Analysis
max time kernel: 60s
max time network: 404s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 26-10-2024 12:46
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00430.7z
Resource: win10v2004-20241007-en
General
Target: RNSM00430.7z
Size: 25.3MB
MD5: f64fdcf697c25f9db959e055e05a440b
SHA1: afcee1ea932aafbf2dac520fcea835cc3548ee4b
SHA256: 4c659f57dcbdbcffb9c0d0d06b2d02a74ee2d306c52300a3892e4418c0d1c863
SHA512: c1b3d40bd0255833ddded8ade13739cce94d69387b7c6949d65d489c2fd949848fe38f2992808d6fdd4eeb50a0a0a7ff825dfbc9dc287a4dfe3c2bfd6141a88e
SSDEEP: 786432:bLPIJ4PoBXVOi8Zh+OBOjX/GRBduIekAbl7jR:bLPIMoBlOFT+4Ojk/uIrAbv
Malware Config
Extracted
crimsonrat
185.136.169.155
122.216.201.108
Extracted
fickerstealer
lukkeze.best:80
Extracted
C:\ProgramData\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.best
Extracted
C:\Users\ReadMe.hta
[email protected]
Extracted
F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\Readme.README
Extracted
C:\Users\How To Restore Your Files.txt
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/85a561daffd57e8d98486ad0647dcbb578c2a6d0f0269a4c4f9acce1798ade42/
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/
http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/546838a4129734c99d8356153e220af78e7863cf49ac908304b07cd97192508f
Extracted
C:\Program Files\READ-ME-NOW.txt
jormungand
Signatures
-
Clop family
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Conti family
-
CrimsonRAT main payload 1 IoCs
resource yara_rule
behavioral1/files/0x000a000000023b8e-122.dat family_crimsonrat
CrimsonRat
Crimson RAT is malware associated with a Pakistani-linked threat actor.
-
Crimsonrat family
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Fickerstealer family
-
GandCrab payload 2 IoCs
resource yara_rule
behavioral1/memory/2444-195-0x0000000000600000-0x0000000000617000-memory.dmp family_gandcrab
behavioral1/memory/2444-194-0x0000000000400000-0x0000000000460000-memory.dmp family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Jormungand Ransomware
Ransomware family first observed in March 2021.
-
Jormungand family
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" HEUR-Trojan-Ransom.MSIL.Encoder.gen-84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb.exe
Modiloader family
-
clop
Ransomware discovered in early 2019 which has been actively developed since release.
-
Clears Windows event logs 1 TTPs 64 IoCs
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
-
ModiLoader Second Stage 1 IoCs
resource yara_rule
behavioral1/files/0x000b000000023b9c-317.dat modiloader_stage2
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
13892 bcdedit.exe
1320 bcdedit.exe
-
pid Process
11368 wbadmin.exe
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process
10708 netsh.exe
1464 netsh.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation cmd.exe
-
Executes dropped EXE 13 IoCs
pid Process
4444 HEUR-Trojan-Ransom.MSIL.Agent.gen-4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba.exe
3260 HEUR-Trojan-Ransom.MSIL.Blocker.gen-f736e177111036ad57bcc6df830b5c4b03b0356623a30006fea1edd6b4a026c1.exe
4744 HEUR-Trojan-Ransom.MSIL.Encoder.gen-84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb.exe
612 HEUR-Trojan-Ransom.MSIL.Foreign.gen-5dcb736bf556729b30654fe97da034c1ccd7471f7587cb82dc33f4aef2248b9c.exe
1592 HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
2448 HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
4056 HEUR-Trojan-Ransom.Win32.Conti.gen-f7b83f07f6fec1df0fa73c935c96dc2ec8fbe0de3b17bb56f9963c92c22715c3.exe
1892 HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe
1600 HEUR-Trojan-Ransom.Win32.Encoder.gen-ac978f6aaf36d1d90c35e6dc7ae010a19082794d3391ea0111112aed7507f708.exe
2424 HEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exe
1480 HEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exe
2444 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-517b9d1b3a1f758db6c45fd6d3b6d508c5e26690e7391f23798151d81db471f6.exe
2028 HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\open = "\"C:\\ReadMe.hta\"" HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
61 api.ipify.org
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper HEUR-Trojan-Ransom.MSIL.Encoder.gen-84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb.exe
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 1892 set thread context of 2028 1892 HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe 126
-
resource yara_rule
behavioral1/memory/1592-133-0x0000000140000000-0x00000001402F7000-memory.dmp upx
behavioral1/files/0x000a000000023b8f-129.dat upx
-
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\windows\utox.exe HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
File created C:\Windows\pghdn.txt svchost.exe
File created C:\Windows\rwjfk.bat svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target
4444 2444 WerFault.exe 121
8296 4080 WerFault.exe 333
10984 4080 WerFault.exe 333
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Conti.gen-f7b83f07f6fec1df0fa73c935c96dc2ec8fbe0de3b17bb56f9963c92c22715c3.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Encoder.gen-ac978f6aaf36d1d90c35e6dc7ae010a19082794d3391ea0111112aed7507f708.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.GandCrypt.gen-517b9d1b3a1f758db6c45fd6d3b6d508c5e26690e7391f23798151d81db471f6.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
-
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
12348 vssadmin.exe
1700 vssadmin.exe
3676 vssadmin.exe
-
Kills process with taskkill 41 IoCs
Modifies data under HKEY_USERS 5 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" svchost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" svchost.exe
-
Modifies registry class 7 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.waiting\shell\open\command HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.waiting HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.waiting\shell HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.waiting\shell\open HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.waiting\shell\open\command\en HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.waiting\shell\open\command\n HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.waiting\shell\open\command\ = "C:\\Windows\\System32\\mshta.exe \"C:\\ReadMe.hta\"" HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
3844 7zFM.exe
4492 taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
1480 HEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exe
1480 HEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exe
468 cmd.exe
-
Suspicious use of WriteProcessMemory 62 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k DcomLaunch -p) PID:788
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}) PID:1432
  C:\Windows\system32\cmd.exe (C:\Windows\system32\cmd.exe /c ""C:\Windows\rwjfk.bat" ") PID:1592
    C:\Windows\system32\cmd.exe (C:\Windows\system32\cmd.exe /c wevtutil.exe el) PID:4768
      C:\Windows\system32\wevtutil.exe (wevtutil.exe el) PID:5160
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "AMSI/Debug") PID:5564
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "AirSpaceChannel") PID:5740
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Analytic") PID:5920
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Application") PID:6064
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "DirectShowFilterGraph") PID:5264
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "DirectShowPluginControl") PID:5468
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Els_Hyphenation/Analytic") PID:5516
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "EndpointMapper") PID:5844
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "FirstUXPerf-Analytic") PID:6480
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "ForwardedEvents") PID:6548
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "General Logging") PID:6732
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "HardwareEvents") PID:6812
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "IHM_DebugChannel") PID:6892
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic") PID:6936
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic") PID:6984
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug") PID:7156
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance") PID:6484
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug") PID:6816
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance") PID:7128
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Internet Explorer") PID:6320
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "Key Management Service") PID:6828
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MF_MediaFoundationDeviceMFT") PID:7120
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MF_MediaFoundationDeviceProxy") PID:7192
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MF_MediaFoundationFrameServer") PID:7236
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MedaFoundationVideoProc") PID:7288
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MedaFoundationVideoProcD3D") PID:7344
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MediaFoundationAsyncWrapper") PID:7400
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MediaFoundationContentProtection") PID:7460
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MediaFoundationDS") PID:7548
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MediaFoundationDeviceProxy") PID:7636
      - Clears Windows event logs
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MediaFoundationMP4") PID:7744
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MediaFoundationMediaEngine") PID:7844
    C:\Windows\system32\wevtutil.exe (wevtutil.exe cl "MediaFoundationPerformance") PID:7920
      - Clears Windows event logs
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPerformanceCore"3⤵
- Clears Windows event logs
PID:8020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPipeline"3⤵
- Clears Windows event logs
PID:8120
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPlatform"3⤵PID:7424
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationSrcPrefetch"3⤵
- Clears Windows event logs
PID:7584
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"3⤵PID:7668
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Admin"3⤵
- Clears Windows event logs
PID:7872
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Debug"3⤵PID:8164
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Operational"3⤵
- Clears Windows event logs
PID:7192
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"3⤵PID:7856
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"3⤵
- Clears Windows event logs
PID:7752
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"3⤵PID:7236
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"3⤵
- Clears Windows event logs
PID:8840
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"3⤵PID:8948
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IE/Diagnostic"3⤵PID:9072
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"3⤵
- Clears Windows event logs
PID:9200
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"3⤵
- Clears Windows event logs
PID:8080
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"3⤵
- Clears Windows event logs
PID:8300
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"3⤵
- Clears Windows event logs
PID:8540
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"3⤵
- Clears Windows event logs
PID:8708
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"3⤵
- Clears Windows event logs
PID:7472
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"3⤵
- Clears Windows event logs
PID:8252
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"3⤵
- Clears Windows event logs
PID:8340
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"3⤵
- Clears Windows event logs
PID:9500
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"3⤵
- Clears Windows event logs
PID:9860
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"3⤵
- Clears Windows event logs
PID:9932
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"3⤵
- Clears Windows event logs
PID:8332
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"3⤵
- Clears Windows event logs
PID:9328
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"3⤵
- Clears Windows event logs
PID:4892
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"3⤵
- Clears Windows event logs
PID:2940
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AAD/Analytic"3⤵PID:3524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AAD/Operational"3⤵PID:5204
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ADSI/Debug"3⤵
- Clears Windows event logs
PID:5288
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ASN1/Operational"3⤵
- Clears Windows event logs
PID:5460
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/General"3⤵PID:5620
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"3⤵
- Clears Windows event logs
PID:6296
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"3⤵
- Clears Windows event logs
PID:7356
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"3⤵
- Clears Windows event logs
PID:9476
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"3⤵
- Clears Windows event logs
PID:4892
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"3⤵
- Clears Windows event logs
PID:6512
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/Admin"3⤵
- Clears Windows event logs
PID:8804
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"3⤵PID:10052
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"3⤵
- Clears Windows event logs
PID:5208
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/Internal"3⤵
- Clears Windows event logs
PID:7120
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppID/Operational"3⤵PID:9896
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"3⤵
- Clears Windows event logs
PID:6528
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"3⤵
- Clears Windows event logs
PID:7676
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"3⤵
- Clears Windows event logs
PID:9656
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"3⤵
- Clears Windows event logs
PID:5740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"3⤵PID:908
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"3⤵
- Clears Windows event logs
PID:9160
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"3⤵PID:5912
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"3⤵PID:5552
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"3⤵
- Clears Windows event logs
PID:12804
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"3⤵PID:6052
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"3⤵PID:11448
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"3⤵PID:10476
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"3⤵
- Clears Windows event logs
PID:6640
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppSruProv"3⤵
- Clears Windows event logs
PID:4000
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"3⤵
- Clears Windows event logs
PID:11408
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"3⤵
- Clears Windows event logs
PID:11292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"3⤵PID:11684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"3⤵
- Clears Windows event logs
PID:17240
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"3⤵PID:6696
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"3⤵
- Clears Windows event logs
PID:5400
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"3⤵PID:13436
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"3⤵PID:3652
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"3⤵
- Clears Windows event logs
PID:15412
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding2⤵PID:5580
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵PID:3916
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵PID:10176
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding2⤵PID:10836
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding2⤵PID:15760
-
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding2⤵PID:16304
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵PID:8940
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:408
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00430.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3844
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4492 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵PID:13824
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Agent.gen-4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba.exeHEUR-Trojan-Ransom.MSIL.Agent.gen-4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba.exe3⤵
- Executes dropped EXE
PID:4444
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f736e177111036ad57bcc6df830b5c4b03b0356623a30006fea1edd6b4a026c1.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-f736e177111036ad57bcc6df830b5c4b03b0356623a30006fea1edd6b4a026c1.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Encoder.gen-84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb.exe3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:4744
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Foreign.gen-5dcb736bf556729b30654fe97da034c1ccd7471f7587cb82dc33f4aef2248b9c.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-5dcb736bf556729b30654fe97da034c1ccd7471f7587cb82dc33f4aef2248b9c.exe3⤵
- Executes dropped EXE
PID:612
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exeHEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
PID:2448
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Conti.gen-f7b83f07f6fec1df0fa73c935c96dc2ec8fbe0de3b17bb56f9963c92c22715c3.exeHEUR-Trojan-Ransom.Win32.Conti.gen-f7b83f07f6fec1df0fa73c935c96dc2ec8fbe0de3b17bb56f9963c92c22715c3.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete4⤵
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exeHEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exeHEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe4⤵
- Executes dropped EXE
PID:2028
-
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-ac978f6aaf36d1d90c35e6dc7ae010a19082794d3391ea0111112aed7507f708.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-ac978f6aaf36d1d90c35e6dc7ae010a19082794d3391ea0111112aed7507f708.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\grpconv.exeC:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exe4⤵PID:4392
-
C:\Windows\SysWOW64\iexpress.exe/cfg "C:\Users\Admin\AppData\Local\Temp\880B.tmp" /crypt "*"5⤵PID:5868
-
-
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1480
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-517b9d1b3a1f758db6c45fd6d3b6d508c5e26690e7391f23798151d81db471f6.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-517b9d1b3a1f758db6c45fd6d3b6d508c5e26690e7391f23798151d81db471f6.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 4844⤵
- Program crash
PID:4444
-
-
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Generic-4770a0447ebc83a36e590da8d01ff4a418d58221c1f44d21f433aaf18fad5a99.exeHEUR-Trojan-Ransom.Win32.Generic-4770a0447ebc83a36e590da8d01ff4a418d58221c1f44d21f433aaf18fad5a99.exe3⤵PID:7788
-
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Agent.aztk-430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9.exeTrojan-Ransom.Win32.Agent.aztk-430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9.exe3⤵PID:1504
-
C:\Windows\SysWOW64\mode.commode con cp select=125 vssadmin delete shadows /all4⤵PID:1492
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im msaccess.exe4⤵
- Kills process with taskkill
PID:5680
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqlagent.exe4⤵
- Kills process with taskkill
PID:10852
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im mspub.exe4⤵
- Kills process with taskkill
PID:12076
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im ocssd.exe4⤵
- Kills process with taskkill
PID:11588
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im tbirdconfig.exe4⤵
- Kills process with taskkill
PID:6680
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqlbrowser.exe4⤵
- Kills process with taskkill
PID:10940
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im mydesktopqos.exe4⤵
- Kills process with taskkill
PID:13176
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im dbsnmp.exe4⤵
- Kills process with taskkill
PID:11772
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im thebat64.exe4⤵
- Kills process with taskkill
PID:12912
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im thunderdird.exe4⤵
- Kills process with taskkill
PID:9904
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqbcoreservice.exe4⤵
- Kills process with taskkill
PID:12380
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im encsvc.exe4⤵
- Kills process with taskkill
PID:7600
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im winword.exe4⤵
- Kills process with taskkill
PID:628
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im dbeng50.exe4⤵
- Kills process with taskkill
PID:11336
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im ocomm.exe4⤵
- Kills process with taskkill
PID:9928
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im ocautoupds.exe4⤵
- Kills process with taskkill
PID:10124
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im visio.exe4⤵
- Kills process with taskkill
PID:11468
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im firefoxconfig.exe4⤵
- Kills process with taskkill
PID:9304
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqlservr.exe4⤵
- Kills process with taskkill
PID:11632
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im infopath.exe4⤵
- Kills process with taskkill
PID:12740
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im thebat.exe4⤵
- Kills process with taskkill
PID:9540
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im excel.exe4⤵
- Kills process with taskkill
PID:8048
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im outlook.exe4⤵
- Kills process with taskkill
PID:11076
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im mysqld.exe4⤵
- Kills process with taskkill
PID:12236
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im notepad.exe4⤵
- Kills process with taskkill
PID:5708
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqlserver.exe4⤵
- Kills process with taskkill
PID:6416
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im powerpnt.exe4⤵
- Kills process with taskkill
PID:11380
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im msftesql.exe4⤵
- Kills process with taskkill
PID:6408
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im xfsssvccon.exe4⤵
- Kills process with taskkill
PID:7272
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im onenote.exe4⤵
- Kills process with taskkill
PID:4152
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im notepad++.exe4⤵
- Kills process with taskkill
PID:8828
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im synctime.exe4⤵
- Kills process with taskkill
PID:10096
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im agntsvc.exe4⤵
- Kills process with taskkill
PID:1304
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im sqlwriter.exe4⤵
- Kills process with taskkill
PID:11504
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im mysql-nt.exe4⤵
- Kills process with taskkill
PID:852
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im wordpad.exe4⤵
- Kills process with taskkill
PID:10848
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im isqlplussvc.exe4⤵
- Kills process with taskkill
PID:9424
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im mydesktopservice.exe4⤵
- Kills process with taskkill
PID:11464
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im oracle.exe4⤵
- Kills process with taskkill
PID:13228
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im steam.exe4⤵
- Kills process with taskkill
PID:8624
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /f /im mysql-opt.exe4⤵
- Kills process with taskkill
PID:3756
-
-
C:\Windows\SysWOW64\mode.commode con cp select=125 vssadmin delete shadows /all4⤵PID:14960
-
-
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Babuk.a-f1719415abe4dcba0daef0a1e5c8994d1d3c0c659d3e0a11b34f307370dd8683.exeTrojan-Ransom.Win32.Babuk.a-f1719415abe4dcba0daef0a1e5c8994d1d3c0c659d3e0a11b34f307370dd8683.exe3⤵PID:4036
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet4⤵PID:12908
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:12348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet4⤵PID:4208
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:3676
-
-
-
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.goxb-cb1b3b9b288a43eb267a75615da401aa7aef23624aeab21757707a7aea461728.exeTrojan-Ransom.Win32.Blocker.goxb-cb1b3b9b288a43eb267a75615da401aa7aef23624aeab21757707a7aea461728.exe3⤵PID:11420
-
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.jzec-6899e9866a8eda5acdde73e19d84777379922c4fcdc63d1d2b800f93f5684b8f.exeTrojan-Ransom.Win32.Blocker.jzec-6899e9866a8eda5acdde73e19d84777379922c4fcdc63d1d2b800f93f5684b8f.exe3⤵PID:7472
-
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.lckf-6d516f7d8af7bd535416236e60299dbcaad38f490716de3eae65c641f08b941b.exeTrojan-Ransom.Win32.Blocker.lckf-6d516f7d8af7bd535416236e60299dbcaad38f490716de3eae65c641f08b941b.exe3⤵PID:4176
-
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.mwcs-97c559034eff5287d2a74db45e5e3d9014d322697729504960b313531727cd5e.exeTrojan-Ransom.Win32.Blocker.mwcs-97c559034eff5287d2a74db45e5e3d9014d322697729504960b313531727cd5e.exe3⤵PID:7128
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:3872
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:1700
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵PID:1676
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:13892
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:1320
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:11368
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:4764
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
PID:10708
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable5⤵
- Modifies Windows Firewall
PID:1464
-
-
-
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.DoppelPaymer.bo-dada1919d1be39ad2a5edaa90e0ae2b45aa9550cd705628e30314d71cb3525d9.exeTrojan-Ransom.Win32.DoppelPaymer.bo-dada1919d1be39ad2a5edaa90e0ae2b45aa9550cd705628e30314d71cb3525d9.exe3⤵PID:4080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1524⤵
- Program crash
PID:8296
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1524⤵
- Program crash
PID:10984
-
-
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Encoder.mbm-9e4addf136a3502fabc6a54723f08dc3e3ba50f5116e25a9027aef140788eb92.exeTrojan-Ransom.Win32.Encoder.mbm-9e4addf136a3502fabc6a54723f08dc3e3ba50f5116e25a9027aef140788eb92.exe3⤵PID:1740
-
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Encoder.qfn-8f3ce22b16c07fff1a586feb9eea8ccb5aa06e918657a0ae4a3f41b14de83995.exeTrojan-Ransom.Win32.Encoder.qfn-8f3ce22b16c07fff1a586feb9eea8ccb5aa06e918657a0ae4a3f41b14de83995.exe3⤵PID:3444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵PID:7728
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2444 -ip 24441⤵PID:4460
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\8c7d1a4dee1642599ba3b43bb8d92150 /t 2208 /p 14801⤵PID:8080
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:10320
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4080 -ip 40801⤵PID:10980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:15692
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:9684
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:6140
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Defense Evasion
- Direct Volume Access: 1
- Impair Defenses: 1
  - Disable or Modify System Firewall: 1
- Indicator Removal: 4
  - Clear Windows Event Logs: 1
  - File Deletion: 3
- Modify Registry: 3
- Virtualization/Sandbox Evasion: 2
Downloads
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll MUYKSRQK7.waiting.pysa MUYKSRQK7.waiting.id[AF2E6DA0-2822].[[email protected]].eight
Filesize 2.7MB
-
C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-3227495264-2217614367-4027411560-1000-MergedResources-0.pri MUYKSRQK7.waiting
Filesize 7KB
-
C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-3227495264-2217614367-4027411560-1000-MergedResources-0.pri MUYKSRQK7.waiting
Filesize 131KB
-
C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ReadMe.hta.pysa MUYKSRQK7.waiting
Filesize 12KB
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Trojan-Ransom.Win32.Blocker.mwcs-97c559034eff5287d2a74db45e5e3d9014d322697729504960b313531727cd5e.exe
Filesize137KB
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000068.bin.partially.aes MUYKSRQK7.waiting
Filesize5KB
-
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat
Filesize8KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help
Filesize36KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
Filesize36KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_VideoLAN Website_url
Filesize36KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_vlc_exe
Filesize36KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{effa0606-8acb-413d-aea6-39359a1bc261}\0.1.filtertrie.intermediate.txt
Filesize5B
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{effa0606-8acb-413d-aea6-39359a1bc261}\0.2.filtertrie.intermediate.txt
Filesize5B
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{effa0606-8acb-413d-aea6-39359a1bc261}\Apps.index
Filesize1.0MB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656226049089.txt
Filesize77KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656623420834.txt
Filesize47KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663536793873.txt
Filesize63KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666235612999.txt
Filesize74KB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Agent.gen-4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba.exe
Filesize281KB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Agent.gen-4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba.exe
Filesize281KB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f736e177111036ad57bcc6df830b5c4b03b0356623a30006fea1edd6b4a026c1.exe
Filesize2.2MB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Encoder.gen-84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb.exe
Filesize441KB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Foreign.gen-5dcb736bf556729b30654fe97da034c1ccd7471f7587cb82dc33f4aef2248b9c.exe
Filesize9.7MB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
Filesize1.2MB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
Filesize2.8MB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Conti.gen-f7b83f07f6fec1df0fa73c935c96dc2ec8fbe0de3b17bb56f9963c92c22715c3.exe
Filesize192KB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe
Filesize292KB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-ac978f6aaf36d1d90c35e6dc7ae010a19082794d3391ea0111112aed7507f708.exe
Filesize164KB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exe
Filesize890KB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exe
Filesize1.9MB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-517b9d1b3a1f758db6c45fd6d3b6d508c5e26690e7391f23798151d81db471f6.exe
Filesize325KB
-
C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Gen.gen-52ba4f096712966647ca4e74b654122d3741cb2b4d86b1c92d35e3788c0a05d3.exe
Filesize1.3MB
-
C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.jzec-6899e9866a8eda5acdde73e19d84777379922c4fcdc63d1d2b800f93f5684b8f.exe
Filesize397KB