General Info

File name

Ransom.Prometheous.exe_bin

Full analysis
https://app.any.run/tasks/689ffea2-1171-4c40-a3ba-d2063c673310
Verdict
Malicious activity
Analysis date
15/01/2022, 03:35:01
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

evasion

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

dd4eb8aa3371b7fd821a7a9730c924cf

SHA1

3e53f7bf7dcb8569aaf0f3a3bcf67bda4c01c054

SHA256

9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184

SSDEEP

3072:gq1cp4Z88R77RRZCsllDXUnVx01f9PSiILEM9Q3L+9XQE0yhM49dyeT4:nejKl0v0bKLEM9OL+9XQE0ufrc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Writes to a start menu file
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Uses Task Scheduler to run other applications
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Starts NET.EXE for connection to shared resources
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Uses TASKKILL.EXE to kill antiviruses
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Renames files like Ransomware
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Dropped file may contain instructions of ransomware
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Starts NET.EXE for service management
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 2156)
 Reads the computer name
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
  • powershell.exe (PID: 2908)
  • powershell.exe (PID: 5024)
  • mshta.exe (PID: 3784)
Uses TASKKILL.EXE to kill Office Apps
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Uses NETSH.EXE for network configuration
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Reads Environment values
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
  • netsh.exe (PID: 3080)
  • netsh.exe (PID: 3804)
Uses ICACLS.EXE to modify access control list
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Uses REG.EXE to modify Windows registry
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Checks supported languages
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
  • cmd.exe (PID: 2680)
  • cmd.exe (PID: 3060)
  • powershell.exe (PID: 2908)
  • powershell.exe (PID: 5024)
  • cmd.exe (PID: 2236)
  • mshta.exe (PID: 3784)
  • cmd.exe (PID: 5100)
  • cmd.exe (PID: 3400)
Starts SC.EXE for service management
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Executes PowerShell scripts
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Creates files in the user directory
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Uses TASKKILL.EXE to kill process
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Uses TASKKILL.EXE to kill Browsers
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Starts CMD.EXE for commands execution
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Starts MSHTA.EXE for opening HTA or HTMLS files
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Drops a file with a compile date too recent
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Checks for external IP
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Executable content was dropped or overwritten
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Starts CMD.EXE for self-deleting
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Creates files in the program directory
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
  • SearchIndexer.exe (PID: 1708)
  • SearchIndexer.exe (PID: 4704)
Starts NET.EXE for network exploration
  • cmd.exe (PID: 2236)
Reads Microsoft Outlook installation path
  • mshta.exe (PID: 3784)
Starts CHOICE.EXE (used to create a delay)
  • cmd.exe (PID: 3400)
Executed as Windows Service
  • SearchIndexer.exe (PID: 1708)
  • SearchIndexer.exe (PID: 4704)
Modifies files in Chrome extension folder
  • chrome.exe (PID: 3612)
 Dropped object may contain TOR URL's
  • Ransom.Prometheous.exe_bin.exe (PID: 3972)
Checks supported languages
  • taskkill.exe (PID: 2600)
  • reg.exe (PID: 3384)
  • sc.exe (PID: 3476)
  • sc.exe (PID: 2836)
  • sc.exe (PID: 3652)
  • sc.exe (PID: 3688)
  • sc.exe (PID: 2140)
  • sc.exe (PID: 564)
  • schtasks.exe (PID: 2156)
  • sc.exe (PID: 3220)
  • reg.exe (PID: 3460)
  • net.exe (PID: 3480)
  • sc.exe (PID: 2908)
  • net.exe (PID: 3136)
  • netsh.exe (PID: 3080)
  • netsh.exe (PID: 3804)
  • net.exe (PID: 3908)
  • net.exe (PID: 1124)
  • net.exe (PID: 628)
  • net.exe (PID: 3388)
  • net.exe (PID: 1220)
  • net.exe (PID: 2236)
  • net.exe (PID: 3180)
  • net.exe (PID: 2464)
  • net.exe (PID: 532)
  • net.exe (PID: 2000)
  • net.exe (PID: 1808)
  • net.exe (PID: 1524)
  • net.exe (PID: 3812)
  • net.exe (PID: 2480)
  • net.exe (PID: 3340)
  • net.exe (PID: 2404)
  • net.exe (PID: 3532)
  • net.exe (PID: 684)
  • net1.exe (PID: 2808)
  • net.exe (PID: 3460)
  • net1.exe (PID: 3384)
  • net.exe (PID: 1888)
  • net.exe (PID: 3948)
  • net.exe (PID: 3508)
  • net.exe (PID: 3776)
  • net1.exe (PID: 3668)
  • net.exe (PID: 1876)
  • net.exe (PID: 3032)
  • net1.exe (PID: 2992)
  • net.exe (PID: 964)
  • net.exe (PID: 2468)
  • net.exe (PID: 3268)
  • net1.exe (PID: 1272)
  • net1.exe (PID: 1144)
  • net.exe (PID: 3788)
  • net1.exe (PID: 3256)
  • net1.exe (PID: 2508)
  • net1.exe (PID: 2984)
  • net1.exe (PID: 3488)
  • net1.exe (PID: 4004)
  • net1.exe (PID: 2740)
  • net1.exe (PID: 2720)
  • net1.exe (PID: 3264)
  • net1.exe (PID: 2452)
  • net1.exe (PID: 1644)
  • net1.exe (PID: 956)
  • net1.exe (PID: 2624)
  • net.exe (PID: 3892)
  • net.exe (PID: 3548)
  • net1.exe (PID: 1800)
  • net1.exe (PID: 2912)
  • net1.exe (PID: 1648)
  • net1.exe (PID: 3968)
  • net1.exe (PID: 1500)
  • net.exe (PID: 2316)
  • net.exe (PID: 1408)
  • net.exe (PID: 968)
  • net.exe (PID: 3424)
  • net1.exe (PID: 2960)
  • net.exe (PID: 3636)
  • net.exe (PID: 3644)
  • net1.exe (PID: 3588)
  • net1.exe (PID: 2716)
  • net.exe (PID: 3244)
  • net1.exe (PID: 1828)
  • net1.exe (PID: 2600)
  • net1.exe (PID: 3064)
  • net1.exe (PID: 3896)
  • net.exe (PID: 3816)
  • net.exe (PID: 3476)
  • net.exe (PID: 2512)
  • net.exe (PID: 3544)
  • net.exe (PID: 2900)
  • net.exe (PID: 1864)
  • net.exe (PID: 3608)
  • net.exe (PID: 2680)
  • net.exe (PID: 3092)
  • net1.exe (PID: 2132)
  • net.exe (PID: 1688)
  • net.exe (PID: 2312)
  • net1.exe (PID: 3500)
  • net.exe (PID: 880)
  • net.exe (PID: 3248)
  • net.exe (PID: 3484)
  • net.exe (PID: 3568)
  • net1.exe (PID: 1368)
  • net.exe (PID: 2268)
  • net1.exe (PID: 3228)
  • net1.exe (PID: 4092)
  • net.exe (PID: 1292)
  • net.exe (PID: 3888)
  • net1.exe (PID: 3108)
  • net.exe (PID: 1612)
  • net1.exe (PID: 2764)
  • net.exe (PID: 1272)
  • net.exe (PID: 560)
  • net.exe (PID: 3088)
  • net.exe (PID: 3940)
  • net1.exe (PID: 1708)
  • net.exe (PID: 2916)
  • net.exe (PID: 3648)
  • net.exe (PID: 1144)
  • net1.exe (PID: 3680)
  • net.exe (PID: 2664)
  • net.exe (PID: 2852)
  • net1.exe (PID: 2836)
  • net.exe (PID: 3688)
  • net1.exe (PID: 2560)
  • net1.exe (PID: 2708)
  • net1.exe (PID: 4452)
  • net1.exe (PID: 4440)
  • net1.exe (PID: 4428)
  • net1.exe (PID: 4484)
  • net1.exe (PID: 4460)
  • net1.exe (PID: 4520)
  • net1.exe (PID: 4952)
  • net.exe (PID: 4876)
  • net.exe (PID: 5044)
  • net.exe (PID: 5252)
  • net1.exe (PID: 4476)
  • net.exe (PID: 5432)
  • net1.exe (PID: 5504)
  • net.exe (PID: 5636)
  • net1.exe (PID: 5948)
  • net.exe (PID: 5860)
  • net1.exe (PID: 4172)
  • net1.exe (PID: 6008)
  • net1.exe (PID: 520)
  • net1.exe (PID: 612)
  • net1.exe (PID: 4616)
  • net1.exe (PID: 5960)
  • net.exe (PID: 2896)
  • net1.exe (PID: 1828)
  • net.exe (PID: 4844)
  • net1.exe (PID: 4868)
  • net.exe (PID: 4852)
  • net1.exe (PID: 5588)
  • net1.exe (PID: 4928)
  • net.exe (PID: 5472)
  • net1.exe (PID: 5788)
  • net.exe (PID: 1200)
  • net1.exe (PID: 5564)
  • net1.exe (PID: 5304)
  • net.exe (PID: 5408)
  • net.exe (PID: 6104)
  • net.exe (PID: 5632)
  • net1.exe (PID: 5756)
  • net.exe (PID: 2340)
  • net.exe (PID: 5836)
  • net.exe (PID: 188)
  • net1.exe (PID: 1044)
  • net.exe (PID: 5664)
  • net.exe (PID: 2376)
  • net.exe (PID: 2880)
  • net1.exe (PID: 2156)
  • net.exe (PID: 4828)
  • net1.exe (PID: 2872)
  • net.exe (PID: 672)
  • net.exe (PID: 3752)
  • net1.exe (PID: 4908)
  • net.exe (PID: 5156)
  • net1.exe (PID: 4568)
  • net.exe (PID: 5608)
  • net1.exe (PID: 4900)
  • net.exe (PID: 4348)
  • net.exe (PID: 4496)
  • net.exe (PID: 1512)
  • net1.exe (PID: 5032)
  • net1.exe (PID: 524)
  • net.exe (PID: 848)
  • net.exe (PID: 1472)
  • net.exe (PID: 3540)
  • net.exe (PID: 5084)
  • net1.exe (PID: 4536)
  • net.exe (PID: 1644)
  • net1.exe (PID: 3364)
  • net1.exe (PID: 4800)
  • net.exe (PID: 5092)
  • net1.exe (PID: 4808)
  • net1.exe (PID: 5872)
  • net.exe (PID: 6108)
  • net1.exe (PID: 5704)
  • net1.exe (PID: 5564)
  • net.exe (PID: 4896)
  • net1.exe (PID: 5668)
  • net1.exe (PID: 5784)
  • net1.exe (PID: 4300)
  • net1.exe (PID: 3128)
  • net1.exe (PID: 2336)
  • net1.exe (PID: 6116)
  • net1.exe (PID: 1296)
  • net1.exe (PID: 4188)
  • net.exe (PID: 3500)
  • net1.exe (PID: 3008)
  • net.exe (PID: 3060)
  • net1.exe (PID: 2620)
  • net.exe (PID: 1024)
  • net.exe (PID: 2712)
  • net1.exe (PID: 1600)
  • net.exe (PID: 2596)
  • net.exe (PID: 5360)
  • net.exe (PID: 4060)
  • net.exe (PID: 1740)
  • net1.exe (PID: 4024)
  • net.exe (PID: 4508)
  • net.exe (PID: 5756)
  • net1.exe (PID: 5848)
  • net.exe (PID: 5812)
  • net1.exe (PID: 1556)
  • net1.exe (PID: 5032)
  • net1.exe (PID: 6072)
  • net.exe (PID: 5952)
  • net1.exe (PID: 2156)
  • net1.exe (PID: 4968)
  • net.exe (PID: 2816)
  • net.exe (PID: 392)
  • net.exe (PID: 3992)
  • net1.exe (PID: 5036)
  • net.exe (PID: 3576)
  • net.exe (PID: 3456)
  • net.exe (PID: 5480)
  • net1.exe (PID: 1384)
  • net1.exe (PID: 3644)
  • net.exe (PID: 5172)
  • net1.exe (PID: 3136)
  • net1.exe (PID: 2296)
  • net1.exe (PID: 636)
  • net1.exe (PID: 2564)
  • net.exe (PID: 5256)
  • net1.exe (PID: 4956)
  • net.exe (PID: 4360)
  • net.exe (PID: 148)
  • net.exe (PID: 2984)
  • net.exe (PID: 3396)
  • net.exe (PID: 3000)
  • net1.exe (PID: 5324)
  • net.exe (PID: 5564)
  • net.exe (PID: 3080)
  • net1.exe (PID: 4156)
  • net1.exe (PID: 4632)
  • net.exe (PID: 4120)
  • net1.exe (PID: 5228)
  • net.exe (PID: 2540)
  • net1.exe (PID: 2468)
  • net.exe (PID: 2316)
  • net.exe (PID: 1888)
  • net1.exe (PID: 832)
  • net1.exe (PID: 1524)
  • net.exe (PID: 1968)
  • net.exe (PID: 2848)
  • net1.exe (PID: 2584)
  • net.exe (PID: 5632)
  • net.exe (PID: 1252)
  • net1.exe (PID: 848)
  • net.exe (PID: 5616)
  • net1.exe (PID: 5212)
  • net.exe (PID: 4380)
  • net1.exe (PID: 2860)
  • net.exe (PID: 3624)
  • net1.exe (PID: 3440)
  • net.exe (PID: 2736)
  • net.exe (PID: 2632)
  • net.exe (PID: 1388)
  • net.exe (PID: 3384)
  • net.exe (PID: 4364)
  • net1.exe (PID: 1708)
  • net1.exe (PID: 5540)
  • net.exe (PID: 5380)
  • net1.exe (PID: 676)
  • net.exe (PID: 5292)
  • net1.exe (PID: 4164)
  • net.exe (PID: 1864)
  • net1.exe (PID: 3804)
  • net1.exe (PID: 3264)
  • net.exe (PID: 880)
  • net.exe (PID: 4524)
  • net.exe (PID: 1612)
  • net1.exe (PID: 3064)
  • net1.exe (PID: 1236)
  • net1.exe (PID: 2728)
  • net1.exe (PID: 4016)
  • net.exe (PID: 3372)
  • net.exe (PID: 1536)
  • net1.exe (PID: 4292)
  • net.exe (PID: 4808)
  • net.exe (PID: 4848)
  • net.exe (PID: 4624)
  • net.exe (PID: 5736)
  • net.exe (PID: 4780)
  • net1.exe (PID: 6124)
  • net.exe (PID: 2204)
  • net1.exe (PID: 2096)
  • net1.exe (PID: 1984)
  • net1.exe (PID: 1688)
  • net.exe (PID: 5944)
  • net1.exe (PID: 4324)
  • net.exe (PID: 2296)
  • net1.exe (PID: 4092)
  • net.exe (PID: 5200)
  • net.exe (PID: 5084)
  • net1.exe (PID: 4528)
  • net1.exe (PID: 4672)
  • net.exe (PID: 872)
  • net1.exe (PID: 4256)
  • net.exe (PID: 4332)
  • net.exe (PID: 4944)
  • net.exe (PID: 3428)
  • net.exe (PID: 5448)
  • net1.exe (PID: 5652)
  • net1.exe (PID: 3220)
  • net.exe (PID: 4240)
  • net.exe (PID: 4904)
  • net1.exe (PID: 4668)
  • net.exe (PID: 5284)
  • net1.exe (PID: 2836)
  • net1.exe (PID: 1600)
  • net.exe (PID: 4108)
  • net1.exe (PID: 5728)
  • net1.exe (PID: 2956)
  • net.exe (PID: 1004)
  • net1.exe (PID: 2252)
  • net.exe (PID: 2340)
  • net1.exe (PID: 1520)
  • net.exe (PID: 4024)
  • net.exe (PID: 4176)
  • net.exe (PID: 2132)
  • net1.exe (PID: 1144)
  • net.exe (PID: 3152)
  • net1.exe (PID: 4032)
  • net.exe (PID: 5016)
  • net1.exe (PID: 2832)
  • net1.exe (PID: 5360)
  • net1.exe (PID: 4476)
  • net.exe (PID: 5636)
  • net1.exe (PID: 4400)
  • net.exe (PID: 3520)
  • net1.exe (PID: 5772)
  • net.exe (PID: 4312)
  • net.exe (PID: 3100)
  • net1.exe (PID: 748)
  • net1.exe (PID: 5888)
  • net1.exe (PID: 2456)
  • net.exe (PID: 2852)
  • net.exe (PID: 3680)
  • net.exe (PID: 2472)
  • net.exe (PID: 3916)
  • net1.exe (PID: 5848)
  • net1.exe (PID: 5188)
  • net1.exe (PID: 4496)
  • net.exe (PID: 5152)
  • net.exe (PID: 2664)
  • net1.exe (PID: 4832)
  • net1.exe (PID: 2468)
  • net1.exe (PID: 2880)
  • net1.exe (PID: 3888)
  • net1.exe (PID: 3636)
  • net.exe (PID: 4984)
  • net.exe (PID: 4488)
  • net.exe (PID: 524)
  • net1.exe (PID: 4432)
  • net1.exe (PID: 5660)
  • net.exe (PID: 2388)
  • net1.exe (PID: 5092)
  • net1.exe (PID: 612)
  • net.exe (PID: 3968)
  • net.exe (PID: 6020)
  • net1.exe (PID: 3896)
  • net1.exe (PID: 6016)
  • net.exe (PID: 5076)
  • net1.exe (PID: 3256)
  • net.exe (PID: 3484)
  • net.exe (PID: 5528)
  • net.exe (PID: 5928)
  • net.exe (PID: 1596)
  • net.exe (PID: 5760)
  • net1.exe (PID: 2156)
  • net1.exe (PID: 1372)
  • net1.exe (PID: 6084)
  • net1.exe (PID: 5556)
  • net.exe (PID: 2072)
  • net1.exe (PID: 4712)
  • net.exe (PID: 6028)
  • net.exe (PID: 4292)
  • net.exe (PID: 3664)
  • net1.exe (PID: 4476)
  • net1.exe (PID: 5436)
  • net.exe (PID: 5872)
  • net.exe (PID: 3400)
  • net1.exe (PID: 5620)
  • net1.exe (PID: 5640)
  • net.exe (PID: 4256)
  • net1.exe (PID: 4508)
  • net.exe (PID: 5560)
  • net1.exe (PID: 6008)
  • net1.exe (PID: 2884)
  • net.exe (PID: 2236)
  • net.exe (PID: 5764)
  • net1.exe (PID: 5472)
  • net1.exe (PID: 2900)
  • net.exe (PID: 2956)
  • net.exe (PID: 2404)
  • net1.exe (PID: 4392)
  • net1.exe (PID: 2428)
  • net1.exe (PID: 2436)
  • net.exe (PID: 5952)
  • net1.exe (PID: 1124)
  • net1.exe (PID: 1564)
  • net.exe (PID: 2564)
  • net.exe (PID: 2624)
  • net.exe (PID: 2152)
  • net1.exe (PID: 2628)
  • net1.exe (PID: 5344)
  • net.exe (PID: 4200)
  • net.exe (PID: 3596)
  • net.exe (PID: 4696)
  • net1.exe (PID: 5600)
  • net.exe (PID: 4932)
  • net1.exe (PID: 3360)
  • net1.exe (PID: 492)
  • net.exe (PID: 2676)
  • net.exe (PID: 2044)
  • net1.exe (PID: 3908)
  • net1.exe (PID: 2744)
  • net1.exe (PID: 6064)
  • net.exe (PID: 4616)
  • net1.exe (PID: 5376)
  • net1.exe (PID: 4492)
  • net1.exe (PID: 4436)
  • net.exe (PID: 4964)
  • net.exe (PID: 3156)
  • net1.exe (PID: 3212)
  • net.exe (PID: 4484)
  • net1.exe (PID: 4744)
  • net.exe (PID: 2724)
  • net.exe (PID: 1588)
  • net1.exe (PID: 1636)
  • net1.exe (PID: 5792)
  • net1.exe (PID: 3640)
  • taskkill.exe (PID: 3420)
  • taskkill.exe (PID: 4284)
  • taskkill.exe (PID: 5428)
  • taskkill.exe (PID: 3688)
  • taskkill.exe (PID: 3024)
  • net1.exe (PID: 2216)
  • net1.exe (PID: 2860)
  • net1.exe (PID: 3556)
  • net1.exe (PID: 5648)
  • net1.exe (PID: 3052)
  • taskkill.exe (PID: 4992)
  • taskkill.exe (PID: 3696)
  • taskkill.exe (PID: 2428)
  • net1.exe (PID: 4924)
  • taskkill.exe (PID: 5644)
  • net1.exe (PID: 4400)
  • taskkill.exe (PID: 5516)
  • taskkill.exe (PID: 4552)
  • net1.exe (PID: 392)
  • taskkill.exe (PID: 3816)
  • taskkill.exe (PID: 5236)
  • taskkill.exe (PID: 2612)
  • taskkill.exe (PID: 5804)
  • net1.exe (PID: 3652)
  • taskkill.exe (PID: 6080)
  • net1.exe (PID: 5308)
  • net1.exe (PID: 964)
  • net1.exe (PID: 636)
  • taskkill.exe (PID: 4320)
  • taskkill.exe (PID: 4996)
  • net1.exe (PID: 5740)
  • net1.exe (PID: 532)
  • net1.exe (PID: 4736)
  • net1.exe (PID: 5016)
  • net1.exe (PID: 4236)
  • net1.exe (PID: 3812)
  • net1.exe (PID: 5088)
  • net1.exe (PID: 6028)
  • net1.exe (PID: 3016)
  • taskkill.exe (PID: 5680)
  • net1.exe (PID: 2896)
  • net1.exe (PID: 4420)
  • net1.exe (PID: 2312)
  • taskkill.exe (PID: 2072)
  • taskkill.exe (PID: 6136)
  • taskkill.exe (PID: 2376)
  • taskkill.exe (PID: 3604)
  • taskkill.exe (PID: 3588)
  • taskkill.exe (PID: 5908)
  • taskkill.exe (PID: 5184)
  • taskkill.exe (PID: 2316)
  • taskkill.exe (PID: 4392)
  • taskkill.exe (PID: 4908)
  • taskkill.exe (PID: 4592)
  • taskkill.exe (PID: 3524)
  • taskkill.exe (PID: 3436)
  • taskkill.exe (PID: 5248)
  • taskkill.exe (PID: 6036)
  • taskkill.exe (PID: 712)
  • taskkill.exe (PID: 6068)
  • taskkill.exe (PID: 5076)
  • taskkill.exe (PID: 6128)
  • taskkill.exe (PID: 3664)
  • taskkill.exe (PID: 4428)
  • taskkill.exe (PID: 4548)
  • taskkill.exe (PID: 3936)
  • taskkill.exe (PID: 3228)
  • taskkill.exe (PID: 5852)
  • taskkill.exe (PID: 5828)
  • taskkill.exe (PID: 5892)
  • taskkill.exe (PID: 5000)
  • icacls.exe (PID: 2684)
  • icacls.exe (PID: 4040)
  • icacls.exe (PID: 3016)
  • arp.exe (PID: 652)
  • net.exe (PID: 5784)
  • net.exe (PID: 3144)
  • net.exe (PID: 2096)
  • WINWORD.EXE (PID: 5140)
  • SearchIndexer.exe (PID: 1708)
  • PING.EXE (PID: 492)
  • choice.exe (PID: 5492)
  • fsutil.exe (PID: 5600)
  • chrome.exe (PID: 3612)
  • chrome.exe (PID: 3952)
  • chrome.exe (PID: 5052)
  • chrome.exe (PID: 3388)
  • chrome.exe (PID: 4828)
  • chrome.exe (PID: 5048)
  • chrome.exe (PID: 4196)
  • chrome.exe (PID: 5208)
  • chrome.exe (PID: 5084)
  • chrome.exe (PID: 5284)
  • chrome.exe (PID: 2736)
  • chrome.exe (PID: 1124)
  • chrome.exe (PID: 2060)
  • chrome.exe (PID: 4792)
  • SearchProtocolHost.exe (PID: 2616)
  • chrome.exe (PID: 4128)
  • SearchIndexer.exe (PID: 4704)
  • chrome.exe (PID: 3808)
  • SearchFilterHost.exe (PID: 3060)
  • SearchProtocolHost.exe (PID: 5108)
  • chrome.exe (PID: 3956)
  • chrome.exe (PID: 4804)
  • chrome.exe (PID: 4496)
  • chrome.exe (PID: 3608)
  • chrome.exe (PID: 2432)
  • chrome.exe (PID: 5800)
  • chrome.exe (PID: 1704)
  • chrome.exe (PID: 4152)
  • rundll32.exe (PID: 684)
  • chrome.exe (PID: 5500)
  • chrome.exe (PID: 3192)
  • chrome.exe (PID: 1124)
Reads the computer name
  • taskkill.exe (PID: 2600)
  • schtasks.exe (PID: 2156)
  • sc.exe (PID: 3220)
  • sc.exe (PID: 3476)
  • sc.exe (PID: 2140)
  • sc.exe (PID: 3688)
  • sc.exe (PID: 2836)
  • sc.exe (PID: 3652)
  • sc.exe (PID: 564)
  • netsh.exe (PID: 3080)
  • sc.exe (PID: 2908)
  • netsh.exe (PID: 3804)
  • net1.exe (PID: 2808)
  • net1.exe (PID: 3384)
  • net1.exe (PID: 3668)
  • net1.exe (PID: 2992)
  • net1.exe (PID: 1144)
  • net1.exe (PID: 3488)
  • net1.exe (PID: 2984)
  • net1.exe (PID: 1644)
  • net1.exe (PID: 2740)
  • net1.exe (PID: 3264)
  • net1.exe (PID: 2452)
  • net1.exe (PID: 2508)
  • net1.exe (PID: 4004)
  • net1.exe (PID: 2720)
  • net1.exe (PID: 3256)
  • net1.exe (PID: 956)
  • net1.exe (PID: 1800)
  • net1.exe (PID: 2912)
  • net1.exe (PID: 2960)
  • net1.exe (PID: 1648)
  • net1.exe (PID: 1500)
  • net1.exe (PID: 3968)
  • net1.exe (PID: 2716)
  • net1.exe (PID: 1828)
  • net1.exe (PID: 3588)
  • net1.exe (PID: 3896)
  • net1.exe (PID: 2600)
  • net1.exe (PID: 3064)
  • net1.exe (PID: 2132)
  • net1.exe (PID: 1368)
  • net1.exe (PID: 3500)
  • net1.exe (PID: 2764)
  • net1.exe (PID: 3108)
  • net1.exe (PID: 1708)
  • net1.exe (PID: 3680)
  • net1.exe (PID: 2836)
  • net1.exe (PID: 2708)
  • net1.exe (PID: 4440)
  • net1.exe (PID: 2560)
  • net1.exe (PID: 4452)
  • net1.exe (PID: 4428)
  • net1.exe (PID: 4460)
  • net1.exe (PID: 4476)
  • net1.exe (PID: 4520)
  • net1.exe (PID: 4952)
  • net1.exe (PID: 5948)
  • net1.exe (PID: 6008)
  • net1.exe (PID: 1828)
  • net1.exe (PID: 5960)
  • net1.exe (PID: 520)
  • net1.exe (PID: 612)
  • net1.exe (PID: 4616)
  • net1.exe (PID: 4172)
  • net1.exe (PID: 4868)
  • net1.exe (PID: 5588)
  • net1.exe (PID: 5788)
  • net1.exe (PID: 4928)
  • net1.exe (PID: 5564)
  • net1.exe (PID: 5304)
  • net1.exe (PID: 5756)
  • net1.exe (PID: 1044)
  • net1.exe (PID: 2872)
  • net1.exe (PID: 2156)
  • net1.exe (PID: 4568)
  • net1.exe (PID: 4900)
  • net1.exe (PID: 5032)
  • net1.exe (PID: 3364)
  • net1.exe (PID: 4536)
  • net1.exe (PID: 524)
  • net1.exe (PID: 4800)
  • net1.exe (PID: 4808)
  • net1.exe (PID: 5872)
  • net1.exe (PID: 5704)
  • net1.exe (PID: 5668)
  • net1.exe (PID: 6116)
  • net1.exe (PID: 5784)
  • net1.exe (PID: 4300)
  • net1.exe (PID: 2336)
  • net1.exe (PID: 5564)
  • net1.exe (PID: 3128)
  • net1.exe (PID: 1296)
  • net1.exe (PID: 2620)
  • net1.exe (PID: 1600)
  • net1.exe (PID: 4024)
  • net1.exe (PID: 5848)
  • net1.exe (PID: 1556)
  • net1.exe (PID: 6072)
  • net1.exe (PID: 4968)
  • net1.exe (PID: 2156)
  • net1.exe (PID: 5036)
  • net1.exe (PID: 3644)
  • net1.exe (PID: 2296)
  • net1.exe (PID: 1384)
  • net1.exe (PID: 2564)
  • net1.exe (PID: 636)
  • net1.exe (PID: 4956)
  • net1.exe (PID: 5324)
  • net1.exe (PID: 4156)
  • net1.exe (PID: 5228)
  • net1.exe (PID: 2468)
  • net1.exe (PID: 1524)
  • net1.exe (PID: 832)
  • net1.exe (PID: 848)
  • net1.exe (PID: 2584)
  • net1.exe (PID: 5212)
  • net1.exe (PID: 3440)
  • net1.exe (PID: 2860)
  • net1.exe (PID: 676)
  • net1.exe (PID: 1708)
  • net1.exe (PID: 4164)
  • net1.exe (PID: 3804)
  • net1.exe (PID: 3064)
  • net1.exe (PID: 3264)
  • net1.exe (PID: 1236)
  • net1.exe (PID: 2728)
  • net1.exe (PID: 4292)
  • net1.exe (PID: 6124)
  • net1.exe (PID: 2096)
  • net1.exe (PID: 4324)
  • net1.exe (PID: 4092)
  • net1.exe (PID: 4528)
  • net1.exe (PID: 3220)
  • net1.exe (PID: 5652)
  • net1.exe (PID: 4256)
  • net1.exe (PID: 2836)
  • net1.exe (PID: 1600)
  • net1.exe (PID: 4668)
  • net1.exe (PID: 5728)
  • net1.exe (PID: 2956)
  • net1.exe (PID: 1520)
  • net1.exe (PID: 2252)
  • net1.exe (PID: 4032)
  • net1.exe (PID: 2832)
  • net1.exe (PID: 4476)
  • net1.exe (PID: 5360)
  • net1.exe (PID: 4400)
  • net1.exe (PID: 5772)
  • net1.exe (PID: 748)
  • net1.exe (PID: 2456)
  • net1.exe (PID: 5848)
  • net1.exe (PID: 4832)
  • net1.exe (PID: 4496)
  • net1.exe (PID: 5188)
  • net1.exe (PID: 2880)
  • net1.exe (PID: 2468)
  • net1.exe (PID: 3888)
  • net1.exe (PID: 3636)
  • net1.exe (PID: 4432)
  • net1.exe (PID: 5092)
  • net1.exe (PID: 5660)
  • net1.exe (PID: 612)
  • net1.exe (PID: 6016)
  • net1.exe (PID: 3256)
  • net1.exe (PID: 1372)
  • net1.exe (PID: 2156)
  • net1.exe (PID: 6084)
  • net1.exe (PID: 4712)
  • net1.exe (PID: 5556)
  • net1.exe (PID: 5436)
  • net1.exe (PID: 4476)
  • net1.exe (PID: 5620)
  • net1.exe (PID: 4508)
  • net1.exe (PID: 6008)
  • net1.exe (PID: 5472)
  • net1.exe (PID: 2900)
  • net1.exe (PID: 2884)
  • net1.exe (PID: 2428)
  • net1.exe (PID: 4392)
  • net1.exe (PID: 2436)
  • net1.exe (PID: 5344)
  • net1.exe (PID: 1124)
  • net1.exe (PID: 1564)
  • net1.exe (PID: 3212)
  • net1.exe (PID: 4744)
  • net1.exe (PID: 2628)
  • net1.exe (PID: 492)
  • net1.exe (PID: 5600)
  • net1.exe (PID: 3908)
  • net1.exe (PID: 6064)
  • net1.exe (PID: 2744)
  • net1.exe (PID: 4492)
  • net1.exe (PID: 4436)
  • net1.exe (PID: 1636)
  • net1.exe (PID: 5792)
  • taskkill.exe (PID: 5428)
  • net1.exe (PID: 3640)
  • taskkill.exe (PID: 3420)
  • taskkill.exe (PID: 3024)
  • taskkill.exe (PID: 3688)
  • taskkill.exe (PID: 4284)
  • net1.exe (PID: 2216)
  • net1.exe (PID: 2860)
  • net1.exe (PID: 3052)
  • taskkill.exe (PID: 3696)
  • net1.exe (PID: 3556)
  • taskkill.exe (PID: 2428)
  • net1.exe (PID: 4924)
  • taskkill.exe (PID: 4992)
  • taskkill.exe (PID: 5644)
  • net1.exe (PID: 4400)
  • taskkill.exe (PID: 4552)
  • taskkill.exe (PID: 5236)
  • taskkill.exe (PID: 5516)
  • net1.exe (PID: 392)
  • taskkill.exe (PID: 3816)
  • taskkill.exe (PID: 5804)
  • taskkill.exe (PID: 2612)
  • net1.exe (PID: 3652)
  • net1.exe (PID: 5308)
  • taskkill.exe (PID: 6080)
  • net1.exe (PID: 964)
  • net1.exe (PID: 5740)
  • net1.exe (PID: 4736)
  • taskkill.exe (PID: 4996)
  • net1.exe (PID: 532)
  • net1.exe (PID: 636)
  • net1.exe (PID: 3812)
  • taskkill.exe (PID: 4320)
  • net1.exe (PID: 5016)
  • net1.exe (PID: 4236)
  • net1.exe (PID: 5088)
  • net1.exe (PID: 2896)
  • net1.exe (PID: 4420)
  • net1.exe (PID: 6028)
  • taskkill.exe (PID: 5680)
  • net1.exe (PID: 3016)
  • net1.exe (PID: 2312)
  • taskkill.exe (PID: 2376)
  • taskkill.exe (PID: 2072)
  • taskkill.exe (PID: 6136)
  • taskkill.exe (PID: 3604)
  • taskkill.exe (PID: 3588)
  • taskkill.exe (PID: 4908)
  • taskkill.exe (PID: 5908)
  • taskkill.exe (PID: 2316)
  • taskkill.exe (PID: 4392)
  • taskkill.exe (PID: 5184)
  • taskkill.exe (PID: 3436)
  • taskkill.exe (PID: 4592)
  • taskkill.exe (PID: 3524)
  • taskkill.exe (PID: 5248)
  • taskkill.exe (PID: 3664)
  • taskkill.exe (PID: 6036)
  • taskkill.exe (PID: 6068)
  • taskkill.exe (PID: 5076)
  • taskkill.exe (PID: 712)
  • taskkill.exe (PID: 6128)
  • taskkill.exe (PID: 4428)
  • taskkill.exe (PID: 4548)
  • taskkill.exe (PID: 3936)
  • taskkill.exe (PID: 3228)
  • taskkill.exe (PID: 5000)
  • taskkill.exe (PID: 5852)
  • taskkill.exe (PID: 5892)
  • icacls.exe (PID: 2684)
  • taskkill.exe (PID: 5828)
  • icacls.exe (PID: 3016)
  • icacls.exe (PID: 4040)
  • arp.exe (PID: 652)
  • net.exe (PID: 2096)
  • net.exe (PID: 5784)
  • net.exe (PID: 3144)
  • WINWORD.EXE (PID: 5140)
  • PING.EXE (PID: 492)
  • SearchIndexer.exe (PID: 1708)
  • chrome.exe (PID: 3612)
  • chrome.exe (PID: 3952)
  • chrome.exe (PID: 5208)
  • chrome.exe (PID: 1124)
  • chrome.exe (PID: 5284)
  • SearchIndexer.exe (PID: 4704)
  • SearchFilterHost.exe (PID: 3060)
  • SearchProtocolHost.exe (PID: 2616)
  • SearchProtocolHost.exe (PID: 5108)
  • chrome.exe (PID: 5500)
  • chrome.exe (PID: 1704)
  • chrome.exe (PID: 5800)
Checks Windows Trust Settings
  • powershell.exe (PID: 2908)
  • powershell.exe (PID: 5024)
  • mshta.exe (PID: 3784)
Reads settings of System Certificates
  • powershell.exe (PID: 5024)
  • mshta.exe (PID: 3784)
  • chrome.exe (PID: 5208)
Manual execution by user
  • WINWORD.EXE (PID: 5140)
  • chrome.exe (PID: 3612)
  • rundll32.exe (PID: 684)
Creates files in the user directory
  • WINWORD.EXE (PID: 5140)
Reads internet explorer settings
  • mshta.exe (PID: 3784)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 5140)
  • SearchProtocolHost.exe (PID: 5108)
Application launched itself
  • chrome.exe (PID: 3612)
Reads the hosts file
  • chrome.exe (PID: 3612)
  • chrome.exe (PID: 5208)
Reads the date of Windows installation
  • chrome.exe (PID: 1704)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Generic CIL Executable (.NET, Mono, etc.) (56.7%)
.exe
|   Win64 Executable (generic) (21.3%)
.scr
|   Windows screen saver (10.1%)
.dll
|   Win32 Dynamic Link Library (generic) (5%)
.exe
|   Win32 Executable (generic) (3.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2021:02:16 06:27:57+01:00
PEType:
PE32
LinkerVersion:
8
CodeSize:
196608
InitializedDataSize:
2048
UninitializedDataSize:
null
EntryPoint:
0x31f62
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
0.0.0.0
ProductVersionNumber:
0.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
FileDescription:
FileVersion:
0.0.0.0
InternalName:
Svchost.exe
LegalCopyright:
OriginalFileName:
Svchost.exe
ProductVersion:
0.0.0.0
AssemblyVersion:
0.0.0.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
16-Feb-2021 05:27:57
FileDescription:
null
FileVersion:
0.0.0.0
InternalName:
Svchost.exe
LegalCopyright:
null
OriginalFilename:
Svchost.exe
ProductVersion:
0.0.0.0
Assembly Version:
0.0.0.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
16-Feb-2021 05:27:57
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00002000 0x0002FF68 0x00030000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.23786
.rsrc 0x00032000 0x000005C5 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.42369
.reloc 0x00034000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0.10191
Resources
1

Imports
    mscoree.dll

Exports

    No exports.

Screenshots

Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 5494 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 60015 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 61024 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 63059 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 72088 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 73087 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 146496 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 147502 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 161587 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 164627 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 171628 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 177659 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 180675 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 181700 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 189766 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 194854 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 198875 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 202906 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 204934 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 205935 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 218033 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 219035 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 222051 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 226079 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 231090 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 233108 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 234108 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 238140 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 246193 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 258298 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 261296 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 266314 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 270333 ms from task started Screenshot of 9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 taken from 284447 ms from task started

Processes

Total processes
932
Monitored processes
579
Malicious processes
2
Suspicious processes
3

Behavior graph

+
start ransom.prometheous.exe_bin.exe no specs ransom.prometheous.exe_bin.exe taskkill.exe no specs reg.exe no specs schtasks.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs net.exe no specs net.exe no specs netsh.exe no specs net.exe no specs net.exe no specs netsh.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net1.exe no specs