gandcrab | 4a36398050b818b3ea0067685fc31cedbe3efa017ae741774c527c9391ec26a6

Resubmissions

09-07-2021 13:58

210709-xk3hc7raax 8

02-07-2021 15:48

210702-mee6653ca6 10

Analysis

max time kernel
1684s
max time network
1846s
platform
windows7_x64
resource
win7v20210408
submitted
02-07-2021 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ToDesk_Lite.exe
Size

6.4MB
MD5

ce5ab2494fc91c67248bbdb085b747c2
SHA1

bdc554a291a4c4e2bf2490522aa70d0ff262cba7
SHA256

4a36398050b818b3ea0067685fc31cedbe3efa017ae741774c527c9391ec26a6
SHA512

a60d8225cf8c497f8364adde5467ba6872fd56692650b324815c7eec676e263776be8f7aa442e21d3cb733d5d7544d4e6001a2f8a5834f1b834c9de222b0cbc0

Score

10^/10

gandcrab backdoor evasion persistence ransomware upx

Malware Config

Signatures

GandCrab Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1332-94-0x0000000000280000-0x0000000000297000-memory.dmp	family_gandcrab
behavioral1/memory/2208-104-0x00000000001C0000-0x00000000001D7000-memory.dmp	family_gandcrab
behavioral1/memory/2348-111-0x0000000000300000-0x0000000000317000-memory.dmp	family_gandcrab
behavioral1/memory/2360-149-0x0000000000230000-0x0000000000247000-memory.dmp	family_gandcrab
behavioral1/memory/2884-164-0x0000000000240000-0x0000000000257000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2852 bcdedit.exe
2248 bcdedit.exe

pid	process
2852	bcdedit.exe
2248	bcdedit.exe

Executes dropped EXE 9 IoCs

Processes:

Tilde Ransomware.exeGandCrab 勒索.exeGandCrab 勒索.exeGandCrab 勒索.exeGandCrab 勒索.exeGandCrab 勒索.exeCryptoWire Ransomware .exeCRYPTO~1.EXECRYPTO~1.EXE

pid	process
1720	Tilde Ransomware.exe
1332	GandCrab 勒索.exe
2208	GandCrab 勒索.exe
2348	GandCrab 勒索.exe
2360	GandCrab 勒索.exe
2884	GandCrab 勒索.exe
1904	CryptoWire Ransomware .exe
2924	CRYPTO~1.EXE
1840	CRYPTO~1.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\CryptoWire Ransomware .exe	upx
C:\Users\Admin\Desktop\CryptoWire Ransomware .exe	upx

Loads dropped DLL 3 IoCs

Processes:

ToDesk_Lite.exeCryptoWire Ransomware .exeCRYPTO~1.EXE

pid process

992 ToDesk_Lite.exe
1904 CryptoWire Ransomware .exe
2924 CRYPTO~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GandCrab 勒索.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	GandCrab 勒索.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\truvmjnonss = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xrczgn.exe\""	GandCrab 勒索.exe

Drops desktop.ini file(s) 14 IoCs

Processes:

CryptoWire Ransomware .exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CryptoWire Ransomware .exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CryptoWire Ransomware .exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GandCrab 勒索.exeCryptoWire Ransomware .exe

description	ioc	process
File opened (read-only)	\??\H:	GandCrab 勒索.exe
File opened (read-only)	\??\O:	GandCrab 勒索.exe
File opened (read-only)	\??\U:	GandCrab 勒索.exe
File opened (read-only)	\??\x:	CryptoWire Ransomware .exe
File opened (read-only)	\??\y:	CryptoWire Ransomware .exe
File opened (read-only)	\??\L:	GandCrab 勒索.exe
File opened (read-only)	\??\M:	GandCrab 勒索.exe
File opened (read-only)	\??\b:	CryptoWire Ransomware .exe
File opened (read-only)	\??\K:	GandCrab 勒索.exe
File opened (read-only)	\??\V:	GandCrab 勒索.exe
File opened (read-only)	\??\Y:	GandCrab 勒索.exe
File opened (read-only)	\??\r:	CryptoWire Ransomware .exe
File opened (read-only)	\??\w:	CryptoWire Ransomware .exe
File opened (read-only)	\??\t:	CryptoWire Ransomware .exe
File opened (read-only)	\??\u:	CryptoWire Ransomware .exe
File opened (read-only)	\??\P:	GandCrab 勒索.exe
File opened (read-only)	\??\T:	GandCrab 勒索.exe
File opened (read-only)	\??\X:	GandCrab 勒索.exe
File opened (read-only)	\??\Z:	GandCrab 勒索.exe
File opened (read-only)	\??\m:	CryptoWire Ransomware .exe
File opened (read-only)	\??\q:	CryptoWire Ransomware .exe
File opened (read-only)	\??\s:	CryptoWire Ransomware .exe
File opened (read-only)	\??\B:	GandCrab 勒索.exe
File opened (read-only)	\??\J:	GandCrab 勒索.exe
File opened (read-only)	\??\R:	GandCrab 勒索.exe
File opened (read-only)	\??\a:	CryptoWire Ransomware .exe
File opened (read-only)	\??\j:	CryptoWire Ransomware .exe
File opened (read-only)	\??\f:	CryptoWire Ransomware .exe
File opened (read-only)	\??\k:	CryptoWire Ransomware .exe
File opened (read-only)	\??\n:	CryptoWire Ransomware .exe
File opened (read-only)	\??\A:	GandCrab 勒索.exe
File opened (read-only)	\??\N:	GandCrab 勒索.exe
File opened (read-only)	\??\Q:	GandCrab 勒索.exe
File opened (read-only)	\??\W:	GandCrab 勒索.exe
File opened (read-only)	\??\e:	CryptoWire Ransomware .exe
File opened (read-only)	\??\p:	CryptoWire Ransomware .exe
File opened (read-only)	\??\E:	GandCrab 勒索.exe
File opened (read-only)	\??\G:	GandCrab 勒索.exe
File opened (read-only)	\??\I:	GandCrab 勒索.exe
File opened (read-only)	\??\S:	GandCrab 勒索.exe
File opened (read-only)	\??\v:	CryptoWire Ransomware .exe
File opened (read-only)	\??\o:	CryptoWire Ransomware .exe
File opened (read-only)	\??\z:	CryptoWire Ransomware .exe
File opened (read-only)	\??\F:	GandCrab 勒索.exe
File opened (read-only)	\??\g:	CryptoWire Ransomware .exe
File opened (read-only)	\??\h:	CryptoWire Ransomware .exe
File opened (read-only)	\??\i:	CryptoWire Ransomware .exe
File opened (read-only)	\??\l:	CryptoWire Ransomware .exe

Drops file in System32 directory 13 IoCs

Processes:

ToDesk_Lite.exeToDesk_Lite.exeToDesk_Lite.exeToDesk_Lite.exeToDesk_Lite.exeToDesk_Lite.exeToDesk_Lite.exeToDesk_Lite.exeToDesk_Lite.exeToDesk_Lite.exeToDesk_Lite.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\service_2021_07_02.log	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log	ToDesk_Lite.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Tilde Ransomware.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Simple_Encoder\\img.bmp"	Tilde Ransomware.exe

Drops file in Program Files directory 6 IoCs

Processes:

CryptoWire Ransomware .exeCRYPTO~1.EXE

description	ioc	process
File created	C:\PROGRA~2\COMMON~1\38260081373826008137	CryptoWire Ransomware .exe
File opened for modification	C:\PROGRA~2\COMMON~1\7318006283	CryptoWire Ransomware .exe
File created	C:\PROGRA~2\COMMON~1\3826008137	CRYPTO~1.EXE
File created	C:\PROGRA~2\COMMON~1\CryptoWire Ransomware .exe	CryptoWire Ransomware .exe
File opened for modification	C:\PROGRA~2\COMMON~1\CryptoWire Ransomware .exe	CryptoWire Ransomware .exe
File opened for modification	C:\PROGRA~2\COMMON~1\update.txt	CryptoWire Ransomware .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GandCrab 勒索.exeGandCrab 勒索.exeGandCrab 勒索.exeGandCrab 勒索.exeGandCrab 勒索.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab 勒索.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab 勒索.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab 勒索.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab 勒索.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab 勒索.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab 勒索.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab 勒索.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab 勒索.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab 勒索.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab 勒索.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab 勒索.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab 勒索.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab 勒索.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab 勒索.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab 勒索.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2676 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2460 vssadmin.exe

pid	process
2676	schtasks.exe

pid	process
2460	vssadmin.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

CryptoWire Ransomware .exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	CryptoWire Ransomware .exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	CryptoWire Ransomware .exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	CryptoWire Ransomware .exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

ToDesk_Lite.exe

pid process

992 ToDesk_Lite.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ToDesk_Lite.exe

pid	process
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe
1620	ToDesk_Lite.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

CRYPTO~1.EXECRYPTO~1.EXE

pid process

2924 CRYPTO~1.EXE
1840 CRYPTO~1.EXE

pid	process
2924	CRYPTO~1.EXE
1840	CRYPTO~1.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

ToDesk_Lite.exevssvc.exe

description	pid	process
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeTcbPrivilege	1620	ToDesk_Lite.exe
Token: SeBackupPrivilege	340	vssvc.exe
Token: SeRestorePrivilege	340	vssvc.exe
Token: SeAuditPrivilege	340	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ToDesk_Lite.exeCryptoWire Ransomware .exe

pid	process
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
992	ToDesk_Lite.exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ToDesk_Lite.exeCryptoWire Ransomware .exe

pid	process
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
992	ToDesk_Lite.exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe
992	ToDesk_Lite.exe
1904	CryptoWire Ransomware .exe
1904	CryptoWire Ransomware .exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ToDesk_Lite.exeGandCrab 勒索.exe

description	pid	process	target process
PID 1620 wrote to memory of 992	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 992	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 992	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 992	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1536	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1536	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1536	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1536	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1012	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1012	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1012	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1012	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1972	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1972	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1972	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1972	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 864	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 864	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 864	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 864	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 972	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 972	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 972	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 972	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1164	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1164	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1164	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1164	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1440	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1440	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1440	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1440	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1052	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1052	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1052	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1620 wrote to memory of 1052	1620	ToDesk_Lite.exe	ToDesk_Lite.exe
PID 1332 wrote to memory of 1072	1332	GandCrab 勒索.exe	splwow64.exe
PID 1332 wrote to memory of 1072	1332	GandCrab 勒索.exe	splwow64.exe
PID 1332 wrote to memory of 1072	1332	GandCrab 勒索.exe	splwow64.exe
PID 1332 wrote to memory of 1072	1332	GandCrab 勒索.exe	splwow64.exe
PID 1332 wrote to memory of 2064	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2064	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2064	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2064	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2100	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2100	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2100	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2100	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2140	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2140	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2140	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2140	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2172	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2172	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2172	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2172	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2220	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2220	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2220	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2220	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2272	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2272	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2272	1332	GandCrab 勒索.exe	nslookup.exe
PID 1332 wrote to memory of 2272	1332	GandCrab 勒索.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe"
1⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" server_start
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" clinet_hide
2⤵
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:992

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:1536

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:1012

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:1972

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:864

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:972

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:1164

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:1440

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:1052

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:3040

C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_Lite.exe" vp8 session_video
2⤵
- Drops file in System32 directory
PID:2128

C:\Users\Admin\Desktop\Tilde Ransomware.exe
"C:\Users\Admin\Desktop\Tilde Ransomware.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:1720

C:\Users\Admin\Desktop\GandCrab 勒索.exe
"C:\Users\Admin\Desktop\GandCrab 勒索.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1072

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2064

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2100

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2140

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2172

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2220

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2272

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2304

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2372

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2412

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2504

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2536

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2568

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2600

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2632

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2668

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2700

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2732

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2764

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2796

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2828

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2860

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2892

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2928

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1704

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2024

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1956

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1280

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1152

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2180

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2228

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2212

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2276

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2332

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2380

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:900

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:872

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:188

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:784

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2204

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2528

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2556

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2588

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2612

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:960

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2708

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2748

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2768

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2808

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2840

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2896

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3048

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1824

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1444

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2136

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2156

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2196

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2224

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2288

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2208

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2316

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1636

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:276

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1744

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1736

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:824

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2428

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2520

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2540

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2344

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2628

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2660

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2684

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2728

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:952

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2744

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2820

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2848

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2876

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2920

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2940

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2884

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1912

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:376

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2104

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:464

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2164

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2188

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2232

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2284

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2260

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2352

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2480

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2396

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2496

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:536

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3000

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3004

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3032

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3068

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1740

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2512

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2576

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2624

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2404

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2696

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2716

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2756

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1060

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1480

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2868

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2872

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2168

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2200

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2240

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:336

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2376

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2484

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2388

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1644

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1412

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2108

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2560

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2580

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2620

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2644

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2672

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2816

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:556

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2832

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2456

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1832

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1652

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2296

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2476

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2468

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:268

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1004

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3012

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2572

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2544

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1692

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2592

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1544

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2068

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2788

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2264

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1324

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:840

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:444

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2844

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2432

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2688

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:828

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1656

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3056

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1960

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1512

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2996

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1548

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2972

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:832

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2760

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:224

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2192

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2680

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2312

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2960

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2968

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2712

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2368

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2596

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:552

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1728

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2112

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2444

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1932

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3060

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2988

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2424

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2880

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2916

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2952

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3020

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2236

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1292

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2440

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2912

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1552

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1340

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2256

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2152

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3016

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2080

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1952

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:208

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2320

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1432

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1288

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2636

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2336

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2804

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2964

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2784

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1300

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:852

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2664

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:216

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:108

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3028

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1700

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1688

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2300

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2792

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:600

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:372

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2268

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1660

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2492

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2324

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2984

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1676

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:220

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1668

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1328

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2532

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2864

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:812

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2740

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2448

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:920

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2088

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2992

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2616

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2436

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1500

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2516

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1580

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2564

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2132

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1252

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2280

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2292

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3024

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2096

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2692

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:204

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:572

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2752

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2904

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2552

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1296

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1532

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:752

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1664

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2244

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2824

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2976

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2360

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2452

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2944

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2416

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1460

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:924

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2120

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1072

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1640

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2508

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:996

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1272

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1064

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1376

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2800

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:808

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2472

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1792

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2980

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1076

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1800

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2420

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2852

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2216

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2308

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2092

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2328

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2640

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1080

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2908

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2548

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:816

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2648

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1968

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2724

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2856

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:1752

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2184

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:280

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2836

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2252

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1904

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:2812

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1992

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2384

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2524

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1940

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:2148

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2936

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:340

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1560

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:1584

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:2076

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:2676

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1896

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3080

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3108

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3136

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3164

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3196

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3224

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3252

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3280

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3308

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3336

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3364

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3396

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3424

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3456

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3484

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3512

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3540

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3568

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3596

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3624

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3652

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3680

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3708

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3736

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3764

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3792

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3820

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3848

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3876

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3904

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3932

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3964

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3992

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:4028

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3100

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3132

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3140

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3188

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:1032

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3212

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3232

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3292

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3328

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:1572

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3352

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3372

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3436

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3460

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3508

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3516

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3556

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3576

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3636

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3672

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3704

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3712

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3752

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3772

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3832

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3868

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3892

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3912

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3976

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:4012

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:4052

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3104

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3156

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3184

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3168

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3200

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:3240

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3264

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.cloud-name.ru
2⤵
PID:3304

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.cloud-name.ru
2⤵
PID:3348

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.cloud-name.ru
2⤵
PID:4064

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.cloud-name.ru
2⤵
PID:3416

C:\Users\Admin\Desktop\GandCrab 勒索.exe
"C:\Users\Admin\Desktop\GandCrab 勒索.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2208

C:\Users\Admin\Desktop\GandCrab 勒索.exe
"C:\Users\Admin\Desktop\GandCrab 勒索.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2348

C:\Users\Admin\Desktop\GandCrab 勒索.exe
"C:\Users\Admin\Desktop\GandCrab 勒索.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2360

C:\Users\Admin\Desktop\GandCrab 勒索.exe
"C:\Users\Admin\Desktop\GandCrab 勒索.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2884

C:\Users\Admin\Desktop\CryptoWire Ransomware .exe
"C:\Users\Admin\Desktop\CryptoWire Ransomware .exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3826008137 /rl highest /tr C:\PROGRA~2\COMMON~1\CRYPTO~1.EXE
2⤵
PID:2584

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc onlogon /tn 3826008137 /rl highest /tr C:\PROGRA~2\COMMON~1\CRYPTO~1.EXE
3⤵
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C title 4139863|vssadmin.exe Delete Shadows /All /Quiet
2⤵
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title 4139863"
3⤵
PID:2880

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C title 4632181|bcdedit /set {default} recoveryenabled No
2⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title 4632181"
3⤵
PID:832

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C title 7098827|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title 7098827"
3⤵
PID:2264

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2248

C:\Users\Admin\Desktop\CRYPTO~1.EXE
C:\Users\Admin\Desktop\CRYPTO~1.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
PID:2924

C:\Users\Admin\Desktop\CRYPTO~1.EXE
C:\Users\Admin\Desktop\CRYPTO~1.EXE
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ToDesk\config.ini
MD5
993d67428ec5e4960b65158f74cb971b

SHA1
7c8b1bc56d3fc86a5a9da05f543484ce0add584a

SHA256
02a0debb95b072421dba82013b690c96422641001169146c08f2a9043c3aa5ca

SHA512
e4462c5fd3df43f0cdb8895a8dbb2e5b786c5a7e41ade98d16e1fc24333672264327b4d91ffc44dffd9f7e83d8ec6137d17ab13f3e0c29f477ee06964cc7d9cd

Download Submit
C:\Users\Admin\Desktop\CompressPush.vbs.~
MD5
1d2feb0173b6097c5259aca2c4c90e5f

SHA1
87fd037b30d36e4e9dde68989e3fdae56fe684b5

SHA256
6d5e188d9b67992b977777cfe549b1bf90727a8d4fd66765ceec08ba614332bf

SHA512
0e42df7b45481607bec4061e05a795767be62e594607efc01b9145d3f49cd24d2d2bfb984a59bb416d37469b143aa5bdb4eed3aa623724e1395dc9daa4682adf

Download Submit
C:\Users\Admin\Desktop\CryptoWire Ransomware .exe
MD5
8d7da99f1beaeee4fd8fc6264f0c4471

SHA1
27f199f7d944c941b0518b98f2b993181d930f92

SHA256
2f07a538a2edea2e14c9e402e57b24912e0ae794fe9df81c660791a4be8ba0a4

SHA512
7a9c57780f413b0326229f6fee2473f065f7a014244cddf78b278ebd0e4883893289993e7ac43a8c8daed887f857512c16893bdabd8d8e5330cb983bf026e9cb

Download Submit
C:\Users\Admin\Desktop\CryptoWire Ransomware .exe
MD5
8d7da99f1beaeee4fd8fc6264f0c4471

SHA1
27f199f7d944c941b0518b98f2b993181d930f92

SHA256
2f07a538a2edea2e14c9e402e57b24912e0ae794fe9df81c660791a4be8ba0a4

SHA512
7a9c57780f413b0326229f6fee2473f065f7a014244cddf78b278ebd0e4883893289993e7ac43a8c8daed887f857512c16893bdabd8d8e5330cb983bf026e9cb

Download Submit
C:\Users\Admin\Desktop\GandCrab 勒索.exe
MD5
90c137b149503d4dc83e4e2227401c29

SHA1
924094e7b2aec85d9c9282d8c8b0b596a24695bb

SHA256
149febedc64a1241f4b75d6877563f7a447bc5df03ccb6cc90af92d884ac3367

SHA512
d003127ed672442bac193ee83ef9b8337a8f5c74b17210dd7a9cba35ca7b9e379628d297ef44d005d2b33fddc821acfcd0e00e6f47b078f667e9b5358f050b4e

Download Submit
C:\Users\Admin\Desktop\GandCrab 勒索.exe
MD5
90c137b149503d4dc83e4e2227401c29

SHA1
924094e7b2aec85d9c9282d8c8b0b596a24695bb

SHA256
149febedc64a1241f4b75d6877563f7a447bc5df03ccb6cc90af92d884ac3367

SHA512
d003127ed672442bac193ee83ef9b8337a8f5c74b17210dd7a9cba35ca7b9e379628d297ef44d005d2b33fddc821acfcd0e00e6f47b078f667e9b5358f050b4e

Download Submit
C:\Users\Admin\Desktop\GandCrab 勒索.exe
MD5
90c137b149503d4dc83e4e2227401c29

SHA1
924094e7b2aec85d9c9282d8c8b0b596a24695bb

SHA256
149febedc64a1241f4b75d6877563f7a447bc5df03ccb6cc90af92d884ac3367

SHA512
d003127ed672442bac193ee83ef9b8337a8f5c74b17210dd7a9cba35ca7b9e379628d297ef44d005d2b33fddc821acfcd0e00e6f47b078f667e9b5358f050b4e

Download Submit
C:\Users\Admin\Desktop\GandCrab 勒索.exe
MD5
90c137b149503d4dc83e4e2227401c29

SHA1
924094e7b2aec85d9c9282d8c8b0b596a24695bb

SHA256
149febedc64a1241f4b75d6877563f7a447bc5df03ccb6cc90af92d884ac3367

SHA512
d003127ed672442bac193ee83ef9b8337a8f5c74b17210dd7a9cba35ca7b9e379628d297ef44d005d2b33fddc821acfcd0e00e6f47b078f667e9b5358f050b4e

Download Submit
C:\Users\Admin\Desktop\GandCrab 勒索.exe
MD5
90c137b149503d4dc83e4e2227401c29

SHA1
924094e7b2aec85d9c9282d8c8b0b596a24695bb

SHA256
149febedc64a1241f4b75d6877563f7a447bc5df03ccb6cc90af92d884ac3367

SHA512
d003127ed672442bac193ee83ef9b8337a8f5c74b17210dd7a9cba35ca7b9e379628d297ef44d005d2b33fddc821acfcd0e00e6f47b078f667e9b5358f050b4e

Download Submit
C:\Users\Admin\Desktop\GandCrab 勒索.exe
MD5
90c137b149503d4dc83e4e2227401c29

SHA1
924094e7b2aec85d9c9282d8c8b0b596a24695bb

SHA256
149febedc64a1241f4b75d6877563f7a447bc5df03ccb6cc90af92d884ac3367

SHA512
d003127ed672442bac193ee83ef9b8337a8f5c74b17210dd7a9cba35ca7b9e379628d297ef44d005d2b33fddc821acfcd0e00e6f47b078f667e9b5358f050b4e

Download Submit
C:\Users\Admin\Desktop\GroupUnregister.xls.~
MD5
78da4498ade7996336fa4aba134262a0

SHA1
76a7863b41636cf6b74f9332dfa756a115bd0474

SHA256
e5f6a451c7acf3fbff38b5ef9636f09592b4f8f79944eefd88d9d72a45209224

SHA512
6f0c942feb4d9829d3047d51fe786dcac316f84a2fa24f46c76854ea8e2e1c1e3e4b54edd974862edbe72f715b56a5e5b580f9100ce5511c419f636c77436323

Download Submit
C:\Users\Admin\Desktop\ReadEnter.bat.~
MD5
f3a3b68af294b9c793127742fb3ae0ad

SHA1
dd456a675a1a0df3d62565c4155508dd3f76f58a

SHA256
7244bfff7d39294213291acef4cde491125e62f5a5470e7990e8fb7a60d5331c

SHA512
3eda93c1056116fce98b001e674c5dd7af1057f7dc30d4c903c0cbb6113042ca20b78eb04f0dad82692c0d9bec23ed36fafb9e55cc2fa2beac16b801585481ae

Download Submit
C:\Users\Admin\Desktop\RequestOptimize.avi.~
MD5
3bac5573d4c09dbaed66ef3b43ad36d4

SHA1
46a37fdeced8deebc05311e08634428dd2034e21

SHA256
f9a922edb838bcd59c8634ac12e23480462053cfaa2455aa07e174f94a17c0fe

SHA512
f220f0e28e69a61b40e4cbf0a7505171beef09390a7d6b28a61c40d1acb1cb003279de2db1fc5c1d9b4de91b893c476d954e826fd3126b7208fc8b1d86c62992

Download Submit
C:\Users\Admin\Desktop\SetUpdate.mpg.~
MD5
de8f9c72fd20e7244ac0603595c2f836

SHA1
048709f395f32379a7954f17916778308f2d9ee7

SHA256
909bb645a72b4fb1d2699d6ca6a7c4dbda5c5e16c236af4f2433c26e273d3559

SHA512
fdcb8a11dfda1cb61343de0078b7f186c1a042b3b8ab8a9bb6c6b335b261facc46c6d311ab4e3c505bd0123434c72c358532dd329e23eebe411734ee57b461f0

Download Submit
C:\Users\Admin\Desktop\SplitDebug.png.~
MD5
5177c91091c4c87102f5e1222dd3b8be

SHA1
cd8c123169d68cbf12c0d9855faeb12316716fbd

SHA256
1d782fa2051bf79e17ad96973870534e31c33bf4a9f87bd433e0af4eb5fdbefc

SHA512
650238ecbb354c49c2ad6e8ceaa75b5044e5e4b995b94ce43424873629895b9238504472e8a01acc817a384aed7f478520fa181f3ff646cd7c5f3b57cd79bb10

Download Submit
C:\Users\Admin\Desktop\StepDisable.xlsx.~
MD5
d66fad64bc40d439d17c01d2c74c35f3

SHA1
0a4f3cbedfa8f9180edaeb0fe20c58a254ae8dda

SHA256
2c4d300529baef84f6274d7249cfebd62a1b0d78f2ab93f36b550517c1685065

SHA512
79f2ccb3ea47a4ee3304b4ce8e4838d911767ce0cc565b39821c217c5c32e702494f22e8c390e111376c3de8071779f57be94037d99ba3a0a6321acd62677480

Download Submit
C:\Users\Admin\Desktop\StepSelect.avi.~
MD5
a457d8510fc3869d5efa999171d15978

SHA1
f541833022559c7687f11880532cdfad33ed82d1

SHA256
519225ed42fbc944ea56af6b0ddc6cc05f7a59b814138fa6afc9b6e7e8892931

SHA512
843050c762d4bf0087aac882e3b5d9710adc700be55c3bccd82e2fb1915d7eda75bd01bd6fcdc924bfcbe642926a2735a15bcf072a9b29fc3b2c842d9125dcc9

Download Submit
C:\Users\Admin\Desktop\Tilde Ransomware.exe
MD5
d7eab96f074b593c3fc7139c6eb818bb

SHA1
8d2c81ae64c4a534af5299b9110aaee5bb74011d

SHA256
7784ef4f0c425eb5578559102faaa99c4fba0ab2c2ff7dbe5fcc3c9e731a97a7

SHA512
0d5b13641716d78b759e78fcdf41d23a5df48593737019072d7272f9cb0f8691b4c7c924439a72356e40f078d908de78845f5006e81173326f87dcd73cc24e8a

Download Submit
C:\Users\Admin\Desktop\Tilde Ransomware.exe
MD5
3d83ed39ffc379a1608a7a341fc01e33

SHA1
b0edd30d27468dd056da58f6c3ad4808f9c4eab3

SHA256
165f6a9f94265fff5602882ae53fd92a1ab3c353a301630db946561fbf40f9b1

SHA512
799e72329611dcee4ca221a63c252941286a298565067a35e7d587e69936f1aa7bb031b0cff1658942bc66d69d02311114a5db064f939b01707bb4e03b443934

Download Submit
C:\Users\Admin\Desktop\UnpublishStep.mpg.~
MD5
b344a429bd6fe514108748da6a3582ae

SHA1
bd6de0b372c980e310d7f77cc85c4b0deefddbd0

SHA256
2762a3cff602466fe9b1cfdcc28cea38165410f4b9499256b2be35891d64199a

SHA512
8e77d8ade6b9cd863ec80f02e3222b3b72cf5d4b3276a656838bd5ede874297fa1d1989d69816f0dbcdefd304437bdec715cd33cc2c2e9c726f228fe6c3413ea

Download Submit
C:\Users\Admin\Desktop\_RECOVER_INSTRUCTIONS.ini
MD5
1dd27ae64ed6573ca668533583acec4c

SHA1
18d44a97f1acd8df94db0d60fc5573843d6294fe

SHA256
12c6e119fe0c5c165845f9a9ada9802419c3d6dd98b64fc3e2fbde9565dfb73b

SHA512
043251a6ae5edb93ae0fe70fc126af0443349984426992379e87dca09e3c3d25fe960c36b4f243daaaa7c6e059c387ee848d691ed2aa5be1073f958b887a1f00

Download Submit
C:\Users\Admin\Documents\AddOptimize.potm.~
MD5
e2aacc26b39e18cb02d8e57707687fcf

SHA1
d4f935c5334e9027edd0c9c654caa7189721d906

SHA256
eccbdb5b8ea2ac7183cc7d7ae83f7ebc76d4078300fef4ddf5d54b3b7b190ba5

SHA512
a435b404628c75204165d7129430a5a57486784c47d0461d9a472651526dda819786e4c8e9622d5f35f8d53afdc5a03d56459e324d40ce2d9e1083f0d926bf08

Download Submit
C:\Users\Admin\Documents\Are.docx.~
MD5
977e65af8c86d3d5de0ca39d4855691e

SHA1
0b3c2bb95fc0316846d94a4fb9fba6a8da2ad27e

SHA256
a81831e8e0e368cf7b39c6bf4b8a48d231f110a4b22857f14cb0daf70f5dd2e0

SHA512
07f5143c0add645376219f7d3969db5c40412370be8e73462fe10d4a72eae8862bd9ce140b736de915004d8e467d50de2a09b60e202feeaf9e9a039423aaf8e5

Download Submit
C:\Users\Admin\Documents\ClearDebug.ppsx.~
MD5
5b90028a85729192577f8db7c6116403

SHA1
9baee739257dbb9cc43058d6aaaf1d70c7ee93dc

SHA256
44d8ea036675afac53a4591968438e3d3e6886a622366408d5981804c9541e66

SHA512
2ca8ff6dc338f822b8a6b5c888ba79abd3b1fdc609f0eb3140db95be909fd1f521c49fbc2c9f31dfb6f7d87f8216cfffed09de4344b5586c7fe5bde8f339eb9b

Download Submit
C:\Users\Admin\Documents\CloseReset.xml.~
MD5
649b6d947426557143584ab15f7947b4

SHA1
e5f3e08de2eb48754a288603863c2e5672671559

SHA256
a1e6d0a50f2f72f203c3ba746353018d80f69f2b896512fd2818b3024e828055

SHA512
3f3d1d8d5de8b4fbca8bbae8064bdfb93cc977351ec9d8ebe780857e831fdb2afc68307ab0a5c5192cc53a662b0d9034cbdace9017d61ac8ec1bc18b602b9f92

Download Submit
C:\Users\Admin\Documents\ConfirmPush.dotm.~
MD5
640e06293c81d479eaa57245bb816ee9

SHA1
2482eda22687bc39d9dd24c199547f9eab99a7a7

SHA256
ddd217957d07db3e45715b9dd516de7ced4e3a4a3ce94984b9ef09d4cf563764

SHA512
d26b15f42a33f9b741868b2896c6e18fd8e197eaf78c0e40536e4e2ea75dca80131a18f884acbd9078fd7cd480796246d56d4b13f7d5c71a632cf3c9d621c4e5

Download Submit
C:\Users\Admin\Documents\ConvertFromUndo.docm.~
MD5
ac0861ffd0321c63ede1a2dea4992cb9

SHA1
021e0f0bdd0c8056d9b54504e3c664ccec525618

SHA256
9b825797e534c2b7c700a99148fa2caf9a9042cdeb122ce729dd1e6ccc0e0e87

SHA512
ee991027a54ded46f072f755ee71fae7335fb90184530933805fc8864dda9ace70efa8073da9eecdeb223342c2b8107d8298cfa87b66cb3dcfd0d280eda8c190

Download Submit
C:\Users\Admin\Documents\CopyDebug.ppsx.~
MD5
474d4fd5abb593f95bfc8a44ca38be44

SHA1
069478a5786526d0fde3ce82e7c4d7a911727fca

SHA256
d730b97be66ef18ed86f3d3fc58abe9363974bf6613105aa79cb78fd29897c31

SHA512
9f2a5956f7f5e36c44e5c28eaffb9e61761d7822c20e745e6ecc1867dae5455fe2cadfa06422e8fad27cab3663da741790934abdfbb6c83db8914433c4035f4c

Download Submit
C:\Users\Admin\Documents\Files.docx.~
MD5
6c64058c9a8c185b6cd944b2e925bcd2

SHA1
cbd5a2a7cdc3406729318c27b40a179fb31e180b

SHA256
26de854a26859cb4daa97433006f059e059ce9cc0202e14b69343f656663ef50

SHA512
c7470865b4a22fd932cf2edf43ce7dce6a80f538ccb469e855ab8409aab28cc85f946a55b0ec350e69b53afac0da3a23c13ba9b32cf104721ea97e126fae99d2

Download Submit
C:\Users\Admin\Documents\GrantSubmit.dotx.~
MD5
73c0d3f6469e4a1c2d48e6a109c3a2c8

SHA1
314f5c5715d19090929ec45a0234596e02e2261c

SHA256
da9ccf672805650fb398e775c0ab3a367296ba4ba423c544497ae0bf32b257a8

SHA512
9d8511f00c9f3c5f4bde212e319abbc67adbd1005ff026799c2ddd57300e91981045173cd6a3aa4ff97b06e24bd1695a19214beb0cf36240319f5f8e6b4e1271

Download Submit
C:\Users\Admin\Documents\Opened.docx.~
MD5
6c64058c9a8c185b6cd944b2e925bcd2

SHA1
cbd5a2a7cdc3406729318c27b40a179fb31e180b

SHA256
26de854a26859cb4daa97433006f059e059ce9cc0202e14b69343f656663ef50

SHA512
c7470865b4a22fd932cf2edf43ce7dce6a80f538ccb469e855ab8409aab28cc85f946a55b0ec350e69b53afac0da3a23c13ba9b32cf104721ea97e126fae99d2

Download Submit
C:\Users\Admin\Documents\Recently.docx.~
MD5
977e65af8c86d3d5de0ca39d4855691e

SHA1
0b3c2bb95fc0316846d94a4fb9fba6a8da2ad27e

SHA256
a81831e8e0e368cf7b39c6bf4b8a48d231f110a4b22857f14cb0daf70f5dd2e0

SHA512
07f5143c0add645376219f7d3969db5c40412370be8e73462fe10d4a72eae8862bd9ce140b736de915004d8e467d50de2a09b60e202feeaf9e9a039423aaf8e5

Download Submit
C:\Users\Admin\Documents\SearchUnpublish.doc.~
MD5
6fb9a4a876ca216a5010dc4b951b24bd

SHA1
17082793116a719cd4c42244c61424d36a4fd728

SHA256
499f94a61313a087d2e4356a4c8e24b985725ef1475c3290cb07155a45903727

SHA512
b010a19a8fac04f561508938fc8840f170d2099266d03d0ddc72b86fed792caae549869e6d1301ac8f004d0c7706cb9a7d0afb1386ff912f9c535760cbab3041

Download Submit
C:\Users\Admin\Documents\SyncExit.ppt.~
MD5
d9c9da89867490d7a037103c5ed037cd

SHA1
b7e866ad11353c35db0df9f64369053e2ee97251

SHA256
c424645463ec39a284a20d917022e23ce2270ba0840a302cdff90e5c708343f0

SHA512
1ec85f06f7a17f21eac1bd86dffb2f4d86c43ee1053424e0bb684bca75e6ae47136c31d065637e939a8cb0a04a0788aff7417c35b91363149666a89bd4aa2487

Download Submit
C:\Users\Admin\Documents\These.docx.~
MD5
dc3d46991fe82636753e08c9d82e40a9

SHA1
6221e66f8668817da7c14502079cd49e1c2a7234

SHA256
bcc4922821f675e94f05dab4d9ae4eceefbe8d4def52c0ac1e485684b4bc95ba

SHA512
ed813c8e6a024ca2150088efe471084c6c61bee5e16f55c1234e77375ecbfd1daa371f027c446369e8815c17f5fe8f14b4a96806e13075b6d96d925d14b18d45

Download Submit
C:\Users\Admin\Documents\UninstallExport.dot.~
MD5
7fc6b36597ccc2b3ba21d8e780b4960f

SHA1
c9974906b9f782ac05f62c5c352a63dc02d2db9c

SHA256
88411b73423761f66c0df0a1cad9c5edb0dbbf545adfee57ddae6797fae5f05e

SHA512
1fbe3c5a67962444201b6b21971c8aaa9ab4f42635894db289699d97768d2bf51e26e22093d9a3169c380c89d4c0887e41ebe342b2f1ccf5a652a524d2b26032

Download Submit
C:\Users\Admin\Documents\WatchLimit.xltx.~
MD5
4c5a9df227b28be333747d0712da39c3

SHA1
479497793b78e062a284dec33ded844a2f0f8083

SHA256
426e32da73308205504682603f9e2fd19e9089cbcc03565fbfd10b396bc318d3

SHA512
955d31aa52e8ee3092e55627577468eac27e7647b689b202372102d4d3573a40b7dd40a069a14cc4fe1c6ebd8113249cb821ca0550d80a7799a01d5781715be9

Download Submit
C:\Users\Admin\Documents\_RECOVER_INSTRUCTIONS.ini
MD5
1dd27ae64ed6573ca668533583acec4c

SHA1
18d44a97f1acd8df94db0d60fc5573843d6294fe

SHA256
12c6e119fe0c5c165845f9a9ada9802419c3d6dd98b64fc3e2fbde9565dfb73b

SHA512
043251a6ae5edb93ae0fe70fc126af0443349984426992379e87dca09e3c3d25fe960c36b4f243daaaa7c6e059c387ee848d691ed2aa5be1073f958b887a1f00

Download Submit
C:\Users\Admin\Downloads\MountRestart.odt.~
MD5
cf991f1eea7e344a15f009dd0feb02ec

SHA1
50a5bae733ac745c441edfdd15395872b613972a

SHA256
7fa8f1634aee30b90c44f6c96bc3f0f5a6ddab88e61db13be930dc0237742b86

SHA512
11411db17c72592a65a7fcfa7b1928eb700e318f5ad4ea082ded822e417bdcf78911c28f4ad784ec6837ddd735a6399c3844f6d007a9bdf7cb8bad1495e5e9bb

Download Submit
C:\Users\Admin\Downloads\ResetConfirm.bmp.~
MD5
fc63ec3665e07cc427b9349e2418e79b

SHA1
c278908c82d116c18870f540cfffdcc25340a669

SHA256
aade923f07933e1f68047238f9cde9b8c0d18ff72025629029f90c25ebe7d1f0

SHA512
afc34d2ce8a6088d6c835e5f41d6d57ecde66f85f32463ea772369802ab589c836156a66caadaec85136305948fe250309d44f404808ac0748341fc947a56dc1

Download Submit
C:\Users\Admin\Downloads\ResumeUnregister.txt.~
MD5
fe3cc8861c12cdb5e2ebb5365fe74bec

SHA1
cfa5e75105ed8c5e2440fed4188ad9229469edd2

SHA256
6c82ead96b7974f1b62c06893b964816e229fd8cf7b424aceb2cabb8f6e735b5

SHA512
4f7e7d864a9d91b0c828f2aa21a13d425ced48a5e5b11c5591bb372f1137ebfaf14765a078488ebee9b2b9f7e46c39e5b166e8290b2d737664a6cd8319a19818

Download Submit
C:\Users\Admin\Downloads\RevokeWatch.xlsb.~
MD5
61142c7046526718b0cdf8ad77e5909b

SHA1
f2a2aa2aefc9493cf511ea0ec3cc4b599fd63a44

SHA256
18fe7770cd5d204c9cbd3c0123c0f25508ec3196c45ca7c15d40415baa96a6d5

SHA512
2a23833cc3c16c4fadd4e54b3b6810e0b2fdfe2663075cd3e4559f5a34491e60ea0cf35802f8319fe2ec3890b530b04162408db1382596bac09cc0e5a6d840f0

Download Submit
C:\Users\Admin\Downloads\WriteRepair.asf.~
MD5
cfb11b6f7fe9ca525bb27412f2c00c7d

SHA1
7fe56e1a296abd68cdcb1dbbe1f491851e688968

SHA256
3590f707f270b7e937ba8ab753934419d073829609362a412e27ebc0b00c12f7

SHA512
2040bb00729b80e68d439867788719a99782885cd4e802acbe158b3e28044336c7d4d0cf1139f805236112861e8dc3543cfa2d6ac8c288cae67340746dd71c20

Download Submit
C:\Users\Admin\Downloads\_RECOVER_INSTRUCTIONS.ini
MD5
1dd27ae64ed6573ca668533583acec4c

SHA1
18d44a97f1acd8df94db0d60fc5573843d6294fe

SHA256
12c6e119fe0c5c165845f9a9ada9802419c3d6dd98b64fc3e2fbde9565dfb73b

SHA512
043251a6ae5edb93ae0fe70fc126af0443349984426992379e87dca09e3c3d25fe960c36b4f243daaaa7c6e059c387ee848d691ed2aa5be1073f958b887a1f00

Download Submit
C:\Users\Admin\Music\ApproveRedo.rtf.~
MD5
aefbb693dddc9280750ded23cc1ff150

SHA1
71af792039ed0e309fbf927edf2f333af3b64acd

SHA256
3e66a03c3ab2ec3f2c6f37f7cedc2231c517f0338c288d7cb580b13fd2fb09c0

SHA512
ebc09388d52a3a421e91a57c9539db9abca7bace9142e6efa42463bc9c3886f3aff24f2264275a0d66cec85e5eee825f9256ec85a9a08a0ceaf5e5ad99ff151d

Download Submit
C:\Users\Admin\Music\BackupMount.xml.~
MD5
592136a3df6bc53ec0a6ae4542b8795e

SHA1
49dce28f6f32edc300dd02c4583ba43a8e034314

SHA256
ff3beb6b7e4b1bb3e5a007696c4cb4e01ee77a6c4e5607a5996179ba83b2a619

SHA512
1b73ce4878041fa98c9690be19aa76a0c044fa8c700b1c9c06a5ed91be7b590bd24f027279a6a321bf310e19daeecf8b3bf687be27784bb0b88c019329fa1f7a

Download Submit
C:\Users\Admin\Music\CompressSelect.raw.~
MD5
9db43859117784c1007329879242c5c1

SHA1
512717722dc219a06355a684f74353c6e38f8589

SHA256
f7152d430af75f3744151971e569e2ae41074315c0609f8f19a53207617da027

SHA512
09b771c42c275b1e7d3824147462a616c29baeafb615091bb454e7859ede550d227605b6e43913731b0af054648cdb2b7cb6a1c7e26e64fd6977d65ae40e0940

Download Submit
C:\Users\Admin\Music\ResizeUnlock.wma.~
MD5
f61a6619084dcd21146b2d72bef7efce

SHA1
f6f83562a1debe69b5f49f521fa2796237a5b6fd

SHA256
aef68b869296649f6665547dc64adfe10a7a3eeac80c12af1922d9a156acd77d

SHA512
a0ce491f6c4e8d6184371cfdac1ae4d54b7f7860ebee69bdb521fa658cd921d57ca800d74033bce7f77e14b76469621bf660c2fab5f6471a41d6b8c2e5bacbbd

Download Submit
C:\Users\Admin\Music\ResolveAdd.sql.~
MD5
7a559a705ffb88c07d1ac5420e233ec3

SHA1
2691b64d666065a3c546ba35c32ef8248d98d514

SHA256
15dcf3a0149e60409af6b4515924dab445e79521f0cff03ecd31309563da853d

SHA512
06047c103ac47937b3244c6510f8a48afb76694d7867916aefeca870a5bc6db921fd5b90599ecab11474c0ee033a879f224ff3f16e950e0ff40021c9b838360a

Download Submit
C:\Users\Admin\Music\StopAdd.jpeg.~
MD5
14eb169c5efd4d25541ed8061416f02f

SHA1
425e5671d55f12e1dd5b30524b0e47dd08ceb2d6

SHA256
e2a75d1099f0f5f60f5555192cfdf4da3ab5aed9f2de434a5e14f5323ff3eb99

SHA512
f83023a8a527f16e9c1f5e48c2b6e0e0d1ad66f93d665a2093d28dd03fe9c8b2c32b919b44589dd9e7bf0b87fd5ae700786da12a79c857f258763205cf2c5092

Download Submit
C:\Users\Admin\Music\StopBlock.xls.~
MD5
1ef824751b2c3384c15f4083e36b9546

SHA1
7dad41b851084bdfe9a3201942505f5c0804fcd6

SHA256
b8f872a97f08a9cd215b81a58af55788291b80fe540a6e98ea4e5919bb1c0263

SHA512
e321f1b2150cff400fa54278ead68e2c54e44ed24dbe5f96f68223fef48c2fca628041804ec31ad66338d722c6848dc6d1fb303a8e9441038f3d2ac8ba0a6a4b

Download Submit
C:\Users\Admin\Music\UseResume.rar.~
MD5
21c80421e632e113bce870ec5938c09c

SHA1
d5cbbf0140e349f29378ff65ef6d3c876550e3b8

SHA256
4ca3be1ff170f1e94a77dd368bd440f9bf54dff1d2f3d5b6f187cdda3981593a

SHA512
0510c72d3b9694bd388122476abd8fe14cba870dcbf7aa44f93ce3e4c43e3773bca24b6eec857f50e670d34bacf91f5c056045e6b343c0c6c6bf9ab97b6fa20e

Download Submit
C:\Users\Admin\Music\_RECOVER_INSTRUCTIONS.ini
MD5
1dd27ae64ed6573ca668533583acec4c

SHA1
18d44a97f1acd8df94db0d60fc5573843d6294fe

SHA256
12c6e119fe0c5c165845f9a9ada9802419c3d6dd98b64fc3e2fbde9565dfb73b

SHA512
043251a6ae5edb93ae0fe70fc126af0443349984426992379e87dca09e3c3d25fe960c36b4f243daaaa7c6e059c387ee848d691ed2aa5be1073f958b887a1f00

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log
MD5
7e5620ca93b3f8db0d8902571c8d8858

SHA1
e59293fcdee1f495aa36871370ecf0814d7da671

SHA256
851c8e6cecf9d807f4d8300563096c891dcce2f008f4996e7a924ee50dbba20e

SHA512
058f419760de07cc0445b770631b29eab4696e68705624cba27f761cb39c67b2b51e93f0e68441a43019de04b7916fd80050558d8b8da8712bbd7a16eb3cffd0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log
MD5
7e5620ca93b3f8db0d8902571c8d8858

SHA1
e59293fcdee1f495aa36871370ecf0814d7da671

SHA256
851c8e6cecf9d807f4d8300563096c891dcce2f008f4996e7a924ee50dbba20e

SHA512
058f419760de07cc0445b770631b29eab4696e68705624cba27f761cb39c67b2b51e93f0e68441a43019de04b7916fd80050558d8b8da8712bbd7a16eb3cffd0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log
MD5
80ef353e87d5c400afa9e6dc91bc3a79

SHA1
addaff4001e98f48cdc6eb07a885e3a14c9a9252

SHA256
1ae420009452201cf192fa912a18ec05d9342f80895c4716b099b8087215f41b

SHA512
fc7244301a52697568b33dc9232fd3ba7f1d07d5ad11149828a6135abe0f5344954f5976bda8e841de158168f14f2963bdba47bc35041a8448bc00fecf6da1ee

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log
MD5
519eabefb0c4f60c72d4a0c58f26e2bd

SHA1
15657decb81f730b08b8599161eb58faf572daba

SHA256
5605a755f5345e0f04ea1e6d447e8d7eb6ac6adaa74e2f13f25b50d0d7bba230

SHA512
2cfaf025575fe045b1482469e1bf91e2db656759abfe70bacfaad7a2bf25edd50281886ac9f247445976700917a20bd480d8ca29e45f53842ab08d2f194a4d73

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log
MD5
7aa6d4660d5141c31551003847a330aa

SHA1
cc5db3e38830a1db13c26edbbfbb6fe6904e2cba

SHA256
24ab151a95db3c904c380e99a6b166673a90f2a681115fe461acd3b254aa5a3d

SHA512
4c657ce550b390d42abfdbcb7cb15b2938a877fb029b6517dbd42f40d2b6766f08961c8ec82dd896b332a0a15f409f1114e8ffef14e73c203681df8f3dfa2836

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log
MD5
e54ace05b678472f2c5d19f0ee41fc73

SHA1
840d01d970e90bd89aa2001c4ffd04a008272601

SHA256
d3f591a7c5dc095c9db6686143e870baf35e5dffd8e486bfe2024b0fd72086ba

SHA512
49bb08e7d697dd9d5a27e650b708abf1885838548335b0d787b371ae30abfa13315fbe0d07bdfd400a484e122d42f513463e7ef5d5a0e71220c911f96040e762

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log
MD5
7b85b183f306bf21976c053f3cfa4ecf

SHA1
be3c5b07824d2ec13dc299d601fb87f5aac9ed68

SHA256
4903a9fed78755adf230d0f019c86d95393cf3470fe79b1efa60fad1ed6d2ebe

SHA512
4f7b5f46c4c730d8084c72162a2e701900a0128e059435c1e7eb84805a33bb6ae7735b4f7f91b2e08a56321d89f669297c65ac2d7bc7b0770e6592b3f59df4f4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log
MD5
4f04388359db224cc38d5461b2e4a1ff

SHA1
e70776a0fc07b19b228559ac996ff45eb3e91cc5

SHA256
6e7eec0ddfc681628cdc7e9572482fd762668ac59d9af5e9683368cfbe2545d5

SHA512
99e80963ea62a8d7e72ecc72c721f504245f1a599b6181e7f8e9b1e937fab4890ec0322716fd1294be2ad114d3d980665b6b4845573b9e6b219b5ba1639e44d8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\Logs\session_2021_07_02.log
MD5
863f9f040ca2c1efe2e1deaec62ae9e2

SHA1
183259da8636f62af361fbc8762c22a1f4dedbd0

SHA256
5d850b6810e8f35b8088778075d5547b060af08b2f9423bec6dc06dea56715e2

SHA512
5ff4905c5056c28f233df8fd9f9f889300a6ecb887fc6b407cda983012a01768a37360cce760de5cc4613d011ad240cbc77afc2c7def109c8ca0ca2c1bc9788c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ToDesk\config.ini
MD5
f521075099c64c96dd7bef7b0d173ac2

SHA1
d6fbbfad3a41414e3337e39d726c348e3bcbb6cd

SHA256
55fa0e72a80049b9415c5be0c14737971aea2fce4d50395f363e135e7b0ec084

SHA512
036ed2a775d96914808f9b81483917c224b87a255e297fca6a2105c8f205647ae23f3eda3fc06eee1618cb74d65ddb431588b2d8dcdc676c6669879eb404420b

Download Submit
\Users\Admin\Desktop\Tilde Ransomware.exe
MD5
3d83ed39ffc379a1608a7a341fc01e33

SHA1
b0edd30d27468dd056da58f6c3ad4808f9c4eab3

SHA256
165f6a9f94265fff5602882ae53fd92a1ab3c353a301630db946561fbf40f9b1

SHA512
799e72329611dcee4ca221a63c252941286a298565067a35e7d587e69936f1aa7bb031b0cff1658942bc66d69d02311114a5db064f939b01707bb4e03b443934

Download Submit
memory/188-143-0x0000000000000000-mapping.dmp

Download
memory/784-144-0x0000000000000000-mapping.dmp

Download
memory/864-73-0x0000000000000000-mapping.dmp

Download
memory/872-142-0x0000000000000000-mapping.dmp

Download
memory/900-141-0x0000000000000000-mapping.dmp

Download
memory/960-154-0x0000000000000000-mapping.dmp

Download
memory/972-76-0x0000000000000000-mapping.dmp

Download
memory/992-61-0x0000000000000000-mapping.dmp

Download
memory/1012-67-0x0000000000000000-mapping.dmp

Download
memory/1052-87-0x0000000000000000-mapping.dmp

Download
memory/1064-59-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1072-91-0x0000000000000000-mapping.dmp

Download
memory/1152-134-0x0000000000000000-mapping.dmp

Download
memory/1164-79-0x0000000000000000-mapping.dmp

Download
memory/1280-133-0x0000000000000000-mapping.dmp

Download
memory/1332-94-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/1332-93-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1440-82-0x0000000000000000-mapping.dmp

Download
memory/1444-167-0x0000000000000000-mapping.dmp

Download
memory/1536-64-0x0000000000000000-mapping.dmp

Download
memory/1704-130-0x0000000000000000-mapping.dmp

Download
memory/1824-166-0x0000000000000000-mapping.dmp

Download
memory/1956-132-0x0000000000000000-mapping.dmp

Download
memory/1972-70-0x0000000000000000-mapping.dmp

Download
memory/2024-131-0x0000000000000000-mapping.dmp

Download
memory/2064-96-0x0000000000000000-mapping.dmp

Download
memory/2100-97-0x0000000000000000-mapping.dmp

Download
memory/2140-98-0x0000000000000000-mapping.dmp

Download
memory/2172-99-0x0000000000000000-mapping.dmp

Download
memory/2180-135-0x0000000000000000-mapping.dmp

Download
memory/2204-146-0x0000000000000000-mapping.dmp

Download
memory/2208-103-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2208-104-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/2212-137-0x0000000000000000-mapping.dmp

Download
memory/2220-101-0x0000000000000000-mapping.dmp

Download
memory/2228-136-0x0000000000000000-mapping.dmp

Download
memory/2272-105-0x0000000000000000-mapping.dmp

Download
memory/2276-138-0x0000000000000000-mapping.dmp

Download
memory/2304-106-0x0000000000000000-mapping.dmp

Download
memory/2332-139-0x0000000000000000-mapping.dmp

Download
memory/2348-110-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2348-111-0x0000000000300000-0x0000000000317000-memory.dmp

Filesize
92KB

Download
memory/2360-148-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2360-149-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2372-109-0x0000000000000000-mapping.dmp

Download
memory/2380-140-0x0000000000000000-mapping.dmp

Download
memory/2412-112-0x0000000000000000-mapping.dmp

Download
memory/2504-113-0x0000000000000000-mapping.dmp

Download
memory/2528-150-0x0000000000000000-mapping.dmp

Download
memory/2536-114-0x0000000000000000-mapping.dmp

Download
memory/2556-151-0x0000000000000000-mapping.dmp

Download
memory/2568-115-0x0000000000000000-mapping.dmp

Download
memory/2588-152-0x0000000000000000-mapping.dmp

Download
memory/2600-116-0x0000000000000000-mapping.dmp

Download
memory/2612-153-0x0000000000000000-mapping.dmp

Download
memory/2632-117-0x0000000000000000-mapping.dmp

Download
memory/2668-118-0x0000000000000000-mapping.dmp

Download
memory/2700-119-0x0000000000000000-mapping.dmp

Download
memory/2708-155-0x0000000000000000-mapping.dmp

Download
memory/2732-120-0x0000000000000000-mapping.dmp

Download
memory/2748-156-0x0000000000000000-mapping.dmp

Download
memory/2764-121-0x0000000000000000-mapping.dmp

Download
memory/2768-157-0x0000000000000000-mapping.dmp

Download
memory/2796-122-0x0000000000000000-mapping.dmp

Download
memory/2808-158-0x0000000000000000-mapping.dmp

Download
memory/2828-123-0x0000000000000000-mapping.dmp

Download
memory/2840-159-0x0000000000000000-mapping.dmp

Download
memory/2860-124-0x0000000000000000-mapping.dmp

Download
memory/2884-164-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2884-163-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2892-125-0x0000000000000000-mapping.dmp

Download
memory/2896-162-0x0000000000000000-mapping.dmp

Download
memory/2928-126-0x0000000000000000-mapping.dmp

Download
memory/3040-127-0x0000000000000000-mapping.dmp

Download
memory/3048-165-0x0000000000000000-mapping.dmp

Download