Resubmissions
27-10-2024 17:44
241027-wbmsna1dlj 1Analysis
-
max time kernel
85s -
max time network
242s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 13:58
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00428.7z
Resource
win10v2004-20241007-en
General
-
Target
RNSM00428.7z
-
Size
100.2MB
-
MD5
6c2b29d11f244eeeb6236ae5e8d5bf8e
-
SHA1
0bbd142818b414240627c312be06018fd01ddd90
-
SHA256
7580b9b56219ca324572123befd4663f265782508ef8b2159b86e56f747f987e
-
SHA512
9bbb791eb8b3a0c1b89fbf9487bbe20992c7882124f6eba6c496eef624db28e677208bb2e4de34751fee8c617dbbfb3bc2de711f0a36793f3ecfde5ac672c3cb
-
SSDEEP
3145728:LX1PIf6FbDsWpgzVsD2tcTHNyqqO0gMvHsbG4:b9If6xQZsD2erIqd0gMvE
Malware Config
Extracted
crimsonrat
151.106.14.125
211.210.122.154
Extracted
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Extracted
C:\Program Files\Crashpad\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?ADA6851A3DD484F0EFB7B30FDEA6B266
http://lockbitks2tvnmwk.onion/?ADA6851A3DD484F0EFB7B30FDEA6B266
Extracted
C:\Program Files\Crashpad\reports\HOW TO RESTORE YOUR FILES.TXT
Extracted
azorult
http://ezman123123.000webhostapp.com/index.php
Extracted
sodinokibi
$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq
7178
kamahouse.net
bridgeloanslenders.com
abitur-undwieweiter.de
live-your-life.jp
xn--rumung-bua.online
anteniti.com
marcuswhitten.site
ostheimer.at
joseconstela.com
deepsouthclothingcompany.com
dr-seleznev.com
ecpmedia.vn
aunexis.ch
anthonystreetrimming.com
pocket-opera.de
mooreslawngarden.com
osterberg.fi
extraordinaryoutdoors.com
kamienny-dywan24.pl
fitovitaforum.com
carlosja.com
klusbeter.nl
zflas.com
lenreactiv-shop.ru
notmissingout.com
fiscalsort.com
hugoversichert.de
operaslovakia.sk
stopilhan.com
spacecitysisters.org
drfoyle.com
jenniferandersonwriter.com
thomas-hospital.de
wmiadmin.com
worldhealthbasicinfo.com
321play.com.hk
meusharklinithome.wordpress.com
hushavefritid.dk
spargel-kochen.de
wien-mitte.co.at
notsilentmd.org
pickanose.com
sw1m.ru
verytycs.com
fibrofolliculoma.info
balticdermatology.lt
zimmerei-deboer.de
licor43.de
cnoia.org
mylolis.com
parking.netgateway.eu
mirjamholleman.nl
kadesignandbuild.co.uk
ledmes.ru
mrsplans.net
sanaia.com
koko-nora.dk
1team.es
associationanalytics.com
unetica.fr
onlyresultsmarketing.com
easytrans.com.au
iphoneszervizbudapest.hu
gaiam.nl
paradicepacks.com
travelffeine.com
phantastyk.com
werkkring.nl
glennroberts.co.nz
burkert-ideenreich.de
transliminaltribe.wordpress.com
ruralarcoiris.com
copystar.co.uk
kuntokeskusrok.fi
purposeadvisorsolutions.com
nataschawessels.com
vox-surveys.com
4youbeautysalon.com
partnertaxi.sk
bauertree.com
tomaso.gr
dutchbrewingcoffee.com
modestmanagement.com
hashkasolutindo.com
lynsayshepherd.co.uk
thewellnessmimi.com
peterstrobos.com
run4study.com
odiclinic.org
almosthomedogrescue.dog
praxis-foerderdiagnostik.de
ussmontanacommittee.us
smejump.co.th
cafemattmeera.com
lubetkinmediacompanies.com
bodyfulls.com
boompinoy.com
nosuchthingasgovernment.com
ki-lowroermond.nl
aakritpatel.com
iqbalscientific.com
nandistribution.nl
thenewrejuveme.com
allfortheloveofyou.com
fatfreezingmachines.com
autodemontagenijmegen.nl
higadograsoweb.com
layrshift.eu
jandaonline.com
grelot-home.com
lapinvihreat.fi
geekwork.pl
conasmanagement.de
selfoutlet.com
hebkft.hu
skanah.com
pixelarttees.com
katketytaanet.fi
stefanpasch.me
biortaggivaldelsa.com
ausair.com.au
tanciu.com
micahkoleoso.de
oceanastudios.com
asgestion.com
prochain-voyage.net
ilive.lt
trapiantofue.it
manijaipur.com
crediacces.com
tstaffing.nl
urmasiimariiuniri.ro
presseclub-magdeburg.de
bordercollie-nim.nl
tarotdeseidel.com
bargningavesta.se
forskolorna.org
tomoiyuma.com
mank.de
zzyjtsgls.com
kedak.de
csgospeltips.se
nestor-swiss.ch
insigniapmg.com
thomasvicino.com
lloydconstruction.com
shsthepapercut.com
hotelsolbh.com.br
ouryoungminds.wordpress.com
jorgobe.at
verbisonline.com
kenhnoithatgo.com
bildungsunderlebnis.haus
stampagrafica.es
lachofikschiet.nl
gastsicht.de
senson.fi
karacaoglu.nl
tophumanservicescourses.com
chaotrang.com
coursio.com
answerstest.ru
happyeasterimages.org
walkingdeadnj.com
tsklogistik.eu
hannah-fink.de
fotoideaymedia.es
irinaverwer.com
the-virtualizer.com
ecoledansemulhouse.fr
homesdollar.com
petnest.ir
portoesdofarrobo.com
qualitus.com
hypozentrum.com
craigmccabe.fun
mariposapropaneaz.com
rimborsobancario.net
kosterra.com
tigsltd.com
zweerscreatives.nl
pasivect.co.uk
visiativ-industry.fr
groupe-cets.com
whyinterestingly.ru
directwindowco.com
eaglemeetstiger.de
rhinosfootballacademy.com
lichencafe.com
arteservicefabbro.com
connectedace.com
summitmarketingstrategies.com
rushhourappliances.com
mrsfieldskc.com
hhcourier.com
quickyfunds.com
i-arslan.de
antenanavi.com
gw2guilds.org
kath-kirche-gera.de
wsoil.com.sg
fannmedias.com
baustb.de
kmbshipping.co.uk
iwr.nl
andersongilmour.co.uk
filmvideoweb.com
eco-southafrica.com
collaborativeclassroom.org
vannesteconstruct.be
haremnick.com
moveonnews.com
solinegraphic.com
helenekowalsky.com
schoolofpassivewealth.com
jasonbaileystudio.com
live-con-arte.de
sairaku.net
milanonotai.it
shhealthlaw.com
woodworkersolution.com
humanityplus.org
candyhouseusa.com
piajeppesen.dk
baptisttabernacle.com
x-ray.ca
polzine.net
healthyyworkout.com
pivoineetc.fr
drinkseed.com
sobreholanda.com
ceid.info.tr
marketingsulweb.com
stupbratt.no
makeurvoiceheard.com
schraven.de
firstpaymentservices.com
maratonaclubedeportugal.com
mikeramirezcpa.com
body-armour.online
corendonhotels.com
tulsawaterheaterinstallation.com
quemargrasa.net
opatrovanie-ako.sk
blog.solutionsarchitect.guru
wari.com.pe
leoben.at
zonamovie21.net
rksbusiness.com
miraclediet.fun
coding-machine.com
turkcaparbariatrics.com
monark.com
victoriousfestival.co.uk
nativeformulas.com
berlin-bamboo-bikes.org
farhaani.com
craftleathermnl.com
jeanlouissibomana.com
mezhdu-delom.ru
alvinschwartz.wordpress.com
sporthamper.com
securityfmm.com
body-guards.it
poultrypartners.nl
div-vertriebsforschung.de
ctrler.cn
fensterbau-ziegler.de
serce.info.pl
fransespiegels.nl
ausbeverage.com.au
asteriag.com
binder-buerotechnik.at
aarvorg.com
slupetzky.at
punchbaby.com
pmcimpact.com
lykkeliv.net
suncrestcabinets.ca
faizanullah.com
mapawood.com
saarland-thermen-resort.com
sterlingessay.com
tanzprojekt.com
shadebarandgrillorlando.com
gemeentehetkompas.nl
id-et-d.fr
gporf.fr
highlinesouthasc.com
vietlawconsultancy.com
blumenhof-wegleitner.at
waywithwords.net
buymedical.biz
wychowanieprzedszkolne.pl
kalkulator-oszczednosci.pl
ivivo.es
uimaan.fi
charlottepoudroux-photographie.fr
i-trust.dk
heliomotion.com
smalltownideamill.wordpress.com
hotelzentral.at
alysonhoward.com
sarbatkhalsafoundation.org
huehnerauge-entfernen.de
outcomeisincome.com
waveneyrivercentre.co.uk
sevenadvertising.com
apolomarcas.com
juneauopioidworkgroup.org
waermetauscher-berechnen.de
executiveairllc.com
pubweb.carnet.hr
madinblack.com
ogdenvision.com
toreria.es
365questions.org
nancy-informatique.fr
zso-mannheim.de
naturalrapids.com
latestmodsapks.com
siliconbeach-realestate.com
croftprecision.co.uk
birnam-wood.com
galserwis.pl
fundaciongregal.org
platformier.com
bptdmaluku.com
kaliber.co.jp
shiftinspiration.com
caribbeansunpoker.com
aco-media.nl
satyayoga.de
renergysolution.com
longislandelderlaw.com
narcert.com
strandcampingdoonbeg.com
kafu.ch
rostoncastings.co.uk
foryourhealth.live
spd-ehningen.de
lionware.de
milsing.hr
lebellevue.fr
atozdistribution.co.uk
ncuccr.org
atalent.fi
shonacox.com
alsace-first.com
stallbyggen.se
ralister.co.uk
eraorastudio.com
sojamindbody.com
songunceliptv.com
bouquet-de-roses.com
comparatif-lave-linge.fr
bigbaguettes.eu
esope-formation.fr
smart-light.co.uk
rebeccarisher.com
cortec-neuro.com
financescorecard.com
idemblogs.com
biapi-coaching.fr
izzi360.com
oneplusresource.org
plotlinecreative.com
walter-lemm.de
12starhd.online
olejack.ru
navyfederalautooverseas.com
freie-gewerkschaften.de
levdittliv.se
plantag.de
vibehouse.rw
instatron.net
qlog.de
vdberg-autoimport.nl
blgr.be
durganews.com
deltacleta.cat
35-40konkatsu.net
ceres.org.au
physiofischer.de
parks-nuernberg.de
pmc-services.de
tanzschule-kieber.de
sandd.nl
stemplusacademy.com
boulderwelt-muenchen-west.de
mousepad-direkt.de
bouncingbonanza.com
dekkinngay.com
socialonemedia.com
rocketccw.com
advokathuset.dk
architecturalfiberglass.org
vorotauu.ru
lapmangfpt.info.vn
asiluxury.com
lbcframingelectrical.com
pcp-nc.com
imaginado.de
starsarecircular.org
vickiegrayimages.com
maineemploymentlawyerblog.com
xtptrack.com
all-turtles.com
nsec.se
bristolaeroclub.co.uk
gantungankunciakrilikbandung.com
penco.ie
galleryartfair.com
maxadams.london
web.ion.ag
citymax-cr.com
tinkoff-mobayl.ru
vesinhnha.com.vn
kojinsaisei.info
mepavex.nl
takeflat.com
mrtour.site
accountancywijchen.nl
rota-installations.co.uk
devok.info
first-2-aid-u.com
girlillamarketing.com
lescomtesdemean.be
iwelt.de
otto-bollmann.de
smessier.com
webmaster-peloton.com
mmgdouai.fr
beyondmarcomdotcom.wordpress.com
personalenhancementcenter.com
innote.fi
sla-paris.com
craigvalentineacademy.com
geoffreymeuli.com
maureenbreezedancetheater.org
desert-trails.com
deoudedorpskernnoordwijk.nl
marietteaernoudts.nl
pawsuppetlovers.com
skiltogprint.no
dramagickcom.wordpress.com
ymca-cw.org.uk
wacochamber.com
mooshine.com
jyzdesign.com
zieglerbrothers.de
xn--singlebrsen-vergleich-nec.com
xltyu.com
grupocarvalhoerodrigues.com.br
amerikansktgodis.se
theapifactory.com
fairfriends18.de
noskierrenteria.com
ncs-graphic-studio.com
neuschelectrical.co.za
jusibe.com
insp.bi
whittier5k.com
naswrrg.org
jiloc.com
importardechina.info
seevilla-dr-sturm.at
caffeinternet.it
space.ua
greenko.pl
miriamgrimm.de
adultgamezone.com
hmsdanmark.dk
refluxreducer.com
socstrp.org
evangelische-pfarrgemeinde-tuniberg.de
calabasasdigest.com
mardenherefordshire-pc.gov.uk
baumkuchenexpo.jp
ateliergamila.com
drugdevice.org
naturstein-hotte.de
nuzech.com
trackyourconstruction.com
ihr-news.jp
myteamgenius.com
onlybacklink.com
parkstreetauto.net
retroearthstudio.com
noixdecocom.fr
restaurantesszimmer.de
woodleyacademy.org
nhadatcanho247.com
hardinggroup.com
mrxermon.de
thedresserie.com
ccpbroadband.com
promalaga.es
handi-jack-llc.com
garage-lecompte-rouen.fr
allentownpapershow.com
raschlosser.de
porno-gringo.com
figura.team
love30-chanko.com
xn--logopdie-leverkusen-kwb.de
krlosdavid.com
elpa.se
rafaut.com
denifl-consulting.at
jerling.de
quizzingbee.com
bargningharnosand.se
littlebird.salon
americafirstcommittee.org
maasreusel.nl
twohourswithlena.wordpress.com
lightair.com
wurmpower.at
creamery201.com
ravensnesthomegoods.com
henricekupper.com
kaminscy.com
otsu-bon.com
seagatesthreecharters.com
musictreehouse.net
pinkexcel.com
daklesa.de
falcou.fr
pierrehale.com
vloeren-nu.nl
facettenreich27.de
minipara.com
bayoga.co.uk
koken-voor-baby.nl
zervicethai.co.th
rumahminangberdaya.com
team-montage.dk
stingraybeach.com
cyntox.com
cityorchardhtx.com
calxplus.eu
simulatebrain.com
global-kids.info
polymedia.dk
pv-design.de
aniblinova.wordpress.com
corelifenutrition.com
theadventureedge.com
imadarchid.com
enovos.de
seitzdruck.com
carrybrands.nl
troegs.com
hairnetty.wordpress.com
epwritescom.wordpress.com
completeweddingkansas.com
appsformacpc.com
gymnasedumanagement.com
brevitempore.net
ilcdover.com
withahmed.com
tradiematepro.com.au
macabaneaupaysflechois.com
thaysa.com
work2live.de
imperfectstore.com
edv-live.de
groupe-frayssinet.fr
tenacitytenfold.com
dinslips.se
agence-chocolat-noir.com
brawnmediany.com
1kbk.com.ua
mirkoreisser.de
centrospgolega.com
urist-bogatyr.ru
cheminpsy.fr
y-archive.com
knowledgemuseumbd.com
profectis.de
mymoneyforex.com
myhealth.net.au
psa-sec.de
shiresresidential.com
resortmtn.com
liliesandbeauties.org
airconditioning-waalwijk.nl
norovirus-ratgeber.de
nacktfalter.de
heurigen-bauer.at
oneheartwarriors.at
rosavalamedahr.com
spectrmash.ru
yousay.site
backstreetpub.com
dpo-as-a-service.com
daniel-akermann-architektur-und-planung.ch
lmtprovisions.com
real-estate-experts.com
dnepr-beskid.com.ua
greenpark.ch
courteney-cox.net
aodaichandung.com
edgewoodestates.org
testzandbakmetmening.online
analiticapublica.es
cursosgratuitosnainternet.com
artotelamsterdam.com
people-biz.com
xoabigail.com
ecopro-kanto.com
fitnessingbyjessica.com
echtveilig.nl
dubnew.com
kariokids.com
faronics.com
cursoporcelanatoliquido.online
nurturingwisdom.com
compliancesolutionsstrategies.com
kaotikkustomz.com
beaconhealthsystem.org
pelorus.group
gopackapp.com
diversiapsicologia.es
offroadbeasts.com
villa-marrakesch.de
triggi.de
sauschneider.info
alfa-stroy72.com
systemate.dk
xlarge.at
danielblum.info
sanyue119.com
bradynursery.com
streamerzradio1.site
mountsoul.de
muamuadolls.com
kidbucketlist.com.au
morawe-krueger.de
unim.su
lefumetdesdombes.com
pasvenska.se
qualitaetstag.de
romeguidedvisit.com
vanswigchemdesign.com
commercialboatbuilding.com
ncid.bc.ca
jakekozmor.com
bigasgrup.com
cuspdental.com
newyou.at
eadsmurraypugh.com
abuelos.com
lecantou-coworking.com
syndikat-asphaltfieber.de
manutouchmassage.com
trulynolen.co.uk
deschl.net
igrealestate.com
klimt2012.info
kindersitze-vergleich.de
blossombeyond50.com
employeesurveys.com
bricotienda.com
michaelsmeriglioracing.com
paymybill.guru
tastewilliamsburg.com
bundabergeyeclinic.com.au
tuuliautio.fi
richard-felix.co.uk
lapinlviasennus.fi
simplyblessedbykeepingitreal.com
jameskibbie.com
the-domain-trader.com
edrcreditservices.nl
bafuncs.org
fayrecreations.com
urclan.net
eglectonk.online
servicegsm.net
zewatchers.com
lillegrandpalais.com
ikads.org
verifort-capital.de
campusoutreach.org
igfap.com
carolinepenn.com
smartypractice.com
clos-galant.com
aglend.com.au
broseller.com
southeasternacademyofprosthodontics.org
todocaracoles.com
paulisdogshop.de
comarenterprises.com
forestlakeuca.org.au
abogados-en-alicante.es
bimnapratica.com
finde-deine-marke.de
limassoldriving.com
despedidascostablanca.es
homng.net
sinal.org
globedivers.wordpress.com
blacksirius.de
highimpactoutdoors.net
mytechnoway.com
brigitte-erler.com
devlaur.com
stoneys.ch
lorenacarnero.com
projetlyonturin.fr
yassir.pro
mbfagency.com
myhostcloud.com
sportiomsportfondsen.nl
rerekatu.com
ampisolabergeggi.it
vibethink.net
pogypneu.sk
smogathon.com
roygolden.com
ligiercenter-sachsen.de
kisplanning.com.au
samnewbyjax.com
tips.technology
promesapuertorico.com
crowd-patch.co.uk
balticdentists.com
kirkepartner.dk
bsaship.com
celeclub.org
fizzl.ru
hihaho.com
tonelektro.nl
synlab.lt
harpershologram.wordpress.com
surespark.org.uk
hkr-reise.de
jolly-events.com
winrace.no
spylista.com
agence-referencement-naturel-geneve.net
journeybacktolife.com
fitnessbazaar.com
huissier-creteil.com
wolf-glas-und-kunst.de
ivfminiua.com
baronloan.org
blewback.com
charlesreger.com
xn--vrftet-pua.biz
dlc.berlin
tux-espacios.com
slashdb.com
pferdebiester.de
dw-css.de
plastidip.com.ar
dutchcoder.nl
iviaggisonciliegie.it
pointos.com
ventti.com.ar
hoteledenpadova.it
stoeberstuuv.de
stemenstilte.nl
theshungiteexperience.com.au
micro-automation.de
fotoscondron.com
smithmediastrategies.com
commonground-stories.com
boldcitydowntown.com
chavesdoareeiro.com
jbbjw.com
sachnendoc.com
latribuessentielle.com
artallnightdc.com
stoeferlehalle.de
dushka.ua
basisschooldezonnewijzer.nl
darrenkeslerministries.com
ai-spt.jp
argenblogs.com.ar
ungsvenskarna.se
officehymy.com
liveottelut.com
devstyle.org
reddysbakery.com
tandartspraktijkhartjegroningen.nl
kunze-immobilien.de
tongdaifpthaiphong.net
augenta.com
geisterradler.de
euro-trend.pl
spsshomeworkhelp.com
schutting-info.nl
sahalstore.com
2ekeus.nl
remcakram.com
datacenters-in-europe.com
lusak.at
coffreo.biz
webhostingsrbija.rs
effortlesspromo.com
judithjansen.com
precisionbevel.com
deprobatehelp.com
mbxvii.com
schoellhammer.com
abogadosadomicilio.es
gonzalezfornes.es
bowengroup.com.au
rehabilitationcentersinhouston.net
123vrachi.ru
sabel-bf.com
besttechie.com
dr-pipi.de
midmohandyman.com
caribdoctor.org
destinationclients.fr
wellplast.se
bee4win.com
danubecloud.com
parebrise-tla.fr
nakupunafoundation.org
nachhilfe-unterricht.com
havecamerawilltravel2017.wordpress.com
anybookreader.de
kikedeoliveira.com
rollingrockcolumbia.com
educar.org
darnallwellbeing.org.uk
ulyssemarketing.com
toponlinecasinosuk.co.uk
ftf.or.at
lukeshepley.wordpress.com
vitalyscenter.es
bigler-hrconsulting.ch
sagadc.com
mooglee.com
faroairporttransfers.net
botanicinnovations.com
art2gointerieurprojecten.nl
theduke.de
levihotelspa.fi
nokesvilledentistry.com
webcodingstudio.com
saxtec.com
krcove-zily.eu
steampluscarpetandfloors.com
amylendscrestview.com
schmalhorst.de
mindpackstudios.com
bingonearme.org
philippedebroca.com
ianaswanson.com
funjose.org.gt
sotsioloogia.ee
jvanvlietdichter.nl
nmiec.com
schlafsack-test.net
gasbarre.com
perbudget.com
gadgetedges.com
sportsmassoren.com
logopaedie-blomberg.de
hvccfloorcare.com
frontierweldingllc.com
jobmap.at
4net.guru
cerebralforce.net
blogdecachorros.com
femxarxa.cat
lucidinvestbank.com
leda-ukraine.com.ua
justinvieira.com
oldschoolfun.net
centromarysalud.com
luxurytv.jp
kostenlose-webcams.com
videomarketing.pro
campus2day.de
exenberger.at
joyeriaorindia.com
autofolierung-lu.de
elimchan.com
blood-sports.net
pier40forall.org
yourobgyn.net
markelbroch.com
pay4essays.net
vihannesporssi.fi
tandartspraktijkheesch.nl
babcockchurch.org
abl1.net
slimani.net
brandl-blumen.de
leeuwardenstudentcity.nl
upplandsspar.se
puertamatic.es
kampotpepper.gives
slimidealherbal.com
westdeptfordbuyrite.com
erstatningsadvokaterne.dk
braffinjurylawfirm.com
iyengaryogacharlotte.com
herbstfeststaefa.ch
controldekk.com
bunburyfreightservices.com.au
danskretursystem.dk
waynela.com
jacquin-maquettes.com
edelman.jp
gratispresent.se
heidelbergartstudio.gallery
c2e-poitiers.com
dontpassthepepper.com
you-bysia.com.au
ftlc.es
adoptioperheet.fi
thee.network
tetinfo.in
deko4you.at
theletter.company
actecfoundation.org
radaradvies.nl
entopic.com
jadwalbolanet.info
familypark40.com
yamalevents.com
itelagen.com
artige.com
christinarebuffetcourses.com
aurum-juweliere.de
freie-baugutachterpraxis.de
launchhubl.com
microcirc.net
chandlerpd.com
catholicmusicfest.com
scenepublique.net
huesges-gruppe.de
interactcenter.org
bbsmobler.se
101gowrie.com
irishmachineryauctions.com
modamilyon.com
xn--thucmctc-13a1357egba.com
associacioesportivapolitg.cat
patrickfoundation.net
sweering.fr
crosspointefellowship.church
spinheal.ru
torgbodenbollnas.se
smale-opticiens.nl
kao.at
polychromelabs.com
beautychance.se
creative-waves.co.uk
embracinghiscall.com
camsadviser.com
triactis.com
ditog.fr
myzk.site
no-plans.com
antonmack.de
allure-cosmetics.at
vermoote.de
filmstreamingvfcomplet.be
pomodori-pizzeria.de
ilso.net
igorbarbosa.com
atmos-show.com
loprus.pl
teknoz.net
advizewealth.com
cwsitservices.co.uk
hiddencitysecrets.com.au
helikoptervluchtnewyork.nl
hatech.io
goodgirlrecovery.com
montrium.com
leather-factory.co.jp
better.town
themadbotter.com
ora-it.de
upmrkt.co
crowcanyon.com
autodujos.lt
sofavietxinh.com
jsfg.com
evologic-technologies.com
aselbermachen.com
flexicloud.hk
berliner-versicherungsvergleich.de
n1-headache.com
kissit.ca
marchand-sloboda.com
expandet.dk
merzi.info
corola.es
psc.de
homecomingstudio.com
seproc.hn
jobcenterkenya.com
zenderthelender.com
conexa4papers.trade
gamesboard.info
pt-arnold.de
vitavia.lt
bxdf.info
assurancesalextrespaille.fr
acomprarseguidores.com
8449nohate.org
ladelirante.fr
em-gmbh.ch
siluet-decor.ru
nvwoodwerks.com
houseofplus.com
coding-marking.com
corona-handles.com
international-sound-awards.com
vancouver-print.ca
julis-lsa.de
htchorst.nl
bestbet.com
dezatec.es
xn--fnsterputssollentuna-39b.se
celularity.com
aprepol.com
hellohope.com
foretprivee.ca
hexcreatives.co
zimmerei-fl.de
memaag.com
linnankellari.fi
sexandfessenjoon.wordpress.com
veybachcenter.de
cranleighscoutgroup.org
trystana.com
abogadosaccidentetraficosevilla.es
pcprofessor.com
softsproductkey.com
mylovelybluesky.com
humancondition.com
simpkinsedwards.co.uk
talentwunder.com
sloverse.com
bookspeopleplaces.com
naturavetal.hr
planchaavapor.net
proudground.org
boisehosting.net
centuryrs.com
sportverein-tambach.de
katiekerr.co.uk
pridoxmaterieel.nl
dsl-ip.de
wraithco.com
lascuola.nl
dareckleyministries.com
dubscollective.com
mercantedifiori.com
delchacay.com.ar
delawarecorporatelaw.com
dr-tremel-rednitzhembach.de
newstap.com.ng
smhydro.com.pl
milltimber.aberdeen.sch.uk
mediaplayertest.net
vyhino-zhulebino-24.ru
makeitcount.at
mdk-mediadesign.de
gasolspecialisten.se
mdacares.com
cactusthebrand.com
wasmachtmeinfonds.at
mastertechengineering.com
simpliza.com
argos.wityu.fund
ahouseforlease.com
revezlimage.com
kojima-shihou.com
luckypatcher-apkz.com
testcoreprohealthuk.com
cite4me.org
bodyforwife.com
bhwlawfirm.com
abogadoengijon.es
architekturbuero-wagner.net
hokagestore.com
saka.gr
tennisclubetten.nl
lange.host
malychanieruchomoscipremium.com
castillobalduz.es
evergreen-fishing.com
ohidesign.com
antiaginghealthbenefits.com
maryloutaylor.com
behavioralmedicinespecialists.com
apprendrelaudit.com
teczowadolina.bytom.pl
icpcnj.org
www1.proresult.no
vetapharma.fr
oslomf.no
mediaacademy-iraq.org
mediaclan.info
dirittosanitario.biz
finediningweek.pl
makeflowers.ru
aminaboutique247.com
cleliaekiko.online
stormwall.se
strategicstatements.com
c-a.co.in
roadwarrior.app
solerluethi-allart.ch
norpol-yachting.com
id-vet.com
rozemondcoaching.nl
oemands.dk
harveybp.com
hairstylesnow.site
seminoc.com
kingfamily.construction
transportesycementoshidalgo.es
cuppacap.com
thedad.com
chrissieperry.com
oncarrot.com
labobit.it
bastutunnan.se
baylegacy.com
consultaractadenacimiento.com
johnsonfamilyfarmblog.wordpress.com
parkcf.nl
podsosnami.ru
teresianmedia.org
plv.media
mir-na-iznanku.com
praxis-management-plus.de
boosthybrid.com.au
chatizel-paysage.fr
d1franchise.com
manifestinglab.com
carriagehousesalonvt.com
coastalbridgeadvisors.com
nijaplay.com
modelmaking.nl
nicoleaeschbachorg.wordpress.com
slwgs.org
bierensgebakkramen.nl
friendsandbrgrs.com
readberserk.com
bouldercafe-wuppertal.de
herbayupro.com
stacyloeb.com
ino-professional.ru
colorofhorses.com
iyahayki.nl
new.devon.gov.uk
alhashem.net
tinyagency.com
smokeysstoves.com
dublikator.com
noesis.tech
alten-mebel63.ru
DupontSellsHomes.com
cirugiauretra.es
buroludo.nl
denovofoodsgroup.com
xn--fn-kka.no
cimanchesterescorts.co.uk
milestoneshows.com
ra-staudte.de
uranus.nl
austinlchurch.com
simoneblum.de
bogdanpeptine.ro
degroenetunnel.com
rieed.de
chefdays.de
tampaallen.com
theclubms.com
ontrailsandboulevards.com
truenyc.co
tecnojobsnet.com
allamatberedare.se
gmto.fr
digi-talents.com
ziegler-praezisionsteile.de
solhaug.tk
thefixhut.com
drnice.de
bockamp.com
kevinjodea.com
sipstroysochi.ru
extensionmaison.info
intecwi.com
supportsumba.nl
danholzmann.com
mountaintoptinyhomes.com
classycurtainsltd.co.uk
bloggyboulga.net
liikelataamo.fi
insidegarage.pl
digivod.de
panelsandwichmadrid.es
greenfieldoptimaldentalcare.com
marathonerpaolo.com
admos-gleitlager.de
d2marketing.co.uk
autopfand24.de
hrabritelefon.hr
fax-payday-loans.com
christ-michael.net
haar-spange.com
psnacademy.in
thailandholic.com
symphonyenvironmental.com
-
net
false
-
pid
$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq
-
prc
avgadmsv
BackupUpdater
ocautoupds
synctime
thebat
excel
isqlplussvc
ccSetMgr
SPBBCSvc
Sage.NA.AT_AU.SysTray
lmibackupvssservice
CarboniteUI
powerpnt
BackupMaint
onenote
klnagent
sql
Rtvscan
xfssvccon
Smc
mspub
encsvc
LogmeInBackupService
kavfsscs
ccSvcHst
BackupExtender
NSCTOP
outlook
dbsnmp
mydesktopservice
tbirdconfig
ShadowProtectSvc
msaccess
wordpad
mydesktopqos
BackupAgent
visio
kavfswp
ocssd
thunderbird
infopath
agntsvc
sqbcoreservice
steam
AmitiAvSrv
dlomaintsvcu
Microsoft.exchange.store.worker.exe
winword
dbeng50
firefox
TSSchBkpService
DLOAdminSvcu
kavfs
ocomm
oracle
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
7178
-
svc
ssistelemetry
adsync
svc$
msseces
mbamservice
ssastelemetry
altaro
sbamsvc
ds_notifier
ntrtscan
ofcservice
code42service
macmnsvc
memtas
auservice
telemetryserver
tmccsf
psqlwge
sppsvc
viprepplsvc
azurea
ds_monitor
swi_filter
protectedstorage
mfemms
mfevtp
kaseyaagentendpoint
ltservice
dssvc
altiback
masvc
huntressagent
mcafee
kaendchips
kavfs
reportserver
savservice
altiftpuploader
sophos
svcgenerichost
altiphoneserv
klnagent
mepocs
ds_agent
threadlocker
sql
vss
tmlisten
backup
tmbmserver
savadminservice
vipreaapsvc
mfewc
altictproxy
ltsvcmon
altivrm
huntressupdater
kaseyaagent
teamviewer
msdtsserver
amsp
storagecraft
veeam
bedbg
Extracted
C:\Users\1ul77jre-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D6AAA79FC5867B50
http://decoder.re/D6AAA79FC5867B50
Extracted
djvu
http://plnv.top/lancer/getm.php
-
extension
.cadq
-
offline_id
2f4OfOSHaJTDMA9o58Df7yU9jUpxyfWKcEPew2t1
-
payload_url
http://plnv.top/files/iner/updatewin1.exe
http://plnv.top/files/iner/updatewin2.exe
http://plnv.top/files/iner/updatewin.exe
http://plnv.top/files/iner/3.exe
http://plnv.top/files/iner/4.exe
http://plnv.top/files/iner/5.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rQ27BU5m0E Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0282oPsw3
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Clop family
-
CrimsonRAT main payload 1 IoCs
resource yara_rule behavioral1/files/0x000a000000023b6a-141.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Detected Djvu ransomware 1 IoCs
resource yara_rule behavioral1/memory/18380-4578-0x0000000000400000-0x00000000008C3000-memory.dmp family_djvu -
Detecting the common Go functions and variables names used by Snatch ransomware 5 IoCs
resource yara_rule behavioral1/memory/13528-217-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral1/memory/13528-3695-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral1/memory/13528-4045-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral1/memory/13528-4102-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral1/memory/13528-4709-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Djvu family
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe -
Snatch Ransomware
Ransomware family generally distributed through RDP bruteforce attacks.
-
Snatch family
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe -
clop
Ransomware discovered in early 2019 which has been actively developed since release.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Trojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exe -
Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs
pid Process 7348 bcdedit.exe 7992 bcdedit.exe 17704 bcdedit.exe 17836 bcdedit.exe 97148 bcdedit.exe 97156 bcdedit.exe -
Renames multiple (3037) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 7284 wbadmin.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 4920 netsh.exe 7792 netsh.exe -
resource yara_rule behavioral1/files/0x000a000000023b79-237.dat aspack_v212_v242 -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Trojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Trojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation Trojan-Ransom.MSIL.Blocker.cs-6313a1d687fb155139f2246cdba1d0d06ecad074d4115488361f509484eb19c5.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation cscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 6.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation vpn.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsupdate.Lnk HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe -
Executes dropped EXE 21 IoCs
pid Process 3968 HEUR-Trojan-Ransom.MSIL.Blocker.gen-beca7f4570f23e87dd69d7b88eac737fae40234b0f613bedcbacc9fbc0f86585.exe 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 4588 HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe 1916 HEUR-Trojan-Ransom.MSIL.Foreign.gen-bbea096ceb3c94454a5b92e5f614f107bd98df0b9d2f7022574256d0614f35c8.exe 2012 HEUR-Trojan-Ransom.Win32.Agent.gen-15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649.exe 956 HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe 4288 HEUR-Trojan-Ransom.Win32.Cryptor.vho-9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 5212 HEUR-Trojan-Ransom.Win32.Encoder.gen-2193787c98e21859182aab3b8a25d270de67016073e508d5fd3c3f0900bcea0f.exe 13528 HEUR-Trojan-Ransom.Win32.Gen.vho-d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 10436 HEUR-Trojan-Ransom.Win32.Makop.gen-1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f.exe 6200 4.exe 12484 6.exe 11484 vpn.exe 7688 5.exe 13468 HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe 18380 HEUR-Trojan-Ransom.Win32.Stop.gen-6c747049b34b13fee03f951bc3b0f330aab130d3f1ecd4e39df734a94d4442d1.exe 15404 SmartClock.exe 6860 Trojan-Ransom.MSIL.Blocker.cs-6313a1d687fb155139f2246cdba1d0d06ecad074d4115488361f509484eb19c5.exe 5896 Trojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exe 18584 1.sfx.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe -
Loads dropped DLL 1 IoCs
pid Process 10436 HEUR-Trojan-Ransom.Win32.Makop.gen-1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f.exe -
Modifies file permissions 1 TTPs 8 IoCs
pid Process 13864 icacls.exe 6472 icacls.exe 9328 icacls.exe 8708 icacls.exe 8700 icacls.exe 8680 icacls.exe 3656 icacls.exe 11208 icacls.exe -
resource yara_rule behavioral1/files/0x000a000000023b75-233.dat themida behavioral1/memory/5896-4207-0x0000000000B90000-0x0000000001484000-memory.dmp themida behavioral1/memory/5896-4211-0x0000000000B90000-0x0000000001484000-memory.dmp themida behavioral1/memory/5896-4242-0x0000000000B90000-0x0000000001484000-memory.dmp themida -
resource yara_rule behavioral1/files/0x0008000000023e11-4505.dat vmprotect behavioral1/memory/9544-4588-0x0000000000080000-0x00000000023B8000-memory.dmp vmprotect -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ransom = "C:\\Users\\Admin\\Desktop\\00428\\HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe" HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus = "C:\\Windows\\system32\\wscript.exe C:\\Users\\Admin\\AppData\\Roaming\\sem.wsf" HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\Desktop\\00428\\HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe\"" HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome.exe" HEUR-Trojan-Ransom.MSIL.Blocker.gen-beca7f4570f23e87dd69d7b88eac737fae40234b0f613bedcbacc9fbc0f86585.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Trojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\H: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\I: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\N: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\T: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\E: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\L: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\S: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\Z: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\Q: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\R: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\W: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\X: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\A: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\B: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\M: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\O: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\Y: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\P: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\U: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\V: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\F: HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened (read-only) \??\G: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\J: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe File opened (read-only) \??\K: HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 575 api.2ip.ua 576 api.2ip.ua 630 api.2ip.ua -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000a000000023b7a-238.dat autoit_exe behavioral1/files/0x000a000000023b78-236.dat autoit_exe behavioral1/files/0x0004000000000032-6086.dat autoit_exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid Process 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe 5896 Trojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exe -
resource yara_rule behavioral1/files/0x0009000000023ba4-255.dat upx behavioral1/memory/13528-217-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral1/files/0x000a000000023b6f-206.dat upx behavioral1/memory/13528-3695-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral1/memory/13528-4045-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral1/memory/13528-4102-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral1/memory/13528-4709-0x0000000000400000-0x00000000008C6000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\bn.txt HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File created C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\Restore-My-Files.txt HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File created C:\Program Files\Microsoft Office\root\fre\Restore-My-Files.txt HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File created C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Restore-My-Files.txt HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FRSCRIPT.TTF HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File created C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\Restore-My-Files.txt HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File created C:\Program Files\Java\jre-1.8\lib\security\Restore-My-Files.txt HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File created C:\Program Files\VideoLAN\VLC\lua\http\Restore-My-Files.txt HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\management-agent.jar HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Java\jdk-1.8\lib\ct.sym HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\jawt.h HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt.lockbit HEUR-Trojan-Ransom.Win32.Gen.vho-d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\vlc.mo HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt.lockbit.aulmhwpbpzi HEUR-Trojan-Ransom.Win32.Gen.vho-d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNI.TTF HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\7-Zip\Lang\ka.txt HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\Restore-My-Files.txt HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\lsasetup.log.[ID-16ECD120].[[email protected]].crypt HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File opened for modification C:\Windows\PFRO.log.[ID-16ECD120].[[email protected]].crypt HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File opened for modification C:\Windows\SysmonDrv.sys.[ID-16ECD120].[[email protected]].crypt HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File opened for modification C:\Windows\WindowsShell.Manifest HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File opened for modification C:\Windows\WindowsUpdate.log.[ID-16ECD120].[[email protected]].crypt HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File opened for modification C:\Windows\DtcInstall.log.[ID-16ECD120].[[email protected]].crypt HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File opened for modification C:\Windows\Professional.xml.[ID-16ECD120].[[email protected]].crypt HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File opened for modification C:\Windows\setupact.log.[ID-16ECD120].[[email protected]].crypt HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File opened for modification C:\Windows\system.ini.[ID-16ECD120].[[email protected]].crypt HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe File opened for modification C:\Windows\win.ini.[ID-16ECD120].[[email protected]].crypt HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe -
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 452 sc.exe 5272 sc.exe 1040 sc.exe 1868 sc.exe 3196 sc.exe 1136 sc.exe 984 sc.exe 2108 sc.exe 692 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Program crash 40 IoCs
pid pid_target Process procid_target 15480 18380 WerFault.exe 981 14356 18380 WerFault.exe 981 8640 18380 WerFault.exe 981 15836 9924 WerFault.exe 1008 8524 18380 WerFault.exe 981 9708 18380 WerFault.exe 981 10972 1792 WerFault.exe 1018 16592 18380 WerFault.exe 981 6992 18380 WerFault.exe 981 14028 18380 WerFault.exe 981 9172 18380 WerFault.exe 981 11460 18380 WerFault.exe 981 2900 18380 WerFault.exe 981 18396 18380 WerFault.exe 981 8228 18380 WerFault.exe 981 2272 18380 WerFault.exe 981 18204 18380 WerFault.exe 981 7568 10868 WerFault.exe 1028 13580 4844 WerFault.exe 1123 17188 10868 WerFault.exe 1028 19448 4844 WerFault.exe 1123 15588 4844 WerFault.exe 1123 7956 4844 WerFault.exe 1123 5384 4844 WerFault.exe 1123 17244 4844 WerFault.exe 1123 6492 4844 WerFault.exe 1123 2240 4844 WerFault.exe 1123 7760 4844 WerFault.exe 1123 6824 4844 WerFault.exe 1123 10080 4844 WerFault.exe 1123 17836 4844 WerFault.exe 1123 9116 4844 WerFault.exe 1123 24944 4844 WerFault.exe 1123 25112 4844 WerFault.exe 1123 25052 4844 WerFault.exe 1123 28960 4844 WerFault.exe 1123 38600 4844 WerFault.exe 1123 38296 4844 WerFault.exe 1123 37432 4844 WerFault.exe 1123 43408 4844 WerFault.exe 1123 -
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SmartClock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Cryptor.vho-9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Encoder.gen-2193787c98e21859182aab3b8a25d270de67016073e508d5fd3c3f0900bcea0f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Makop.gen-1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.MSIL.Blocker.cs-6313a1d687fb155139f2246cdba1d0d06ecad074d4115488361f509484eb19c5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.sfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Agent.gen-15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Stop.gen-6c747049b34b13fee03f951bc3b0f330aab130d3f1ecd4e39df734a94d4442d1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023b76-234.dat nsis_installer_1 behavioral1/files/0x000a000000023b76-234.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 9388 vssadmin.exe 1392 vssadmin.exe 97108 vssadmin.exe -
Kills process with taskkill 50 IoCs
pid Process 2624 taskkill.exe 8568 taskkill.exe 8528 taskkill.exe 8448 taskkill.exe 8312 taskkill.exe 5704 taskkill.exe 8504 taskkill.exe 8424 taskkill.exe 8620 taskkill.exe 8596 taskkill.exe 8464 taskkill.exe 8440 taskkill.exe 8384 taskkill.exe 8216 taskkill.exe 8512 taskkill.exe 8240 taskkill.exe 5908 taskkill.exe 8076 taskkill.exe 8656 taskkill.exe 8648 taskkill.exe 8632 taskkill.exe 8576 taskkill.exe 8488 taskkill.exe 8416 taskkill.exe 8296 taskkill.exe 6120 taskkill.exe 7652 taskkill.exe 25840 taskkill.exe 8612 taskkill.exe 8536 taskkill.exe 8400 taskkill.exe 8360 taskkill.exe 8328 taskkill.exe 5988 taskkill.exe 8336 taskkill.exe 8288 taskkill.exe 8248 taskkill.exe 8232 taskkill.exe 8224 taskkill.exe 8208 taskkill.exe 8200 taskkill.exe 8264 taskkill.exe 8604 taskkill.exe 8588 taskkill.exe 8552 taskkill.exe 8480 taskkill.exe 8376 taskkill.exe 8352 taskkill.exe 8272 taskkill.exe 15356 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3712 reg.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 12512 notepad.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 11556 schtasks.exe 94748 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process 3016 WINWORD.EXE 3016 WINWORD.EXE 15404 SmartClock.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 3908 powershell.exe 3908 powershell.exe 3908 powershell.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3688 7zFM.exe 2080 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 3688 7zFM.exe Token: 35 3688 7zFM.exe Token: SeSecurityPrivilege 3688 7zFM.exe Token: SeDebugPrivilege 4196 taskmgr.exe Token: SeSystemProfilePrivilege 4196 taskmgr.exe Token: SeCreateGlobalPrivilege 4196 taskmgr.exe Token: SeDebugPrivilege 2080 taskmgr.exe Token: SeSystemProfilePrivilege 2080 taskmgr.exe Token: SeCreateGlobalPrivilege 2080 taskmgr.exe Token: 33 4196 taskmgr.exe Token: SeIncBasePriorityPrivilege 4196 taskmgr.exe Token: SeDebugPrivilege 3908 powershell.exe Token: SeDebugPrivilege 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe Token: SeDebugPrivilege 2624 taskkill.exe Token: SeDebugPrivilege 8312 taskkill.exe Token: SeDebugPrivilege 8288 taskkill.exe Token: SeDebugPrivilege 8264 taskkill.exe Token: SeDebugPrivilege 8424 taskkill.exe Token: SeDebugPrivilege 8272 taskkill.exe Token: SeDebugPrivilege 8384 taskkill.exe Token: SeDebugPrivilege 5988 taskkill.exe Token: SeDebugPrivilege 8528 taskkill.exe Token: SeDebugPrivilege 8576 taskkill.exe Token: SeDebugPrivilege 8376 taskkill.exe Token: SeDebugPrivilege 8464 taskkill.exe Token: SeDebugPrivilege 8488 taskkill.exe Token: SeDebugPrivilege 8480 taskkill.exe Token: SeDebugPrivilege 8360 taskkill.exe Token: SeDebugPrivilege 8216 taskkill.exe Token: SeDebugPrivilege 8440 taskkill.exe Token: SeDebugPrivilege 5704 taskkill.exe Token: SeDebugPrivilege 8296 taskkill.exe Token: SeDebugPrivilege 8620 taskkill.exe Token: SeDebugPrivilege 8656 taskkill.exe Token: SeDebugPrivilege 8612 taskkill.exe Token: SeDebugPrivilege 8448 taskkill.exe Token: SeDebugPrivilege 8552 taskkill.exe Token: SeDebugPrivilege 8512 taskkill.exe Token: SeDebugPrivilege 8648 taskkill.exe Token: SeDebugPrivilege 8596 taskkill.exe Token: SeDebugPrivilege 8416 taskkill.exe Token: SeDebugPrivilege 6120 taskkill.exe Token: SeDebugPrivilege 8664 powershell.exe Token: SeDebugPrivilege 8240 taskkill.exe Token: SeDebugPrivilege 8400 taskkill.exe Token: SeDebugPrivilege 8232 taskkill.exe Token: SeDebugPrivilege 7652 taskkill.exe Token: SeDebugPrivilege 8568 taskkill.exe Token: SeDebugPrivilege 8076 taskkill.exe Token: SeDebugPrivilege 5908 taskkill.exe Token: SeDebugPrivilege 8504 taskkill.exe Token: SeDebugPrivilege 8588 taskkill.exe Token: SeDebugPrivilege 8248 taskkill.exe Token: SeTakeOwnershipPrivilege 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe Token: SeDebugPrivilege 19336 HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe Token: SeDebugPrivilege 8208 taskkill.exe Token: SeDebugPrivilege 8200 taskkill.exe Token: SeDebugPrivilege 8632 taskkill.exe Token: SeDebugPrivilege 8604 taskkill.exe Token: SeDebugPrivilege 8328 taskkill.exe Token: SeDebugPrivilege 8536 taskkill.exe Token: SeDebugPrivilege 8224 taskkill.exe Token: SeDebugPrivilege 8336 taskkill.exe Token: SeDebugPrivilege 3968 HEUR-Trojan-Ransom.MSIL.Blocker.gen-beca7f4570f23e87dd69d7b88eac737fae40234b0f613bedcbacc9fbc0f86585.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3688 7zFM.exe 3688 7zFM.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 4196 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe 2080 taskmgr.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3016 WINWORD.EXE 3016 WINWORD.EXE 3016 WINWORD.EXE 3016 WINWORD.EXE 5212 HEUR-Trojan-Ransom.Win32.Encoder.gen-2193787c98e21859182aab3b8a25d270de67016073e508d5fd3c3f0900bcea0f.exe 5212 HEUR-Trojan-Ransom.Win32.Encoder.gen-2193787c98e21859182aab3b8a25d270de67016073e508d5fd3c3f0900bcea0f.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4196 wrote to memory of 2080 4196 taskmgr.exe 99 PID 4196 wrote to memory of 2080 4196 taskmgr.exe 99 PID 3908 wrote to memory of 1444 3908 powershell.exe 107 PID 3908 wrote to memory of 1444 3908 powershell.exe 107 PID 1444 wrote to memory of 3968 1444 cmd.exe 108 PID 1444 wrote to memory of 3968 1444 cmd.exe 108 PID 1444 wrote to memory of 4456 1444 cmd.exe 109 PID 1444 wrote to memory of 4456 1444 cmd.exe 109 PID 1444 wrote to memory of 4588 1444 cmd.exe 110 PID 1444 wrote to memory of 4588 1444 cmd.exe 110 PID 1444 wrote to memory of 1916 1444 cmd.exe 111 PID 1444 wrote to memory of 1916 1444 cmd.exe 111 PID 1444 wrote to memory of 2012 1444 cmd.exe 112 PID 1444 wrote to memory of 2012 1444 cmd.exe 112 PID 1444 wrote to memory of 2012 1444 cmd.exe 112 PID 1444 wrote to memory of 956 1444 cmd.exe 113 PID 1444 wrote to memory of 956 1444 cmd.exe 113 PID 1444 wrote to memory of 956 1444 cmd.exe 113 PID 956 wrote to memory of 3016 956 HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe 114 PID 956 wrote to memory of 3016 956 HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe 114 PID 1444 wrote to memory of 4288 1444 cmd.exe 115 PID 1444 wrote to memory of 4288 1444 cmd.exe 115 PID 1444 wrote to memory of 4288 1444 cmd.exe 115 PID 4456 wrote to memory of 2624 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 116 PID 4456 wrote to memory of 2624 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 116 PID 4456 wrote to memory of 4300 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 117 PID 4456 wrote to memory of 4300 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 117 PID 4456 wrote to memory of 3712 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 119 PID 4456 wrote to memory of 3712 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 119 PID 4456 wrote to memory of 4840 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 120 PID 4456 wrote to memory of 4840 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 120 PID 4456 wrote to memory of 3596 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 123 PID 4456 wrote to memory of 3596 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 123 PID 4456 wrote to memory of 2932 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 124 PID 4456 wrote to memory of 2932 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 124 PID 4456 wrote to memory of 4920 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 125 PID 4456 wrote to memory of 4920 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 125 PID 4456 wrote to memory of 452 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 126 PID 4456 wrote to memory of 452 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 126 PID 4456 wrote to memory of 3196 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 127 PID 4456 wrote to memory of 3196 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 127 PID 4456 wrote to memory of 1136 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 128 PID 4456 wrote to memory of 1136 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 128 PID 4456 wrote to memory of 692 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 129 PID 4456 wrote to memory of 692 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 129 PID 4456 wrote to memory of 1868 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 130 PID 4456 wrote to memory of 1868 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 130 PID 4456 wrote to memory of 1040 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 131 PID 4456 wrote to memory of 1040 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 131 PID 4456 wrote to memory of 2108 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 800 PID 4456 wrote to memory of 2108 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 800 PID 4456 wrote to memory of 984 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 133 PID 4456 wrote to memory of 984 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 133 PID 4456 wrote to memory of 1384 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 134 PID 4456 wrote to memory of 1384 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 134 PID 4456 wrote to memory of 1788 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 135 PID 4456 wrote to memory of 1788 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 135 PID 4456 wrote to memory of 4720 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 136 PID 4456 wrote to memory of 4720 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 136 PID 4456 wrote to memory of 1536 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 137 PID 4456 wrote to memory of 1536 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 137 PID 4456 wrote to memory of 3288 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 138 PID 4456 wrote to memory of 3288 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 138 PID 4456 wrote to memory of 1560 4456 HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe 139 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00428.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3688
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2080 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵PID:12344
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵PID:41924
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.MSIL.Blocker.gen-beca7f4570f23e87dd69d7b88eac737fae40234b0f613bedcbacc9fbc0f86585.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-beca7f4570f23e87dd69d7b88eac737fae40234b0f613bedcbacc9fbc0f86585.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3968 -
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"4⤵PID:6328
-
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exeHEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe3⤵
- Drops startup file
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F4⤵PID:4300
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete HKCU\Software\Raccine /F4⤵
- Modifies registry key
PID:3712
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F4⤵PID:4840
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin4⤵PID:3596
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin4⤵PID:2932
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4920
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config Dnscache start= auto4⤵
- Launches sc.exe
PID:452
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config FDResPub start= auto4⤵
- Launches sc.exe
PID:3196
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SSDPSRV start= auto4⤵
- Launches sc.exe
PID:1136
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config upnphost start= auto4⤵
- Launches sc.exe
PID:692
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled4⤵
- Launches sc.exe
PID:1868
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
- Launches sc.exe
PID:1040
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled4⤵
- Launches sc.exe
PID:2108
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled4⤵
- Launches sc.exe
PID:984
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start Dnscache /y4⤵PID:1384
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start Dnscache /y5⤵PID:13752
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start FDResPub /y4⤵PID:1788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start FDResPub /y5⤵PID:11588
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start SSDPSRV /y4⤵PID:4720
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start SSDPSRV /y5⤵PID:14580
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" start upnphost /y4⤵PID:1536
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start upnphost /y5⤵PID:13520
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y4⤵PID:3288
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y5⤵PID:13824
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y4⤵PID:1560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y5⤵PID:13832
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y4⤵PID:4832
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y5⤵PID:13840
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y4⤵PID:4692
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y5⤵PID:13584
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y4⤵PID:2380
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y5⤵PID:14588
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DefWatch /y4⤵PID:2984
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y5⤵PID:13888
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccEvtMgr /y4⤵PID:3160
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y5⤵PID:13536
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y4⤵PID:2240
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y5⤵PID:14644
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SavRoam /y4⤵PID:4732
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y5⤵PID:14460
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y4⤵PID:4020
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y5⤵PID:16740
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBFCService /y4⤵PID:2364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y5⤵PID:14596
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y4⤵PID:528
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y5⤵PID:9180
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y4⤵PID:2428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y5⤵PID:15480
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBCFMonitorService /y4⤵PID:4532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y5⤵PID:13552
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooBackup /y4⤵PID:1440
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y5⤵PID:13568
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooIT /y4⤵PID:3592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y5⤵PID:14660
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop zhudongfangyu /y4⤵PID:216
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y5⤵PID:14692
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop stc_raw_agent /y4⤵PID:3800
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y5⤵PID:14652
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VSNAPVSS /y4⤵PID:4556
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y5⤵PID:14676
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y4⤵PID:2248
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y5⤵PID:14668
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y4⤵PID:2388
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y5⤵PID:14684
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y4⤵PID:672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y5⤵PID:13776
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y4⤵PID:4024
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y5⤵PID:13784
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y4⤵PID:2964
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y5⤵PID:13560
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y4⤵PID:3432
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y5⤵PID:14332
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y4⤵PID:3096
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y5⤵PID:13988
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y4⤵PID:4472
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y5⤵PID:14700
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y4⤵PID:492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y5⤵PID:13792
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y4⤵PID:1808
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y5⤵PID:15708
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y4⤵PID:3992
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y5⤵PID:14716
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y4⤵PID:3228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y5⤵PID:13512
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y4⤵PID:1580
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y5⤵PID:13800
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y4⤵PID:4100
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y5⤵PID:14708
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y4⤵PID:2948
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y5⤵PID:14724
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y4⤵PID:5032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y5⤵PID:14748
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y4⤵PID:4196
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y5⤵PID:14788
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Acronis VSS Provider” /y4⤵PID:3960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Acronis VSS Provider” /y5⤵PID:14732
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer /y4⤵PID:2064
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer /y5⤵PID:14740
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop IISAdmin /y4⤵PID:348
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IISAdmin /y5⤵PID:13848
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeES /y4⤵PID:2556
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeES /y5⤵PID:14780
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Agent” /y4⤵PID:1108
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Agent” /y5⤵PID:14772
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EraserSvc11710 /y4⤵PID:4240
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EraserSvc11710 /y5⤵PID:14764
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Enterprise Client Service” /y4⤵PID:532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y5⤵PID:14756
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQL Backups /y4⤵PID:3564
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQL Backups /y5⤵PID:13760
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer100 /y4⤵PID:1552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer100 /y5⤵PID:13596
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetMsmqActivator /y4⤵PID:2584
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetMsmqActivator /y5⤵PID:14804
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeIS /y4⤵PID:3920
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeIS /y5⤵PID:13880
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos AutoUpdate Service” /y4⤵PID:5124
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y5⤵PID:14796
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SamSs /y4⤵PID:5132
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SamSs /y5⤵PID:4912
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer /y4⤵PID:5140
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer /y5⤵PID:13856
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQLsafe Backup Service” /y4⤵PID:5148
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Backup Service” /y5⤵PID:2008
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MsDtsServer110 /y4⤵PID:5156
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MsDtsServer110 /y5⤵PID:14628
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop POP3Svc /y4⤵PID:5164
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop POP3Svc /y5⤵PID:9172
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeMGMT /y4⤵PID:5172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMGMT /y5⤵PID:13864
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Clean Service” /y4⤵PID:5180
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Clean Service” /y5⤵PID:14924
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SMTPSvc /y4⤵PID:5188
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SMTPSvc /y5⤵PID:13896
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SQL_2008 /y4⤵PID:5196
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y5⤵PID:14620
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “SQLsafe Filter Service” /y4⤵PID:5204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “SQLsafe Filter Service” /y5⤵PID:13872
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msftesql$PROD /y4⤵PID:5228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msftesql$PROD /y5⤵PID:14612
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SstpSvc /y4⤵PID:5236
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SstpSvc /y5⤵PID:13816
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeMTA /y4⤵PID:5244
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeMTA /y5⤵PID:11052
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Device Control Service” /y4⤵PID:5252
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Device Control Service” /y5⤵PID:14604
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SYSTEM_BGC /y4⤵PID:5260
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y5⤵PID:9732
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Symantec System Recovery” /y4⤵PID:5268
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Symantec System Recovery” /y5⤵PID:11528
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$SQL_2008 /y4⤵PID:5276
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y5⤵PID:13768
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop UI0Detect /y4⤵PID:5284
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UI0Detect /y5⤵PID:15208
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeSA /y4⤵PID:5292
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSA /y5⤵PID:14636
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos File Scanner Service” /y4⤵PID:5396
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos File Scanner Service” /y5⤵PID:13904
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$TPS /y4⤵PID:5404
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPS /y5⤵PID:13808
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Veeam Backup Catalog Data Service” /y4⤵PID:6132
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y5⤵PID:15384
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSExchangeSRS /y4⤵PID:6140
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSExchangeSRS /y5⤵PID:5040
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Health Service” /y4⤵PID:4820
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Health Service” /y5⤵PID:16148
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$TPSAMA /y4⤵PID:3436
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$TPSAMA /y5⤵PID:16268
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Zoolz 2 Service” /y4⤵PID:5392
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Zoolz 2 Service” /y5⤵PID:16904
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$TPS /y4⤵PID:5320
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPS /y5⤵PID:16708
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “aphidmonitorservice” /y4⤵PID:5632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “aphidmonitorservice” /y5⤵PID:2108
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msexchangeadtopology /y4⤵PID:5360
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeadtopology /y5⤵PID:64
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos MCS Agent” /y4⤵PID:5712
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Agent” /y5⤵PID:16912
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y4⤵PID:6152
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y5⤵PID:16156
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$TPSAMA /y4⤵PID:6160
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$TPSAMA /y5⤵PID:15368
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “intel(r) proset monitoring service” /y4⤵PID:6172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y5⤵PID:15376
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop msexchangeimap4 /y4⤵PID:6180
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop msexchangeimap4 /y5⤵PID:16856
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos MCS Client” /y4⤵PID:6192
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos MCS Client” /y5⤵PID:16864
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ARSM /y4⤵PID:6204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ARSM /y5⤵PID:17952
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$BKUPEXEC /y4⤵PID:6212
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y5⤵PID:16764
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop unistoresvc_1af40a /y4⤵PID:6220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop unistoresvc_1af40a /y5⤵PID:16132
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Message Router” /y4⤵PID:6228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Message Router” /y5⤵PID:15668
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y4⤵PID:6236
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y5⤵PID:13548
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$ECWDB2 /y4⤵PID:6244
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ECWDB2 /y5⤵PID:15660
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop audioendpointbuilder /y4⤵PID:6252
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop audioendpointbuilder /y5⤵PID:12528
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Safestore Service” /y4⤵PID:6260
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Safestore Service” /y5⤵PID:17432
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y4⤵PID:6268
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y5⤵PID:16140
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PRACTICEMGT /y4⤵PID:6280
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y5⤵PID:13580
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos System Protection Service” /y4⤵PID:6292
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos System Protection Service” /y5⤵PID:15688
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDeviceMediaService /y4⤵PID:6300
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDeviceMediaService /y5⤵PID:16432
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PRACTTICEBGC /y4⤵PID:6312
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y5⤵PID:16252
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop “Sophos Web Control Service” /y4⤵PID:6320
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop “Sophos Web Control Service” /y5⤵PID:13604
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y4⤵PID:6332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y5⤵PID:13612
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PROD /y4⤵PID:6340
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROD /y5⤵PID:17436
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y4⤵PID:6348
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y5⤵PID:16804
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y4⤵PID:6356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y5⤵PID:17896
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$PROFXENGAGEMENT /y4⤵PID:6368
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y5⤵PID:17424
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Antivirus /y4⤵PID:6376
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Antivirus /y5⤵PID:16848
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y4⤵PID:6384
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y5⤵PID:16936
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SBSMONITORING /4⤵PID:6396
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /5⤵PID:15680
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SBSMONITORING /y4⤵PID:6408
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y5⤵PID:15620
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AVP /y4⤵PID:6416
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AVP /y5⤵PID:15628
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y4⤵PID:6428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y5⤵PID:15400
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SHAREPOINT /y4⤵PID:6440
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y5⤵PID:17472
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DCAgent /y4⤵PID:6448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DCAgent /y5⤵PID:17360
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop bedbg /y4⤵PID:6460
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bedbg /y5⤵PID:16724
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SQL_2008 /y4⤵PID:6476
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y5⤵PID:16216
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EhttpSrv /y4⤵PID:6492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y5⤵PID:16928
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MMS /y4⤵PID:6500
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MMS /y5⤵PID:15448
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y4⤵PID:6512
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y5⤵PID:14000
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ekrn /y4⤵PID:6520
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ekrn /y5⤵PID:15456
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mozyprobackup /y4⤵PID:6532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y5⤵PID:15472
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y4⤵PID:6540
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y5⤵PID:16408
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EPSecurityService /y4⤵PID:6556
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y5⤵PID:17400
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y4⤵PID:6568
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y5⤵PID:6088
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$TPS /y4⤵PID:6576
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y5⤵PID:16788
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EPUpdateService /y4⤵PID:6588
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y5⤵PID:17500
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ntrtscan /y4⤵PID:6596
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ntrtscan /y5⤵PID:16512
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$TPSAMA /y4⤵PID:6608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y5⤵PID:16796
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop EsgShKernel /y4⤵PID:6616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y5⤵PID:16244
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y4⤵PID:6628
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y5⤵PID:17416
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y4⤵PID:6640
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y5⤵PID:16780
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ESHASRV /y4⤵PID:6648
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESHASRV /y5⤵PID:17376
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SDRSVC /y4⤵PID:6660
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SDRSVC /y5⤵PID:16260
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y4⤵PID:6668
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y5⤵PID:10712
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop FA_Scheduler /y4⤵PID:6680
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y5⤵PID:14916
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y4⤵PID:6688
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y5⤵PID:16448
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y4⤵PID:6700
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y5⤵PID:7848
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop KAVFS /y4⤵PID:6712
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFS /y5⤵PID:16700
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLWriter /y4⤵PID:6720
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter /y5⤵PID:15392
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y4⤵PID:6732
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y5⤵PID:15636
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop KAVFSGT /y4⤵PID:6744
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y5⤵PID:16716
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamBackupSvc /y4⤵PID:6752
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y5⤵PID:17384
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y4⤵PID:6764
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y5⤵PID:8684
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop kavfsslp /y4⤵PID:6772
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop kavfsslp /y5⤵PID:17352
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamBrokerSvc /y4⤵PID:6784
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y5⤵PID:16520
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y4⤵PID:6792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y5⤵PID:17448
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop klnagent /y4⤵PID:6804
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop klnagent /y5⤵PID:17976
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamCatalogSvc /y4⤵PID:6820
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y5⤵PID:17968
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y4⤵PID:6832
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y5⤵PID:17800
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop macmnsvc /y4⤵PID:6844
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop macmnsvc /y5⤵PID:17792
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamCloudSvc /y4⤵PID:6852
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y5⤵PID:16872
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y4⤵PID:6864
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y5⤵PID:17824
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop masvc /y4⤵PID:6872
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop masvc /y5⤵PID:17856
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y4⤵PID:6880
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y5⤵PID:17864
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y4⤵PID:6892
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y5⤵PID:17848
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MBAMService /y4⤵PID:6904
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBAMService /y5⤵PID:16472
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploySvc /y4⤵PID:6912
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y5⤵PID:17840
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLSERVER /y4⤵PID:6920
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y5⤵PID:17808
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MBEndpointAgent /y4⤵PID:6932
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MBEndpointAgent /y5⤵PID:17816
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamEnterpriseManagerSvc /y4⤵PID:6940
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y5⤵PID:16416
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerADHelper /y4⤵PID:6948
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y5⤵PID:17832
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeEngineService /y4⤵PID:6956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y5⤵PID:16840
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamHvIntegrationSvc /y4⤵PID:6968
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y5⤵PID:16480
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerADHelper100 /y4⤵PID:6980
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper100 /y5⤵PID:16488
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeFramework /y4⤵PID:6992
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFramework /y5⤵PID:16424
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamMountSvc /y4⤵PID:7004
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamMountSvc /y5⤵PID:15644
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQLServerOLAPService /y4⤵PID:7020
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerOLAPService /y5⤵PID:10748
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeFrameworkMcAfeeFramework /y4⤵PID:7036
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y5⤵PID:17164
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y4⤵PID:7048
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y5⤵PID:16504
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MySQL57 /y4⤵PID:7056
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL57 /y5⤵PID:16236
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McShield /y4⤵PID:7072
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McShield /y5⤵PID:16828
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamRESTSvc /y4⤵PID:7080
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamRESTSvc /y5⤵PID:16732
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MySQL80 /y4⤵PID:7088
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MySQL80 /y5⤵PID:16496
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McTaskManager /y4⤵PID:7100
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McTaskManager /y5⤵PID:16164
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y4⤵PID:7112
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y5⤵PID:16200
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop OracleClientCache80 /y4⤵PID:7120
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop OracleClientCache80 /y5⤵PID:17344
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfefire /y4⤵PID:7128
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfefire /y5⤵PID:15416
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop wbengine /y4⤵PID:7140
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y5⤵PID:17920
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ReportServer$SQL_2008 /y4⤵PID:7152
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ReportServer$SQL_2008 /y5⤵PID:17928
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfemms /y4⤵PID:7160
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfemms /y5⤵PID:17888
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop wbengine /y4⤵PID:5756
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wbengine /y5⤵PID:15424
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RESvc /y4⤵PID:5568
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RESvc /y5⤵PID:15408
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfevtp /y4⤵PID:5608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfevtp /y5⤵PID:17328
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sms_site_sql_backup /y4⤵PID:7172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sms_site_sql_backup /y5⤵PID:17336
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$BKUPEXEC /y4⤵PID:7184
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y5⤵PID:15440
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSSQL$SOPHOS /y4⤵PID:7196
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SOPHOS /y5⤵PID:17320
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$CITRIX_METAFRAME /y4⤵PID:7204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y5⤵PID:17944
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sacsvr /y4⤵PID:7216
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sacsvr /y5⤵PID:11472
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$CXDB /y4⤵PID:7224
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$CXDB /y5⤵PID:16920
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SAVAdminService /y4⤵PID:7236
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVAdminService /y5⤵PID:15432
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$ECWDB2 /y4⤵PID:7244
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y5⤵PID:17284
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SAVService /y4⤵PID:7256
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SAVService /y5⤵PID:17936
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PRACTTICEBGC /y4⤵PID:7268
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y5⤵PID:17912
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SepMasterService /y4⤵PID:7276
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SepMasterService /y5⤵PID:16456
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PRACTTICEMGT /y4⤵PID:7284
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y5⤵PID:17156
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ShMonitor /y4⤵PID:7292
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ShMonitor /y5⤵PID:1596
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PROD /y4⤵PID:7304
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROD /y5⤵PID:17292
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Smcinst /y4⤵PID:7312
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Smcinst /y5⤵PID:17276
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$PROFXENGAGEMENT /y4⤵PID:7324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y5⤵PID:17268
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SmcService /y4⤵PID:7332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SmcService /y5⤵PID:15464
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SBSMONITORING /y4⤵PID:7344
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y5⤵PID:17960
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SntpService /y4⤵PID:7352
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SntpService /y5⤵PID:18808
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SHAREPOINT /y4⤵PID:7364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y5⤵PID:13156
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophossps /y4⤵PID:7372
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophossps /y5⤵PID:9836
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SQL_2008 /y4⤵PID:7384
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y5⤵PID:16440
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SOPHOS /y4⤵PID:7392
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SOPHOS /y5⤵PID:5324
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SQLEXPRESS /y4⤵PID:7404
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y5⤵PID:16224
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop svcGenericHost /y4⤵PID:7412
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop svcGenericHost /y5⤵PID:5088
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$SYSTEM_BGC /y4⤵PID:7428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y5⤵PID:16208
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_filter /y4⤵PID:7436
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_filter /y5⤵PID:16820
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$TPS /y4⤵PID:7448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPS /y5⤵PID:15724
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_service /y4⤵PID:7460
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_service /y5⤵PID:16896
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$TPSAMA /y4⤵PID:7468
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$TPSAMA /y5⤵PID:16772
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_update /y4⤵PID:7480
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update /y5⤵PID:16888
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y4⤵PID:7488
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y5⤵PID:17904
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop swi_update_64 /y4⤵PID:7500
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop swi_update_64 /y5⤵PID:5436
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLAgent$VEEAMSQL2012 /y4⤵PID:7512
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y5⤵PID:15732
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TmCCSF /y4⤵PID:7520
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TmCCSF /y5⤵PID:16880
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLBrowser /y4⤵PID:7532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser /y5⤵PID:16464
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop tmlisten /y4⤵PID:7540
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop tmlisten /y5⤵PID:15716
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLSafeOLRService /y4⤵PID:7552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSafeOLRService /y5⤵PID:17084
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKey /y4⤵PID:7560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKey /y5⤵PID:17456
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLSERVERAGENT /y4⤵PID:7572
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT /y5⤵PID:17368
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKeyScheduler /y4⤵PID:7580
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyScheduler /y5⤵PID:12064
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLTELEMETRY /y4⤵PID:7592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY /y5⤵PID:8680
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop TrueKeyServiceHelper /y4⤵PID:7600
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop TrueKeyServiceHelper /y5⤵PID:796
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SQLTELEMETRY$ECWDB2 /y4⤵PID:7612
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y5⤵PID:17392
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop WRSVC /y4⤵PID:7620
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WRSVC /y5⤵PID:16124
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mssql$vim_sqlexp /y4⤵PID:7628
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mssql$vim_sqlexp /y5⤵PID:12336
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop vapiendpoint /y4⤵PID:7636
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop vapiendpoint /y5⤵PID:16676
-
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:7792
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop MSOLAP$SYSTEM_BGC /y4⤵PID:7804
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y5⤵PID:16812
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop W3Svc /y4⤵PID:7668
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop W3Svc /y5⤵PID:17992
-
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5908
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5988
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5704
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7652
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6120
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8076
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8200
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8208
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM steam.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8216
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8224
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM excel.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8232
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8240
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8248
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8264
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8272
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8288
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8296
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM infopath.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8312
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8328
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8336
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F4⤵
- Kills process with taskkill
PID:8352
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8360
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8376
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8384
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8400
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8416
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM onenote.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8424
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8440
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8448
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM outlook.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8464
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8480
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8488
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8504
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8512
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM visio.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8528
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8536
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM winword.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8552
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8568
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8576
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8588
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8596
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8604
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8612
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8620
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8632
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8648
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM synctime.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8664
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:8680
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:8700
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:8708
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt4⤵
- Opens file in notepad (likely ransom note)
PID:12512
-
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exeHEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- System policy modification
PID:4588 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k taskkill /f /im explorer.exe4⤵PID:5552
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe5⤵
- Kills process with taskkill
PID:15356
-
-
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.MSIL.Foreign.gen-bbea096ceb3c94454a5b92e5f614f107bd98df0b9d2f7022574256d0614f35c8.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-bbea096ceb3c94454a5b92e5f614f107bd98df0b9d2f7022574256d0614f35c8.exe3⤵
- Executes dropped EXE
PID:1916
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Agent.gen-15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649.exeHEUR-Trojan-Ransom.Win32.Agent.gen-15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2012
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\selfbook.doc" /o ""4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3016
-
-
C:\Windows\SysWOW64\cscript.execscript.exe C:\Users\Admin\AppData\Roaming\sem.wsf4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:7420 -
C:\Windows\SysWOW64\cscript.exe"C:\Windows\System32\cscript.exe" //B "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\sem.wsf"5⤵
- System Location Discovery: System Language Discovery
PID:13896 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5204
-
-
-
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Cryptor.vho-9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exeHEUR-Trojan-Ransom.Win32.Cryptor.vho-9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4288 -
C:\Users\Admin\Desktop\00428\kdEDTyGSZrep.exe"C:\Users\Admin\Desktop\00428\kdEDTyGSZrep.exe" 9 REP4⤵PID:8032
-
-
C:\Users\Admin\Desktop\00428\DTPmxGSIulan.exe"C:\Users\Admin\Desktop\00428\DTPmxGSIulan.exe" 8 LAN4⤵PID:19320
-
-
C:\Users\Admin\Desktop\00428\XljNHgksMlan.exe"C:\Users\Admin\Desktop\00428\XljNHgksMlan.exe" 8 LAN4⤵PID:6456
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:9328
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:6472
-
-
C:\Windows\SysWOW64\icacls.exeicacls "F:\*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:13864
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y4⤵PID:25576
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y5⤵PID:25048
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "wbengine" /y4⤵PID:24968
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "wbengine" /y5⤵PID:25064
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y4⤵PID:25376
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y5⤵PID:24984
-
-
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Encoder.gen-2193787c98e21859182aab3b8a25d270de67016073e508d5fd3c3f0900bcea0f.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-2193787c98e21859182aab3b8a25d270de67016073e508d5fd3c3f0900bcea0f.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5212
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Gen.vho-d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.exeHEUR-Trojan-Ransom.Win32.Gen.vho-d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:13528 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\00428\fmkpchnqcp.bat4⤵PID:14952
-
C:\Windows\system32\sc.exeSC QUERY5⤵
- Launches sc.exe
PID:5272
-
-
C:\Windows\system32\findstr.exeFINDSTR SERVICE_NAME5⤵PID:13828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\00428\bueisgmabgbijkqirx.bat4⤵PID:7368
-
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exeHEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:19336 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:5576
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:9388
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵PID:6784
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:7348
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:7992
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:7284
-
-
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Makop.gen-1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f.exeHEUR-Trojan-Ransom.Win32.Makop.gen-1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:10436 -
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"4⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6200 -
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:15404
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Feature\6.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\6.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:12484 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"5⤵PID:13156
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c CmD < Cambio.accdr5⤵
- System Location Discovery: System Language Discovery
PID:17440 -
C:\Windows\SysWOW64\cmd.exeCmD6⤵
- System Location Discovery: System Language Discovery
PID:7008
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:11484 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"5⤵PID:13356
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c CmD < Mantenga.eps5⤵
- System Location Discovery: System Language Discovery
PID:13652 -
C:\Windows\SysWOW64\cmd.exeCmD6⤵
- System Location Discovery: System Language Discovery
PID:7644
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Feature\5.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\5.exe"4⤵
- Executes dropped EXE
PID:7688
-
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exeHEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:13468
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Stop.gen-6c747049b34b13fee03f951bc3b0f330aab130d3f1ecd4e39df734a94d4442d1.exeHEUR-Trojan-Ransom.Win32.Stop.gen-6c747049b34b13fee03f951bc3b0f330aab130d3f1ecd4e39df734a94d4442d1.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:18380 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 8604⤵
- Program crash
PID:15480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 8684⤵
- Program crash
PID:14356
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 9124⤵
- Program crash
PID:8640
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 9204⤵
- Program crash
PID:8524
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 9364⤵
- Program crash
PID:9708
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 11124⤵
- Program crash
PID:16592
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 15484⤵
- Program crash
PID:6992
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 16164⤵
- Program crash
PID:14028
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 18404⤵
- Program crash
PID:9172
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 16324⤵
- Program crash
PID:11460
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 15524⤵
- Program crash
PID:2900
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 18444⤵
- Program crash
PID:18396
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 16404⤵
- Program crash
PID:8228
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\c62e6e8e-c29b-4c80-b662-af254de7ae75" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
PID:3656
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 18364⤵
- Program crash
PID:2272
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18380 -s 20364⤵
- Program crash
PID:18204
-
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Stop.gen-6c747049b34b13fee03f951bc3b0f330aab130d3f1ecd4e39df734a94d4442d1.exe"C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Stop.gen-6c747049b34b13fee03f951bc3b0f330aab130d3f1ecd4e39df734a94d4442d1.exe" --Admin IsNotAutoStart IsNotTask4⤵PID:4844
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 7925⤵
- Program crash
PID:13580
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 8005⤵
- Program crash
PID:19448
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 8285⤵
- Program crash
PID:15588
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 8405⤵
- Program crash
PID:7956
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 8085⤵
- Program crash
PID:5384
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 10605⤵
- Program crash
PID:17244
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 13605⤵
- Program crash
PID:6492
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 15885⤵
- Program crash
PID:2240
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 18085⤵
- Program crash
PID:7760
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 16005⤵
- Program crash
PID:6824
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 18045⤵
- Program crash
PID:10080
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 17765⤵
- Program crash
PID:17836
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 18045⤵
- Program crash
PID:9116
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\23667849-b37c-433b-957d-a3b413a5e384" /deny *S-1-1-0:(OI)(CI)(DE,DC)5⤵
- Modifies file permissions
PID:11208
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 18485⤵
- Program crash
PID:24944
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 18565⤵
- Program crash
PID:25112
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 18925⤵
- Program crash
PID:25052
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 16285⤵
- Program crash
PID:28960
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 16285⤵
- Program crash
PID:38600
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 18645⤵
- Program crash
PID:38296
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 18725⤵
- Program crash
PID:37432
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 19245⤵
- Program crash
PID:43408
-
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.MSIL.Blocker.cs-6313a1d687fb155139f2246cdba1d0d06ecad074d4115488361f509484eb19c5.exeTrojan-Ransom.MSIL.Blocker.cs-6313a1d687fb155139f2246cdba1d0d06ecad074d4115488361f509484eb19c5.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6860 -
C:\Users\Admin\AppData\Local\Temp\1.sfx.exe"C:\Users\Admin\AppData\Local\Temp\1.sfx.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:18584 -
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"5⤵PID:18820
-
C:\Users\Admin\AppData\Local\Temp\vmp.sfx.exe"C:\Users\Admin\AppData\Local\Temp\vmp.sfx.exe"6⤵PID:19452
-
C:\Users\Admin\AppData\Local\Temp\vmp.exe"C:\Users\Admin\AppData\Local\Temp\vmp.exe"7⤵PID:9544
-
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"8⤵PID:17740
-
C:\Users\Admin\AppData\Roaming\Panel.exe"C:\Users\Admin\AppData\Roaming\Panel.exe"9⤵PID:18816
-
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"10⤵PID:14900
-
C:\Users\Admin\AppData\Roaming\Panel.exe"C:\Users\Admin\AppData\Roaming\Panel.exe"11⤵PID:23724
-
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"12⤵PID:37664
-
C:\Users\Admin\AppData\Roaming\Panel.exe"C:\Users\Admin\AppData\Roaming\Panel.exe"13⤵PID:42572
-
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"14⤵PID:87936
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exeTrojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5896
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.NSIS.Xamyh.agk-25d6051f1457f8f7766bcdde1d5a64c3ed42814f933b52bb34254b1f837f40af.exeTrojan-Ransom.NSIS.Xamyh.agk-25d6051f1457f8f7766bcdde1d5a64c3ed42814f933b52bb34254b1f837f40af.exe3⤵PID:4604
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Agent.aztb-0a82def0b48d82992482b86e771e4d516060d346443fdb3ac004e553a90af823.exeTrojan-Ransom.Win32.Agent.aztb-0a82def0b48d82992482b86e771e4d516060d346443fdb3ac004e553a90af823.exe3⤵PID:9924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9924 -s 4404⤵
- Program crash
PID:15836
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Agentb.ae-3c9c6393902df1f8028da432f9d8c0cbbbcff0a7793772f859ff037a3f7e966c.exeTrojan-Ransom.Win32.Agentb.ae-3c9c6393902df1f8028da432f9d8c0cbbbcff0a7793772f859ff037a3f7e966c.exe3⤵PID:9280
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Aura.afy-39a17646afa8339b903005807aa8de403dae9516c8eb9ffd161e04d0f70ef0b2.exeTrojan-Ransom.Win32.Aura.afy-39a17646afa8339b903005807aa8de403dae9516c8eb9ffd161e04d0f70ef0b2.exe3⤵PID:1792
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 5404⤵
- Program crash
PID:10972
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Autoit.znb-791cdbf284d25f695a63a4d6930b8bd6de78fc72ebc4d85cec5253f5289ef878.exeTrojan-Ransom.Win32.Autoit.znb-791cdbf284d25f695a63a4d6930b8bd6de78fc72ebc4d85cec5253f5289ef878.exe3⤵PID:9412
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.iegk-857156a7c30b3abded926b41d193079b75d1cc48dba2f1e579ce5afdd093b87d.exeTrojan-Ransom.Win32.Blocker.iegk-857156a7c30b3abded926b41d193079b75d1cc48dba2f1e579ce5afdd093b87d.exe3⤵PID:10868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10868 -s 7524⤵
- Program crash
PID:7568
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10868 -s 8284⤵
- Program crash
PID:17188
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.ikvn-09c8183e7d6a46caa943985504a678348b9ebbc8ab345dace441818db62bb603.exeTrojan-Ransom.Win32.Blocker.ikvn-09c8183e7d6a46caa943985504a678348b9ebbc8ab345dace441818db62bb603.exe3⤵PID:11584
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.lckf-e349e8909cca8c0ac340a1db2471abe48acb4665dca1ebb58be9d258d94671da.exeTrojan-Ransom.Win32.Blocker.lckf-e349e8909cca8c0ac340a1db2471abe48acb4665dca1ebb58be9d258d94671da.exe3⤵PID:6096
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.mvww-2bc28f8062b67bcac48912d345e779e8e6a8e773fa5c7d5a2170eb3dba22a91b.exeTrojan-Ransom.Win32.Blocker.mvww-2bc28f8062b67bcac48912d345e779e8e6a8e773fa5c7d5a2170eb3dba22a91b.exe3⤵PID:8060
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.mvya-29802c1b75170fc09472b0729fb5dbe5a62a603bb4e5f85b821414a536ea1b1a.exeTrojan-Ransom.Win32.Blocker.mvya-29802c1b75170fc09472b0729fb5dbe5a62a603bb4e5f85b821414a536ea1b1a.exe3⤵PID:5724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\1.bat" "4⤵PID:8468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:8464
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v 01 /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Shell.dll.lnk" /f5⤵PID:11240
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.mvya-29802c1b75170fc09472b0729fb5dbe5a62a603bb4e5f85b821414a536ea1b1a.exe"4⤵PID:12664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:8552
-
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Crypmod.zfd-7c0952224346817ea85a414204ede9a8e84bea40f775ef72afaf4c54a16a7a51.exeTrojan-Ransom.Win32.Crypmod.zfd-7c0952224346817ea85a414204ede9a8e84bea40f775ef72afaf4c54a16a7a51.exe3⤵PID:780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "4⤵PID:14088
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWire.sfx.exeCryptoWire.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp5⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CryptoWire.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\CryptoWire.exe"6⤵PID:15040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3313924944 /rl highest /tr C:\PROGRA~2\COMMON~1\CRYPTO~1.EXE7⤵PID:11452
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc onlogon /tn 3313924944 /rl highest /tr C:\PROGRA~2\COMMON~1\CRYPTO~1.EXE8⤵
- Scheduled Task/Job: Scheduled Task
PID:11556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C title 5000933|vssadmin.exe Delete Shadows /All /Quiet7⤵PID:4868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" title 5000933"8⤵PID:17380
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet8⤵
- Interacts with shadow copies
PID:1392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C title 3749662|bcdedit /set {default} recoveryenabled No7⤵PID:4848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" title 3749662"8⤵PID:13924
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No8⤵
- Modifies boot configuration data using bcdedit
PID:17704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C title 3104630|bcdedit /set {default} bootstatuspolicy ignoreallfailures7⤵PID:3692
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" title 3104630"8⤵PID:10596
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures8⤵
- Modifies boot configuration data using bcdedit
PID:17836
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CRYPTO~1.EXEC:\Users\Admin\AppData\Local\Temp\RarSFX1\CRYPTO~1.EXE7⤵PID:6660
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CRYPTO~1.EXEC:\Users\Admin\AppData\Local\Temp\RarSFX1\CRYPTO~1.EXE8⤵PID:93432
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3313924944 /rl highest /tr C:\PROGRA~2\COMMON~1\CRYPTO~1.EXE9⤵PID:94060
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc onlogon /tn 3313924944 /rl highest /tr C:\PROGRA~2\COMMON~1\CRYPTO~1.EXE10⤵
- Scheduled Task/Job: Scheduled Task
PID:94748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C title 3604989|vssadmin.exe Delete Shadows /All /Quiet9⤵PID:96844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" title 3604989"10⤵PID:97084
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet10⤵
- Interacts with shadow copies
PID:97108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C title 6362815|bcdedit /set {default} recoveryenabled No9⤵PID:96852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" title 6362815"10⤵PID:97076
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No10⤵
- Modifies boot configuration data using bcdedit
PID:97156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C title 8605077|bcdedit /set {default} bootstatuspolicy ignoreallfailures9⤵PID:96860
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" title 8605077"10⤵PID:97100
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures10⤵
- Modifies boot configuration data using bcdedit
PID:97148
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CRYPTO~1.EXEC:\Users\Admin\AppData\Local\Temp\RarSFX1\CRYPTO~1.EXE9⤵PID:97756
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Encoder.lqn-13edf1c9c3ca671916716f4c48d1acbe1c6b9e43f2226fe4420fd52071fcfc03.exeTrojan-Ransom.Win32.Encoder.lqn-13edf1c9c3ca671916716f4c48d1acbe1c6b9e43f2226fe4420fd52071fcfc03.exe3⤵PID:4760
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Encoder.lsq-73b48665ae327fe5ced2479885fee139cd468d1cc26e289409a6ec733fd0b7a4.exeTrojan-Ransom.Win32.Encoder.lsq-73b48665ae327fe5ced2479885fee139cd468d1cc26e289409a6ec733fd0b7a4.exe3⤵PID:10532
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\71A.tmp\71B.bat C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Encoder.lsq-73b48665ae327fe5ced2479885fee139cd468d1cc26e289409a6ec733fd0b7a4.exe"4⤵PID:12260
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Encoder.lti-e269d0da65065e071c02ddef97716d6649ba0100e88a370416cac110a822d238.exeTrojan-Ransom.Win32.Encoder.lti-e269d0da65065e071c02ddef97716d6649ba0100e88a370416cac110a822d238.exe3⤵PID:19372
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Foreign.olqe-a7210173ece5695f5cafc5eaf7fd67ae13fa4130247284478913314200befa9a.exeTrojan-Ransom.Win32.Foreign.olqe-a7210173ece5695f5cafc5eaf7fd67ae13fa4130247284478913314200befa9a.exe3⤵PID:19132
-
C:\Users\Admin\Desktop\00428\NordVPN .exe"C:\Users\Admin\Desktop\00428\NordVPN .exe"4⤵PID:15872
-
C:\Users\Admin\AppData\Local\Temp\is-IEICN.tmp\NordVPN .tmp"C:\Users\Admin\AppData\Local\Temp\is-IEICN.tmp\NordVPN .tmp" /SL5="$30124,20399066,893440,C:\Users\Admin\Desktop\00428\NordVPN .exe"5⤵PID:11448
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\system32\taskkill.exe" /f /im NordVPN.exe6⤵
- Kills process with taskkill
PID:25840
-
-
C:\Users\Admin\AppData\Local\Temp\is-4IOOT.tmp\NordVPNTunSetup.exe"C:\Users\Admin\AppData\Local\Temp\is-4IOOT.tmp\NordVPNTunSetup.exe" /qn /norestart6⤵PID:25900
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Windows\Temp\NordVPN\NordVPN network TUN1.0.1\install\21839AC\NordVPNTunSetup.x64.msi" /qn /norestart AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-4IOOT.tmp\NordVPNTunSetup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-4IOOT.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /qn /norestart "7⤵PID:27052
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-4IOOT.tmp\NordVPNTapSetup.exe"C:\Users\Admin\AppData\Local\Temp\is-4IOOT.tmp\NordVPNTapSetup.exe" /qn /norestart6⤵PID:29232
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\{97DEC5D6-2BE9-45BB-BFC5-274B851B486B}\NordVPNTapSetup.msi /qn /norestart AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-4IOOT.tmp\NordVPNTapSetup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-4IOOT.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /qn /norestart " REBOOT="ReallySuppress"7⤵PID:34484
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\test.exe4⤵PID:14320
-
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp\test.exe5⤵PID:16140
-
C:\windows\SysWOW64\cmd.exe"C:\windows\system32\cmd.exe" C:\Windows\SysWOW64\cmd.exe /C reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v rundll /d "C:\Users\Admin\AppData\Local\Microsoft\Updater\rundll.exe" /f6⤵PID:1412
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v rundll /d "C:\Users\Admin\AppData\Local\Microsoft\Updater\rundll.exe" /f7⤵PID:7760
-
-
-
C:\windows\SysWOW64\cmd.exe"C:\windows\system32\cmd.exe" C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Microsoft\Updater\rundll.exe "C:\Users\Admin\AppData\Local\Temp\test.exe"6⤵PID:6736
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C del /f C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Foreign.olqe-a7210173ece5695f5cafc5eaf7fd67ae13fa4130247284478913314200befa9a.exe4⤵PID:17016
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Gen.aaox-e9895d4c931b8c580dd056743f29b2aeca34d3fc517397820f72c51114cc5d08.exeTrojan-Ransom.Win32.Gen.aaox-e9895d4c931b8c580dd056743f29b2aeca34d3fc517397820f72c51114cc5d08.exe3⤵PID:4372
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ver4⤵PID:7764
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c DIR C:\*.txt /S /B>phy.lst4⤵PID:5272
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c DIR C:\mirc\script.ini /b>files.$$$4⤵PID:6656
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c COPY fihs.exe C:\WINDOWS\fihs.exe>nul4⤵PID:5696
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c COPY fihs.exe C:\WINDOWS\SYSTEM\fihs.exe>nul4⤵PID:6824
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c COPY fihs.exe C:\WINDOWS\COMMAND\fihs.exe>nul4⤵PID:11220
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c COPY fihs.exe C:\fihs.exe>nul4⤵PID:14196
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:17912
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c COPY fihs.exe C:\WINDOWS\StartM~1\Progra~1\Startup\fihs.exe>nul4⤵PID:5284
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c COPY fihs.exe C:\WINDOWS\Progra~1\fihs.exe>nul4⤵PID:19448
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c DIR C:\*.htm* /B /S>tempfile.$$$4⤵PID:11944
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c DIR C:\*.bat /B /S>batch.$$$4⤵PID:12236
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Gen.aapu-ec70d5505e45ef95a655700356311443d381535c61ddaa24c7196475fbaba2fc.exeTrojan-Ransom.Win32.Gen.aapu-ec70d5505e45ef95a655700356311443d381535c61ddaa24c7196475fbaba2fc.exe3⤵PID:12544
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~1449.bat Trojan-Ransom.Win32.Gen.aapu-ec70d5505e45ef95a655700356311443d381535c61ddaa24c7196475fbaba2fc.exe4⤵PID:5208
-
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Gen.abvy-4788b24ea7c16f144cdff61055d4a5bd82deb9c6708d4f2c8808131d885579e1.exeTrojan-Ransom.Win32.Gen.abvy-4788b24ea7c16f144cdff61055d4a5bd82deb9c6708d4f2c8808131d885579e1.exe3⤵PID:5988
-
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Gimemo.cdqu-a7984e8401520ca930327073d22c53ea2e5badfe527462ae4e0ebba6d52343f0.exeTrojan-Ransom.Win32.Gimemo.cdqu-a7984e8401520ca930327073d22c53ea2e5badfe527462ae4e0ebba6d52343f0.exe3⤵PID:15148
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵PID:17644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵PID:18000
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s FDResPub1⤵PID:3176
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:15668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 18380 -ip 183802⤵PID:15048
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 18380 -ip 183802⤵PID:7888
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 18380 -ip 183802⤵PID:7436
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 9924 -ip 99242⤵PID:16652
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 18380 -ip 183802⤵PID:12276
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 18380 -ip 183802⤵PID:15948
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1792 -ip 17922⤵PID:12988
-
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\d735016d87944bcba3a465ccb4ebe242 /t 3084 /p 45882⤵PID:6956
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 18380 -ip 183802⤵PID:11572
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 18380 -ip 183802⤵PID:13052
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 18380 -ip 183802⤵PID:6060
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 18380 -ip 183802⤵PID:12676
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 18380 -ip 183802⤵PID:5184
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 18380 -ip 183802⤵PID:4756
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 18380 -ip 183802⤵PID:14568
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 18380 -ip 183802⤵PID:12736
-
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\2657ca3b4aee41c08e876059076b5235 /t 10412 /p 151482⤵PID:6796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 18380 -ip 183802⤵PID:2264
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 18380 -ip 183802⤵PID:7068
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 10868 -ip 108682⤵PID:13992
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4844 -ip 48442⤵PID:18120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 10868 -ip 108682⤵PID:17692
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4844 -ip 48442⤵PID:10872
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4844 -ip 48442⤵PID:17864
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4844 -ip 48442⤵PID:12816
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4844 -ip 48442⤵PID:12840
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4844 -ip 48442⤵PID:17176
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4844 -ip 48442⤵PID:7164
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4844 -ip 48442⤵PID:17416
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4844 -ip 48442⤵PID:6808
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4844 -ip 48442⤵PID:2720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4844 -ip 48442⤵PID:17844
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4844 -ip 48442⤵PID:14964
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4844 -ip 48442⤵PID:15908
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4844 -ip 48442⤵PID:25568
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4844 -ip 48442⤵PID:25080
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4844 -ip 48442⤵PID:24956
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4844 -ip 48442⤵PID:29540
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4844 -ip 48442⤵PID:34608
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4844 -ip 48442⤵PID:37592
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4844 -ip 48442⤵PID:38476
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4844 -ip 48442⤵PID:42080
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:16520
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:15464
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k swprv1⤵PID:6236
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:9900
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:12996
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:9292
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:4524
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵PID:13720
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵PID:8092
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding1⤵PID:13400
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:9220
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵PID:26104
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 951E44AFFE2CA68784846F7995C2DAD3 C2⤵PID:25280
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6C4CC35412BC9C86E2A4BCA708E01C3D2⤵PID:28112
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 0F608C52261CE40FFAC91B9C13696C7C2⤵PID:29608
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 4CD1D67A53B8773DE2E6C01969A89C41 E Global\MSI00002⤵PID:36704
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 08FEEAA4EE14DFDD0B505C6D8EBE10C0 C2⤵PID:27052
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1345896CAE1415DD09FBA729C5E8B61B2⤵PID:26184
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI5D95.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240803218 50 TapInstaller!TapInstaller.CustomActions.InstallTapAdapter3⤵PID:36784
-
C:\Program Files (x86)\NordVPN network TAP\bin\amd64\tapinstall.exe"C:\Program Files (x86)\NordVPN network TAP\bin\amd64\tapinstall.exe" hwids tapnordvpn4⤵PID:36412
-
-
C:\Program Files (x86)\NordVPN network TAP\bin\amd64\tapinstall.exe"C:\Program Files (x86)\NordVPN network TAP\bin\amd64\tapinstall.exe" install OemVista.inf tapnordvpn4⤵PID:41220
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵PID:37876
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Windows\Temp\b541b22fc140b16f64aebb9d359a3daa47cdb5b5091a4b4e61dacadcf92bb082\nlwt.inf" "9" "473d652b3" "0000000000000148" "WinSta0\Default" "000000000000015C" "208" "C:\Windows\Temp\b541b22fc140b16f64aebb9d359a3daa47cdb5b5091a4b4e61dacadcf92bb082"2⤵PID:37860
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{564eb4dd-cadc-084f-8ea4-3372f0505a11}\oemvista.inf" "9" "4166dbbc3" "0000000000000160" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\nordvpn network tap\win10\amd64"2⤵PID:42300
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tapnordvpn.ndi:9.0.0.23:tapnordvpn," "4166dbbc3" "0000000000000134"2⤵PID:42908
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵PID:41268
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
1Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
1Safe Mode Boot
1Indicator Removal
4File Deletion
4Modify Registry
6Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
985B
MD57d14bdd379e0b64365de833a1f6ceab3
SHA19d9c778969fd69cff7ea44bc299a5e5bc79fcec6
SHA25658adf1f894fb849c14c1b933594b5fef900e4a22a3e14f54fc48b74861738b20
SHA512119b5284a8f92c250c5d8ded1180290e1196d4b115f203141e6ca1bd8da9793ce5d0380baf8540c6ce5af27943d89258f11cb23a58d55c87ee7cf9ad1f2f2749
-
Filesize
11KB
MD573636de830f0ce47c022c2ee0cf9d6ed
SHA1ef531b9bda7cbf1274cbafa4b77d31636f58d081
SHA2568d09662e4137cf2ceedee6a4aa8a31f982a5c591f8d19260fbcfee634b0021ae
SHA512337cabd3eda1d3d750b5e3eb3032152eb0b2f4503b53749169e1cbc2ad1d4bcb371223e7c39a0d15d7c3a7c5fbd0af24d89b6a60e65c324e7b16b12c5e4fe58d
-
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt
Filesize32KB
MD5f58d09ddd69d5da2769b331e98179805
SHA19d55ce9f55e590eeef38ea1129416d7c81b44790
SHA2569d1e48091ef07e676d6f6d5c862334e2b6c9ea5d714cc0aeea9921d4c57a1478
SHA512bac2b47f2e137207a3c19e1676f25cdbee56c0f803fbf7fecea98c9455f34fbf6d4d0cb196bf3319deb8351f91b836210c48e8e0d0d08927ab2c19cd1eee0f4c
-
Filesize
1KB
MD55745960192c19efb4f06b3386b60c750
SHA11c01b5735bfb63a717d35518298fd4faa1f605a0
SHA2561eac3b34633395cb4455f0597f59269e96f728d8ba49ab88ec311fbd63f6347e
SHA5123845e89d2c46a12adf704dd4058265c709bd7305b068c8968cc184d804d5baea71f6f35f93b90a49ae9d84f799d7bacda2212006f5340cc0ac7f51b8a63e1573
-
Filesize
805B
MD5c7f9a54add9879e9e82cbf944958f813
SHA19677fd20a2ed3684a369ea1ccd9c09ec60b76ee1
SHA2564ee8d3438c6fe904e9b31aa267fc09cd9e3e2078ff3e59ebdd0cc876d28dbb57
SHA512c943a1e46d64d865b2d97442b7ce6c19eb59eab02f796ea06665cc2b85d4ad6ebea28863b07a6c3a1a4444315025e9346ce291907c9fe415a5ba079f0ac8d72a
-
Filesize
814B
MD5f2aaef7da29e5356f2ea40289ec994a6
SHA1e98243d3fc091cf5191ba3570e2eb42bffb67ab4
SHA256c8803adbf088a81b724990ae49697cdaa6a1e7e0cebd9c8bc90c9219c99da22b
SHA51235a683a6315ef712c0285ef99e64b2c24b186b777eb0966d7608ddf26b14129d758ea3f8201f237a86420d9fb69a36cb3ae9612ed7bddf71c921f832f5454b33
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.INF.RYK
Filesize802B
MD5daa3a6a829337b42373d6b4a098b3813
SHA11d87adc181e2f01d584a7ecee4f2797e6855aed1
SHA256139ad8333608b008af0d9a2c7c579487b48fe7628ce67b6bf2c617b41c8c5b4f
SHA5121409faa3207b5899401c8216daf1685459d2953b688a8d878807a0f3fdeba34b5274356885ec3da7c2a9a5a278ecda1636e04bd981859a1a5808aa3b9319afd0
-
Filesize
1KB
MD5dffa145af0dff921152009a676d52b4b
SHA155e0efdcfcf7cf852da67931c86f8f9a1e963872
SHA256b7a7c97af6da144646d0a4adb60e4bb38f4135e507f21ba1e4bf6973109a7669
SHA51210943de60af270a084bcb7397bae1e9f21d201c43bfce4f12db365120feb904d11e74c3620fef98c438e3895211b2eee9d127f400c63c1e9da182a6f237144f9
-
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs.[ID-16ECD120].[[email protected]].crypt
Filesize1.2MB
MD54cf5ab55ec804d9c003a49db0d392500
SHA18c458a282f4ff355ccdda2878630d053a1be14b6
SHA25662e68dd3726765224288ec96fadc12e032a5fe16a79f2bb8e9f218958450f597
SHA5129e083279f1ec916877ba67e8dc10120f728d709ee7e7239fad556455082adc392b2ef25b92ccab6d16261968bebc7dd8f7495bcd265074fdb62444b16e63f0b0
-
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.[ID-16ECD120].[[email protected]].crypt
Filesize728KB
MD53015e857508a489aa55959e5c4d8fab3
SHA13717d01126e37bdb314190d1d4b5175a4178f355
SHA256fc1e13e8b8dabd4b26600f45bc9c6add4ade9cf0d173558f1a6804160f9471ae
SHA51239b299068dec8f9f1674d7b00fac39ea447f86955519a3a2249671b314de1c08035e4a453d21e4c0509f544c9ea5661f0edb54a055b883d00ac1144c392b848f
-
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.[ID-16ECD120].[[email protected]].crypt
Filesize180KB
MD5c840788e63f0cf350f894094eff9ded8
SHA1be02713781cdbdea79edf3c2f3cc482ed81d59d2
SHA256dea653f1fb986f6882da81073fb532f4843bc55cedefbdb2b2264c0e914ca0ef
SHA512699ef67af6abdce12a545c3de36b6ca1f97a7c93c300a69ac52b1fce20fd83fabfe5bcbb27e169e205795cc93724bc0355291895dad4b7fcc28dedb916b80f5b
-
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\RESTORE_FILES_INFO.txt
Filesize1KB
MD5780cd4e60d283fbf9d4b0e47d3c795a9
SHA1572014a7df06ad9c8b82fea7f61bf6cddc66c454
SHA2564de8bc8df13b81805eb89accc46954a0b716d17792f1f2a17dd497f8c9af3e18
SHA51280d18945eb744eab88264b384c2fbea81b44e27453cef258595f87e82e5db7215a02cac057e3a42a3343d7293bdffa99a35eec246ef4fc2b30ce15f30fed95b6
-
Filesize
7KB
MD500e7efe03101d86b3101279c7fe8e0f7
SHA1c641e9a36855788a57e6a82286ad9210905c309f
SHA256d98c30bbbaeff23f5bfa1b7e05a830ba572aff566c696dab3f90d0bf269cf0ca
SHA5125fd2f3de970bb044a055ec242e619ea921198a34eefacbc68aac24213c56e1d68c9df1b15d4bc2cdf4628c4d53e474f9795a15dcd72fd4645ed9941864ea556a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B.RYK
Filesize1KB
MD5d835463627bd7f9708594c3c12ecc126
SHA1a2ddee5f17dc9ed5c156e6dc2619c56f66a2fbc8
SHA256c14588d9ab4ed3a7ac5505fce743d810bcb55b59a1698361720d97739c07a530
SHA512d756406fd6a8a5797823a2ced07904dd1aecf8674bc4e69290877ffa44ed443bde6a9d97356fe3215fe841b62d4bb40b9af09e4f42fd25b04d261681c762d7b8
-
Filesize
4KB
MD594bf0bf032ce32469dd74f4f1f5320e6
SHA186bff704a2f82816f346a6a374250f35743de3b0
SHA25654f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b
SHA512ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60B3F7207DEB992031C120EB71F562CD.RYK
Filesize4KB
MD58b4f54f5426d5af02b4c4b7ec521ae33
SHA1615b2e89a94be7d7dfe8e4bbf505575d44e5b1fe
SHA256945d9a6dc12b241c22e8ada109a08eb95b0cf8bf98fa5e7d835ee0b0289e0c45
SHA512a9cdbacea5ad1acc20288f7b707dfdcd904d07130bf3b5268ff17da897d5b09af74e1b50e1e58205e90966ea46d808cdc82b4c54ba9347fb836bc171b431f293
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12.RYK
Filesize1KB
MD573a51ce9df5f7f5e168b9290f44e759a
SHA11ffe54f25b4b48d83044a5334eaca56b816590bd
SHA2565ab8805b0f31a086e10bbf76926437ca7c8c463ebe56a8622b891971b27d9d3b
SHA512faf10e8e2d700101db009edeae3f24b05724c05fdf115755cdeb242b94048fc63007d083858b6980d00fdde46548eca436a31843ba2aa1242e02a27494e11041
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037.RYK
Filesize1KB
MD5ba6dc9b635b765326795ba10f05933c9
SHA1ee1f34258d9238acfeb054dc0c0c8da9fcb8c4fc
SHA256d0515c354dd27b4ffcddc2d2fbc1bc55458c55ec1cc94548a85948229bc87994
SHA51254c959e14a5060e8c0ef7e201eda3ccba66869308cf025d9f4650434edb72b555527d4f8cef7bc0869cb49fd5df35ffec1f98b8bd0acd06596f6a6e298af57ff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8.RYK
Filesize722B
MD5995d6cca82f4cb3b2e5fa1e4eec732c3
SHA10ef483ba050298ea8dce8451f0f6c6bf6c4d253e
SHA256784cacac41426e6f41e4188bece518f6d541350d5ce833b41b5d467d6b75271e
SHA5122bee9e9725ff806b864bd5195704b29f243baef8be3e575968e0e38b5a8bd14bec95967b8c2bdbebf6598e3001840d9b5afd75787ac48ae0134745bcac01b1be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_F9985C75AEFCA67215471BFB58801100
Filesize5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.RYK
Filesize578B
MD5b320058a27e367ad198849bccef6fea8
SHA192026230f52e2c312aa513a19dbaebec19db9bf8
SHA2566b7b23d65b6812bef2209246141336be1698173b2d3c58f0a2d8f2cd614d07bb
SHA51213a19b0e447282062699acc3baa31aec8d871c0438ad86e4399d6797c4b57d60906847a79337c747bfe1979232b65ca4ff999324ef1fe0659c60fc4ca2dbcff5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD.RYK
Filesize498B
MD53d8f1f659a6f49e9a91ce34bb92018cd
SHA18afa1a6f0581f3291d35e4b71911609e174f6340
SHA256ab63d6987a25dd1c993b86b6de3acb0756db73e2820db65e90d4dcf986a843ea
SHA5123f0f9eef660aec18246fabb6efa800f4f10e8a9804f6721374de38ad840ddeca510de13834463e87937b825e81de3201e61ef735045c526211c20f4a639784d9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.RYK
Filesize578B
MD5bdda6c6fe872532ff4eeb2786c8cbc67
SHA104ace557e37512fff1cee53c2f6a13c53129197f
SHA256dadfdf1ed8f624d418b7149652bcafe12ce1e0c058e364420541fbca748f148c
SHA5122dce1e834c0a53a7761169d5a97be65b982783c4e7af50619fc3c61fbf7e4d70481b683826e1310e31eb9932e502c041957fd00d179ebf3f0ac2585c66210a00
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12.RYK
Filesize450B
MD5ffa8c170df0c59538c995608545c9aa2
SHA1a37909bbe321065e68cb795bcbafa031794ed11a
SHA25648019aface5182a15ce33856684e02a11449d8d66f40fa28b1bee5daf6a7fc8c
SHA512d5c8c0028ee51c7e0889003c42ae6145302ce16f4c01355279f15f8ee9f62a8762ceec5f6bd3fcf371ff404db8413e52623753cbf3ffa129edf3af9cc9aafa32
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037.RYK
Filesize786B
MD5460bf039b6448fdc633299e8224be527
SHA1ab1c8335f2e50e1b0b628b4d1d3a8f56fb5e5f54
SHA2566e7c741ed8f8a6e7e0da5f91220ddc8bea9f04fc60d8f3404741dbd63d0e62bb
SHA5127fcdc9f13bc64db42028daabd0434d31682003d182ec5b7c8792175dfb8bcd99e7f9f3abae8cd06ed5b8eb8bc9d9d7a04f22e445b0c7876b5d6e3e115a804705
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8.RYK
Filesize450B
MD532cb462d91be4ea1a3d0b78c0a893df3
SHA17a8235316c207f40601b4cb392d8f67b05be6f98
SHA2566be9a237b4e6879b44d9f434358d910ef3eab9cedaabefc64f3e0006d852ca0d
SHA5125733d520b79c0101b0a45be8191adf68823fece45c7cd09d8bbaa20b7691324aa5d8baffe7beb919eca68e5b7766d4793f99a673e4b7e2951517d3645fde88f4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_F9985C75AEFCA67215471BFB58801100.RYK
Filesize722B
MD5946f4213685d470e59f09fdf9a70036c
SHA14f0976e3635af584f8f1b7225dec47274533acab
SHA25640dc0d18a84b19f4f36abc010fb308bc3748a4f66bbe7afc95f571fe267f7226
SHA512311d99a3cbf32735799b38c41c6a5700a1d4b6ff22afc1fe0597a5ca4e618d678e2466ed7f6c758e599a89c501757461b9da731f0c6e9bdc5525487c49c2ffd4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.RYK
Filesize578B
MD56fdd3b015c6517bffa07fbf039dc86b1
SHA115bcfda29bc2525b3189a94b7f1edc8a60d661b4
SHA256116be7981d0ccef3798f6a290e11d2439c4d3fdc95622257c358b29014936e9e
SHA512397dfb300545a4b8c8f9963c8cef90219ffaecc059c222bcb3b7a3490f489840dcb194202c3b90f1b5f49c7dc99d163c6d3b34c5ba849a52e6db27654366d04a
-
Filesize
32B
MD5cbe2bf38302ecc921b016cf8640ec67b
SHA14a03a7ec5586af475cb468d0d643b3a955604ebc
SHA256fc1d10e3264baa96c27e5c03b835324ab586784cd207a1965504ed838dd36895
SHA512babbc138c38f06f198662fb86f1b762facf0fcfb64214aa031b69c6cc1ffee9c51f468b2d70c40b6ec39b05feef781f67edc1c9ddf9205a1d641c788b0a97f49
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
1KB
MD59407135d394fd05d7886c9ccdb008775
SHA1ed1cbb92b2509cd97e73afb5d46c5e5c714eab11
SHA25641b1ebde64ba95ce29f3bd8dada241dbe1cb994e02b7a9755b888b92dcbb2fcc
SHA512f1078a91660b170c12ed18a531ee8936aabda219732bbbb6b4b7fbff25a40f7fc26c64acf195a7edf010db67667c30086a7e4882a5939870d1aa6ec998df3b6a
-
Filesize
19.6MB
MD5d793d3029f92b779ca182648bd47f899
SHA146769b6996aecea90a6bab046d18d51458fc12b6
SHA2562261fc78cd34acff1b98408b36bb3dd4c6027850fe602b4fd8f5b43a9afe4288
SHA512b9f8990b640d1da7872d3cbee433557dff2f8ebc51d3fac98557da5f8a3b99bfb89b2063e5bf57ab6133d3c050a9494d9bedf05dc63acc0a92ec3b55a1293d3b
-
Filesize
216KB
MD58809ef63af3a5d7ac2b7bed00643f124
SHA1c08373501437c795816408786d752314f8ccff20
SHA2566f62f0874db7dddd71d5a7da98d03b87486f309114dd634239b6e75701118183
SHA51219dfba3a7f615df131426d8f0c5f10010a43a548f51ad2a1260bfcd6549a060d22cb1a6d1e28734fe09f35461eda5281d1ab06b5ada586b7ad9626df4a5faee1
-
Filesize
1KB
MD5bab7a2ed24c440edcb1d2dc1870bdca1
SHA15b0cde7a80deb0820f4a3fad8dbc92e0124cb197
SHA2565d7e0516183f0e2a44289faea66753f924bc05d4fd1c547887f3b9f50319da36
SHA512c9761a21df9598afa692ddcf2d0878fc84e3e39b1e2bab8eba7f7b333d86984cab7358129b5651ce4e295e4d191ae8d7929a71d4c003039cec2876e9a24c1053
-
Filesize
654KB
MD5823a2a9cb6727da5a00637e9af21316c
SHA18cd23ee8a7121dbc43d7adcefc95fb1ca03e39de
SHA25668aeed32f42e259fb842f5fb0f754996b62a4cbc3cb6fe8d4f9fe44ead428988
SHA512c16a4da4ed38acd8fde1920271bf8e33092a299fe2d0d60b0dbb52427942e3efcaefbce7d1aa38664f51e8c40899e49b446173b28d1ff32fbb63b0dacfcc3a54
-
Filesize
880KB
MD5eed2a08a8f9d50f605be56ef4e9324e9
SHA10171e33ed30e36cc909bde0f3360b8b249fe8af7
SHA25653fbfb93852e8641180c2e365ee4e26494e65b22fa99e0cfc2ac191ec5a6d503
SHA512fe5581be1a7c870b9c46af7bc83284493028364a5edd59d4e8b8a972bf31a9568fd0aaffc6555ed85620e6a6bd57c46c7c0633d94f45f759b3d4ecc5aa292c1d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
37KB
MD5f92406b8bb69feff70c17479d2719af0
SHA1a8679b568c0c003527cf639b4b67fd72e89d9661
SHA2568c0857f32bc6f3e8d28fbd63cfa5972347d84ddb98b6cf28052c2564c59a859c
SHA5128a4ca66108171253e90a11b798048d7a69cdc5d36b9b3b060f01dc28375e6ffa35687cc436cf160b49a4c419835749aa64a7d050aeaba39efb87224b1d61858b
-
Filesize
14KB
MD5adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
Filesize
4.8MB
MD577d6c08c6448071b47f02b41fa18ed37
SHA1e7fdb62abdb6d4131c00398f92bc72a3b9b34668
SHA256047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b
SHA512e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd
-
Filesize
35.2MB
MD50c481ff5ef0a870d191090bdf0b81c51
SHA1f8481b0afc2afa4c896326173a389ec44271649e
SHA2562c1e4ea09f21f61e5214ff7abd39a06fd60db54b582eb140f73acd01512c49df
SHA51293e92792b2a6182bef5cefcb06be96ef51971eb6a4854f66a6135fa5251275b86625c1b1f238e658e2085a4b7c12dd0a9c5a0049c925626bdd1611db9b7de0b5
-
Filesize
1.5MB
MD55453a7693ddbbab9451babd6c57687ed
SHA187c0ecef8b4a6d77443a9f63a9e7627618368d8a
SHA2561fb750ef3fe86298c722b5689de1dae56d1020a1fdcc032a4a5e3b1e94c183df
SHA512f99b40da6d474ff64243dfe0c5ab97ab2ef87e0efa6a927652d69228eb9eed757424ad42175cf0f1dbe7d3c495fe96d9bcdecf6964098411fdf4c8f419de38b1
-
Filesize
116KB
MD54fbef53fb67af0681202cec1045a1da8
SHA12705f3fdb5654558dc6fb7e36b2da2aa8e22f569
SHA256fb94afea64d597b738518309ffaed7fe1be468e414479ba77a226a1936d05811
SHA512b262a053bc891c81d444f34ebb349be21fed446c0a2b7d91037d1fa7f599e1c7968a98b682df29e7407b9e8eb95a7d372f8c9679f9901f5f13ec26f085fda920
-
Filesize
292B
MD5245d6cd416e9fc3b87da9a5afe8f965d
SHA151780a6b5a5b1a2fb7730848eddd5ea5b759f63a
SHA2566c28759ae40ef659fad0205e1e11799967881d77ef0d5ef274a2e7066618101e
SHA5126077b180552d48af131059b021281857f4417f4dc6db615bab9396418f2763a23d57e8176be07220c2fb0145a0a58ed3515014e879001b8bfec4a2c9b04ea88c
-
Filesize
988B
MD52f67383db35c9a747e8f51107b6f24f0
SHA116b1b32606e9d0f758b342f4d33c46452e7a5bdd
SHA256b889da97d4d55836a02ddd1853c075bffacf4aec446aa37fc93b368b05fadf52
SHA512ccbb29ca37472f8c2fc4d721b9d1009d7f12bca1cd3367af9f243e6bd9cb60b331f69fe7fbe7b095aaa3b1a3ef4729e45a6faaaaa1c18aa41ac4e581179fcdad
-
Filesize
747B
MD542077a6d97be03e2587385eb684a7e20
SHA11b1d997b2d57e7eba0ac004c3ce0e2760ea7be88
SHA256d9ea55c5651ca41144add1ad2bec88390265c3f326c086ba70c3063e95f7b619
SHA51212a19fca0037151164db13c6985d9350877e0c53204e5944cf3df631d939d035fd0cdbc40740ad1a8c277f3221cb498e736bbdb0ca05bf74aae4c11caab79c3c
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
Filesize
14KB
MD512fe967021d3a1c523014b5b929f8e68
SHA16b46f405650d826eea0d905905eda2e1a5b70174
SHA256918382c668abe059092e8e1b222aba5b76b74809177246b6455ba8ae7d4b5b00
SHA512db59db3af39b1ae4bfd8410cdb68aa64314633bcfeac8a494f0558a407bc2703e0e3d2c8a6d525c6fa652b2798f12e07c2a3adc9c6537621c870234c4e8fc22d
-
Filesize
10KB
MD5d1325bb5e29b76a53384909cebab96f9
SHA168b023d13d7de26e3081e39f3076aab71850cab9
SHA256df80258ff3e607209470f061dcb8b7bb41fc4fcb4250d993d5b5c3a4370d33f2
SHA5122b3d0ece379e896eb1ac25472a89377770a2a7a93467c4fc96afd3544e17be8841825141aef49c813463f03b5bacd9c1c48bc6eb9560e805b548a6f02a5dedb1
-
Filesize
10KB
MD52eca62b2c72067b81403190621a99de6
SHA13936dcdfbce969fd77d773a4ef2dda5814fe786a
SHA256f9c9054aebaa787af6fdb228a297652ad3432aa850fbf132cefa803190e071c9
SHA512c547ce039b5d2da75211261c51d0d272217d00e6b5329636d02429b510d4af5e4ebefdf7dba36593a8c13d735fd261d42dd537ad90a123b91edaeaf504bd8918
-
Filesize
123KB
MD54fc40c8d3099dff2d34d4948f30a2e2d
SHA15e0b5108010a031ede92c503d5b3c8e4afe0d882
SHA256e3a6e635437e1e65f394cbb830d3dc3608c94a12167cf4da76a4c9ed44c406a8
SHA51241eafa4b1263dda57db233689426ac97093bd2b18dee9c67962fb3699672e7fcff37e433046fc4d6ab3b9f5c0cf7c0fcef89345986184cc5441638de4e1fe6ae
-
Filesize
124KB
MD5d34d563691efa73117ba8b0eeff458bb
SHA10efea6cea4b45676d43f1fc3160f0b2fcabc40c2
SHA256a4a54cb2f2f1fb520eddbfaa42beb4710ed4eee2baff9b62814eb64832fa98b3
SHA512a947dfbc376c2f13c0e9df19b041b08997c5f02eac8a8e25d12e42c43667f22cd9e52f5185264e660f40048e0648a2990675de1dfabbe5d6b6398b75ff11a5b8
-
Filesize
27KB
MD579499dc35bca6aa3b3446fec9d1ab4eb
SHA1beb39b2e908613d5ba35999f1aab82d6831ae4ca
SHA256ef2ed5823ac8239fc1644153ed6a9043d950817a9f56c7c93eaba53b2405085a
SHA512a352ba1fc0f274a316a87535ea3274dc19bf809b56c2d68a7b04b1f8b4956139b764510705f9b60488063745206a8d47428d6f254811addd965abfd29c7c9521
-
Filesize
70KB
MD51558ae7a6e075526ae44af955c8ad738
SHA1e447938938d983bd41dae584882bd38050560b57
SHA256144e5fcf351e0b6420dc8ce00b268690537a69fae66783916c3a45f19453826d
SHA51250990855eb59263d30f8ab8e564007e5f92a1698872bcc6c222f0c70411b2cd231f53d573b6c9c86f84312c437354d53ec012ee00bb42945e22d23433da09755
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.MSIL.Blocker.gen-beca7f4570f23e87dd69d7b88eac737fae40234b0f613bedcbacc9fbc0f86585.exe
Filesize17.7MB
MD56131f69f1d5441e4a2f3ca22d15ee8a6
SHA199d1891ddc0461621057f7038db16e27678c34cd
SHA256beca7f4570f23e87dd69d7b88eac737fae40234b0f613bedcbacc9fbc0f86585
SHA5124dce61f8939b53133205833e3c0ab7d7d7a5ed37ed5a99e9308a6e687f9f55d5f1e6d4aafc8ff096ab400f71ded6d349674e04162ea02704078894f837250af0
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe
Filesize92KB
MD5a79c26d730e0aea9aba7bd9e64b14e76
SHA1edec8d75a6b8eb986a8179813907c4503198c7fc
SHA25667c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3
SHA5127fe14eed0a66f78b0b97e389c0ab2015722f9fdb53e3674602bd51fc15f5ed3717f5d7e35fcffbe8abd274b1fbe2e59d25ff4a43971a386d8edf51a4c09f4d7d
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.MSIL.Crypren.gen-67c29db79904510822a97c5e887606676c5cf77f5c31d60420d1d0ce9403daa3.exe
Filesize92KB
MD5e219b62ecb1a0420337d49f823983ad2
SHA13cb421812bc55e15a0ccf209282fcdb3cf439610
SHA256017b23808471bcf7f38188ef3adbec4585febfd447226c0a2d9c41325bb00f29
SHA5125b456bf664f167ff1c670c2c258c3e332376e31e12709dc6e2b91a14e0e801bef8671ad4b6164a52a5dc3ceb1a65011f6ff600b9ca8c16cbcaea66692cc0c306
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.MSIL.Cryptor.gen-d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a.exe
Filesize320KB
MD56a73fc80a30848ce8f648842bb8fd7a3
SHA11c7809f30d5f6d9d93ec85049554032c8b25dba2
SHA256d6a448ab8b311889f027e26d626359536d7b54dbd792a4222830e4505bcc4e8a
SHA5122c9840d2b3ef0c3f7cc392e05b2e804a071e7a96c30137cb41a5a3bfe76f0b0b3947520918b2ecc2be1758dba4d200768cea098e6bc22c867fd49d5362613bef
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.MSIL.Foreign.gen-bbea096ceb3c94454a5b92e5f614f107bd98df0b9d2f7022574256d0614f35c8.exe
Filesize9.2MB
MD5938770e6e69e6feadb1b9f63af9969f4
SHA14a4f4aac7bd4212762bb26b1bda882d44c7956a8
SHA256bbea096ceb3c94454a5b92e5f614f107bd98df0b9d2f7022574256d0614f35c8
SHA512383d8381409fdcfaf9632473c3a40f20d887326f452823ca754780c8bbd1879c42dd0d3574dc833a2f98f6e5adfe5c31786654a7252e4ad39770d164feb957dc
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Agent.gen-15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649.exe
Filesize226KB
MD5abdf498691f2b028bae0fa4276edc04b
SHA1fb81951ebcd5cb111633bf4b6f78a18c522f37b9
SHA25615f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649
SHA512f686453e61145f5cc21ead7dce23ad92dfa48cd8c3212828db13a52eaabdbd09beec5c7e481f8541498096a84cb79cf98ce9f0c18a246a10e60094de687c8af7
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Blocker.gen-671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18.exe
Filesize991KB
MD5e008fca202952548664fc15652ea94dc
SHA15817f2f88727a1f692358293d07a0f9df14c111e
SHA256671cb10a4af31b8f02f8c7abddf03ba184d58222a8a8c202e6486f4ef2e46c18
SHA5120cdfff6f5f93c77a6c4bc4cd99d3a94935b45ada0b65874d4c158c78f3efb351d198b08b50378b57bf0a13fcf1ba385d5c1c83845391630c78cb54e942e1dead
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Cryptor.vho-9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Filesize119KB
MD5c68395e474088d5339972e2bf5a30f3c
SHA1502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA2569eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA5125320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Encoder.gen-2193787c98e21859182aab3b8a25d270de67016073e508d5fd3c3f0900bcea0f.exe
Filesize1.7MB
MD5e2833eeca6772beaefdcad8b910bdef9
SHA1fe24eab346f4b6c928c9e0ce94f680fb273029d3
SHA2562193787c98e21859182aab3b8a25d270de67016073e508d5fd3c3f0900bcea0f
SHA512286870c159e76d6cd2e3d4fee37949013042bbb5c5ee7da781843951bec13afbd37ec0c2ad37df78c1138b6c4e7aec2ba861bdbe533e6faef488218f52d8ee38
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Gen.vho-d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.exe
Filesize2.5MB
MD51a2978ce842c0d4c2fc309801cbbcabb
SHA145adb2e2ee26e9221b76e71180dc955b7c9eff70
SHA256d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a
SHA5125cefd6c89153259835cdd0e4be1c68bf61ccf25c63c8a2bcf78e0bcbde354ca588e39e06699820ca4da488f3e69a14e04f89d25cd1be6c01c80fb210f9da23ac
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Lockbit.vho-21aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f.exe
Filesize146KB
MD51024a8b9aed885c0117476c87cc5bc08
SHA1cdfd9932a3bccf535663e8e3eefd5970cae6196a
SHA25621aab3925870f8e11cf4c94b9b84d252118278a50206e622b8148001e205213f
SHA512e94d7b9d4e0303270aee4ac9a56fb8986dbb05de04aa0c92b76bf352ffe467412e62ae94dfe92c5abc95be9e8d2baf294b3d16a2e421a58ff4c2796c530b8e48
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Makop.gen-1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f.exe
Filesize2.3MB
MD5a2e4d1e6f943c9b0c6d6f21c43121592
SHA1a5895766a4cafe68ec6774282b949350dcd88798
SHA2561594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f
SHA512c7cee10d1147c936191746ad2aa05ef594515b414960c3aae5f2d20cfaeff50cfeb44be99e6da88abd7793aa11716e0182bdb26a280f24a65b5f3e31a2a51aea
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Sodin.vho-12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39.exe
Filesize120KB
MD52075566e7855679d66705741dabe82b4
SHA1136443e2746558b403ae6fc9d9b40bfa92b23420
SHA25612d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
SHA512312dcb3d83a5201ef16c5027aabd8d7baebfd9761bf9514cafecc8a6936970b897b18b993e056d0f7aec81e6f0ab5756aa5efd3165e43f64692d5dbdb7423129
-
C:\Users\Admin\Desktop\00428\HEUR-Trojan-Ransom.Win32.Stop.gen-6c747049b34b13fee03f951bc3b0f330aab130d3f1ecd4e39df734a94d4442d1.exe
Filesize804KB
MD532f3be8697cbd7c40c05ee83318ae14c
SHA19e58be40a590755bfb204d2d2f40d2de26bf4542
SHA2566c747049b34b13fee03f951bc3b0f330aab130d3f1ecd4e39df734a94d4442d1
SHA5129b2a9afdc989e77e0a6cdd283b41958b2bb2162c1ff4a711c5f54c935d0c7628516f85ff64fe5d6e5dfed5175ceb4e3b0a01d18ee606a1d2ff293b09da0ecabb
-
Filesize
20.3MB
MD5c2ca508ff38e49d7d0c0240a57bf7269
SHA16bc2f158eef8066be78beb96f565d259c3da13af
SHA2564e40ef0f69a93ee664a3b4fab15fb6e52b604870f8ebc3b83564da3a9fab51ef
SHA512d6e5bbe2a5a9ec29b8da04d769783f87f6ee73ac9772d98338a536a1b0c01ed424548cce786f3b5935b154d70e9cf2caccbf80ffbca1b900dc3766ed0bd79931
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.MSIL.Blocker.cs-6313a1d687fb155139f2246cdba1d0d06ecad074d4115488361f509484eb19c5.exe
Filesize21.9MB
MD5b29db41a6736a67686d4318bad9a6ca1
SHA17da5d7f7409b91503d09147ac26720d5389ae431
SHA2566313a1d687fb155139f2246cdba1d0d06ecad074d4115488361f509484eb19c5
SHA51222ce15edb2e4d921253db12bee4dd66619f5067238ce9257a6256d46aba286154623dcadae0345f2574c86fa7dcb39569740e1a3c341e3bbb061ac14fbebda3b
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.MSIL.Cring.f-4dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c.exe
Filesize3.3MB
MD5a787c82b989c8c7ee9e937bfdfe1fdad
SHA183929d12458d8b24a145c8ce468b4a3cc017d0b5
SHA2564dd6ebfab4f46c2cfc7a841be9c04ae635044ec6621604dc64a22b89b232406c
SHA512360c0c822a996dc9cc63ffb55ec4380a1cb17fda7fbcfabc2037c6a0204a93d958bc181e0ba0aac145d9afb8c06e2700cd23453fd347b142dcd321deb5ad8db9
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.NSIS.Xamyh.agk-25d6051f1457f8f7766bcdde1d5a64c3ed42814f933b52bb34254b1f837f40af.exe
Filesize392KB
MD506a5c3c892ab616c0e5162546b62afe5
SHA1f496fc37e2bb5c2a9703212f3c40c3dc4c7c387e
SHA25625d6051f1457f8f7766bcdde1d5a64c3ed42814f933b52bb34254b1f837f40af
SHA512075617bbe6d59a8d8bb6a1f0835a660b169ce8d609e04de19fd653f646b35f58dfa65f1843f976093f7d67490d5b0ec929e15d3e3ba1819376a740278e5c6c36
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Agent.aztb-0a82def0b48d82992482b86e771e4d516060d346443fdb3ac004e553a90af823.exe
Filesize80KB
MD51e6b6dba12893fc258f37feaf090adfa
SHA1c25de0a4b15290bc21a75492a56e146bda9a155b
SHA2560a82def0b48d82992482b86e771e4d516060d346443fdb3ac004e553a90af823
SHA5122d45a95c23722503513ce84747934cb773a3e34ef5602a75f7b0f11cdc6dc87f3f7f867493a0cd4c153ab19c53f6fac94a6b2e3badb8656ef142b6bbd9abc3ba
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Agentb.ae-3c9c6393902df1f8028da432f9d8c0cbbbcff0a7793772f859ff037a3f7e966c.exe
Filesize889KB
MD5327b9d48b11882daef12627a4a9e557c
SHA1a3c90451620f3b892fcb9cc410f5b9304c7997cf
SHA2563c9c6393902df1f8028da432f9d8c0cbbbcff0a7793772f859ff037a3f7e966c
SHA51291c6f8ff9f2ab275b6366efc9bc1bb2a50dbdb4d77255ddae900c7aec0fa31e24aeb4afd1e91f7c6ff8b8dc2c0c5b358a447e914f8b9fa8d1c6aa17c352901c1
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Aura.afy-39a17646afa8339b903005807aa8de403dae9516c8eb9ffd161e04d0f70ef0b2.exe
Filesize946KB
MD5167043136024b92e37a8a10f71332f8b
SHA1e9485a90820a8cb2bcbe067f2d8056f2d47ece3e
SHA25639a17646afa8339b903005807aa8de403dae9516c8eb9ffd161e04d0f70ef0b2
SHA51280fa41bc115b6a9e1dec3eb78e3d0bda065e44d4e254ec5d1bba22041611459974ab7b35701834620e3dcb743e8ce438f78f7930b4852813b5352425cd85fb71
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Autoit.znb-791cdbf284d25f695a63a4d6930b8bd6de78fc72ebc4d85cec5253f5289ef878.exe
Filesize889KB
MD5ef2009e7aee62628bb3c813b9acd314b
SHA17a3238a407a5f668b8aede8f260d34bf54f04667
SHA256791cdbf284d25f695a63a4d6930b8bd6de78fc72ebc4d85cec5253f5289ef878
SHA512d5be221d04ebe9a0fecab2f8cad43eacbfa5939bda805cdb89779c6217e31f4708a8c11b23d36a1b889d77578380b5e9724518308b6042119c5276c83639a4b7
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.iegk-857156a7c30b3abded926b41d193079b75d1cc48dba2f1e579ce5afdd093b87d.exe
Filesize5.9MB
MD5b67ede5ab6055fe241a418807d278adf
SHA196176774cdfd701a5c14e78426220b29f04fb86c
SHA256857156a7c30b3abded926b41d193079b75d1cc48dba2f1e579ce5afdd093b87d
SHA512e91619838f68cad41b26d7f4dd2791334925476a2d911c8a915b5afae9c6f100bdffd2ae140d5373ea48de8ab32b2fa06dba411f5a3cee9503e836690667ea6b
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.ikvn-09c8183e7d6a46caa943985504a678348b9ebbc8ab345dace441818db62bb603.exe
Filesize340KB
MD59bd7923ca2946e30b18766c44466f97d
SHA130b114d80c31a01732749626123cd5c79a64f392
SHA25609c8183e7d6a46caa943985504a678348b9ebbc8ab345dace441818db62bb603
SHA512471624c382372aa80a9922fa2cf4d07091ba7c48388ae25f6d53b280c33baec4860a4738aacf11bc812549a98e051045464c5b719cf3a7377f1fadb7521dfd52
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.lckf-e349e8909cca8c0ac340a1db2471abe48acb4665dca1ebb58be9d258d94671da.exe
Filesize112KB
MD5935b8c0af5b88a98a93d2037a758a915
SHA19d4a1c9dd682960f3f16e00d448fedb7861fad33
SHA256e349e8909cca8c0ac340a1db2471abe48acb4665dca1ebb58be9d258d94671da
SHA512a4e3d465e3ca63767f141ccf4773981c3ca8497a2a2dcc1ba0899557b2cd6aec4edacceb83cb865fdaf861f382a12f845248a387baf7550c295fe20c95adb3b2
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.mvww-2bc28f8062b67bcac48912d345e779e8e6a8e773fa5c7d5a2170eb3dba22a91b.exe
Filesize2.5MB
MD547a7d4c1e6726c7d51143f270daa4a07
SHA1cee6211d64d388b040d194c1d2e554461b10a3a2
SHA2562bc28f8062b67bcac48912d345e779e8e6a8e773fa5c7d5a2170eb3dba22a91b
SHA5124e433561d23817d562a6899d18aa88e48b8318a9d5df23d6056606582788af93d0b8b3ab6e040fcfdb59fe5b1a3346c04917b91a72f32c0ec9d9d8e8a0113eef
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Blocker.mvya-29802c1b75170fc09472b0729fb5dbe5a62a603bb4e5f85b821414a536ea1b1a.exe
Filesize640KB
MD54b4aeb222eac9b308e14cd9e2ee39ffb
SHA11ffaf48d4ef41900c02a46e956f5982cb851917b
SHA25629802c1b75170fc09472b0729fb5dbe5a62a603bb4e5f85b821414a536ea1b1a
SHA5128b36b2c231b8c52e91e6c9d90739f0c976df2b0e014f7c2dbdde120f48ad643f0d1ae4a4f779fabf6facd636133a7f51d0f3b6beb3c74e7cbc2db4af0a0ae439
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Crypmod.zfd-7c0952224346817ea85a414204ede9a8e84bea40f775ef72afaf4c54a16a7a51.exe
Filesize784KB
MD541db74ac4172270a4170a444fc3318b3
SHA1f83e1e1dd76574989b26c636476337dbe05db518
SHA2567c0952224346817ea85a414204ede9a8e84bea40f775ef72afaf4c54a16a7a51
SHA51207efbdb19f617b8a0963ed35ab0db7482ab93257db9d92933788027ef55e76b3f9266145b1ed35c1351be92d2495417b1ae01e72e05bd5fc81bf7757842b46f7
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Encoder.lqn-13edf1c9c3ca671916716f4c48d1acbe1c6b9e43f2226fe4420fd52071fcfc03.exe
Filesize2.6MB
MD596957db0a8bfc0b0e44733b14b436191
SHA1a0983b80a98d23d4cb0741be077ab60a6882e2d0
SHA25613edf1c9c3ca671916716f4c48d1acbe1c6b9e43f2226fe4420fd52071fcfc03
SHA51240278dd866097c6135950c6bd59722470bb15be537b2049a33338634506237f58be33f18875f4a42b3e021dab2317d691153750b80a9bd28e0bb8645cd76aac4
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Encoder.lsq-73b48665ae327fe5ced2479885fee139cd468d1cc26e289409a6ec733fd0b7a4.exe
Filesize6.9MB
MD5f1ad61a34478c89308a8050b41b48b67
SHA1dc4f509c4a2e9524a677e5eb2fc1ec242b24703b
SHA25673b48665ae327fe5ced2479885fee139cd468d1cc26e289409a6ec733fd0b7a4
SHA5127d6a87e8d73e00e74c1da54bb8efe75bcbee7b1434a28b80f1ad6c8fb7fc74bc55f428d34dcc7309feb49dca97dbd3b85a936a4f0b09ba0a29e8359db63685da
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Encoder.lti-e269d0da65065e071c02ddef97716d6649ba0100e88a370416cac110a822d238.exe
Filesize2.6MB
MD522ddaa902cfa51d4dbd23cd845f93e99
SHA1c39af77ca1ed1ec4d4de354132d953b4478aa4dd
SHA256e269d0da65065e071c02ddef97716d6649ba0100e88a370416cac110a822d238
SHA512ada35dc5bcfcb631938104db43fc415c73d3c4d1769f7fc53bfbc4701d546659efdbdb61c7eab77a618f47e9096f837e37616ef231bbcd9a714fce8f5ead43ae
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Foreign.olqe-a7210173ece5695f5cafc5eaf7fd67ae13fa4130247284478913314200befa9a.exe
Filesize22.5MB
MD50fbaef98636b6ecd263fc4bb44becee9
SHA1a711ea0950caf9292f4f06d6ec8a218e0d1ceddb
SHA256a7210173ece5695f5cafc5eaf7fd67ae13fa4130247284478913314200befa9a
SHA512ccf7ed95f5ece3db000bed973814bac620085897a271f48c1a89ddd08df9269f4ed1b71c78976481531cfcce0bb968405808123b939ce93c7f146abc468a7e48
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Gen.aaox-e9895d4c931b8c580dd056743f29b2aeca34d3fc517397820f72c51114cc5d08.exe
Filesize1.7MB
MD5391dfa6afb2594145098ba9b71b30aaf
SHA1eccb7a9e9f25759b829d0c8ac907bd9c8b5c0af3
SHA256e9895d4c931b8c580dd056743f29b2aeca34d3fc517397820f72c51114cc5d08
SHA51202d0658f7551ba469bd2b20cf39c4d77a6832153d7032273d739b0d737031c43c8ab37bfa9e617b022a8b9c5f73e139fab75a9da000cf7e367f7860dbafcfb25
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Gen.aapu-ec70d5505e45ef95a655700356311443d381535c61ddaa24c7196475fbaba2fc.exe
Filesize3.3MB
MD53c5794c41edf5e62a540c2659b8ee86c
SHA197d35266c698eb2e1c2730ac89dceca8a8ec6749
SHA256ec70d5505e45ef95a655700356311443d381535c61ddaa24c7196475fbaba2fc
SHA51241c8135ea5b71c5ad79127c3783f9e3b158532969391a6966492939439b4da5191df2f40e34574b87f82e437b9c82cd1784c3c6ddbd7c7ad6a8b0829e531795d
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Gen.abvy-4788b24ea7c16f144cdff61055d4a5bd82deb9c6708d4f2c8808131d885579e1.exe
Filesize72KB
MD5fded6a53545563e44fb93e47e5c1ea7a
SHA107db4dc56d204ff668bc7ce8616ead21f61a8592
SHA2564788b24ea7c16f144cdff61055d4a5bd82deb9c6708d4f2c8808131d885579e1
SHA51218391fae5e5472da43ad54f6280d40fb70c733cf9f9068cf9f8f0af874fb111e53239873bebc709a70eaea4a73eae91b300bd5fe97aeff4edd7b8025035d0ab2
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Gimemo.cdqu-a7984e8401520ca930327073d22c53ea2e5badfe527462ae4e0ebba6d52343f0.exe
Filesize436KB
MD525161987dc5e71ab36dee51224f692f9
SHA11e9375aa47d93725d0576b47a8a1cf2427cee497
SHA256a7984e8401520ca930327073d22c53ea2e5badfe527462ae4e0ebba6d52343f0
SHA5121a1e5817bee7bc53a47b398148203217e1e0d18e6d73893ebab2e89c8b51ac7d07e8da7e5cef23b8e4063d2ae075a94a3b0f541d2102c414edf0fafa0df0b997
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Phpw.aeu-b888e0bdc3aa696d5e04168c5cd3b116339dcb43c0529c0bbecdcd437abd09f2.exe
Filesize15.3MB
MD5bc568aa7eef7f43ea8f70508c53eb772
SHA19239115e90620c56e3876078e6ec4ef8a1e5421b
SHA256b888e0bdc3aa696d5e04168c5cd3b116339dcb43c0529c0bbecdcd437abd09f2
SHA5124d2ba43f75520dad8640bf1e2d9d93864e5ac3a70e7fdd8e63206b1769e1e147bdec78a44e2ad777bad18a0edd70ef3e2730d221d5c5c48a5278118d04725dd0
-
C:\Users\Admin\Desktop\00428\Trojan-Ransom.Win32.Purgen.el-e24e4d6eeab142d672e4a0698369ea1514eef04751853ac09da11c65fb658692.exe
Filesize295KB
MD51b3a1aa6fc1054e81bef57b1443863be
SHA1772b90af1f39b90d61aedbe2b9c2a8682a30e36e
SHA256e24e4d6eeab142d672e4a0698369ea1514eef04751853ac09da11c65fb658692
SHA5129ed62312e72e1042124de6447a4cb305a7ec2698f084660d1de17fe0fb3e898fce6ec7d3f40a57e5ed300b164087e74f67765b5205e7c4fc7d23fc7fd97185ba
-
C:\Users\Admin\Desktop\00428\UDS-Trojan-Ransom.Win32.Cryptor.gen-0f86e0ce6c6335b9a2a52985183c3c71eb026e072ca8933472c2b9108de51742.exe
Filesize328KB
MD52b2e5783ce0d6a8ff3ee91ba921271dc
SHA1759b4a85586aca9deb34b39d10119cf3eefebcfe
SHA2560f86e0ce6c6335b9a2a52985183c3c71eb026e072ca8933472c2b9108de51742
SHA512d75d49cd3ab91623111a9b6db8d564dac3dfe3b337ba3451c7659e0e3ccdcd2406f7fbc70e3df97ce1e994e6b92a5a8962b31e1913d0433b3ef90d3a227a4c4e
-
C:\Users\Admin\Desktop\00428\UDS-Trojan-Ransom.Win32.Generic-1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402.exe
Filesize79KB
MD5d24e9b0c3a81e884e14596d6047e31be
SHA10557ae0a95e11e10fe9a33742f8b258b35c0aae6
SHA2561deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402
SHA5125f9cfaf495d186c599ffe8fd63b7bf1c775313e38f0397f4f422d0944cfabf1c497b8cf81514d2a5d1ed2631d00f9356d8013fd90efea1bb29d17d7bae2a2ccd
-
C:\Users\Admin\Desktop\00428\VHO-Trojan-Ransom.Win32.Crypmodadv.gen-7cf0d51025c5688e69c4768c3359b0eb11da1e0eaa83635d0e70de412a0be374.exe
Filesize2.2MB
MD54fcb67ec71d9ee746bd74027e297a80f
SHA1ea69573169cf1873ada6ed4a45eb6f5012b84033
SHA2567cf0d51025c5688e69c4768c3359b0eb11da1e0eaa83635d0e70de412a0be374
SHA512b756b80e17477f95499f1133bd2998c7e8f3104908c2e4f675dc56c4a26e0d83ab0a00f0da6489b51390f5ef28985edd0db841c5d058c1140884b2a9d9e317d1
-
C:\Users\Admin\Desktop\00428\VHO-Trojan-Ransom.Win32.GandCrypt.gen-98613c9715227cceb95413aa6a0acd0b74ee9f8d9cdaccabffbef5a6e6af3850.exe
Filesize399KB
MD5e721de5d9dcf9f9035bb75f060dd8a83
SHA1a561003302380f8baf388fd145760cd379453b6f
SHA25698613c9715227cceb95413aa6a0acd0b74ee9f8d9cdaccabffbef5a6e6af3850
SHA512fb711deced91af606f05df15ee19fa05bc529f5b1b39a9b7ccccad61c9ba9456aca6d84401646e32f86bdd3b1b23451df2054ccbc2eb963a1f92c44d8890a396
-
Filesize
1KB
MD5fd442d1dff6d7a79f1789d327dc0291c
SHA1fdce7a3f5dd4ac033679231733883d33ece946e8
SHA256b50c6173d616feeb1aa1dcdce2a6d91dbe227e317ea16796e46fdf0dc5b2aa21
SHA512eb74b4f8dc069e6588fc502eae0400043dfe65fcdf1d3070a3debf4e8466a9319d08f1cefb07b14ee87e3c1f0a97923caabda82339bcbf71017d3fc445beb26f
-
Filesize
43B
MD555310bb774fff38cca265dbc70ad6705
SHA1cb8d76e9fd38a0b253056e5f204dab5441fe932b
SHA2561fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
SHA51240e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4
-
C:\Users\Admin\Desktop\1ul77jre-readme.txt.[ID-16ECD120].[[email protected]].crypt
Filesize7KB
MD5cd7e0650985327a67baf7784d0874d4e
SHA1642ef730feee5121c833ce2c0d6ce0780e54645e
SHA2560f2552367f8559a5dc4a98784daa7f4d841f9fcd969f9e836279fb6738762810
SHA5122edcaa640e3247ffe6695edaf2426e42eff63bd82e3b1dde7de5ed4c4e6d297a468f648e6210b772b065dbe08f85f019f8b9746b9468cfa30feac28fc55f268f
-
Filesize
1KB
MD59c0caf83de511361cc2ef02909c85c73
SHA137c12b73b9460638e5277abe344c1d6f2d5b2299
SHA256cd1c722bb9c69f474fdeaaf24c1dc3fc1c9b4770ec92f2241dd492b1ee12b82f
SHA5122dc9bd751dfb3e638b400a2dd4b9d5303312549a28aa98513e1db524093f4090d045675fa737485694555c70e0777bb1034475a23dbd8d2316b413422d3a3575
-
Filesize
534KB
MD5b9b9ab30f16786cf9fe282c514fe9a6a
SHA1522654c0c808a912371972f50aa279f85efe3f65
SHA256d3ac011c141b100a1f5be20cd59b9283c17f348afa1087d906a11e16bb1d8078
SHA5128a3171ddc4a0cf6d8e117ab68434110a02ad8de6ae890798aa089fce5552f9bcb94c338147a37f217d24c47937982e9f83359c64d17f0e3f1e838153f98f4b4a
-
Filesize
7KB
MD50d719e9779f64ab6499ccf7452f99c9b
SHA18e170acbbb222588a05d4b22105ce056c342859a
SHA256fa56f77404e9fa7723d95a493f206f1bfd2644d83af984b92a45c94a2ea4f7e5
SHA5126904c34f93a3fc4276f113faffd14084a50e136a7bb5e31129c3bf030fe2b6d1b5c2f919eafa2e322f01db57a5376a2c2fca37f402a8e51f7161c5d016565050
-
Filesize
372KB
MD5a3b4d222a755f43b34a0963f13f77500
SHA1e3bd216f35434287197082745b9f789b9a4f93c6
SHA2569692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54
SHA5127baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50
-
Filesize
10KB
MD5cce98d3d27ca7d031c5f8ee3cb8d7355
SHA1efa97d30b2a5585a3a71e7926b15a490aa3f9fbc
SHA256db442ce57891868596bcb02310f9aefe70886154e8246bb618cee26c431bdb0c
SHA5129aec3cee8ea04592c1219e43da6439e1d5bd5bf8916b7de93f94f42d86b19030f047dd1ee7555d4eaa86f39eed34d7891ed50fe1e006ae0b5c1479a0e0ca949b
-
Filesize
43KB
MD575946b7d9f6c356ae733c24427950453
SHA1e3c6df399c9b6c0587b1f84ef9927f1e4d7f58b8
SHA256768f135ac9f7f730e368aa1c1d1fc6be6986dbd983dde0b4172a118c2adb8b53
SHA5124c5089869b431b1391a6ee76ef8f999aa5f2d971032145af1cfcf5c7241bca928728a0646a3ea724297b4804d4ee23ee2d6536cd91fb6eef75ead8b293fe385a
-
Filesize
10KB
MD5e806cca05cc9c496ca8f893d2f7ce3b5
SHA14586e3ebd709aa6ecbc2a2014f83cfc1f0b1bba4
SHA256ee438c45bde14c2883b6944226a2bc2eebd0a2fc98dc1c24362fc77a469d3034
SHA512fc70ced8ca465bdff452274a3a6e0d4c66d396ffe54339a14b193503297a0c4de845533c052a67495ba816088e6ffea38cb81319269231a0e540c7283d4eda52
-
Filesize
1.4MB
MD523810b31f964a84a9139205b411c760c
SHA1c7507764b5f8c9c1b229914c05dd6f357e6c604b
SHA2566213dd04dd52408b67a32677a8ba90b746801054c139c38d055447a336d208d6
SHA5124a785febe64ad75f90c27b522555fb555cc6cb9d271398138519c8ab1da100cb24a82b3d8434c2cd20e40ee56533b2a40b8e19844f45a1c0b45d3d2c81fa212b
-
Filesize
1KB
MD5e6e1d8c09d4743b229888f9579e3097e
SHA19731df55c4473b3acbc908e989bc267dd1eab6e6
SHA25657c6088a565ca4ceaddda69363e68dd75bd90793ce00f86aba99ecde3519e025
SHA5127c7b0c08cd0ddf7c8a7333bbced7cd843c65710d67aa65151ef746657e8624ef5917c06b9319181397ec2ad1e07485ca1e330579acafac32d01a151c87d7f44b
-
Filesize
38KB
MD515c077dcb1712089c032c1d76778e6d2
SHA19312b639e6992b4165c4473a4a7c7c7397cce32b
SHA2566b64d3cfe63eed89e039814edc186f245b3dc762acee4eae34533774262071c0
SHA512896821db51ff06bfcda5c388c357ee90a05f17d4e26495c9e1823327fe849821de02bcc7054b45de93b81ec1ff6afddf8fe4d42ccc7daa9c653e75598bbeac0d
-
Filesize
1KB
MD598d3b55cce54a33a6648f5b02a11f65d
SHA18c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
SHA256807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
SHA5129e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15
-
Filesize
1.1MB
MD53ca8703058a5ef62817ecf4c2896abfa
SHA15af89a21290c356766dbf6b8b4d960120deb96d7
SHA25688a035681066808e3a9e8e7a38eaedc2755976e2f1c5c5045f3b86f469f44c3c
SHA5120bb965af4d948df1cc7a0de82fa6eabe845fc37178b8e5c60bc6291e4a835c1089d5979b007daab1d91994ad7c2ec146b711ccbf9a8c06bad41a9e952e8bc7b3