Analysis
- max time kernel: 1684s
- max time network: 1846s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 02-07-2021 15:48
Static task: static1
Behavioral task: behavioral1
- Sample: ToDesk_Lite.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: ToDesk_Lite.exe
- Resource: win10v20210410
General
- Target: ToDesk_Lite.exe
- Size: 6.4MB
- MD5: ce5ab2494fc91c67248bbdb085b747c2
- SHA1: bdc554a291a4c4e2bf2490522aa70d0ff262cba7
- SHA256: 4a36398050b818b3ea0067685fc31cedbe3efa017ae741774c527c9391ec26a6
- SHA512: a60d8225cf8c497f8364adde5467ba6872fd56692650b324815c7eec676e263776be8f7aa442e21d3cb733d5d7544d4e6001a2f8a5834f1b834c9de222b0cbc0
Malware Config
Signatures
-
GandCrab Payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1332-94-0x0000000000280000-0x0000000000297000-memory.dmp | family_gandcrab
behavioral1/memory/2208-104-0x00000000001C0000-0x00000000001D7000-memory.dmp | family_gandcrab
behavioral1/memory/2348-111-0x0000000000300000-0x0000000000317000-memory.dmp | family_gandcrab
behavioral1/memory/2360-149-0x0000000000230000-0x0000000000247000-memory.dmp | family_gandcrab
behavioral1/memory/2884-164-0x0000000000240000-0x0000000000257000-memory.dmp | family_gandcrab
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | process
2852 | bcdedit.exe
2248 | bcdedit.exe
-
Executes dropped EXE 9 IoCs
Processes:
pid | process
1720 | Tilde Ransomware.exe
1332 | GandCrab 勒索.exe
2208 | GandCrab 勒索.exe
2348 | GandCrab 勒索.exe
2360 | GandCrab 勒索.exe
2884 | GandCrab 勒索.exe
1904 | CryptoWire Ransomware .exe
2924 | CRYPTO~1.EXE
1840 | CRYPTO~1.EXE
-
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\CryptoWire Ransomware .exe | upx
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
992 | ToDesk_Lite.exe
1904 | CryptoWire Ransomware .exe
2924 | CRYPTO~1.EXE
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | GandCrab 勒索.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\truvmjnonss = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xrczgn.exe\"" | GandCrab 勒索.exe
-
Drops desktop.ini file(s) 14 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | CryptoWire Ransomware .exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | CryptoWire Ransomware .exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\H: | GandCrab 勒索.exe
File opened (read-only) | \??\O: | GandCrab 勒索.exe
File opened (read-only) | \??\U: | GandCrab 勒索.exe
File opened (read-only) | \??\x: | CryptoWire Ransomware .exe
File opened (read-only) | \??\y: | CryptoWire Ransomware .exe
File opened (read-only) | \??\L: | GandCrab 勒索.exe
File opened (read-only) | \??\M: | GandCrab 勒索.exe
File opened (read-only) | \??\b: | CryptoWire Ransomware .exe
File opened (read-only) | \??\K: | GandCrab 勒索.exe
File opened (read-only) | \??\V: | GandCrab 勒索.exe
File opened (read-only) | \??\Y: | GandCrab 勒索.exe
File opened (read-only) | \??\r: | CryptoWire Ransomware .exe
File opened (read-only) | \??\w: | CryptoWire Ransomware .exe
File opened (read-only) | \??\t: | CryptoWire Ransomware .exe
File opened (read-only) | \??\u: | CryptoWire Ransomware .exe
File opened (read-only) | \??\P: | GandCrab 勒索.exe
File opened (read-only) | \??\T: | GandCrab 勒索.exe
File opened (read-only) | \??\X: | GandCrab 勒索.exe
File opened (read-only) | \??\Z: | GandCrab 勒索.exe
File opened (read-only) | \??\m: | CryptoWire Ransomware .exe
File opened (read-only) | \??\q: | CryptoWire Ransomware .exe
File opened (read-only) | \??\s: | CryptoWire Ransomware .exe
File opened (read-only) | \??\B: | GandCrab 勒索.exe
File opened (read-only) | \??\J: | GandCrab 勒索.exe
File opened (read-only) | \??\R: | GandCrab 勒索.exe
File opened (read-only) | \??\a: | CryptoWire Ransomware .exe
File opened (read-only) | \??\j: | CryptoWire Ransomware .exe
File opened (read-only) | \??\f: | CryptoWire Ransomware .exe
File opened (read-only) | \??\k: | CryptoWire Ransomware .exe
File opened (read-only) | \??\n: | CryptoWire Ransomware .exe
File opened (read-only) | \??\A: | GandCrab 勒索.exe
File opened (read-only) | \??\N: | GandCrab 勒索.exe
File opened (read-only) | \??\Q: | GandCrab 勒索.exe
File opened (read-only) | \??\W: | GandCrab 勒索.exe
File opened (read-only) | \??\e: | CryptoWire Ransomware .exe
File opened (read-only) | \??\p: | CryptoWire Ransomware .exe
File opened (read-only) | \??\E: | GandCrab 勒索.exe
File opened (read-only) | \??\G: | GandCrab 勒索.exe
File opened (read-only) | \??\I: | GandCrab 勒索.exe
File opened (read-only) | \??\S: | GandCrab 勒索.exe
File opened (read-only) | \??\v: | CryptoWire Ransomware .exe
File opened (read-only) | \??\o: | CryptoWire Ransomware .exe
File opened (read-only) | \??\z: | CryptoWire Ransomware .exe
File opened (read-only) | \??\F: | GandCrab 勒索.exe
File opened (read-only) | \??\g: | CryptoWire Ransomware .exe
File opened (read-only) | \??\h: | CryptoWire Ransomware .exe
File opened (read-only) | \??\i: | CryptoWire Ransomware .exe
File opened (read-only) | \??\l: | CryptoWire Ransomware .exe
-
Drops file in System32 directory 13 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log | ToDesk_Lite.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\service_2021_07_02.log | ToDesk_Lite.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini | ToDesk_Lite.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini | ToDesk_Lite.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Simple_Encoder\\img.bmp" | Tilde Ransomware.exe
-
Drops file in Program Files directory 6 IoCs
Processes:
description | ioc | process
File created | C:\PROGRA~2\COMMON~1\38260081373826008137 | CryptoWire Ransomware .exe
File opened for modification | C:\PROGRA~2\COMMON~1\7318006283 | CryptoWire Ransomware .exe
File created | C:\PROGRA~2\COMMON~1\3826008137 | CRYPTO~1.EXE
File created | C:\PROGRA~2\COMMON~1\CryptoWire Ransomware .exe | CryptoWire Ransomware .exe
File opened for modification | C:\PROGRA~2\COMMON~1\CryptoWire Ransomware .exe | CryptoWire Ransomware .exe
File opened for modification | C:\PROGRA~2\COMMON~1\update.txt | CryptoWire Ransomware .exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GandCrab 勒索.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GandCrab 勒索.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | GandCrab 勒索.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2460 | vssadmin.exe
-
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | CryptoWire Ransomware .exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | CryptoWire Ransomware .exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
992 | ToDesk_Lite.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1620 | ToDesk_Lite.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
2924 | CRYPTO~1.EXE
1840 | CRYPTO~1.EXE
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
description | pid | process
Token: SeTcbPrivilege | 1620 | ToDesk_Lite.exe
Token: SeBackupPrivilege | 340 | vssvc.exe
Token: SeRestorePrivilege | 340 | vssvc.exe
Token: SeAuditPrivilege | 340 | vssvc.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
992 | ToDesk_Lite.exe
1904 | CryptoWire Ransomware .exe
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
992 | ToDesk_Lite.exe
1904 | CryptoWire Ransomware .exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1620 wrote to memory of 992 | 1620 | ToDesk_Lite.exe | ToDesk_Lite.exe
PID 1620 wrote to memory of 1536 | 1620 | ToDesk_Lite.exe | ToDesk_Lite.exe
PID 1620 wrote to memory of 1012 | 1620 | ToDesk_Lite.exe | ToDesk_Lite.exe
PID 1620 wrote to memory of 1972 | 1620 | ToDesk_Lite.exe | ToDesk_Lite.exe
PID 1620 wrote to memory of 864 | 1620 | ToDesk_Lite.exe | ToDesk_Lite.exe
PID 1620 wrote to memory of 972 | 1620 | ToDesk_Lite.exe | ToDesk_Lite.exe
PID 1620 wrote to memory of 1164 | 1620 | ToDesk_Lite.exe | ToDesk_Lite.exe
PID 1620 wrote to memory of 1440 | 1620 | ToDesk_Lite.exe | ToDesk_Lite.exe
PID 1620 wrote to memory of 1052 | 1620 | ToDesk_Lite.exe | ToDesk_Lite.exe
PID 1332 wrote to memory of 1072 | 1332 | GandCrab 勒索.exe | splwow64.exe
PID 1332 wrote to memory of 2064 | 1332 | GandCrab 勒索.exe | nslookup.exe
PID 1332 wrote to memory of 2100 | 1332 | GandCrab 勒索.exe | nslookup.exe
PID 1332 wrote to memory of 2140 | 1332 | GandCrab 勒索.exe | nslookup.exe
PID 1332 wrote to memory of 2172 | 1332 | GandCrab 勒索.exe | nslookup.exe
PID 1332 wrote to memory of 2220 | 1332 | GandCrab 勒索.exe | nslookup.exe
PID 1332 wrote to memory of 2272 | 1332 | GandCrab 勒索.exe | nslookup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe | "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" | 1
-
C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe | "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" server_start | 1
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe | "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" clinet_hide | 2
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe | "C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video | 2
- Drops file in System32 directory
-
C:\Users\Admin\Desktop\Tilde Ransomware.exe | "C:\Users\Admin\Desktop\Tilde Ransomware.exe" | 1
- Executes dropped EXE
- Sets desktop wallpaper using registry
-
C:\Users\Admin\Desktop\GandCrab 勒索.exe | "C:\Users\Admin\Desktop\GandCrab 勒索.exe" | 1
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe | C:\Windows\splwow64.exe 12288 | 2
-
C:\Windows\SysWOW64\nslookup.exe | nslookup zonealarm.bit ns1.cloud-name.ru | 2
-
C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns2.cloud-name.ru | 2
-
C:\Windows\SysWOW64\nslookup.exe | nslookup zonealarm.bit ns2.cloud-name.ru | 2
-
C:\Windows\SysWOW64\nslookup.exe | nslookup ransomware.bit ns1.cloud-name.ru | 2
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns2.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup zonealarm.bit ns1.cloud-name.ru2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup ransomware.bit ns2.cloud-name.ru2⤵
-
C:\Users\Admin\Desktop\GandCrab 勒索.exe"C:\Users\Admin\Desktop\GandCrab 勒索.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\Desktop\GandCrab 勒索.exe"C:\Users\Admin\Desktop\GandCrab 勒索.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\Desktop\GandCrab 勒索.exe"C:\Users\Admin\Desktop\GandCrab 勒索.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\Desktop\GandCrab 勒索.exe"C:\Users\Admin\Desktop\GandCrab 勒索.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\Desktop\CryptoWire Ransomware .exe"C:\Users\Admin\Desktop\CryptoWire Ransomware .exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3826008137 /rl highest /tr C:\PROGRA~2\COMMON~1\CRYPTO~1.EXE2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc onlogon /tn 3826008137 /rl highest /tr C:\PROGRA~2\COMMON~1\CRYPTO~1.EXE3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C title 4139863|vssadmin.exe Delete Shadows /All /Quiet2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" title 4139863"3⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C title 4632181|bcdedit /set {default} recoveryenabled No2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" title 4632181"3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C title 7098827|bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" title 7098827"3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\Desktop\CRYPTO~1.EXEC:\Users\Admin\Desktop\CRYPTO~1.EXE2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\Desktop\CRYPTO~1.EXEC:\Users\Admin\Desktop\CRYPTO~1.EXE3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\ToDesk\config.ini
-
C:\Users\Admin\Desktop\CompressPush.vbs.~
-
C:\Users\Admin\Desktop\CryptoWire Ransomware .exe
-
C:\Users\Admin\Desktop\GandCrab 勒索.exe
-
C:\Users\Admin\Desktop\GroupUnregister.xls.~
-
C:\Users\Admin\Desktop\ReadEnter.bat.~
-
C:\Users\Admin\Desktop\RequestOptimize.avi.~
-
C:\Users\Admin\Desktop\SetUpdate.mpg.~
-
C:\Users\Admin\Desktop\SplitDebug.png.~
-
C:\Users\Admin\Desktop\StepDisable.xlsx.~
-
C:\Users\Admin\Desktop\StepSelect.avi.~
-
C:\Users\Admin\Desktop\Tilde Ransomware.exeMD5
d7eab96f074b593c3fc7139c6eb818bb
SHA18d2c81ae64c4a534af5299b9110aaee5bb74011d
SHA2567784ef4f0c425eb5578559102faaa99c4fba0ab2c2ff7dbe5fcc3c9e731a97a7
SHA5120d5b13641716d78b759e78fcdf41d23a5df48593737019072d7272f9cb0f8691b4c7c924439a72356e40f078d908de78845f5006e81173326f87dcd73cc24e8a
-
C:\Users\Admin\Desktop\Tilde Ransomware.exeMD5
3d83ed39ffc379a1608a7a341fc01e33
SHA1b0edd30d27468dd056da58f6c3ad4808f9c4eab3
SHA256165f6a9f94265fff5602882ae53fd92a1ab3c353a301630db946561fbf40f9b1
SHA512799e72329611dcee4ca221a63c252941286a298565067a35e7d587e69936f1aa7bb031b0cff1658942bc66d69d02311114a5db064f939b01707bb4e03b443934
-
C:\Users\Admin\Desktop\UnpublishStep.mpg.~MD5
b344a429bd6fe514108748da6a3582ae
SHA1bd6de0b372c980e310d7f77cc85c4b0deefddbd0
SHA2562762a3cff602466fe9b1cfdcc28cea38165410f4b9499256b2be35891d64199a
SHA5128e77d8ade6b9cd863ec80f02e3222b3b72cf5d4b3276a656838bd5ede874297fa1d1989d69816f0dbcdefd304437bdec715cd33cc2c2e9c726f228fe6c3413ea
-
C:\Users\Admin\Desktop\_RECOVER_INSTRUCTIONS.iniMD5
1dd27ae64ed6573ca668533583acec4c
SHA118d44a97f1acd8df94db0d60fc5573843d6294fe
SHA25612c6e119fe0c5c165845f9a9ada9802419c3d6dd98b64fc3e2fbde9565dfb73b
SHA512043251a6ae5edb93ae0fe70fc126af0443349984426992379e87dca09e3c3d25fe960c36b4f243daaaa7c6e059c387ee848d691ed2aa5be1073f958b887a1f00
-
C:\Users\Admin\Documents\AddOptimize.potm.~MD5
e2aacc26b39e18cb02d8e57707687fcf
SHA1d4f935c5334e9027edd0c9c654caa7189721d906
SHA256eccbdb5b8ea2ac7183cc7d7ae83f7ebc76d4078300fef4ddf5d54b3b7b190ba5
SHA512a435b404628c75204165d7129430a5a57486784c47d0461d9a472651526dda819786e4c8e9622d5f35f8d53afdc5a03d56459e324d40ce2d9e1083f0d926bf08
-
C:\Users\Admin\Documents\Are.docx.~MD5
977e65af8c86d3d5de0ca39d4855691e
SHA10b3c2bb95fc0316846d94a4fb9fba6a8da2ad27e
SHA256a81831e8e0e368cf7b39c6bf4b8a48d231f110a4b22857f14cb0daf70f5dd2e0
SHA51207f5143c0add645376219f7d3969db5c40412370be8e73462fe10d4a72eae8862bd9ce140b736de915004d8e467d50de2a09b60e202feeaf9e9a039423aaf8e5
-
C:\Users\Admin\Documents\ClearDebug.ppsx.~MD5
5b90028a85729192577f8db7c6116403
SHA19baee739257dbb9cc43058d6aaaf1d70c7ee93dc
SHA25644d8ea036675afac53a4591968438e3d3e6886a622366408d5981804c9541e66
SHA5122ca8ff6dc338f822b8a6b5c888ba79abd3b1fdc609f0eb3140db95be909fd1f521c49fbc2c9f31dfb6f7d87f8216cfffed09de4344b5586c7fe5bde8f339eb9b
-
C:\Users\Admin\Documents\CloseReset.xml.~MD5
649b6d947426557143584ab15f7947b4
SHA1e5f3e08de2eb48754a288603863c2e5672671559
SHA256a1e6d0a50f2f72f203c3ba746353018d80f69f2b896512fd2818b3024e828055
SHA5123f3d1d8d5de8b4fbca8bbae8064bdfb93cc977351ec9d8ebe780857e831fdb2afc68307ab0a5c5192cc53a662b0d9034cbdace9017d61ac8ec1bc18b602b9f92
-
C:\Users\Admin\Documents\ConfirmPush.dotm.~MD5
640e06293c81d479eaa57245bb816ee9
SHA12482eda22687bc39d9dd24c199547f9eab99a7a7
SHA256ddd217957d07db3e45715b9dd516de7ced4e3a4a3ce94984b9ef09d4cf563764
SHA512d26b15f42a33f9b741868b2896c6e18fd8e197eaf78c0e40536e4e2ea75dca80131a18f884acbd9078fd7cd480796246d56d4b13f7d5c71a632cf3c9d621c4e5
-
C:\Users\Admin\Documents\ConvertFromUndo.docm.~MD5
ac0861ffd0321c63ede1a2dea4992cb9
SHA1021e0f0bdd0c8056d9b54504e3c664ccec525618
SHA2569b825797e534c2b7c700a99148fa2caf9a9042cdeb122ce729dd1e6ccc0e0e87
SHA512ee991027a54ded46f072f755ee71fae7335fb90184530933805fc8864dda9ace70efa8073da9eecdeb223342c2b8107d8298cfa87b66cb3dcfd0d280eda8c190
-
C:\Users\Admin\Documents\CopyDebug.ppsx.~MD5
474d4fd5abb593f95bfc8a44ca38be44
SHA1069478a5786526d0fde3ce82e7c4d7a911727fca
SHA256d730b97be66ef18ed86f3d3fc58abe9363974bf6613105aa79cb78fd29897c31
SHA5129f2a5956f7f5e36c44e5c28eaffb9e61761d7822c20e745e6ecc1867dae5455fe2cadfa06422e8fad27cab3663da741790934abdfbb6c83db8914433c4035f4c
-
C:\Users\Admin\Documents\Files.docx.~MD5
6c64058c9a8c185b6cd944b2e925bcd2
SHA1cbd5a2a7cdc3406729318c27b40a179fb31e180b
SHA25626de854a26859cb4daa97433006f059e059ce9cc0202e14b69343f656663ef50
SHA512c7470865b4a22fd932cf2edf43ce7dce6a80f538ccb469e855ab8409aab28cc85f946a55b0ec350e69b53afac0da3a23c13ba9b32cf104721ea97e126fae99d2
-
C:\Users\Admin\Documents\GrantSubmit.dotx.~MD5
73c0d3f6469e4a1c2d48e6a109c3a2c8
SHA1314f5c5715d19090929ec45a0234596e02e2261c
SHA256da9ccf672805650fb398e775c0ab3a367296ba4ba423c544497ae0bf32b257a8
SHA5129d8511f00c9f3c5f4bde212e319abbc67adbd1005ff026799c2ddd57300e91981045173cd6a3aa4ff97b06e24bd1695a19214beb0cf36240319f5f8e6b4e1271
-
C:\Users\Admin\Documents\Opened.docx.~MD5
6c64058c9a8c185b6cd944b2e925bcd2
SHA1cbd5a2a7cdc3406729318c27b40a179fb31e180b
SHA25626de854a26859cb4daa97433006f059e059ce9cc0202e14b69343f656663ef50
SHA512c7470865b4a22fd932cf2edf43ce7dce6a80f538ccb469e855ab8409aab28cc85f946a55b0ec350e69b53afac0da3a23c13ba9b32cf104721ea97e126fae99d2
-
C:\Users\Admin\Documents\Recently.docx.~MD5
977e65af8c86d3d5de0ca39d4855691e
SHA10b3c2bb95fc0316846d94a4fb9fba6a8da2ad27e
SHA256a81831e8e0e368cf7b39c6bf4b8a48d231f110a4b22857f14cb0daf70f5dd2e0
SHA51207f5143c0add645376219f7d3969db5c40412370be8e73462fe10d4a72eae8862bd9ce140b736de915004d8e467d50de2a09b60e202feeaf9e9a039423aaf8e5
-
C:\Users\Admin\Documents\SearchUnpublish.doc.~MD5
6fb9a4a876ca216a5010dc4b951b24bd
SHA117082793116a719cd4c42244c61424d36a4fd728
SHA256499f94a61313a087d2e4356a4c8e24b985725ef1475c3290cb07155a45903727
SHA512b010a19a8fac04f561508938fc8840f170d2099266d03d0ddc72b86fed792caae549869e6d1301ac8f004d0c7706cb9a7d0afb1386ff912f9c535760cbab3041
-
C:\Users\Admin\Documents\SyncExit.ppt.~MD5
d9c9da89867490d7a037103c5ed037cd
SHA1b7e866ad11353c35db0df9f64369053e2ee97251
SHA256c424645463ec39a284a20d917022e23ce2270ba0840a302cdff90e5c708343f0
SHA5121ec85f06f7a17f21eac1bd86dffb2f4d86c43ee1053424e0bb684bca75e6ae47136c31d065637e939a8cb0a04a0788aff7417c35b91363149666a89bd4aa2487
-
C:\Users\Admin\Documents\These.docx.~MD5
dc3d46991fe82636753e08c9d82e40a9
SHA16221e66f8668817da7c14502079cd49e1c2a7234
SHA256bcc4922821f675e94f05dab4d9ae4eceefbe8d4def52c0ac1e485684b4bc95ba
SHA512ed813c8e6a024ca2150088efe471084c6c61bee5e16f55c1234e77375ecbfd1daa371f027c446369e8815c17f5fe8f14b4a96806e13075b6d96d925d14b18d45
-
C:\Users\Admin\Documents\UninstallExport.dot.~MD5
7fc6b36597ccc2b3ba21d8e780b4960f
SHA1c9974906b9f782ac05f62c5c352a63dc02d2db9c
SHA25688411b73423761f66c0df0a1cad9c5edb0dbbf545adfee57ddae6797fae5f05e
SHA5121fbe3c5a67962444201b6b21971c8aaa9ab4f42635894db289699d97768d2bf51e26e22093d9a3169c380c89d4c0887e41ebe342b2f1ccf5a652a524d2b26032
-
C:\Users\Admin\Documents\WatchLimit.xltx.~MD5
4c5a9df227b28be333747d0712da39c3
SHA1479497793b78e062a284dec33ded844a2f0f8083
SHA256426e32da73308205504682603f9e2fd19e9089cbcc03565fbfd10b396bc318d3
SHA512955d31aa52e8ee3092e55627577468eac27e7647b689b202372102d4d3573a40b7dd40a069a14cc4fe1c6ebd8113249cb821ca0550d80a7799a01d5781715be9
-
C:\Users\Admin\Documents\_RECOVER_INSTRUCTIONS.iniMD5
1dd27ae64ed6573ca668533583acec4c
SHA118d44a97f1acd8df94db0d60fc5573843d6294fe
SHA25612c6e119fe0c5c165845f9a9ada9802419c3d6dd98b64fc3e2fbde9565dfb73b
SHA512043251a6ae5edb93ae0fe70fc126af0443349984426992379e87dca09e3c3d25fe960c36b4f243daaaa7c6e059c387ee848d691ed2aa5be1073f958b887a1f00
-
C:\Users\Admin\Downloads\MountRestart.odt.~MD5
cf991f1eea7e344a15f009dd0feb02ec
SHA150a5bae733ac745c441edfdd15395872b613972a
SHA2567fa8f1634aee30b90c44f6c96bc3f0f5a6ddab88e61db13be930dc0237742b86
SHA51211411db17c72592a65a7fcfa7b1928eb700e318f5ad4ea082ded822e417bdcf78911c28f4ad784ec6837ddd735a6399c3844f6d007a9bdf7cb8bad1495e5e9bb
-
C:\Users\Admin\Downloads\ResetConfirm.bmp.~MD5
fc63ec3665e07cc427b9349e2418e79b
SHA1c278908c82d116c18870f540cfffdcc25340a669
SHA256aade923f07933e1f68047238f9cde9b8c0d18ff72025629029f90c25ebe7d1f0
SHA512afc34d2ce8a6088d6c835e5f41d6d57ecde66f85f32463ea772369802ab589c836156a66caadaec85136305948fe250309d44f404808ac0748341fc947a56dc1
-
C:\Users\Admin\Downloads\ResumeUnregister.txt.~MD5
fe3cc8861c12cdb5e2ebb5365fe74bec
SHA1cfa5e75105ed8c5e2440fed4188ad9229469edd2
SHA2566c82ead96b7974f1b62c06893b964816e229fd8cf7b424aceb2cabb8f6e735b5
SHA5124f7e7d864a9d91b0c828f2aa21a13d425ced48a5e5b11c5591bb372f1137ebfaf14765a078488ebee9b2b9f7e46c39e5b166e8290b2d737664a6cd8319a19818
-
C:\Users\Admin\Downloads\RevokeWatch.xlsb.~MD5
61142c7046526718b0cdf8ad77e5909b
SHA1f2a2aa2aefc9493cf511ea0ec3cc4b599fd63a44
SHA25618fe7770cd5d204c9cbd3c0123c0f25508ec3196c45ca7c15d40415baa96a6d5
SHA5122a23833cc3c16c4fadd4e54b3b6810e0b2fdfe2663075cd3e4559f5a34491e60ea0cf35802f8319fe2ec3890b530b04162408db1382596bac09cc0e5a6d840f0
-
C:\Users\Admin\Downloads\WriteRepair.asf.~MD5
cfb11b6f7fe9ca525bb27412f2c00c7d
SHA17fe56e1a296abd68cdcb1dbbe1f491851e688968
SHA2563590f707f270b7e937ba8ab753934419d073829609362a412e27ebc0b00c12f7
SHA5122040bb00729b80e68d439867788719a99782885cd4e802acbe158b3e28044336c7d4d0cf1139f805236112861e8dc3543cfa2d6ac8c288cae67340746dd71c20
-
C:\Users\Admin\Downloads\_RECOVER_INSTRUCTIONS.iniMD5
1dd27ae64ed6573ca668533583acec4c
SHA118d44a97f1acd8df94db0d60fc5573843d6294fe
SHA25612c6e119fe0c5c165845f9a9ada9802419c3d6dd98b64fc3e2fbde9565dfb73b
SHA512043251a6ae5edb93ae0fe70fc126af0443349984426992379e87dca09e3c3d25fe960c36b4f243daaaa7c6e059c387ee848d691ed2aa5be1073f958b887a1f00
-
C:\Users\Admin\Music\ApproveRedo.rtf.~MD5
aefbb693dddc9280750ded23cc1ff150
SHA171af792039ed0e309fbf927edf2f333af3b64acd
SHA2563e66a03c3ab2ec3f2c6f37f7cedc2231c517f0338c288d7cb580b13fd2fb09c0
SHA512ebc09388d52a3a421e91a57c9539db9abca7bace9142e6efa42463bc9c3886f3aff24f2264275a0d66cec85e5eee825f9256ec85a9a08a0ceaf5e5ad99ff151d
-
C:\Users\Admin\Music\BackupMount.xml.~MD5
592136a3df6bc53ec0a6ae4542b8795e
SHA149dce28f6f32edc300dd02c4583ba43a8e034314
SHA256ff3beb6b7e4b1bb3e5a007696c4cb4e01ee77a6c4e5607a5996179ba83b2a619
SHA5121b73ce4878041fa98c9690be19aa76a0c044fa8c700b1c9c06a5ed91be7b590bd24f027279a6a321bf310e19daeecf8b3bf687be27784bb0b88c019329fa1f7a
-
C:\Users\Admin\Music\CompressSelect.raw.~MD5
9db43859117784c1007329879242c5c1
SHA1512717722dc219a06355a684f74353c6e38f8589
SHA256f7152d430af75f3744151971e569e2ae41074315c0609f8f19a53207617da027
SHA51209b771c42c275b1e7d3824147462a616c29baeafb615091bb454e7859ede550d227605b6e43913731b0af054648cdb2b7cb6a1c7e26e64fd6977d65ae40e0940
-
C:\Users\Admin\Music\ResizeUnlock.wma.~MD5
f61a6619084dcd21146b2d72bef7efce
SHA1f6f83562a1debe69b5f49f521fa2796237a5b6fd
SHA256aef68b869296649f6665547dc64adfe10a7a3eeac80c12af1922d9a156acd77d
SHA512a0ce491f6c4e8d6184371cfdac1ae4d54b7f7860ebee69bdb521fa658cd921d57ca800d74033bce7f77e14b76469621bf660c2fab5f6471a41d6b8c2e5bacbbd
-
C:\Users\Admin\Music\ResolveAdd.sql.~MD5
7a559a705ffb88c07d1ac5420e233ec3
SHA12691b64d666065a3c546ba35c32ef8248d98d514
SHA25615dcf3a0149e60409af6b4515924dab445e79521f0cff03ecd31309563da853d
SHA51206047c103ac47937b3244c6510f8a48afb76694d7867916aefeca870a5bc6db921fd5b90599ecab11474c0ee033a879f224ff3f16e950e0ff40021c9b838360a
-
C:\Users\Admin\Music\StopAdd.jpeg.~MD5
14eb169c5efd4d25541ed8061416f02f
SHA1425e5671d55f12e1dd5b30524b0e47dd08ceb2d6
SHA256e2a75d1099f0f5f60f5555192cfdf4da3ab5aed9f2de434a5e14f5323ff3eb99
SHA512f83023a8a527f16e9c1f5e48c2b6e0e0d1ad66f93d665a2093d28dd03fe9c8b2c32b919b44589dd9e7bf0b87fd5ae700786da12a79c857f258763205cf2c5092
-
C:\Users\Admin\Music\StopBlock.xls.~MD5
1ef824751b2c3384c15f4083e36b9546
SHA17dad41b851084bdfe9a3201942505f5c0804fcd6
SHA256b8f872a97f08a9cd215b81a58af55788291b80fe540a6e98ea4e5919bb1c0263
SHA512e321f1b2150cff400fa54278ead68e2c54e44ed24dbe5f96f68223fef48c2fca628041804ec31ad66338d722c6848dc6d1fb303a8e9441038f3d2ac8ba0a6a4b
-
C:\Users\Admin\Music\UseResume.rar.~MD5
21c80421e632e113bce870ec5938c09c
SHA1d5cbbf0140e349f29378ff65ef6d3c876550e3b8
SHA2564ca3be1ff170f1e94a77dd368bd440f9bf54dff1d2f3d5b6f187cdda3981593a
SHA5120510c72d3b9694bd388122476abd8fe14cba870dcbf7aa44f93ce3e4c43e3773bca24b6eec857f50e670d34bacf91f5c056045e6b343c0c6c6bf9ab97b6fa20e
-
C:\Users\Admin\Music\_RECOVER_INSTRUCTIONS.iniMD5
1dd27ae64ed6573ca668533583acec4c
SHA118d44a97f1acd8df94db0d60fc5573843d6294fe
SHA25612c6e119fe0c5c165845f9a9ada9802419c3d6dd98b64fc3e2fbde9565dfb73b
SHA512043251a6ae5edb93ae0fe70fc126af0443349984426992379e87dca09e3c3d25fe960c36b4f243daaaa7c6e059c387ee848d691ed2aa5be1073f958b887a1f00
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.logMD5
7e5620ca93b3f8db0d8902571c8d8858
SHA1e59293fcdee1f495aa36871370ecf0814d7da671
SHA256851c8e6cecf9d807f4d8300563096c891dcce2f008f4996e7a924ee50dbba20e
SHA512058f419760de07cc0445b770631b29eab4696e68705624cba27f761cb39c67b2b51e93f0e68441a43019de04b7916fd80050558d8b8da8712bbd7a16eb3cffd0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.logMD5
7e5620ca93b3f8db0d8902571c8d8858
SHA1e59293fcdee1f495aa36871370ecf0814d7da671
SHA256851c8e6cecf9d807f4d8300563096c891dcce2f008f4996e7a924ee50dbba20e
SHA512058f419760de07cc0445b770631b29eab4696e68705624cba27f761cb39c67b2b51e93f0e68441a43019de04b7916fd80050558d8b8da8712bbd7a16eb3cffd0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.logMD5
80ef353e87d5c400afa9e6dc91bc3a79
SHA1addaff4001e98f48cdc6eb07a885e3a14c9a9252
SHA2561ae420009452201cf192fa912a18ec05d9342f80895c4716b099b8087215f41b
SHA512fc7244301a52697568b33dc9232fd3ba7f1d07d5ad11149828a6135abe0f5344954f5976bda8e841de158168f14f2963bdba47bc35041a8448bc00fecf6da1ee
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.logMD5
519eabefb0c4f60c72d4a0c58f26e2bd
SHA115657decb81f730b08b8599161eb58faf572daba
SHA2565605a755f5345e0f04ea1e6d447e8d7eb6ac6adaa74e2f13f25b50d0d7bba230
SHA5122cfaf025575fe045b1482469e1bf91e2db656759abfe70bacfaad7a2bf25edd50281886ac9f247445976700917a20bd480d8ca29e45f53842ab08d2f194a4d73
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.logMD5
7aa6d4660d5141c31551003847a330aa
SHA1cc5db3e38830a1db13c26edbbfbb6fe6904e2cba
SHA25624ab151a95db3c904c380e99a6b166673a90f2a681115fe461acd3b254aa5a3d
SHA5124c657ce550b390d42abfdbcb7cb15b2938a877fb029b6517dbd42f40d2b6766f08961c8ec82dd896b332a0a15f409f1114e8ffef14e73c203681df8f3dfa2836
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.logMD5
e54ace05b678472f2c5d19f0ee41fc73
SHA1840d01d970e90bd89aa2001c4ffd04a008272601
SHA256d3f591a7c5dc095c9db6686143e870baf35e5dffd8e486bfe2024b0fd72086ba
SHA51249bb08e7d697dd9d5a27e650b708abf1885838548335b0d787b371ae30abfa13315fbe0d07bdfd400a484e122d42f513463e7ef5d5a0e71220c911f96040e762
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.logMD5
7b85b183f306bf21976c053f3cfa4ecf
SHA1be3c5b07824d2ec13dc299d601fb87f5aac9ed68
SHA2564903a9fed78755adf230d0f019c86d95393cf3470fe79b1efa60fad1ed6d2ebe
SHA5124f7b5f46c4c730d8084c72162a2e701900a0128e059435c1e7eb84805a33bb6ae7735b4f7f91b2e08a56321d89f669297c65ac2d7bc7b0770e6592b3f59df4f4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.logMD5
4f04388359db224cc38d5461b2e4a1ff
SHA1e70776a0fc07b19b228559ac996ff45eb3e91cc5
SHA2566e7eec0ddfc681628cdc7e9572482fd762668ac59d9af5e9683368cfbe2545d5
SHA51299e80963ea62a8d7e72ecc72c721f504245f1a599b6181e7f8e9b1e937fab4890ec0322716fd1294be2ad114d3d980665b6b4845573b9e6b219b5ba1639e44d8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.logMD5
863f9f040ca2c1efe2e1deaec62ae9e2
SHA1183259da8636f62af361fbc8762c22a1f4dedbd0
SHA2565d850b6810e8f35b8088778075d5547b060af08b2f9423bec6dc06dea56715e2
SHA5125ff4905c5056c28f233df8fd9f9f889300a6ecb887fc6b407cda983012a01768a37360cce760de5cc4613d011ad240cbc77afc2c7def109c8ca0ca2c1bc9788c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.iniMD5
f521075099c64c96dd7bef7b0d173ac2
SHA1d6fbbfad3a41414e3337e39d726c348e3bcbb6cd
SHA25655fa0e72a80049b9415c5be0c14737971aea2fce4d50395f363e135e7b0ec084
SHA512036ed2a775d96914808f9b81483917c224b87a255e297fca6a2105c8f205647ae23f3eda3fc06eee1618cb74d65ddb431588b2d8dcdc676c6669879eb404420b
-
\Users\Admin\Desktop\Tilde Ransomware.exeMD5
3d83ed39ffc379a1608a7a341fc01e33
SHA1b0edd30d27468dd056da58f6c3ad4808f9c4eab3
SHA256165f6a9f94265fff5602882ae53fd92a1ab3c353a301630db946561fbf40f9b1
SHA512799e72329611dcee4ca221a63c252941286a298565067a35e7d587e69936f1aa7bb031b0cff1658942bc66d69d02311114a5db064f939b01707bb4e03b443934
-