Analysis Overview
SHA256: 03a15123b54b8e5252af565dbc10e7c1d732ab8a92b905f6811e621680d7ff2c
Threat Level: Known bad
The file RNSM00476.7z was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Chaos Ransomware
Gandcrab
Chaos
GandCrab payload
Renames multiple (176) files with added filename extension
Renames multiple (74) files with added filename extension
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Drops startup file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates connected drives
Drops desktop.ini file(s)
Uses Tor communications
Sets desktop wallpaper using registry
Drops file in Program Files directory
Detects Pyinstaller
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Checks processor information in registry
Checks SCSI registry key(s)
Modifies registry key
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-09-21 21:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-21 21:08
Reported: 2024-09-21 21:13
Platform: win10v2004-20240802-en
Max time kernel: 275s
Max time network: 277s
Command Line
Signatures
Avoslocker Ransomware
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GandCrab payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gandcrab
Renames multiple (176) files with added filename extension
Renames multiple (74) files with added filename extension
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url | C:\Windows\system32\taskmgr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\read_it.txt | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cntrlphse = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cntrlphse.exe\"" | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Explorer.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\omsyi2ijtq = "C:\\Users\\Admin\\DEsktop\\00476\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe" | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\plbddsybgrx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bieiih.exe\"" | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe | N/A |
| File created | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Program Files\desktop.ini | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe | N/A |
Enumerates connected drives
Uses Tor communications
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1550356177.png" | C:\Windows\SysWOW64\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\XLSLICER.DLL | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderWhite.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.exe.exe.exe | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-150.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe804.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_scale-200.png.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_MedTile.scale-200.png.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1194130065-3471212556-1656947724-1000-MergedResources-0.pri | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1 | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-200.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-150.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_4_Loud.m4a | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCommon.Thumbnails.dll.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dll.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\166.png.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skypex-icon-white.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-125.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\1px.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-64.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-20.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96_altform-unplated.png.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-125.png.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer10Sec.targetsize-64.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-125.png | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.dll | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-lightunplated.png.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zbhnd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\ChickiMiki Design.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Cntrlphse.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
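The three registry-discovery tables above (NLS\Language, CentralProcessor, BIOS) list every process that touched the key, and that includes taskmgr, nslookup and Edge alongside the dropped samples, so the signature on its own is noise. Ransomware does read the system locale to decide whether to encrypt at all, but OS components read the same key constantly; what separates the two is where the image lives. The script below is an added example, not part of the sandbox report: it parses rows in the page's own pipe-table layout, counts hits per image for a chosen key suffix, and ranks them by image location, with binaries under the user profile or Temp first and OS utilities last. A SysWOW64 copy of an OS utility gets its own bucket because on a 64-bit host that copy is normally reached only through WOW64 redirection, i.e. it was launched by a 32-bit parent. The sample rows are copied from the tables above plus a fully N/A row and a System32 taskmgr row constructed for contrast; the location buckets and severity weights are the example's own assumptions.

```python
"""Rank the processes in a sandbox signature table by image location.
Added example for triaging the registry-discovery tables on this page;
not part of the sandbox report."""
from collections import Counter

# Constructed sample: rows copied from the report's tables plus two benign
# rows (a fully N/A row and a System32 taskmgr row) to exercise filtering.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zbhnd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\ChickiMiki Design.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Cntrlphse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | N/A | N/A |
"""

def parse_rows(table):
    """Yield (description, indicator, process) from pipe-table rows,
    skipping the header and rows whose Process cell is N/A."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description" or cells[2] == "N/A":
            continue
        yield cells[0], cells[1], cells[2]

def location(image):
    """Bucket an image path; the buckets are this example's assumption."""
    low = image.lower()
    if low.startswith("c:\\windows\\syswow64\\"):
        return "os_binary_wow64"     # 32-bit copy: reached via WOW64 redirection from a 32-bit parent
    if low.startswith("c:\\windows\\"):
        return "os_binary"
    if low.startswith("c:\\program files"):
        return "installed_app"
    return "user_writable"           # Desktop, AppData, Temp: where dropped payloads live

SEVERITY = {"user_writable": 3, "os_binary_wow64": 2, "installed_app": 1, "os_binary": 0}

def rank_by_key(table, key_suffix):
    """[(image, hits, location)] for processes whose indicator ends with
    key_suffix: most suspicious location first, then most hits, then path."""
    hits = Counter(process for _, indicator, process in parse_rows(table)
                   if indicator.lower().endswith(key_suffix.lower()))
    ranked = [(image, n, location(image)) for image, n in hits.items()]
    ranked.sort(key=lambda r: (-SEVERITY[r[2]], -r[1], r[0].lower()))
    return ranked

if __name__ == "__main__":
    for image, n, where in rank_by_key(SAMPLE_ROWS, r"\NLS\Language"):
        print(f"{where:16} {n:3}  {image}")
```

Pass a different suffix, such as `\CentralProcessor\0\ProcessorNameString` or `\BIOS\SystemManufacturer`, to rank the other two tables with the same function; on the rows above only msedge.exe surfaces for those keys, which is the expected noise.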
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00476.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00476.7z"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe
HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe
HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe
HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe
HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe
HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe"
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe
HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe
HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe
HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe
HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe
HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41~1\mouranth.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe""
C:\Users\Admin\AppData\Roaming\Cntrlphse.exe
"C:\Users\Admin\AppData\Roaming\Cntrlphse.exe"
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe
HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe"
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe
HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe
C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe
HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1550356177.png /f
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Users\Admin\AppData\ChickiMiki Design.exe
"C:\Users\Admin\AppData\ChickiMiki Design.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00476\GET_YOUR_FILES_BACK.txt
C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x120,0x124,0x40,0x128,0x7ffcedc746f8,0x7ffcedc74708,0x7ffcedc74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:8
C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3664 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcedc746f8,0x7ffcedc74708,0x7ffcedc74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5448 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcedc746f8,0x7ffcedc74708,0x7ffcedc74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3112 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3112 /prefetch:8
C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
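The security-relevant pattern in the process list above is the repeated `nslookup <name>.bit dns1.soprodns.ru`: GandCrab resolves hard-coded Namecoin (.bit) names and names the resolver itself on the command line, so the query goes to that host rather than to whatever DNS server the victim is configured to use. No legitimate Windows software resolves .bit names, which makes the process-creation event a high-confidence detection that does not depend on DNS-server logs. In this detonation the .bit names were nonetheless queried through 8.8.8.8:53, the sandbox's default resolver, which is consistent with dns1.soprodns.ru no longer resolving; on a live network with a working resolver the lookup would bypass corporate DNS entirely. The following detection is an added example, not part of the sandbox report; the event tuple layout, the parent path, the two benign control events and the sanctioned-resolver list are assumptions, and the three nslookup command lines are copied from the report.

```python
"""Detection for nslookup-driven alt-root (.bit) resolution, as seen in the
process list above. Added example, not part of the sandbox report."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Namecoin/Emercoin alt-root TLDs that no normal Windows software resolves.
# Assumption: extend for your estate.
ALT_ROOT_TLDS = (".bit", ".bazar", ".coin", ".emc", ".lib")
# Assumption: the estate's sanctioned resolvers; any other server named on
# the nslookup command line bypasses corporate DNS logging and sinkholing.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Constructed process-creation events: (pid, parent image, image, command line).
# The three nslookup command lines are copied from the report; the parent path
# and the two benign control events are invented.
SAMPLE_EVENTS = [
    (4120, r"C:\Users\Admin\Desktop\00476\dropper.exe", r"C:\Windows\SysWOW64\nslookup.exe",
     "nslookup nomoreransom.bit dns1.soprodns.ru"),
    (4188, r"C:\Users\Admin\Desktop\00476\dropper.exe", r"C:\Windows\SysWOW64\nslookup.exe",
     "nslookup emsisoft.bit dns1.soprodns.ru"),
    (4260, r"C:\Users\Admin\Desktop\00476\dropper.exe", r"C:\Windows\SysWOW64\nslookup.exe",
     "nslookup gandcrab.bit dns1.soprodns.ru"),
    (5012, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     "cmd /c nslookup www.bing.com"),
    (5100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\nslookup.exe",
     "nslookup -type=mx example.com 10.0.0.53"),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    parent_image: str
    query: Optional[str]
    resolver: Optional[str]
    severity: str


def parse_nslookup_args(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (query, resolver) from nslookup's non-interactive form
    `nslookup [-opt ...] host [server]`. Options start with '-' and are
    skipped; (None, None) means the command line is not an nslookup call."""
    tokens = cmdline.split()
    if not tokens:
        return None, None
    head = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if head not in ("nslookup", "nslookup.exe"):
        return None, None
    positional = [t for t in tokens[1:] if not t.startswith("-")]
    query = positional[0].lower().rstrip(".") if positional else None
    resolver = positional[1].lower().rstrip(".") if len(positional) > 1 else None
    return query, resolver


def severity_for(query: Optional[str], resolver: Optional[str]) -> Optional[str]:
    """Alt-root TLD plus a self-supplied resolver is the GandCrab pattern;
    either half alone still merits a lower-priority alert."""
    alt_root = query is not None and query.endswith(ALT_ROOT_TLDS)
    foreign = resolver is not None and resolver not in SANCTIONED_RESOLVERS
    if alt_root and foreign:
        return "high"
    if alt_root:
        return "medium"
    if foreign:
        return "low"
    return None


def scan(events) -> List[Finding]:
    """Run the detection over (pid, parent, image, cmdline) events; only
    events whose image is nslookup.exe itself are considered, so a shell
    that merely mentions nslookup is left to its own child event."""
    findings = []
    for pid, parent, image, cmdline in events:
        if not image.lower().endswith("\\nslookup.exe"):
            continue
        query, resolver = parse_nslookup_args(cmdline)
        sev = severity_for(query, resolver)
        if sev:
            findings.append(Finding(pid, parent, query, resolver, sev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.query} via {f.resolver or 'system resolver'} "
              f"parent={f.parent_image}")
```

The explicit resolver is the part worth acting on beyond detection: unless outbound port 53 is restricted to the sanctioned resolvers, a host can hand its DNS traffic to any server the malware names and neither resolver logs nor a sinkhole will see the lookup.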
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 65.49.8.96:443 | | tcp |
| BA | 77.238.193.186:4444 | | tcp |
| US | 128.31.0.39:9131 | 128.31.0.39 | tcp |
| RU | 45.151.62.188:443 | | tcp |
| US | 8.8.8.8:53 | 39.0.31.128.in-addr.arpa | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 188.62.151.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.219.218.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipv4bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | comaddutilspec.work | udp |
| US | 8.8.8.8:53 | comaddutilspec.xyz | udp |
| US | 8.8.8.8:53 | comaddutilspec.com | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | imzombie13.tk | udp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 244.244.23.193.in-addr.arpa | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 65.49.8.96:443 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 65.49.8.96:443 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| DE | 5.189.155.39:9001 | | tcp |
| US | 8.8.8.8:53 | 39.155.189.5.in-addr.arpa | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 65.49.8.96:443 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 65.49.8.96:443 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| LU | 107.189.1.198:443 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 198.1.189.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| GB | 88.221.135.24:443 | www.bing.com | tcp |
| GB | 88.221.135.24:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 24.135.221.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| GB | 88.221.135.24:80 | www.bing.com | tcp |
| GB | 88.221.135.24:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| GB | 95.101.143.219:443 | r.bing.com | tcp |
| GB | 95.101.143.219:443 | r.bing.com | tcp |
| GB | 95.101.143.219:443 | r.bing.com | tcp |
| GB | 95.101.143.219:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 219.143.101.95.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| GB | 95.101.143.219:443 | r.bing.com | tcp |
| GB | 95.101.143.219:443 | r.bing.com | tcp |
| GB | 95.101.143.219:443 | r.bing.com | tcp |
| GB | 95.101.143.219:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 95.101.143.98:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.68:443 | login.microsoftonline.com | tcp |
| GB | 173.222.211.40:443 | aefd.nelreports.net | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| GB | 173.222.211.40:443 | aefd.nelreports.net | tcp |
| US | 8.8.8.8:53 | 98.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 65.49.8.96:443 | | tcp |
| US | 8.8.8.8:53 | 200.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | www.msn.com | udp |
| US | 8.8.8.8:53 | c.msn.com | udp |
| IE | 13.74.129.1:443 | c.msn.com | tcp |
| US | 8.8.8.8:53 | browser.events.data.msn.com | udp |
| US | 8.8.8.8:53 | c.bing.com | udp |
| GB | 95.101.143.98:443 | assets.msn.com | tcp |
| US | 52.168.117.170:443 | browser.events.data.msn.com | tcp |
| US | 52.168.117.170:443 | browser.events.data.msn.com | tcp |
| US | 204.79.197.237:443 | c.bing.com | tcp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | img-s-msn-com.akamaized.net | udp |
| GB | 173.222.211.43:443 | img-s-msn-com.akamaized.net | tcp |
| GB | 173.222.211.43:443 | img-s-msn-com.akamaized.net | tcp |
| GB | 173.222.211.43:443 | img-s-msn-com.akamaized.net | tcp |
| GB | 173.222.211.43:443 | img-s-msn-com.akamaized.net | tcp |
| US | 8.8.8.8:53 | 1.129.74.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.211.222.173.in-addr.arpa | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| GB | 88.221.134.3:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | 3.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | www.torproject.org | udp |
| DE | 116.202.120.165:443 | www.torproject.org | tcp |
| DE | 116.202.120.165:443 | www.torproject.org | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.120.202.116.in-addr.arpa | udp |
| DE | 116.202.120.165:443 | www.torproject.org | tcp |
| DE | 116.202.120.165:443 | www.torproject.org | tcp |
| DE | 116.202.120.165:443 | www.torproject.org | tcp |
| DE | 116.202.120.165:443 | www.torproject.org | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | dist.torproject.org | udp |
| US | 204.8.99.144:443 | dist.torproject.org | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | 144.99.8.204.in-addr.arpa | udp |
| NL | 204.137.14.106:443 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 52.168.117.173:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 106.14.137.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 65.49.8.96:443 | | tcp |
| DE | 116.202.120.165:443 | dist.torproject.org | tcp |
| DE | 116.202.120.165:443 | dist.torproject.org | tcp |
| DE | 116.202.120.165:443 | dist.torproject.org | tcp |
| DE | 116.202.120.165:443 | dist.torproject.org | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| DE | 116.202.120.165:443 | dist.torproject.org | tcp |
| DE | 116.202.120.165:443 | dist.torproject.org | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 204.8.99.144:443 | dist.torproject.org | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 94.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 65.49.8.96:443 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| KR | 180.80.144.44:9001 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 44.144.80.180.in-addr.arpa | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 65.49.8.96:443 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| N/A | 127.0.0.1:8668 | | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
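Most rows in the Network table are detonation noise: reverse (in-addr.arpa) lookups the sandbox issues for every peer it touches, loopback and multicast traffic, and the Bing/MSN/Microsoft telemetry any Windows 10 image with Edge produces on its own. The rows worth extracting are the alt-root .bit queries, the .onion name that leaked into plain DNS, the external-IP check (ipv4bot.whatismyipaddress.com), the Tor Project downloads, and the bare-IP connections, particularly those on non-web ports such as 4444, 9001 and 9131. The script below, an added example and not part of the report, sorts rows of this table into those buckets. The excerpt of rows is copied from the table above (including one row in the report's shifted layout, where an empty Domain cell pushed the protocol into the Domain column); the benign-suffix list, the alt-root TLD list and the port heuristic are assumptions to tune for your own detonations.

```python
"""Triage of a sandbox Network table into candidate IOCs versus detonation
background noise. Added example, not part of the report."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ALT_ROOT_TLDS = (".bit", ".bazar", ".coin", ".emc", ".lib")   # assumption: alt-root TLDs to flag
# Assumption: hostnames a Windows 10 + Edge detonation contacts on its own.
BENIGN_SUFFIXES = ("bing.com", "msn.com", "microsoft.com", "microsoftonline.com",
                   "akamaized.net", "nelreports.net", "google.com")
IP_CHECK_SUFFIXES = ("whatismyipaddress.com",)                # assumption: external-IP lookup services
WEB_PORTS = {80, 443}

# Constructed excerpt of the table above, in the report's own column layout.
# The fifth row reproduces the shifted layout seen in the report.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 65.49.8.96:443 | | tcp |
| BA | 77.238.193.186:4444 | | tcp |
| US | 128.31.0.39:9131 | 128.31.0.39 | tcp |
| RU | 45.151.62.188:443 | tcp | |
| US | 8.8.8.8:53 | ipv4bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | dns1.soprodns.ru | udp |
| US | 8.8.8.8:53 | nomoreransom.bit | udp |
| US | 8.8.8.8:53 | emsisoft.bit | udp |
| US | 8.8.8.8:53 | gandcrab.bit | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| N/A | 127.0.0.1:8668 | | tcp |
| DE | 5.189.155.39:9001 | | tcp |
| GB | 88.221.135.24:443 | www.bing.com | tcp |
| DE | 116.202.120.165:443 | www.torproject.org | tcp |
| US | 8.8.8.8:53 | avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion | udp |
| N/A | 224.0.0.251:5353 | | udp |
"""


def _under(name: str, suffixes) -> bool:
    """True if name is one of the suffixes or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def parse_row(line: str) -> Optional[Tuple[str, str, int, str, str]]:
    """Return (country, ip, port, domain, proto) for a data row, None otherwise.
    Repairs rows where an empty Domain cell shifted the protocol left."""
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    if domain in ("tcp", "udp") and proto == "":
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return country, ip, int(port), domain, proto


def classify(ip: str, port: int, domain: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_multicast or addr.is_link_local:
        return "ignored"
    if port == 53:                          # DNS query: the Domain cell is the name asked for
        if domain.endswith(".in-addr.arpa"):
            return "ignored"                # sandbox reverse lookups of peers it just contacted
        if domain.endswith(".onion"):
            return "onion_dns"              # hidden-service name leaked to a clearnet resolver
        if domain.endswith(ALT_ROOT_TLDS):
            return "alt_root_dns"
        if _under(domain, IP_CHECK_SUFFIXES):
            return "ip_check_dns"
        if _under(domain, BENIGN_SUFFIXES):
            return "ignored"
        return "dns_query"
    if domain in ("", ip):                  # connection with no hostname behind it
        return "bare_ip" if port in WEB_PORTS else "bare_ip_unusual_port"
    if _under(domain, BENIGN_SUFFIXES):
        return "ignored"
    return "named_connection"


def triage(table_text: str) -> Dict[str, List[str]]:
    """Bucket every data row; DNS rows are keyed by the queried name,
    connections by ip:port/proto with the hostname, if any, in brackets."""
    buckets = defaultdict(set)
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        _, ip, port, domain, proto = row
        if port == 53:
            indicator = domain
        else:
            indicator = f"{ip}:{port}/{proto}"
            if domain and domain != ip:
                indicator += f" ({domain})"
        buckets[classify(ip, port, domain)].add(indicator)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, indicators in triage(SAMPLE_ROWS).items():
        if bucket != "ignored":
            print(bucket, indicators)
```

Bare-IP connections on 80/443 (the 216.218.219.41 and 65.49.8.96 rows) still deserve a look, since a C2 that never needs a hostname will not show up in the DNS buckets at all; the split into "bare_ip" and "bare_ip_unusual_port" only orders the review queue.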
Files