj7RToVZfeU0wFSACDBtKyJP9BcBnpq7cZhR723XrGVmYCRgUfWP4jyqfMxLOfjXaPgrwlW5uZ+T0bJ3va9LzR07fePSySz26B+oWfFo533PDqxlSg7ubDoQVp+6k2Vw+mvqB9vZLwArtkyoC8O1f2lWTmY7ql4GewxgT2wMUzab5sfvNxQLWyjrrjTwFji9DPDKIqgjY3pWN3+hglhvFqi4oFZEvhEsSM+AN7hzdQWIEz1U0GTyeyMcZ0O1go/+eQSe20E23SaCuLrfdcRPB6VJMorLqwb8AmOcGyVvrCSEaKsTrSHnIyaYEIrb5s07lHfcy/ShKIdDA3FyYH6qAJw1UbUxI7G7XVYm+fKMPMuEsCdCZihzgpfE7oT7wA2q18=
---END PC DATA---
URLs
http://gandcrabmfe6mnef.onion/faedc421c26182e0
Signatures
-
CrimsonRAT main payload 1 IoCs
resource yara_rule behavioral1/files/0x0008000000028155-3994.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found -
UAC bypass 3 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (332) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file 4 IoCs
flow pid Process 235 2504 firefox.exe 235 2504 firefox.exe 235 2504 firefox.exe 235 2504 firefox.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation GandCrab.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGZCNUO-MANUAL.txt GandCrab.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\c261850cc26182e56b.lock GandCrab.exe -
Executes dropped EXE 64 IoCs
pid Process 1104 GandCrab.exe 2176 PolyRansom.exe 556 juUUQcQY.exe 3800 kgokcokM.exe 2124 PolyRansom.exe 4436 PolyRansom.exe 5028 PolyRansom.exe 1872 PolyRansom.exe 3012 PolyRansom.exe 232 PolyRansom.exe 4380 PolyRansom.exe 1420 PolyRansom.exe 1440 PolyRansom.exe 544 PolyRansom.exe 1308 PolyRansom.exe 2984 PolyRansom.exe 2948 PolyRansom.exe 4728 PolyRansom.exe 732 PolyRansom.exe 4964 PolyRansom.exe 3048 PolyRansom.exe 2784 PolyRansom.exe 4896 PolyRansom.exe 5028 PolyRansom.exe 2912 PolyRansom.exe 716 PolyRansom.exe 1420 PolyRansom.exe 3160 PolyRansom.exe 2984 PolyRansom.exe 4076 PolyRansom.exe 4052 PolyRansom.exe 1640 PolyRansom.exe 2664 PolyRansom.exe 4896 PolyRansom.exe 1248 PolyRansom.exe 4052 PolyRansom.exe 2076 PolyRansom.exe 1428 PolyRansom.exe 1872 PolyRansom.exe 3056 PolyRansom.exe 956 PolyRansom.exe 2608 PolyRansom.exe 4076 PolyRansom.exe 232 PolyRansom.exe 1104 PolyRansom.exe 3228 PolyRansom.exe 4896 PolyRansom.exe 980 PolyRansom.exe 5116 PolyRansom.exe 5024 PolyRansom.exe 216 PolyRansom.exe 2592 PolyRansom.exe 4824 PolyRansom.exe 2944 PolyRansom.exe 788 PolyRansom.exe 1136 PolyRansom.exe 4196 PolyRansom.exe 4692 PolyRansom.exe 216 PolyRansom.exe 1640 PolyRansom.exe 1812 PolyRansom.exe 2352 PolyRansom.exe 3952 PolyRansom.exe 4896 PolyRansom.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgokcokM.exe = "C:\\ProgramData\\EqswEIss\\kgokcokM.exe" kgokcokM.exe Set value (str) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juUUQcQY.exe = "C:\\Users\\Admin\\SqsogEsU\\juUUQcQY.exe" PolyRansom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgokcokM.exe = "C:\\ProgramData\\EqswEIss\\kgokcokM.exe" PolyRansom.exe Set value (str) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juUUQcQY.exe = "C:\\Users\\Admin\\SqsogEsU\\juUUQcQY.exe" juUUQcQY.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: GandCrab.exe File opened (read-only) \??\T: GandCrab.exe File opened (read-only) \??\A: GandCrab.exe File opened (read-only) \??\B: GandCrab.exe File opened (read-only) \??\H: GandCrab.exe File opened (read-only) \??\O: GandCrab.exe File opened (read-only) \??\S: GandCrab.exe File opened (read-only) \??\X: GandCrab.exe File opened (read-only) \??\I: GandCrab.exe File opened (read-only) \??\J: GandCrab.exe File opened (read-only) \??\L: GandCrab.exe File opened (read-only) \??\U: GandCrab.exe File opened (read-only) \??\W: GandCrab.exe File opened (read-only) \??\D: GandCrab.exe File opened (read-only) \??\M: GandCrab.exe File opened (read-only) \??\N: GandCrab.exe File opened (read-only) \??\R: GandCrab.exe File opened (read-only) \??\V: GandCrab.exe File opened (read-only) \??\Y: GandCrab.exe File opened (read-only) \??\Z: GandCrab.exe File opened (read-only) \??\G: GandCrab.exe File opened (read-only) \??\K: GandCrab.exe File opened (read-only) \??\P: GandCrab.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 230 raw.githubusercontent.com 231 raw.githubusercontent.com 232 raw.githubusercontent.com 233 raw.githubusercontent.com 234 raw.githubusercontent.com 235 raw.githubusercontent.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\DriverStore\FileRepository\prnms003.inf_amd64_56e3bb563920555c\Amd64\PrintConfig.dll GandCrab.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" GandCrab.exe -
Drops file in Program Files directory 39 IoCs
description ioc Process File opened for modification C:\Program Files\InvokeRestart.3g2 GandCrab.exe File opened for modification C:\Program Files\DismountClose.3gp2 GandCrab.exe File opened for modification C:\Program Files\GetSubmit.mp3 GandCrab.exe File opened for modification C:\Program Files\SearchRevoke.mpp GandCrab.exe File created C:\Program Files (x86)\RGZCNUO-MANUAL.txt GandCrab.exe File opened for modification C:\Program Files\ApproveSubmit.wpl GandCrab.exe File opened for modification C:\Program Files\ConfirmCheckpoint.ini GandCrab.exe File opened for modification C:\Program Files\LimitSet.ini GandCrab.exe File opened for modification C:\Program Files\SaveRename.mpv2 GandCrab.exe File opened for modification C:\Program Files\ImportHide.iso GandCrab.exe File opened for modification C:\Program Files\SwitchMove.ttc GandCrab.exe File opened for modification C:\Program Files\UpdateUse.vsdm GandCrab.exe File created C:\Program Files\c261850cc26182e56b.lock GandCrab.exe File opened for modification C:\Program Files\BlockSplit.mht GandCrab.exe File opened for modification C:\Program Files\ConvertDismount.MTS GandCrab.exe File opened for modification C:\Program Files\DisableSearch.iso GandCrab.exe File opened for modification C:\Program Files\LimitSave.001 GandCrab.exe File opened for modification C:\Program Files\MergeConfirm.vbe GandCrab.exe File opened for modification C:\Program Files\ResetStart.txt GandCrab.exe File opened for modification C:\Program Files\StopDeny.7z GandCrab.exe File opened for modification C:\Program Files\PublishSplit.DVR GandCrab.exe File opened for modification C:\Program Files\SetSuspend.wvx GandCrab.exe File opened for modification C:\Program Files\DenyDebug.vssm GandCrab.exe File opened for modification C:\Program Files\DisableUndo.bmp GandCrab.exe File opened for modification C:\Program Files\PopMerge.vdw GandCrab.exe File opened for modification C:\Program Files\ResetClear.mid GandCrab.exe File opened for modification C:\Program Files\ResumeCheckpoint.scf GandCrab.exe File opened for modification C:\Program Files\SaveExpand.ppt GandCrab.exe File opened for modification C:\Program Files\UninstallUndo.DVR-MS GandCrab.exe File created C:\Program Files (x86)\c261850cc26182e56b.lock GandCrab.exe File opened for modification C:\Program Files\HideResolve.doc GandCrab.exe File opened for modification C:\Program Files\MountImport.nfo GandCrab.exe File opened for modification C:\Program Files\ProtectWatch.wmx GandCrab.exe File opened for modification C:\Program Files\SetEnable.inf GandCrab.exe File opened for modification C:\Program Files\UnpublishEnter.tif GandCrab.exe File created C:\Program Files\RGZCNUO-MANUAL.txt GandCrab.exe File opened for modification C:\Program Files\DisconnectSplit.wpl GandCrab.exe File opened for modification C:\Program Files\EnableApprove.ADTS GandCrab.exe File opened for modification C:\Program Files\GroupSuspend.xlsm GandCrab.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\Downloads\GandCrab.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier firefox.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2928 1104 WerFault.exe 104 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GandCrab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language juUUQcQY.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe -
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString GandCrab.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 GandCrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier GandCrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000_Classes\Local Settings firefox.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 3164 reg.exe 3004 reg.exe 732 reg.exe 4880 reg.exe 2576 reg.exe 5116 reg.exe 3372 reg.exe 1640 reg.exe 220 Process not Found 2928 reg.exe 3048 reg.exe 4316 reg.exe 960 reg.exe 3272 Process not Found 4536 reg.exe 3756 reg.exe 4852 Process not Found 4316 reg.exe 188 reg.exe 4316 reg.exe 1584 reg.exe 188 reg.exe 5116 reg.exe 4852 reg.exe 2944 reg.exe 2176 Process not Found 1248 Process not Found 2780 reg.exe 3160 reg.exe 2124 reg.exe 4436 Process not Found 2120 reg.exe 2564 reg.exe 216 reg.exe 2124 reg.exe 4240 reg.exe 3048 reg.exe 1276 Process not Found 1308 Process not Found 5028 reg.exe 2384 reg.exe 2900 reg.exe 4824 reg.exe 3004 reg.exe 980 reg.exe 1864 reg.exe 1500 reg.exe 3952 reg.exe 4380 reg.exe 3808 reg.exe 2612 reg.exe 4964 reg.exe 4896 reg.exe 956 reg.exe 2576 reg.exe 1276 reg.exe 544 reg.exe 4380 reg.exe 2784 reg.exe 960 reg.exe 1248 reg.exe 3788 reg.exe 980 Process not Found 4952 reg.exe -
NTFS ADS 2 IoCs
description ioc Process File created C:\Users\Admin\Downloads\GandCrab.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier firefox.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1104 GandCrab.exe 1104 GandCrab.exe 1104 GandCrab.exe 1104 GandCrab.exe 2176 PolyRansom.exe 2176 PolyRansom.exe 2176 PolyRansom.exe 2176 PolyRansom.exe 2124 PolyRansom.exe 2124 PolyRansom.exe 2124 PolyRansom.exe 2124 PolyRansom.exe 4436 PolyRansom.exe 4436 PolyRansom.exe 4436 PolyRansom.exe 4436 PolyRansom.exe 5028 PolyRansom.exe 5028 PolyRansom.exe 5028 PolyRansom.exe 5028 PolyRansom.exe 1872 PolyRansom.exe 1872 PolyRansom.exe 1872 PolyRansom.exe 1872 PolyRansom.exe 3012 PolyRansom.exe 3012 PolyRansom.exe 3012 PolyRansom.exe 3012 PolyRansom.exe 232 PolyRansom.exe 232 PolyRansom.exe 232 PolyRansom.exe 232 PolyRansom.exe 4380 PolyRansom.exe 4380 PolyRansom.exe 4380 PolyRansom.exe 4380 PolyRansom.exe 1420 PolyRansom.exe 1420 PolyRansom.exe 1420 PolyRansom.exe 1420 PolyRansom.exe 1440 PolyRansom.exe 1440 PolyRansom.exe 1440 PolyRansom.exe 1440 PolyRansom.exe 544 PolyRansom.exe 544 PolyRansom.exe 544 PolyRansom.exe 544 PolyRansom.exe 1308 PolyRansom.exe 1308 PolyRansom.exe 1308 PolyRansom.exe 1308 PolyRansom.exe 2984 PolyRansom.exe 2984 PolyRansom.exe 2984 PolyRansom.exe 2984 PolyRansom.exe 2948 PolyRansom.exe 2948 PolyRansom.exe 2948 PolyRansom.exe 2948 PolyRansom.exe 4728 PolyRansom.exe 4728 PolyRansom.exe 4728 PolyRansom.exe 4728 PolyRansom.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2504 firefox.exe Token: SeDebugPrivilege 2504 firefox.exe Token: SeDebugPrivilege 2504 firefox.exe Token: SeDebugPrivilege 2504 firefox.exe Token: SeDebugPrivilege 2504 firefox.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe 2504 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 564 wrote to memory of 2504 564 firefox.exe 91 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 4100 2504 firefox.exe 92 PID 2504 wrote to memory of 1556 2504 firefox.exe 93 PID 2504 wrote to memory of 1556 2504 firefox.exe 93 PID 2504 wrote to memory of 1556 2504 firefox.exe 93 PID 2504 wrote to memory of 1556 2504 firefox.exe 93 PID 2504 wrote to memory of 1556 2504 firefox.exe 93 PID 2504 wrote to memory of 1556 2504 firefox.exe 93 PID 2504 wrote to memory of 1556 2504 firefox.exe 93 PID 2504 wrote to memory of 1556 2504 firefox.exe 93 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\CrazyNCS.exe"C:\Users\Admin\AppData\Local\Temp\CrazyNCS.exe"1⤵PID:672
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Downloads MZ/PE file
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 27373 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db4bedb7-bd09-4ced-9d5e-17cd1b54b3a5} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" gpu3⤵PID:4100
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 27251 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {449640aa-9384-4dbb-b8d9-8ea8f7f54a5f} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" socket3⤵PID:1556
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2984 -childID 1 -isForBrowser -prefsHandle 1404 -prefMapHandle 2948 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {696cef7f-b7f0-4833-8e81-21f9bcdb5786} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" tab3⤵PID:2232
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4076 -childID 2 -isForBrowser -prefsHandle 4068 -prefMapHandle 4064 -prefsLen 32625 -prefMapSize 244628 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b507fc95-a37f-4cd1-b151-47627e3cba13} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" tab3⤵PID:1396
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4732 -prefsLen 32625 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e182f424-474a-44e5-b253-77d2c8fe5b2a} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" utility3⤵
- Checks processor information in registry
PID:3892
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5300 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e4fe595-2119-4fb0-bf72-e4a407a54e14} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" tab3⤵PID:788
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5464 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dd6887b-8627-47c5-8938-ec561f68b5a9} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" tab3⤵PID:2264
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5656 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2c542bd-0d13-4121-b847-c39ce7e328f4} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" tab3⤵PID:1860
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5992 -childID 6 -isForBrowser -prefsHandle 5984 -prefMapHandle 5980 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5201f8e-dd27-4c37-a350-9f259dbb194b} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" tab3⤵PID:3196
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -childID 7 -isForBrowser -prefsHandle 6124 -prefMapHandle 5176 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9318c16c-53e0-4b4f-9848-499d4cf92d1e} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" tab3⤵PID:4864
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6388 -childID 8 -isForBrowser -prefsHandle 5140 -prefMapHandle 3840 -prefsLen 27901 -prefMapSize 244628 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5cbc376-7176-461b-a529-c2576b379df1} 2504 "\\.\pipe\gecko-crash-server-pipe.2504" tab3⤵PID:3836
-
-
C:\Users\Admin\Downloads\GandCrab.exe"C:\Users\Admin\Downloads\GandCrab.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1104 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet4⤵PID:3796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 16684⤵
- Program crash
PID:2928
-
-
-
C:\Users\Admin\Downloads\PolyRansom.exe"C:\Users\Admin\Downloads\PolyRansom.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2176 -
C:\Users\Admin\SqsogEsU\juUUQcQY.exe"C:\Users\Admin\SqsogEsU\juUUQcQY.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:556
-
-
C:\ProgramData\EqswEIss\kgokcokM.exe"C:\ProgramData\EqswEIss\kgokcokM.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3800
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"4⤵PID:4196
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"6⤵PID:5096
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"8⤵PID:1420
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"10⤵PID:1640
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"12⤵PID:1796
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"14⤵PID:1420
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"16⤵PID:3004
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"18⤵PID:4536
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"20⤵PID:4316
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"22⤵PID:2912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵PID:1640
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"24⤵PID:2564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵PID:4896
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"26⤵PID:2612
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"28⤵PID:3160
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"30⤵PID:956
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4728 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"32⤵PID:3228
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom33⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"34⤵PID:5096
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"36⤵PID:544
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom37⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"38⤵PID:2352
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom39⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"40⤵PID:4952
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom41⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"42⤵PID:3056
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom43⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"44⤵PID:2176
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom45⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"46⤵PID:2140
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom47⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"48⤵PID:4928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵PID:956
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom49⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"50⤵PID:2384
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵PID:3004
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom51⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"52⤵PID:1312
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom53⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"54⤵PID:1440
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom55⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"56⤵PID:732
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom57⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"58⤵PID:1288
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom59⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"60⤵PID:3680
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom61⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"62⤵PID:1984
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom63⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"64⤵PID:2916
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom65⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"66⤵PID:3372
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom67⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"68⤵PID:4680
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom69⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"70⤵PID:2176
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom71⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"72⤵PID:2500
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom73⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"74⤵PID:2984
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom75⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"76⤵PID:4728
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom77⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"78⤵PID:3220
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom79⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"80⤵PID:2512
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom81⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"82⤵PID:4708
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom83⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"84⤵PID:2912
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom85⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"86⤵PID:2028
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom87⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"88⤵PID:3056
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom89⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"90⤵PID:4892
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom91⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"92⤵PID:2500
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom93⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"94⤵PID:2780
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom95⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"96⤵PID:960
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom97⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"98⤵
- System Location Discovery: System Language Discovery
PID:3680 -
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom99⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"100⤵PID:560
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom101⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"102⤵PID:2136
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom103⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"104⤵PID:2120
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom105⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"106⤵PID:3160
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom107⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"108⤵PID:2564
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom109⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"110⤵PID:644
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom111⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"112⤵PID:4708
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom113⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"114⤵PID:4128
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:3552
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom115⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"116⤵PID:2780
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom117⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"118⤵PID:1500
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom119⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"120⤵PID:5116
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom121⤵
- Executes dropped EXE
PID:3952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-