Analysis
-
max time kernel
208s -
max time network
210s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-10-2024 13:20
Static task
static1
General
-
Target
RNSM00429.7z
-
Size
32.1MB
-
MD5
dc347fe718685d9942c53bae8ccd3396
-
SHA1
5acdaf735b7f94bcf180ae4d442738015f28a211
-
SHA256
7f2b34572c0056ff9730a707bb27e228694dc15d9a099362a9e16a0ba7fee024
-
SHA512
cceb077dbfe473b86fc4ac3bba475f7f9f5f26ee8c05f046c6149349162c8f860c0de1f8dbb95df9239289360f704d3a5256d834fb6c502ba63e10009039530b
-
SSDEEP
786432:b9LihPYEqVEaw4qJZMt5JPIrV1nqj9SVi/BbqSvrV5jxfunqz:uY5EaGJO/JP0qj9SAZ+2bjx+8
Malware Config
Extracted
darkcomet
Angel
detan155.3utilities.com:1537
DC_MUTEX-8CBS1T7
-
InstallPath
skype\Skype.exe
-
gencode
6M1G4dNEGvX2
-
install
true
-
offline_keylogger
true
-
password
viewsonic
-
persistence
true
-
reg_key
Skype
Extracted
orcus
xz
mehack1234567.ddns.net:8832
1aea3370b5824c3db9d5ee90510716f9
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\svchost\Yandex.exe
-
reconnect_delay
10000
-
registry_keyname
Yandex
-
taskscheduler_taskname
svchoster
-
watchdog_path
Temp\svchoster
Extracted
C:\Users\How To Restore Your Files.txt
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/104617a28c7b21518d506b079ca9d5221551f89d5d54025a1ec71dd33aacd896/
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/
http://vq3zf757tzpwhs7bulnr43d2rfg5fkvvfkhee2zhhzievuxrbnarmgqd.onion/4c43fb6f271eda10ac65ec0dc918f7ec851455acb98c1fe29f3b2feffe53c286
Extracted
C:\ProgramData\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.best
Extracted
metasploit
windows/single_exec
Extracted
orcus
wwwwwwwwwwwwwwwwwww.webhop.me:8353
5d87ffe5b7e9467491b5534273d3040f
-
autostart_method
Disable
-
enable_keylogger
true
-
install_path
%systemroot%\dllhost.exe
-
reconnect_delay
10000
-
registry_keyname
Microsoft Corporation
-
taskscheduler_taskname
Microsoft Corporation
-
watchdog_path
AppData\1
Extracted
C:\Program Files\Common Files\DESIGNER\!!FAQ for Decryption!!.txt
http://cuba4mp6ximo2zlo.onion/
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Conti family
-
Darkcomet family
-
Glupteba family
-
Glupteba payload 1 IoCs
resource yara_rule
behavioral1/memory/2172-524-0x0000000000400000-0x0000000002FC4000-memory.dmp family_glupteba
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Orcus family
-
Orcus main payload 2 IoCs
resource yara_rule
behavioral1/files/0x000a000000023d08-229.dat family_orcus
behavioral1/files/0x000a000000023d01-241.dat family_orcus
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule
behavioral1/memory/2640-139-0x00000000051C0000-0x0000000005256000-memory.dmp Nirsoft
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule
behavioral1/memory/2640-139-0x00000000051C0000-0x0000000005256000-memory.dmp WebBrowserPassView
-
Orcurs Rat Executable 4 IoCs
resource yara_rule
behavioral1/files/0x000a000000023d08-229.dat orcus
behavioral1/files/0x000a000000023d01-241.dat orcus
behavioral1/memory/1736-267-0x0000000000160000-0x000000000024E000-memory.dmp orcus
behavioral1/memory/3244-260-0x0000000000D30000-0x0000000000E1A000-memory.dmp orcus
-
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process
6712 netsh.exe
820 netsh.exe
-
Executes dropped EXE 5 IoCs
pid Process
2640 HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
548 HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
1992 HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
3064 HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
2172 HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe
-
resource yara_rule
behavioral1/files/0x0007000000023cae-120.dat vmprotect
behavioral1/memory/2640-125-0x00000000005E0000-0x000000000089A000-memory.dmp vmprotect
-
resource yara_rule
behavioral1/memory/2908-203-0x0000000000400000-0x000000000040A000-memory.dmp upx
behavioral1/memory/2908-219-0x0000000000400000-0x000000000040A000-memory.dmp upx
behavioral1/memory/2908-206-0x0000000000400000-0x000000000040A000-memory.dmp upx
behavioral1/memory/2908-205-0x0000000000400000-0x000000000040A000-memory.dmp upx
behavioral1/memory/1636-220-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/1636-223-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/1636-224-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/1636-222-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/1636-751-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/6996-749-0x0000000000400000-0x000000000040A000-memory.dmp upx
behavioral1/memory/6996-752-0x0000000000400000-0x000000000040A000-memory.dmp upx
behavioral1/memory/6996-788-0x0000000000400000-0x000000000040A000-memory.dmp upx
behavioral1/memory/6520-781-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/6520-786-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/6520-780-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/2908-264-0x0000000000400000-0x000000000040A000-memory.dmp upx
behavioral1/memory/6520-1959-0x0000000000400000-0x00000000004B7000-memory.dmp upx
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
228 sc.exe
2632 sc.exe
5336 sc.exe
-
Program crash 5 IoCs
pid pid_target Process procid_target
3896 5104 WerFault.exe 123
1704 2912 WerFault.exe 128
4732 2640 WerFault.exe 109
4996 2720 WerFault.exe 137
5104 4184 WerFault.exe 145
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
-
Interacts with shadow copies 3 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
7924 vssadmin.exe
6968 vssadmin.exe
7600 vssadmin.exe
3976 vssadmin.exe
-
Modifies registry key 1 TTPs 5 IoCs
pid Process
6492 reg.exe
2800 reg.exe
8008 reg.exe
1480 reg.exe
5644 REG.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
2248 taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process
Token: SeRestorePrivilege 4284 7zFM.exe
Token: 35 4284 7zFM.exe
Token: SeSecurityPrivilege 4284 7zFM.exe
Token: SeDebugPrivilege 4768 taskmgr.exe
Token: SeSystemProfilePrivilege 4768 taskmgr.exe
Token: SeCreateGlobalPrivilege 4768 taskmgr.exe
Token: SeDebugPrivilege 2248 taskmgr.exe
Token: SeSystemProfilePrivilege 2248 taskmgr.exe
Token: SeCreateGlobalPrivilege 2248 taskmgr.exe
Token: 33 4768 taskmgr.exe
Token: SeIncBasePriorityPrivilege 4768 taskmgr.exe
Token: SeDebugPrivilege 396 powershell.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
548 HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target
PID 4768 wrote to memory of 2248 4768 taskmgr.exe 100
PID 4768 wrote to memory of 2248 4768 taskmgr.exe 100
PID 396 wrote to memory of 4248 396 powershell.exe 108
PID 396 wrote to memory of 4248 396 powershell.exe 108
PID 4248 wrote to memory of 2640 4248 cmd.exe 109
PID 4248 wrote to memory of 2640 4248 cmd.exe 109
PID 4248 wrote to memory of 2640 4248 cmd.exe 109
PID 4248 wrote to memory of 548 4248 cmd.exe 110
PID 4248 wrote to memory of 548 4248 cmd.exe 110
PID 4248 wrote to memory of 548 4248 cmd.exe 110
PID 4248 wrote to memory of 1992 4248 cmd.exe 111
PID 4248 wrote to memory of 1992 4248 cmd.exe 111
PID 4248 wrote to memory of 1992 4248 cmd.exe 111
PID 4248 wrote to memory of 3064 4248 cmd.exe 112
PID 4248 wrote to memory of 3064 4248 cmd.exe 112
PID 4248 wrote to memory of 3064 4248 cmd.exe 112
PID 4248 wrote to memory of 2172 4248 cmd.exe 113
PID 4248 wrote to memory of 2172 4248 cmd.exe 113
PID 4248 wrote to memory of 2172 4248 cmd.exe 113
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00429.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4284
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 18604⤵
- Program crash
PID:4732
-
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:548
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1992
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exeHEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{58CC7F70-8E97-4893-889A-A699EF3C11A2}'" delete4⤵PID:364
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{58CC7F70-8E97-4893-889A-A699EF3C11A2}'" delete5⤵PID:3128
-
-
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exeHEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Gen.gen-e0063e1195df32dc9ddacb38b8f7ecc658f1e57c545905904cb3967a0a94af16.exeHEUR-Trojan-Ransom.Win32.Gen.gen-e0063e1195df32dc9ddacb38b8f7ecc658f1e57c545905904cb3967a0a94af16.exe3⤵PID:968
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-0984f098c2eddf9a34d8122b97635a8cc6c0fc9dbfa95856a56ae47cedf55908.exeHEUR-Trojan-Ransom.Win32.Generic-0984f098c2eddf9a34d8122b97635a8cc6c0fc9dbfa95856a56ae47cedf55908.exe3⤵PID:5104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 4444⤵
- Program crash
PID:3896
-
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exeHEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe3⤵PID:2352
-
C:\windows\system32\sc.exe"C:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe" start= auto4⤵
- Launches sc.exe
PID:228
-
-
\??\c:\windows\system32\cmd.exe"c:\windows\system32\cmd.exe" /c c:\windows\logg.bat4⤵PID:5020
-
-
\??\c:\Windows\system32\vssadmin.exe"c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:3976
-
-
\??\c:\windows\system32\sc.exe"c:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe" start= auto4⤵
- Launches sc.exe
PID:2632
-
-
\??\c:\windows\system32\sc.exe"c:\windows\system32\sc.exe" start defragsrv4⤵
- Launches sc.exe
PID:5336
-
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-9f70d9a756b40db1f6e5268e246ea7c3ceed45162e975d84b25908734f8eb8bc.exeHEUR-Trojan-Ransom.Win32.Generic-9f70d9a756b40db1f6e5268e246ea7c3ceed45162e975d84b25908734f8eb8bc.exe3⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exe"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"4⤵PID:3244
-
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-ee648c265f0fd485ccc3da0328014dcad66d4c0e40ffbe787a81e865baf4fdc8.exeHEUR-Trojan-Ransom.Win32.Generic-ee648c265f0fd485ccc3da0328014dcad66d4c0e40ffbe787a81e865baf4fdc8.exe3⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper_v5.exe"C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper_v5.exe"4⤵PID:1736
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install5⤵PID:6312
-
-
-
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-e650436c4f35b160ed27dae6a113a849e62437864aad1cd326faef1f22fba151.exeHEUR-Trojan-Ransom.Win32.PolyRansom.gen-e650436c4f35b160ed27dae6a113a849e62437864aad1cd326faef1f22fba151.exe3⤵PID:2912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 2324⤵
- Program crash
PID:1704
-
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.aztl-cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799.exeTrojan-Ransom.Win32.Agent.aztl-cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799.exe3⤵PID:2720
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 3724⤵
- Program crash
PID:4996
-
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.iqf-3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7.exeTrojan-Ransom.Win32.Agent.iqf-3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7.exe3⤵PID:2216
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.iqf-3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7.exe4⤵PID:2152
-
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exeTrojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe3⤵PID:3624
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet4⤵PID:4316
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:7924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet4⤵PID:6632
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:6968
-
-
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.exeTrojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.exe3⤵PID:1152
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵PID:304
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies registry key
PID:2800
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "" /t REG_SZ /d ":*:Enabled:Windows Messanger" /f4⤵PID:1492
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "" /t REG_SZ /d ":*:Enabled:Windows Messanger" /f5⤵
- Modifies registry key
PID:6492
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh firewall set opmode disable4⤵PID:2944
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable5⤵
- Modifies Windows Firewall
PID:6712
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop security center4⤵PID:2300
-
C:\Windows\SysWOW64\net.exenet stop security center5⤵PID:7132
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop security center6⤵PID:7484
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop WinDefend4⤵PID:2432
-
C:\Windows\SysWOW64\net.exenet stop WinDefend5⤵PID:6720
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend6⤵PID:4368
-
-
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.EXE"C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.EXE"4⤵PID:2908
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.EXE"C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.EXE"5⤵PID:1636
-
C:\Users\Admin\AppData\Roaming\skype\Skype.exe"C:\Users\Admin\AppData\Roaming\skype\Skype.exe"6⤵PID:3496
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f7⤵PID:6304
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f8⤵
- Modifies registry key
PID:8008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "" /t REG_SZ /d ":*:Enabled:Windows Messanger" /f7⤵PID:6952
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "" /t REG_SZ /d ":*:Enabled:Windows Messanger" /f8⤵
- Modifies registry key
PID:1480
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh firewall set opmode disable7⤵PID:220
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable8⤵
- Modifies Windows Firewall
PID:820
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop security center7⤵PID:6888
-
C:\Windows\SysWOW64\net.exenet stop security center8⤵PID:7768
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop security center9⤵PID:7748
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop WinDefend7⤵PID:6464
-
C:\Windows\SysWOW64\net.exenet stop WinDefend8⤵PID:3688
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend9⤵PID:7740
-
-
-
-
C:\Users\Admin\AppData\Roaming\skype\Skype.EXE"C:\Users\Admin\AppData\Roaming\skype\Skype.EXE"7⤵PID:6996
-
C:\Users\Admin\AppData\Roaming\skype\Skype.EXE"C:\Users\Admin\AppData\Roaming\skype\Skype.EXE"8⤵PID:6520
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.kjhn-31b4b6a9fe95e3ab3a641492b45ebc82e48f76618d6c076d6979dddedc2c240b.exeTrojan-Ransom.Win32.Blocker.kjhn-31b4b6a9fe95e3ab3a641492b45ebc82e48f76618d6c076d6979dddedc2c240b.exe3⤵PID:4584
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\plantilla\7.vbs"4⤵PID:4840
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\7.vbs"5⤵PID:7012
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c keygenerator.dll4⤵PID:2912
-
C:\Users\Admin\Desktop\00429\keygenerator.dllkeygenerator.dll5⤵PID:7984
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deldll.bat" "4⤵PID:6096
-
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.kmpr-841cc6074ba4c04dc26fe7778aa54cae29060501e9f5e69f7b7dde398b6b3987.exeTrojan-Ransom.Win32.Blocker.kmpr-841cc6074ba4c04dc26fe7778aa54cae29060501e9f5e69f7b7dde398b6b3987.exe3⤵PID:4184
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 2364⤵
- Program crash
PID:5104
-
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.mvyz-23000103a948eba86fb7f24c60dbfcc0830fb160f85ff27dd5d8ada32feea4f7.exeTrojan-Ransom.Win32.Blocker.mvyz-23000103a948eba86fb7f24c60dbfcc0830fb160f85ff27dd5d8ada32feea4f7.exe3⤵PID:1236
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.CryFile.zeo-8bd7d90814071ee9704391bd3e298aadfe4ed6c0f8feaf3ebdd7e3afdbaa600f.exeTrojan-Ransom.Win32.CryFile.zeo-8bd7d90814071ee9704391bd3e298aadfe4ed6c0f8feaf3ebdd7e3afdbaa600f.exe3⤵PID:3260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Trojan-Ransom.Win32.CryFile.zeo-8bd7d90814071ee9704391bd3e298aadfe4ed6c0f8feaf3ebdd7e3afdbaa600f.exe.bat" "4⤵PID:2784
-
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Cryptor.edo-008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exeTrojan-Ransom.Win32.Cryptor.edo-008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe3⤵PID:5112
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Cryptor.eea-fc990b79c1f106bfe21a6b2faa0455429e12e1707546e9475d5ea66daf10fd98.exeTrojan-Ransom.Win32.Cryptor.eea-fc990b79c1f106bfe21a6b2faa0455429e12e1707546e9475d5ea66daf10fd98.exe3⤵PID:8048
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Cryptor.etd-781c3e38141cda20fe0a87847d12a3bde0c298d74857ea93bc45a44c63e4bec0.exeTrojan-Ransom.Win32.Cryptor.etd-781c3e38141cda20fe0a87847d12a3bde0c298d74857ea93bc45a44c63e4bec0.exe3⤵PID:6264
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Cuba.k-00ddbe28a31cc91bd7b1989a9bebd43c4b5565aa0a9ed4e0ca2a5cfb290475ed.exeTrojan-Ransom.Win32.Cuba.k-00ddbe28a31cc91bd7b1989a9bebd43c4b5565aa0a9ed4e0ca2a5cfb290475ed.exe3⤵PID:7788
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Encoder.lxj-2d6ad546be178ae80462c39e6fde4752272b647f7a2848aa15c84a1c6c23e0ae.exeTrojan-Ransom.Win32.Encoder.lxj-2d6ad546be178ae80462c39e6fde4752272b647f7a2848aa15c84a1c6c23e0ae.exe3⤵PID:7260
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Gen.aaqy-df67c44fc4d8ef2d1cdea52afb5d08387deb8f04d5477ba36fb392f2f3230800.exeTrojan-Ransom.Win32.Gen.aaqy-df67c44fc4d8ef2d1cdea52afb5d08387deb8f04d5477ba36fb392f2f3230800.exe3⤵PID:7200
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Gimemo.cdqu-80a59a838cc14bcd7244c214bfa27ea4bd87a3cbacf217fa43fb295bb70ee765.exeTrojan-Ransom.Win32.Gimemo.cdqu-80a59a838cc14bcd7244c214bfa27ea4bd87a3cbacf217fa43fb295bb70ee765.exe3⤵PID:8000
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Hades.e-e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exeTrojan-Ransom.Win32.Hades.e-e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe3⤵PID:7240
-
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Mbro.bcet-b373dd5a8845a5e6f2e112160a87f37ef2f401f7783db0dfb22710b254356db7.exeTrojan-Ransom.Win32.Mbro.bcet-b373dd5a8845a5e6f2e112160a87f37ef2f401f7783db0dfb22710b254356db7.exe3⤵PID:5156
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\ /va /f4⤵
- Modifies registry key
PID:5644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=4⤵PID:5200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:6184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,834389301157742121,13927025126497203477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:25⤵PID:7820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,834389301157742121,13927025126497203477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:35⤵PID:5908
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:6208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:8152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:25⤵PID:4740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:35⤵PID:4104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:85⤵PID:6864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:15⤵PID:7936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:15⤵PID:3948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:15⤵PID:5476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:15⤵PID:5608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:15⤵PID:7116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:15⤵PID:7700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:15⤵PID:7872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:15⤵PID:5896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:15⤵PID:4796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:15⤵PID:6464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:15⤵PID:5300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:15⤵PID:5456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:15⤵PID:6164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:15⤵PID:6532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:15⤵PID:1948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:15⤵PID:7092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:15⤵PID:6576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:15⤵PID:6320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:15⤵PID:5960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:15⤵PID:2460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:15⤵PID:7216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:15⤵PID:8516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8164 /prefetch:15⤵PID:2908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:15⤵PID:8580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8408 /prefetch:15⤵PID:8740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:15⤵PID:3464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:15⤵PID:8760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:15⤵PID:4020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:15⤵PID:9080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:15⤵PID:424
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:1984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1476,16301248986751226005,11892626811842680014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:25⤵PID:5912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1476,16301248986751226005,11892626811842680014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:35⤵PID:1192
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:4888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:6264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14404626923318498773,11375022507309421041,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:25⤵PID:7676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,14404626923318498773,11375022507309421041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:35⤵PID:308
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:6624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:404
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:8060
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:3452
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:7316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xa4,0x104,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:6760
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:4420
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:7164
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:5816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:308
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:4416
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:4788
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:6552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:5584
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:8260
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:4132
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:8752
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:9100
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:8592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:7272
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:5644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xd8,0x104,0xdc,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:5656
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:8680
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc47185⤵PID:9156
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid= 4⤵ PID:9164
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718 5⤵ PID:7148
-
-
-
-
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵ PID:4768
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2912 -ip 2912 1⤵ PID:5012
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5104 -ip 5104 1⤵ PID:4800
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2640 -ip 2640 1⤵ PID:4724
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2720 -ip 2720 1⤵ PID:2908
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4184 -ip 4184 1⤵ PID:4608
-
C:\Windows\SysWOW64\WindowsInput.exe "C:\Windows\SysWOW64\WindowsInput.exe" 1⤵ PID:6904
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵ PID:5096
-
C:\Windows\system32\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How To Restore Your Files.txt 1⤵ PID:8168
-
C:\Windows\system32\AUDIODG.EXE C:\Windows\system32\AUDIODG.EXE 0x490 0x328 1⤵ PID:7492
-
C:\Windows\explorer.exe explorer.exe 1⤵ PID:7948
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe 1⤵ PID:6248
-
\??\c:\windows\system32\cmd.exe "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat 2⤵ PID:4904
-
-
\??\c:\Windows\system32\vssadmin.exe "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet 2⤵
- Interacts with shadow copies
PID:7600
-
-
C:\Windows\SysWOW64\werfault.exe werfault.exe /h /shared Global\4db0eb747d734b6cbeb35c23d0e6e92c /t 7652 /p 8000 1⤵ PID:6620
-
C:\Windows\System32\CompPkgSrv.exe C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:916
-
C:\Windows\System32\CompPkgSrv.exe C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:7236
-
C:\Windows\system32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa383a055 /state1:0x41c64e6d 1⤵ PID:5828
Network
MITRE ATT&CK Enterprise v15
Execution
System Services: 1
Service Execution: 1
Windows Management Instrumentation: 1
Defense Evasion
Direct Volume Access: 1
Impair Defenses: 1
Disable or Modify System Firewall: 1
Indicator Removal: 2
File Deletion: 2
Modify Registry: 1
Downloads
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
Filesize 5.9MB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
Filesize 2.6MB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
Filesize 3.4MB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
Filesize 194KB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe
Filesize 4.3MB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Gen.gen-e0063e1195df32dc9ddacb38b8f7ecc658f1e57c545905904cb3967a0a94af16.exe
Filesize 604KB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-0984f098c2eddf9a34d8122b97635a8cc6c0fc9dbfa95856a56ae47cedf55908.exe
Filesize 1.7MB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe
Filesize 947KB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-9f70d9a756b40db1f6e5268e246ea7c3ceed45162e975d84b25908734f8eb8bc.exe
Filesize 601KB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-ee648c265f0fd485ccc3da0328014dcad66d4c0e40ffbe787a81e865baf4fdc8.exe
Filesize 713KB
-
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-e650436c4f35b160ed27dae6a113a849e62437864aad1cd326faef1f22fba151.exe
Filesize 1.0MB
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.aztl-cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799.exe
Filesize 70KB
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.iqf-3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7.exe
Filesize 283KB
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe
Filesize 79KB
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.mvyz-23000103a948eba86fb7f24c60dbfcc0830fb160f85ff27dd5d8ada32feea4f7.exe
Filesize 4.8MB
-
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.CryFile.zeo-8bd7d90814071ee9704391bd3e298aadfe4ed6c0f8feaf3ebdd7e3afdbaa600f.exe
Filesize 123KB
-
\??\c:\users\admin\desktop\00429\trojan-ransom.win32.blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.exe
Filesize 391KB
-
\??\c:\users\admin\desktop\00429\trojan-ransom.win32.blocker.kjhn-31b4b6a9fe95e3ab3a641492b45ebc82e48f76618d6c076d6979dddedc2c240b.exe
Filesize 488KB
-
\??\c:\users\admin\desktop\00429\trojan-ransom.win32.blocker.kmpr-841cc6074ba4c04dc26fe7778aa54cae29060501e9f5e69f7b7dde398b6b3987.exe
Filesize 184KB