Analysis
max time kernel: 128s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 12:40

Static task: static1
Behavioral task: behavioral1
Sample: RNSM00431.7z
Resource: win10v2004-20241007-en

General
Target: RNSM00431.7z
Size: 21.6MB
MD5: 51b913c77686e4d72c6754fe38eb847d
SHA1: 33085b7950a0200a22a2c7f5ac7edd2c2cfed2ea
SHA256: df972b858ff10bcabbcef5ec116549330919b30d5be3cd5aaefef3e8e33726a6
SHA512: efb2431c3408deb0f707f55bec8a11432aa2bee55395f2776d58e48875591dc816fc5c562e91133bea43ea60cb5463c2b2982fbea80f3f776174d6628a984bca
SSDEEP: 393216:0xeeAqc18J3CjLlhFUxA4zILUS5bvPsgYSk0Fg2zYBgtR7BSQM5pwuxNzSy2AHm:0xeeQA3slhFUOHNF5bkVuaux0y4RN2AG

Malware Config

Signatures

Asyncrat family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe

Detected Nirsoft tools (2 IoCs)
Free utilities often used by attackers, which can steal passwords, product keys, etc.
Processes:
resource | yara_rule
behavioral1/memory/4684-102-0x0000000005790000-0x0000000005826000-memory.dmp | Nirsoft
behavioral1/memory/4684-102-0x0000000005790000-0x0000000005826000-memory.dmp | Nirsoft

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral1/memory/4684-102-0x0000000005790000-0x0000000005826000-memory.dmp | WebBrowserPassView
behavioral1/memory/4684-102-0x0000000005790000-0x0000000005826000-memory.dmp | WebBrowserPassView

Renames multiple (2195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Disables Task Manager via registry modification

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe

Credentials from Password Stores: Windows Credential Manager (1 TTP)
Suspicious access to Credentials History.

Drops startup file (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe

Executes dropped EXE (26 IoCs)
Processes:
pid | process (each entry appears twice in the report)
4684 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
4664 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
3748 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
1940 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe
2824 | HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe
2808 | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
2700 | HEUR-Trojan-Ransom.Win32.Encoder.gen-1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161.exe
5772 | HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe
5616 | tool oa.exe
5572 | HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe
5212 | TOOL XMDT.exe
6368 | HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe
7088 | windows.exe

Loads dropped DLL (4 IoCs)
Processes:
pid | process
5616 | tool oa.exe
7088 | windows.exe
5616 | tool oa.exe
7088 | windows.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.

Processes:
resource | yara_rule
behavioral1/memory/4684-101-0x0000000000B80000-0x0000000000E3A000-memory.dmp | vmprotect
behavioral1/memory/4684-101-0x0000000000B80000-0x0000000000E3A000-memory.dmp | vmprotect

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysnet = "C:\\Users\\Admin\\AppData\\Local\\sysnetwin.exe" | HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Roaming\\readere_lm.com" | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSGatewayLayerService = "\"C:\\Users\\Admin\\AppData\\Roaming\\DSGatewayLayerService.exe\"" | HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe

Drops desktop.ini file(s) (41 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File created | C:\Windows\assembly\Desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini | HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\F: | HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe
File opened (read-only) | \??\S: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\W: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\M: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\P: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\Q: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\T: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\V: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\G: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\I: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\K: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\O: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\U: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\Y: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\E: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\J: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\N: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\R: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\X: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\Z: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\H: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened (read-only) | \??\L: | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
47 | icanhazip.com
64 | api.my-ip.io
65 | api.my-ip.io

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\autorun.inf | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\autorun.inf | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper | HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe

Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\assembly | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File created | C:\Windows\assembly\Desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes:
pid | pid_target | process | target process
2020 | 4684 | WerFault.exe | HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
2020 | 4684 | WerFault.exe | HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe

System Location Discovery: System Language Discovery (1 TTP, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tool oa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windows.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.Win32.Encoder.gen-1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TOOL XMDT.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe

Delays execution with timeout.exe (2 IoCs)
Processes:
pid | process
6704 | timeout.exe
5644 | timeout.exe

Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | HEUR-Trojan-Ransom.Win32.Encoder.gen-1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
pid | process
6088 | vlc.exe
6088 | vlc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process (distinct entries; the report repeats these to a total of 64)
1284 | taskmgr.exe
5000 | taskmgr.exe
2588 | powershell.exe

Suspicious behavior: GetForegroundWindowSpam (6 IoCs)
Processes:
pid | process
3944 | 7zFM.exe
5000 | taskmgr.exe
6088 | vlc.exe
3944 | 7zFM.exe
5000 | taskmgr.exe
6088 | vlc.exe

Suspicious behavior: RenamesItself (2 IoCs)
Processes:
pid | process
4664 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
4664 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe

Suspicious use of AdjustPrivilegeToken (56 IoCs)
Processes:
description | pid | process (each entry appears twice in the report)
Token: SeRestorePrivilege | 3944 | 7zFM.exe
Token: 35 | 3944 | 7zFM.exe
Token: SeSecurityPrivilege | 3944 | 7zFM.exe
Token: SeDebugPrivilege | 1284 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1284 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1284 | taskmgr.exe
Token: SeDebugPrivilege | 5000 | taskmgr.exe
Token: SeSystemProfilePrivilege | 5000 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 5000 | taskmgr.exe
Token: 33 | 1284 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 1284 | taskmgr.exe
Token: SeDebugPrivilege | 2588 | powershell.exe
Token: SeDebugPrivilege | 4684 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
Token: SeDebugPrivilege | 2824 | HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe
Token: SeDebugPrivilege | 1940 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe
Token: SeDebugPrivilege | 5772 | HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe
Token: SeDebugPrivilege | 5212 | TOOL XMDT.exe
Token: SeBackupPrivilege | 1500 | vssvc.exe
Token: SeRestorePrivilege | 1500 | vssvc.exe
Token: SeAuditPrivilege | 1500 | vssvc.exe
Token: SeDebugPrivilege | 3748 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
Token: SeDebugPrivilege | 5616 | tool oa.exe
Token: SeDebugPrivilege | 7088 | windows.exe
Token: SeDebugPrivilege | 7088 | windows.exe
Token: 33 | 6312 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 6312 | AUDIODG.EXE
Token: 33 | 6088 | vlc.exe
Token: SeIncBasePriorityPrivilege | 6088 | vlc.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
7zFM.exe, taskmgr.exe, taskmgr.exe
pid process
3944 7zFM.exe 3944 7zFM.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exe, taskmgr.exe
pid process
1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 1284 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
cmd.exe, HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe, vlc.exe
pid process
1448 cmd.exe
3748 HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
3748 HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
6088 vlc.exe
1448 cmd.exe
3748 HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
3748 HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
6088 vlc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
taskmgr.exe, powershell.exe, cmd.exe, HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe, HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe, tool oa.exe
description pid process target process
PID 1284 wrote to memory of 5000 1284 taskmgr.exe taskmgr.exe
PID 1284 wrote to memory of 5000 1284 taskmgr.exe taskmgr.exe
PID 2588 wrote to memory of 1448 2588 powershell.exe cmd.exe
PID 2588 wrote to memory of 1448 2588 powershell.exe cmd.exe
PID 1448 wrote to memory of 4684 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
PID 1448 wrote to memory of 4684 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
PID 1448 wrote to memory of 4684 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
PID 1448 wrote to memory of 4664 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
PID 1448 wrote to memory of 4664 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
PID 1448 wrote to memory of 3748 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
PID 1448 wrote to memory of 3748 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
PID 1448 wrote to memory of 3748 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
PID 1448 wrote to memory of 1940 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe
PID 1448 wrote to memory of 1940 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe
PID 1448 wrote to memory of 2824 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe
PID 1448 wrote to memory of 2824 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe
PID 1448 wrote to memory of 2824 1448 cmd.exe HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe
PID 1448 wrote to memory of 2808 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
PID 1448 wrote to memory of 2808 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
PID 1448 wrote to memory of 2808 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
PID 1448 wrote to memory of 2700 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Encoder.gen-1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161.exe
PID 1448 wrote to memory of 2700 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Encoder.gen-1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161.exe
PID 1448 wrote to memory of 2700 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Encoder.gen-1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161.exe
PID 1448 wrote to memory of 5772 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe
PID 1448 wrote to memory of 5772 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe
PID 5772 wrote to memory of 5616 5772 HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe tool oa.exe
PID 5772 wrote to memory of 5616 5772 HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe tool oa.exe
PID 5772 wrote to memory of 5616 5772 HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe tool oa.exe
PID 1448 wrote to memory of 5572 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe
PID 1448 wrote to memory of 5572 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe
PID 1448 wrote to memory of 5572 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe
PID 5772 wrote to memory of 5212 5772 HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe TOOL XMDT.exe
PID 5772 wrote to memory of 5212 5772 HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe TOOL XMDT.exe
PID 5772 wrote to memory of 5212 5772 HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe TOOL XMDT.exe
PID 1448 wrote to memory of 6368 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe
PID 1448 wrote to memory of 6368 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe
PID 1448 wrote to memory of 6368 1448 cmd.exe HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe
PID 6368 wrote to memory of 2904 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 2904 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 2904 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 5284 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 5284 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 5284 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 4960 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 4960 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 4960 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 5340 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 5340 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 5340 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 6160 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 6160 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 6160 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 6304 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 6304 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 6304 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 6376 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 6376 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 6368 wrote to memory of 6376 6368 HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe cmd.exe
PID 5616 wrote to memory of 6432 5616 tool oa.exe cmd.exe
PID 5616 wrote to memory of 6432 5616 tool oa.exe cmd.exe
PID 5616 wrote to memory of 6432 5616 tool oa.exe cmd.exe
PID 5616 wrote to memory of 6468 5616 tool oa.exe cmd.exe
PID 5616 wrote to memory of 6468 5616 tool oa.exe cmd.exe
PID 5616 wrote to memory of 6468 5616 tool oa.exe cmd.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files\7-Zip\7zFM.exe (level 1)
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00431.7z"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3944

C:\Windows\system32\taskmgr.exe (level 1)
"C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\taskmgr.exe (level 2)
"C:\Windows\system32\taskmgr.exe" /1
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 1)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\cmd.exe (level 2)
"C:\Windows\system32\cmd.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe (level 3)
HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\WerFault.exe (level 4)
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1920
- Program crash
PID:2020

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe (level 3)
HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
PID:4664

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe (level 3)
HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe (level 3)
HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe (level 3)
HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe (level 3)
HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
PID:2808

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Encoder.gen-1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161.exe (level 3)
HEUR-Trojan-Ransom.Win32.Encoder.gen-1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2700

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\bypass.bat" "
- System Location Discovery: System Language Discovery
PID:1496

C:\Windows\SysWOW64\timeout.exe (level 5)
TIMEOUT /T 1
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5644

C:\Program Files\VideoLAN\VLC\vlc.exe (level 4)
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\RarSFX0\music.mp3"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6088

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe (level 3)
HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5772

C:\Users\Admin\AppData\Local\Temp\tool oa.exe (level 4)
"C:\Users\Admin\AppData\Local\Temp\tool oa.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5616

C:\Windows\SysWOW64\cmd.exe (level 5)
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
- System Location Discovery: System Language Discovery
PID:6432

C:\Windows\SysWOW64\schtasks.exe (level 6)
schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:6636

C:\Windows\SysWOW64\cmd.exe (level 5)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC6B7.tmp.bat""
- System Location Discovery: System Language Discovery
PID:6468

C:\Windows\SysWOW64\timeout.exe (level 6)
timeout 3
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:6704

C:\Users\Admin\AppData\Roaming\windows.exe (level 6)
"C:\Users\Admin\AppData\Roaming\windows.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:7088

C:\Users\Admin\AppData\Local\Temp\TOOL XMDT.exe (level 4)
"C:\Users\Admin\AppData\Local\Temp\TOOL XMDT.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5212

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe (level 3)
HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:5572

C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe (level 3)
HEUR-Trojan-Ransom.Win32.Generic-cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6368

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c net stop MSDTC
PID:2904

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
- System Location Discovery: System Language Discovery
PID:5284

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
PID:4960

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
PID:5340

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
PID:6160

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
PID:6304

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c net stop vds
PID:6376

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
- System Location Discovery: System Language Discovery
PID:6564

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
PID:6676

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c net stop SQLWriter
PID:6768

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
- System Location Discovery: System Language Discovery
PID:6824

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
PID:3380

C:\Windows\SysWOW64\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
- System Location Discovery: System Language Discovery
PID:6936

C:\Windows\SysWOW64\WerFault.exe (level 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4684 -ip 4684
PID:5012

C:\Windows\system32\vssvc.exe (level 1)
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\AUDIODG.EXE (level 1)
C:\Windows\system32\AUDIODG.EXE 0x3bc 0x2fc
- Suspicious use of AdjustPrivilegeToken
PID:6312
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Credential Access
Credentials from Password Stores (2)
Credentials from Web Browsers (1)
Windows Credential Manager (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads
SHA5128fb501cb61d5578d7846513f08c6d31ad934d8865f84b678fedacb1e3fa23b1a06e959e673fdf7949d2be1dd7f93339f4e40db820aaefa506066bdcebb3ec444
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658720680492.txt
Filesize77KB
MD51cd99ef1009a214c619bf6f23057af14
SHA102aac19a90c6d14306cf3a6f9b3f0b3e76e896a2
SHA256f2cab37f0c25736a24ee0261bcb4178791e9151fecc239bec3b7ba54ab92f3b4
SHA512eabfd269701f5e4be2f259b05c010820aef057f68edbe338069f44e1b6b29e351bfbef3b37f15f96463085c6f86aa027071ba90b06f1431c7bc7bd7a89f395f4
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727659161166784.txt
Filesize47KB
MD5d7159d30090dc526504122a78c3641bb
SHA1efd91618d0d374129a3c71d16e2a40210c8f7edb
SHA256fccb53bcc0cad00d401bae170bcc120e3cc49846881f29c848b51b33877e46fb
SHA512af0ee6b92ac46beaedc174797a887a60ebb3a857ff182678f20b6ef658291a579eac777ef07bed8fec4ba4822bf1388000cabfcd96b4af98e1dd9f4b5cb42b2b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665191668352.txt
Filesize63KB
MD5c1d80797ffe9fbae0928b5360e18d86c
SHA1f8afca37c3f5180ba6d270131ebb03fe090c1c61
SHA2569a3982912969e9c4de73b76ac207d5c70eee3ed9cca42066e382440856b8edf2
SHA512708d6094e87d8766246f8c7a9c7a9979fcfcc76557078d8f082cb033c5bdc32a2c6de126fdb7adde304087504ddabb8ce1192038bd60c8f5633726892733b7b4
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt
Filesize74KB
MD509b194f872cc856215adae55597f1e46
SHA1e81ef1967948857e093f9e80d722c71fed4734cc
SHA2562f2d2b54cf5445e6195ca154f509cff26a10cab4c0761f02b4712e76428844fe
SHA512efc2237c85246f5093598e5648a42fd2ce2847793b2b172bd60893936fe4a3ab275abb60678257d01d7b05772ba4144111657d7f3e18da8d944b16bfc88ce630
-
Filesize 1.5MB
MD5 6d808b1e1fdc6ef6cb6a456ce2b41b33
SHA1 2708e18b939522a7a9eca44f0cb0f1093e469579
SHA256 fb4c6e58610977cf6f134d474c541641343ab7cf56261e704caac221c5e0d9f5
SHA512 2376dc2cca6c55191e2b00a470e11036226108984496b66774465c5298b4664634a395c186bb952f3d0b03c3e808bf86160f155954718a2bd25b6476c5b33d0f
-
Filesize 666KB
MD5 30679a6ef0b0efc5719c2461cd5b8e21
SHA1 311fcc484df4b5fe3da878116e18a876316b992f
SHA256 2766bdf526089d2703ef54b14ebccb2bc60bbc229a7e4ab855066ce10fd34225
SHA512 635b980803f7b426a881f9508a35612c9621e5ffca6d5c7d56ca9979b2bfdb1a1d525c5862726c3a4579b0fdffd161481f570fefe1e194aa8cc6ea5dc3b92a16
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 1.5MB
MD5 40a98f24138adcc1185612b5d7d8a644
SHA1 5891201825982460d3e538c709e8287e06c81510
SHA256 b9caf8a1f300f0d6081e5ae0973d384593c267e264dc804aa2075228ac555086
SHA512 ca6bd7d2f4d7b8224bd4f295dfcc48c0d265250838709f2169bf2523f48cfbd4de14792dd7ec62252498953cf4acabcfb338a29e0b8dc36f71e2ef36af948b2f
-
Filesize 1.6MB
MD5 7d8bdfc88af1a184871ca94b8c08c04b
SHA1 53d25abc08ef0a60f5e377adb334179f340b6cce
SHA256 9252598e240e313b40bbb8301e199ea6a17c976a56687e11d04b82499afcefa7
SHA512 e67107a28576e2c2417697eb561babf57da323df6c4c09f9ded64c76fd327165c518510d938a05f22bf24320a3f28df64c288a4c13c2bbd0bf36e159fa5db541
-
Filesize 63KB
MD5 da9b4b193eb6c31191b11b469aab2181
SHA1 59de754c36c5bef61e29c8ec5db772fbd76929ed
SHA256 6bd3113b84c2eaa890721828633e7dc5537e0b37bacdb030da327297151c2ffa
SHA512 1954acafa3b4b21cd90483f4f7f2202fa1ba7ac4e56394adb7618b23c89b2f7d95715525478d6f52f531d23e5752cae88627c7c8ae6c2fffb3bcbb8502f7b1b4
-
Filesize 26.0MB
MD5 c8e0407d827a044ce17a957ab5799492
SHA1 ed6cce7030b80fc11676b55f4e63142a8a83be5c
SHA256 f1ad00cadd339ed3f066ddec82aa1c2727b7de929367ff2b776fa721c7198e05
SHA512 c6474a7b4c9af869e9bd474773ffae0e3f7a1ec78cf2d6d5bac17ef62f836659f0a775993c097e9b803784c8330c3fdf6e8762a0b48e9f4a66c470b9a5b2e7bb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
Filesize 245KB
MD5 09e14166c72a65a2c194218e4fa7f28a
SHA1 8d410849b50b39d0af964037b6348007b6d4ee28
SHA256 c93ff5ea3b94ea3ede0009d5dad27ac38ab8aa153181076af6304e220a9ba535
SHA512 1c788a80d5ca17199398c192fc654613caaf7db0599630d7714566aa44dd54bec8ba88f28deac38b5a43fa863250f637a7bd7d4eb361fbd8be376743064be9f6
-
Filesize 30B
MD5 1d133e101d175a40da12fdead8e1126b
SHA1 ff1174a579eda42a151294f2eed9fac61326f787
SHA256 1d9fd1b36d56f4be14360b29b603c690994ef25843a92a23f0c9d224a2b39687
SHA512 cb1d6f29e394f35f853cb5ab3dac061cc418171c5616163b89a29f5e75e1fdbacca86b5e3b3cd1aa20a183ee5ceadb22299e473e46dd44eb558dd74ba103819e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 5KB
MD5 a14782118941bfad78cb2b78dcf5a8eb
SHA1 b69b8ad5f1f1f48555e4bdeb31438d2048b7f233
SHA256 31e34b19066992b765e82ae6f3c7ccedcbcb5f6b03c9536c5e41eec8a9ef1258
SHA512 e3ae844ae3ca3cd37f12ee8f3b41ad693ecb2077bb6bb890c1bb8e9bc4b4db5672f269b8ef12641d445a5b9750df4b4944eb6fdce5908ba46404c6a5543fa0f8
-
Filesize 32KB
MD5 50f82f3ebcf8ea420e4ae14ceb156926
SHA1 95d8ec5db6f5e9dcc605e69d862c21f2f78a339d
SHA256 8342c01d88988f849c1db77473a43e7fa1f48c9cc6e92e9db7c0463ebfd3cddf
SHA512 24fce6ace9d88bae478675611bd9fb254f55a4a7c63496a57914f3b55b8baf090762c56eed74c8cec2a068a7049dc5440709bfb8edac9f74ebf997c16e541798
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Filesize 48KB
MD5 aa5bbf66d5c77db490e018849f4f2be2
SHA1 62a29925b1faa8f4e7e4e1d60bcd1442d8761dcc
SHA256 baa88afe3c0c682fd31f28bec9a4c0bb5980bfec65cb06d3dee4a7ab9d615ddf
SHA512 69916001b94ed8aeb00306508b65662cd79687e7414f5587339e49ec79abab2be4e488bb5bcf476aeaf46c2132bef2d91dbf911c0816af6e3aa89a2640ffe679
-
Filesize 135KB
MD5 cce581b80ff27cad7d617eedfb1e4b04
SHA1 5e1897177c711d2b3c8279a6af2062c590beeb08
SHA256 8a55fff14a187966ff02f0d2614cbb8c9b2b1d5c60a67c7ec38e258230d1b7ac
SHA512 e9db923c1cecf2cbc2b66b340c25d229e671aea9e678400755cb9d42a6c3c8b1bc8c77d2af12381d40daef52c98d43963d1670562d1513bd90c4a6ce846c075a
-
Filesize 1KB
MD5 5558878edca8b3206ab6ee5fe57f6865
SHA1 de18444b65432f299d87c2a3951e0ecc3aa52427
SHA256 df20c9f2101bbc0512cbedf1f0e93c25263dc97562a2bccb6677523ffd3dedc0
SHA512 f8a330f63e8c797ae67f2a5aa2c247cca08c688143f450bea732cad797c8d929c3a02c210c7b200aa597b3677fc9916aca6a3ca0070e28acc3747b39d693cf9c
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a.exe
Filesize 26.0MB
MD5 7b9236bc5a36d4c4d184e1a90869d7e3
SHA1 3402a6ae36766c3c68aa8279581bff4ef4d52489
SHA256 bca9f696e98765f7c6bf8c062b4eaf9f413606ca645870d04d3d46194a0d386a
SHA512 cecf537484faaad7636843e6ee005151a0a224414a005e2b51036ba3fb7ae80ba221d88cc6bc7b1da01e55c8b61fa08a1dbc30b174872c31701e678626972099
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d4aeaa9cfc5cb8de65e5c713b1a6a8d23743ec815fe9e891fa4f3219962f3823.exe
Filesize 1.1MB
MD5 258bdbeb518d7c289ba85295548f0b12
SHA1 2873c21cfa8f80e6d05ce37a9e2ac0ca718d07b4
SHA256 d4aeaa9cfc5cb8de65e5c713b1a6a8d23743ec815fe9e891fa4f3219962f3823
SHA512 874255563e56f3c3aa8f022445f97d6faf24942a83f37f882bb82d22b6e88933c6a9b1cb3e136521da389014a59c41d9c8b9d423abe9e643655385ea9623f8ec
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Encoder.gen-26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280.exe
Filesize 502KB
MD5 401259a62421de8073c0fb49eefe83d0
SHA1 127c345e228e74b22da1e488a9c676e40bcfdabb
SHA256 26b8b4cc29db80361c04071aab96234fb31fdfdccde5b0e79e9b5855b0b30280
SHA512 59e0cd03353a49baefb8eb52c3335db745ac1ac7ae19f7f9190e7523da760cde2ca6a90130e76c9b98e2a2df376ceca133287187cc00bb36edb438f16609694f
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exe
Filesize 9.2MB
MD5 00aa8346510601a9ac8c7a18c70bcde3
SHA1 bf7ee46d96a573a6b4e21c3e2cb2a28009378189
SHA256 99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6
SHA512 6b5f004883ccf2b805ba51948cc11b7ffcadf118f08683d3ed45407fd89d782b575b6a9ba68cf13990920dcd70055f39a831d5453f5390767f0997da7a86c781
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe
Filesize 144KB
MD5 bd21cd6f5b12827878dde5956f77dacb
SHA1 d409876e527a28e7fae1915996a410898f710aa2
SHA256 c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a
SHA512 7096dd8e3f2a78a8bce74b1ab5516eab2b907f9aaebda623e8ca195115279e946c5420df64bdebd934ba400f2e7159a20137fed872a66e15723da8129c7781bb
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Spora.gen-35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5.exe
Filesize 1.1MB
MD5 367c2a7bc803c47bdc4601098d9cb112
SHA1 3058d29cb0832ed1d9b8df1ba494ae10c700ac47
SHA256 35b3d524a28e9cec4bdfe144ef2710a3d13121a8e006f4c68a41998e893849c5
SHA512 d5fb4efd6fbde5ae79bf29310546ef08b5ec9f7bf77cbf444e529f1ff6843c05ed36d7748ab8baa4f35c37b126f823088ddbb4d5dfcd1f9a2ff3daf86fc6fbd6
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Blocker.gen-bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e.exe
Filesize 135KB
MD5 eb4b40dd93eba441bd95da11da29b66c
SHA1 0b7e5077e8d76580e267218caa71302bb664229c
SHA256 bcc752bfd62b47a50bc3028e87c5d3528b54eae16666cf94895d91a335f38d9e
SHA512 4a93e0d81f72b559b6a850cf28f32595c7f9f457bc6f328a01b508a4722fdb0fdb07fa13a3ace388a5446f14de08cc39360d5a8856bf0d2009fc6cf4acbfaa8e
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Encoder.gen-1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161.exe
Filesize 2.0MB
MD5 3f6d92bf3e21441caa83001747c5c128
SHA1 6a50a1b3f30a097d8ec8d1d2da44c07c4a8515ac
SHA256 1ff82014dbd0e40028c9e1a5c108342ee93500d253b657e3e5a3eac984a98161
SHA512 cc0e0ecc9bd8e44134eeb19a34e7195ed3a08bb8a6d421b721900a2d5c23dfb7a2c5bf322fc3da3acb608061fff8d2f3314c9357edd7aa56a5fbc1e4e37c298e
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Generic-b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0.exe
Filesize 3.1MB
MD5 39f076942d986e87c6cc7e7cf1af7f34
SHA1 cce7cde261b2e99d2b9772819aa33b6654c5feb9
SHA256 b8388c13a0308124321317679b28ab84bb4c5035940770d670db14bf785361f0
SHA512 562857d7307c909991573edaf595fcee36fbee19f4cdb1849aee719002ab532158c0db4df57bed47144ddbf81a82bdfcd37317e3be595baf63cb0c7eaebda2c6
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Generic-c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.exe
Filesize 142KB
MD5 f568229e696c0e82abb35ec73d162d5e
SHA1 71889fdf2d7616f366c38072ef3d24b021068ab8
SHA256 c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323
SHA512 7dabdd3526e9b5d5ba4055e15455ed7a87706c534be2784cf85e70e89249aeada3a3e4480c6896220431fb131aa85a5538100d928087bacb3ae64f3643cea23e
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Lockbit.vho-3b52db44c2cdd8adfacb906362837ed449e96fcf761de4b1f26388b66b6edabe.exe
Filesize 146KB
MD5 6ea979c9aa0e6cfb1a1a6714755a8b10
SHA1 3920cd9b59afb0a5c007f0ced5ce7ca4d7890513
SHA256 66ca1a2728477055a0a48b14ddf603a9d185025860fb59b72dbf478ed19451c4
SHA512 905205a76e1a0f58224e64140dc5d1a4ff7c026db6cc1809d0b121a753e3de1f6903c063251ca18eadc283e2523727f814633009e8dc3347995665e6bdbe961e
-
Filesize 974KB
MD5 b6347063d82d70a59548568717d1165e
SHA1 4fa4ea1e36ac73671692565e082af65edd3e5c63
SHA256 16e78c209ee5d5a7e88204256f21551fabd4c4a935b2ac7c0a05b282a4d63ca6
SHA512 0f3e89cd48924eba3b3b1a6624e7af0ea438df6856091af3db0f84d3589f1a5560d1cd3df25dc6c355b320c322423710fab2061b0de3df484565e63733e35382
-
Filesize 422KB
MD5 cf4c11df9dd6e65c146c99f98cc567e9
SHA1 d332cfb6036bf25ef734bb690f48a7e3bfc20a99
SHA256 f7d9febe3345f8a71e0ccecc3da9eaf66aba0464ebd837f192528921dd44d951
SHA512 66373343e637cceefd9d8b0e58ed27ebd900d8fb6998b006ef7290c79c67c041be4f98769c36f9d29260a0d2f7647a82444f865935d21a37ed16d832a07ece5c
-
Filesize 1.1MB
MD5 71f656ea02dafa7cd307c7b445f1a8ff
SHA1 8f16972fcf7f4b9915c5a93665e8370cb8998dca
SHA256 2fe258aba76163bb419c2b578829da569c3edfe90659edc4dadd0446dde5662b
SHA512 1b95a5d5cb135f69d14d7ebdbeea40ddeefc38f7402ef785b6ee063cc7ef284dcdf54d5c169314b2b53ebd5183c98ab4ab33d6a530fde8dd8c8a460cc10b581f
-
Filesize 18KB
MD5 e80f7e4be2abca2439b504abd4a9370a
SHA1 424f0adc6f6f1b1ab763c0f4976f7a96e6857bc2
SHA256 34c22cb40f165d2381da5504fd7bfd52779ec160edc1ce59bf84c23fe4399ff3
SHA512 a4d7bf7062c88c9d12485fa066b053a01016dd299682c954e3a9f93c32244630e93c3246a324cf6f9cc022331196970f0afbdba6e76230b15bc77b7cb9414b87
-
Filesize 827KB
MD5 9d39feee98c00c68f71d2547986df9ab
SHA1 7a46e203a5efad222a9b15e9018eafe1e2eb7746
SHA256 e23f61eadb50e334475cd456d7504477292f4501387e285be8449db26d249018
SHA512 b88f74860585b13d2dc82b581e16f016d2276a473fff8f0b17cb7c0c4611c364cd058af36a6bb2642361d24a50194b629005f72fce25c493b8a7995f5f35e09c
-
Filesize 459KB
MD5 1ec42ac8b2a0dce5e50621fc5ac44e47
SHA1 348c32b2e65c6380d6f126159d2d75db86a6922f
SHA256 e351e38d91c18e5f2a86c54b8377f6cd5c15be12037d11e3c15d8503543480f8
SHA512 7dff2d0a4cfe43ee018229a8f194eaa49098db1f3ae0885c2df5aac618b5f04e0fdc3202c8504944cffe53a5bf5ed667097ce682d84a5f664e1f307f76e38099
-
Filesize 1.1MB
MD5 29acb3f3f1278adef37cd1aea9fd3541
SHA1 730b15cc2a1b8980c54392493543b95175ba4483
SHA256 1866265777d7c6a62c3f2445e85814cb81bbdcc8a261ada3fea83a17e09bc864
SHA512 adb399404f0026b43084cef09579b78700a63f761a28869f9eaa6cf739393f3de8c096cdc1ebe28807c0370cb7b6dedfd17a6638218cccf853283ab6e06a3e42
-
Filesize 1.6MB
MD5 e0c2450cfecd67a91f030ade8c108070
SHA1 65a22c03b0f283d5bbba9c82fb64ee21f2e9b143
SHA256 1d168015ac198344f06d465b0e4328bab0863e7cb1eb5d70a5750be56e84852d
SHA512 d2b32eb6435bb1ededbfffeca174bd334173eba05383ee2ae320a52791b8d798a21978d79edc7e3745bf42f9f4071f9311b8bc8d446908c1c8ff4d18097329e1
-
Filesize 14KB
MD5 aad33feb31c7c0f15cba2438b2451811
SHA1 ad54ac0f2a19edd6ec6e72f6f7c12399d6889093
SHA256 69687360b98acddfe1623aa67cf51c727dd77e5d9081f22ad3e2ed1a9be64ba9
SHA512 93c32606f84a97933bf5886f1ca4e25be77fc94dbd0524433ca75814a8a8466ab32108f2f71ef1fa868999c7b105984c7c2c20877b04fb8cd94a97d3883417cd
-
C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exeV4-Shortcut.lnk
Filesize 1KB
MD5 f4c14283bf8bbd1a7d1174d492cc0796
SHA1 fd2603df5b9fb03ab62578942063c8302c91b17a
SHA256 67da93fa909b6d6e7aca97063f6c6e5f3f1f4df0304a5c46233b19bc4d0b5370
SHA512 22cd74cf577ade43f54fa43a07e9de5feb7f306c28991edc13eb72e8507258b0ad62a65d014fd2026f2fe07f7ef3d5df677049215f40055a6fbb873d4b195f1e
-
C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.MSIL.Encoder.gen-99f19a6bee0e579ed1120d67ba4edf52492e2452bfadca984b5b086473c26ab6.exeV4-Shortcut.lnk
Filesize 1KB
MD5 ace3502dd902cffe5b102cadb5043c0d
SHA1 566652cfc0ba72d5a4aa5108dc60a7ab609fd633
SHA256 79190be9ecdfa936ecbfb76b416219cb12db8263213f5b64abd00ac875c55115
SHA512 b47dde11f5d54305af4a0f4c84637b82e8d130dae85818199d6a86283f263da37154ffa8f25e28306adc521b45c835c91dd1194cf88f55705bb5a81a99e43941
-
Filesize 533KB
MD5 92d4fba53e98b6acb4e7999369802a0c
SHA1 a95ddcb2d9b20be96dfcbb1462e60f4eb6ebb436
SHA256 cdf5510731f34175acbf3e3572451eca104802efa35b601bec5c80770e526cd9
SHA512 403a845614a2eab4ae0f90317920c86c9caab4a3aebfc4e3eb11e78195911aaff1f6eb336ecc09971c3d40af6716c833bf7fd3b43846a55d23a33c3cc221ab14
-
Filesize 2KB
MD5 d6f0ba396376ea76d674247e8e74f50a
SHA1 62329e2a26ed5a20a73389cda46ea0dec9d15464
SHA256 5f1142c485313cc224c17374617410ffbeedc1fa622d93fec8b48c4c0e762f30
SHA512 d2b3a619a327ee708c8f95a71af3f16e08e52ad836cbdfd0188bc41bca7c69bdf553b86f292402233bf749a17b1a64df1759ae433f866094bf8c727a0e506ae7
-
Filesize 680KB
MD5 742844a3d06d5ebaf120b031ef5c85cd
SHA1 6478bec963a45a6a87f106a8d53d9902aa99aa3b
SHA256 2b32c8041f6edc57e50f3f86dc94fe5dbefea4b3f832969d85df10cbe2bb82cb
SHA512 db25fdfddc3190b76498a5bebeb082fc009bc428e0020b1a8cd6a364661be56930d6516d769209e6c6ea0cc464d16046160a7d3c955068ed29f39ca81291dce5
-
Filesize 1.1MB
MD5 8dfb015cef40a9d4e309a4393af72392
SHA1 f2309c30743722f582e7ede72a5496aa4bc42a53
SHA256 1f3108ce765de494040f753a9bbc4840aad0972104d518700a455ae3cf491068
SHA512 48b201a21c39502cee63fb2d72ba8fea2be8b740b1086a4ec2e6a60a4575ffabfdc22c246a87afc7236934bff9dca1638c2b7c5f540e309f7fb6da8a932596a0
-
Filesize 1011KB
MD5 f5d80fa3b0113e113f271dec72870fae
SHA1 a5f981845215e980bbfe8f21cd172f1e4eb40e11
SHA256 4fbec893f1228ca53893cfabdaaa1474cd6c75c3ffea2fe669801da7933e8504
SHA512 961bb008b30cdf5a6dca7a7d3609768de39c9b471ede451922bf8395383dbfc290e1602426fbfa539480d6a6790b90db9f2d6a0a6fed199caa1046a3fd6b35de
-
Filesize 937KB
MD5 e81318ddf90894cef098714559df7588
SHA1 1783e520d7d51cd4aa394d3c584453238d12eec5
SHA256 2625edc7f1aefada7152c010e1d1dc8c47fecd546c352141ab51e9cbb8a1d9b0
SHA512 a68edb44669841776186740bc471d560425a6868ca56aecb70c7f1418104d21b80e973d786d15af3ceefe9578bc7e1f64c3411ee80ace5e6364ed36511eaa5c6
-
Filesize 1.2MB
MD5 b914b307cf6fd72dbe24f6d409bf22e4
SHA1 47b24f6183f1f6498a8e272945721319b80ebaca
SHA256 274e1c0d3d619e2b0bf65a039b396caa5866c7cc33412cf4429cc38e56a7b416
SHA512 c030f10a842eb6b63f3cf5f96e89f76122c0d99a311622c6661a2d2c3b2b06be2d6079122fe026b2d4f45f0f8599c031f706780b2ff092c0a3d01592ac09cae6
-
Filesize 606KB
MD5 a070e675a89d984c0b5a986d95754f0c
SHA1 84ffe8b3a24692e2624ecdf2880023997c00f6c0
SHA256 e32a52372128936fd07386241f279d9045cb4bd501d187f91c14a3204dc1f296
SHA512 35f5e6d285dae9d2c62123baf20545eaf03dcf8d6ddc682529358d14d4888f7d87cacc1d66a72df14eabe180d6bc348b6fe64206c265b4e6cf337c0c5ae164f2
-
Filesize 753KB
MD5 339e52b3a973f5d386286cba655d8071
SHA1 3717cbd4863b0926d7aac62ed758df546d679718
SHA256 3bd733c63e759def33c6ab2b766cc629a057fa2bdcf6938aab58fcd85feb944f
SHA512 543c45e0ce3640a506f2640f4307a8c58c4bda8b2b3751bf2cb3a2fdc9da003a315473a29e5332749bb6c92260c89f74abfe3afcda447fbc787994bea7604937
-
Filesize 790KB
MD5 cd68da599530aa078464590fdfaf18d9
SHA1 1a24711068f9ce1717408b3c4d6a425a1f236fd8
SHA256 f77df4ad043404980872330e8f9cd4a5304aa168a606cc20614021a9cb2cab68
SHA512 d5820e48adf711432038acc5178a8157686f84b9c6914cedd6894dd367ea8ec942e1db8b2e068cae47f778df126ee5391fe4a90d199f6181ffe848386d5e0553
-
Filesize 21KB
MD5 8ce3c9f706abcedd26d2d4a5a98f5ca6
SHA1 ad9c0c6b4e9419b0e8002345bfe8366c218c6566
SHA256 74612db5838b343889d524c3e3900c597f0029cb2014c5bfdb04cd65796a7743
SHA512 2f118045834a22244daa84a6650c7356494a7df87f790576ec82e25fd9479eb51e35ceeed3b4d9eeb7b06a019dd997032634223c66edaa5616f4c3527a3d9f35
-
Filesize 717KB
MD5 e2dc4303754cda3a5d1612b013ff7fdd
SHA1 60153e61df52a1e79753fc7349018203fad5beaf
SHA256 ab7e75963982742e15fb914b86b9f6be2b0753147b8dad0c7190c0c100ac615e
SHA512 32f9e25a07a9a79c8c5dcbfff76a148687194821627fa4cb2047dcc9eaa5a62071137bbc72256d3cede3e55d50f8ed3fe5af09339e19578d396aa69a0c057196
-
Filesize 643KB
MD5 663169a4487d4113bb03c0ca15b8c4f2
SHA1 ff6956eb11532f613c41a6255bfe18fb1e5dbe9e
SHA256 2574e57e41fcd95377ffd2bd4a88ff35ba10627ab3a1d0964454576d1a4499f2
SHA512 6267aa152895c42131aa7a2c1a190a34d2ccfd3944452904ef9332c82a568a2d14df5051c53d789c23af786116087d6cf4d0aa5b49b347e88fc75a63b95a5849
-
Filesize 1.0MB
MD5 81c5ff618521e30defabe47388dc6197
SHA1 d3981b45e382dc7ffd69346bf86345b21de6107f
SHA256 5fde8dfe0be613d594105f9c5b4df17800abe2cffb65f1cf94da7ba07e7a2be3
SHA512 7cd6b5e1c358e9ea3ed727d45708b636ab885ba6593c56b9cbf2fa1a7a933894c5edccf9adad10b06201794c8360f31476ae03ff889b12c24e84cb48487db99e
-
Filesize 864KB
MD5 7d3b47581e78515283d0de3642c68862
SHA1 679d0ebd2bc65b3810d94a7d301e73b7efa3eaff
SHA256 5ddc858a569ec5d084526193bb0d75415a050433a6cd55a1a26b6630d073a20e
SHA512 6f02e37dd7df73648ee1a25e0912b91a02e703f53ce18e6b181e7e75e484f35e5ffc71d3ac7eec33b0835ea87d6a04c967f9281945dd6bb09e2c7a23b51cdc56
-
Filesize 901KB
MD5 b07769b3d6d33477bed95e51de7b55b9
SHA1 714d5cf75141229978ffd34083f329f8467b69e8
SHA256 3e3ce74b98e9959103b58097ca1fc433a174345a91bfe900f9b04fe7640a0b6e
SHA512 5b0cf7a44ffd92d5bb1fe89ee827718c1c0d00d2da867357a5b760c4ce0a66b12a63b24b9753d66a86659d014048f0e0af52b3c59c3f7e1ac1e006861cab36e3
-
Filesize 14KB
MD5 59b9a81c27f7add589e383eb3cfb7a61
SHA1 65c750cb4baa212ae9072a84d285333ac760dcb5
SHA256 9bfa48ea228a814bc40887a2d3b4b21433d7015d9cd8692c999d555cae398d55
SHA512 493500d907adc7c99d50e01db56e54aa97d980a88eeb6d592a0760bb01e33e512223df734fb8ef3fb39b187f20a4731a8f9018a38f8f86e1c969352e3376664a
-
Filesize 496KB
MD5 8fe7bf995faf42eab4fe6231a1429fb1
SHA1 03fd576bf51e02c80cd8a488c17cd2df9beef4c6
SHA256 dbd1bd3bdbaf388c6580adbbd2281d606a95d87cc3732cd14ecc6e52db85343b
SHA512 36a613c1340a0bec0b4af290c1234a248986c3a425b7e277c21faa4965998c7b6f48c844c5094e574daf290f5070169a89dd48aa8442b3e824c2fb065ba65576
-
Filesize 570KB
MD5 e461561ba90da2b44450b03126c4515b
SHA1 11cf2a738480b7e97631665da1d227996f8587f6
SHA256 6b1ffc52bfaa5965bc40c3914a36ffd7baef5fa259dce91c7252bbd3c6c35204
SHA512 403bb612f0fc8f8afd054134fabd3864d472bd195914ee28c255fb121ee44b30e70a8e7e1bd859319dd806aad8da54028f117ea4321d2608927a159a8c10689f
-
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.[[email protected]][MJ-XP1379526048].poker
Filesize 380KB
MD5 b675f802d6941d4d09179b74cf1cc95d
SHA1 6e984fc76c3d7050a0e24cea32d006bd2a9cd2dc
SHA256 4ed8254efb49ddccc4fd67571f4c6dbc5e4977084dc23910714d21ed7060ceb9
SHA512 55d2c5973bb35e66b86448045ee28c5f3aeb838055218fb70f609f5a29dc8cd6542bd79695f40751da115833ae8ffa23c8050ae492b05a05110b918e65d25548
-
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.[[email protected]][MJ-XP1379526048].poker
Filesize 395KB
MD5 f0447dcb04f890b82e4b4a6e2c5e24d9
SHA1 7466fb907cbf460b6c3776b1c383720cd188171c
SHA256 da4876e2e015adb3edf6c03384b26e5d3df6208157e4287826f0c7a63d109dc2
SHA512 7d7465b8b6fa80cc2d6dc5e9f58df2aca1a2c838006ae3423275b49fdb765fa67a0f1f79319bc35b957d34dcc09e5a2a157474b43a09838458f0e205da812aae
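Before any of the hashes above are turned into blocklist entries or hunt queries, the listing is worth parsing and sanity-checking rather than copied by hand: some records have no path, the Filesize value is sometimes on the label's own line and sometimes on the next, and one entry (the Lockbit sample whose filename carries the SHA256 starting 3b52db44) records a SHA256 starting 66ca1a27, which does not match its own filename. The Python below is an added example, not part of the sandbox report: it parses this record layout (path, Filesize, MD5, SHA1, SHA256, SHA512, then a "-" separator, with labels either fused to their values or separated by a space), validates hash lengths, flags filename/hash disagreements, and applies a heuristic for ransomware-style renames such as the ".poker" files. The names `parse_dropped_files`, `DroppedFile`, `hash_set` and the rename heuristic are this example's own; `SAMPLE` is an excerpt of four records from the listing above.

```python
"""Parse a sandbox 'dropped files' listing into records and sanity-check them.

Added example; not part of the sandbox report. Record layout (path line,
Filesize, MD5, SHA1, SHA256, SHA512, '-' separator) is taken from that
listing; labels may be fused to their values or separated by whitespace.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)")
SIZE_LINE = re.compile(r"Filesize\s*(\S*)")
PATH_LINE = re.compile(r"[A-Za-z]:\\")
SHA256_IN_NAME = re.compile(r"[0-9a-fA-F]{64}")
# Heuristic (this example's assumption, not a rule from the report): a
# bracketed token right before the final extension, e.g. '...txt.[id].poker'.
RANSOM_RENAME = re.compile(r"\[[^\]]*\]\.[A-Za-z0-9]+$")


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)

    def problems(self) -> List[str]:
        """Checks worth running before an entry becomes an IOC."""
        out: List[str] = []
        for algo, want in HASH_HEX_LEN.items():
            got = self.hashes.get(algo)
            if got is None:
                out.append(f"missing {algo}")
            elif len(got) != want:
                out.append(f"{algo} has {len(got)} hex digits, expected {want}")
        if self.path and "SHA256" in self.hashes:
            # Corpora often name samples by SHA256; the recorded hash must agree.
            m = SHA256_IN_NAME.search(self.path.rsplit("\\", 1)[-1])
            if m and m.group(0).lower() != self.hashes["SHA256"]:
                out.append("SHA256 in filename does not match recorded SHA256")
        return out

    def looks_ransom_renamed(self) -> bool:
        return bool(self.path and RANSOM_RENAME.search(self.path))


def parse_dropped_files(text: str) -> List[DroppedFile]:
    entries: List[DroppedFile] = []
    cur = DroppedFile()
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # record separator
            if cur.path or cur.hashes:
                entries.append(cur)
            cur = DroppedFile()
        elif PATH_LINE.match(line):
            cur.path = line
        elif m := SIZE_LINE.fullmatch(line):
            # 'Filesize8KB' on one line, or bare 'Filesize' with the value next
            cur.size = m.group(1) or next(lines, "").strip()
        elif m := HASH_LINE.fullmatch(line):
            cur.hashes[m.group(1)] = m.group(2).lower()
        # any other line is unrecognised residue and is skipped
    if cur.path or cur.hashes:
        entries.append(cur)
    return entries


def hash_set(entries: List[DroppedFile], algo: str = "SHA256") -> List[str]:
    """Deduplicated hashes of one algorithm, ready for a blocklist or hunt."""
    return sorted({e.hashes[algo] for e in entries if algo in e.hashes})


# Excerpt of four records from the listing above (labels left as extracted).
SAMPLE = r"""
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.Win32.Lockbit.vho-3b52db44c2cdd8adfacb906362837ed449e96fcf761de4b1f26388b66b6edabe.exe
Filesize146KB
MD56ea979c9aa0e6cfb1a1a6714755a8b10
SHA13920cd9b59afb0a5c007f0ced5ce7ca4d7890513
SHA25666ca1a2728477055a0a48b14ddf603a9d185025860fb59b72dbf478ed19451c4
SHA512905205a76e1a0f58224e64140dc5d1a4ff7c026db6cc1809d0b121a753e3de1f6903c063251ca18eadc283e2523727f814633009e8dc3347995665e6bdbe961e
-
C:\Users\Admin\Desktop\00431\HEUR-Trojan-Ransom.MSIL.Encoder.gen-c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a.exe
Filesize 144KB
MD5 bd21cd6f5b12827878dde5956f77dacb
SHA1 d409876e527a28e7fae1915996a410898f710aa2
SHA256 c021663b7fc43f303bc726530ea302b5240fbfb4ef4c3c1cb0fe6a8ee165679a
SHA512 7096dd8e3f2a78a8bce74b1ab5516eab2b907f9aaebda623e8ca195115279e946c5420df64bdebd934ba400f2e7159a20137fed872a66e15723da8129c7781bb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.[[email protected]][MJ-XP1379526048].poker
Filesize380KB
MD5b675f802d6941d4d09179b74cf1cc95d
SHA16e984fc76c3d7050a0e24cea32d006bd2a9cd2dc
SHA2564ed8254efb49ddccc4fd67571f4c6dbc5e4977084dc23910714d21ed7060ceb9
SHA51255d2c5973bb35e66b86448045ee28c5f3aeb838055218fb70f609f5a29dc8cd6542bd79695f40751da115833ae8ffa23c8050ae492b05a05110b918e65d25548
-
"""

if __name__ == "__main__":
    for i, e in enumerate(parse_dropped_files(SAMPLE)):
        label = e.path or f"<entry {i} without path>"
        for p in e.problems():
            print(f"{label}: {p}")
        if e.looks_ransom_renamed():
            print(f"{label}: ransomware-style rename")
```

Run against the whole listing, the hash-set output is what goes into a blocklist; the entries `problems()` reports are the ones to re-verify against the sample archive before they are published, since a hash that disagrees with its own filename is either a mislabelled sample or a transcription error, and either way it should not be trusted blindly.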