azorult | 601558763a1331f16d0194f29c90d6e301df0d143ad915cf9b760c28e767a947

Analysis

max time kernel
215s
max time network
216s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00342.7z
Size

13.6MB
MD5

3a822d6a03521e050a7f4bdc49000d96
SHA1

38034e38558275f8eb940b3cbffcc502397e6055
SHA256

601558763a1331f16d0194f29c90d6e301df0d143ad915cf9b760c28e767a947
SHA512

13f7ef4b35e2e5448768d0ee5582f28a64c4f0b3c1aa060c0e46f7b6a8f9ffa616d43510b9c9b925b0d711bd2c7c1728eb2f2b4007d4ef25da497ee0e14b414c
SSDEEP

196608:qQ3+79K9+vx5QqlZRkOKWPe7KdtH+nVLVedGoRZzrw96QqrGrhONNg6VN8CaUgkk:qZ7KcflvkdL8F+V5N4VefsXg6VBYd

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
mikeaboyland

Extracted

Family

azorult

http://kosovo.duckdns.org/file/index.php

Extracted

Family

azorult

http://admin.svapofit.com/azs/index.php

Extracted

Path

C:\MSOCache\!!!DECRYPTION__KEYPASS__INFO!!!.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS The only method of recovering files is to purchase an decrypt software and unique private key. After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data. Only we can give you this key and only we can recover your files. You need to contact us by e-mail [email protected] send us your personal ID and wait for further instructions. For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE. Price for decryption $300. This price avaliable if you contact us first 72 hours. E-mail address to contact us: [email protected] Reserve e-mail address to contact us: [email protected] Your personal id: 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0

Emails

[email protected]

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Detect ZGRat V2 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2064-628-0x00000000043D0000-0x0000000004414000-memory.dmp	family_zgrat_v2

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\bedsit.exe"	msiexec.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/876-1308-0x00000000065F0000-0x0000000006680000-memory.dmp	Nirsoft

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3636 bcdedit.exe
3836 bcdedit.exe
3556 bcdedit.exe
4024 bcdedit.exe

pid	process
3636	bcdedit.exe
3836	bcdedit.exe
3556	bcdedit.exe
4024	bcdedit.exe

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/876-1308-0x00000000065F0000-0x0000000006680000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/876-1308-0x00000000065F0000-0x0000000006680000-memory.dmp	WebBrowserPassView

Renames multiple (251) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (87) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (9965) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

mimikatz is an open source tool to dump credentials on Windows 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1608-342-0x0000000000400000-0x0000000000B5E000-memory.dmp	mimikatz
behavioral1/memory/1528-655-0x0000000140000000-0x00000001400FB000-memory.dmp	mimikatz
behavioral1/memory/1608-1350-0x0000000000400000-0x0000000000B5E000-memory.dmp	mimikatz

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 3 IoCs

Processes:

Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!DECRYPTION__KEYPASS__INFO!!!.txt	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!DECRYPTION__KEYPASS__INFO!!!.txt	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe

Executes dropped EXE 64 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exeHEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exeHEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exeTrojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exeTrojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exeTrojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exeTrojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exeTrojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exeTrojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exeTrojan-Ransom.Win32.Wanna.zbu-04f468bec220fa9dfd4897adf86f28f8ceb04a72806c473cd22e366f716389a3.exeTrojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exeTrojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exeTrojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exeTrojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exeTrojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exeTrojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exeTrojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exeTrojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exeTrojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exemmkt.exeTrojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exexk.exeIExplorer.exeWINLOGON.EXEctfmon.exeCSRSS.EXEwinMacromedia.exeTRC38A~1.EXETRC38A~1.EXESERVICES.EXELSASS.EXESMSS.EXEWindows Update.exeTRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXEWindows Update.exeTRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXETRC38A~1.EXExk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXE

pid	process
1592	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe
1732	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
2064	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
2044	HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
644	Trojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exe
2040	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
1608	Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
1972	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
772	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
856	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
348	Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe
1904	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
2140	Trojan-Ransom.Win32.Wanna.zbu-04f468bec220fa9dfd4897adf86f28f8ceb04a72806c473cd22e366f716389a3.exe
1620	Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1520	Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
1144	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
1136	Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe
2000	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
700	Trojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exe
2428	Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe
2348	Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe
1528	mmkt.exe
2804	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
2600	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
876	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
1868	xk.exe
1176	IExplorer.exe
888	WINLOGON.EXE
2096	ctfmon.exe
328	CSRSS.EXE
2056	winMacromedia.exe
3324	TRC38A~1.EXE
3836	TRC38A~1.EXE
4324	SERVICES.EXE
4840	LSASS.EXE
5080	SMSS.EXE
4100	Windows Update.exe
4232	TRC38A~1.EXE
4544	TRC38A~1.EXE
4448	TRC38A~1.EXE
4820	TRC38A~1.EXE
4876	TRC38A~1.EXE
4236	TRC38A~1.EXE
856	TRC38A~1.EXE
5248	TRC38A~1.EXE
7000	TRC38A~1.EXE
5600	TRC38A~1.EXE
6020	TRC38A~1.EXE
6328	TRC38A~1.EXE
2952	TRC38A~1.EXE
5744	Windows Update.exe
8140	TRC38A~1.EXE
6128	TRC38A~1.EXE
6336	TRC38A~1.EXE
8300	TRC38A~1.EXE
6268	TRC38A~1.EXE
8416	xk.exe
9112	IExplorer.exe
5188	WINLOGON.EXE
8204	CSRSS.EXE
6052	SERVICES.EXE

Loads dropped DLL 64 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exeTrojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exetaskmgr.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exeinstallutil.exeTrojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exeTrojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exeWScript.exectfmon.exeWScript.exeTrojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exeWindows Update.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1904	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
1904	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
1904	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1608	Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
1664	taskmgr.exe
772	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
772	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
772	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
1904	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
2600	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
2712	installutil.exe
2712	installutil.exe
1520	Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
1520	Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
700	Trojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exe
1420	WScript.exe
1420	WScript.exe
1420	WScript.exe
1420	WScript.exe
2096	ctfmon.exe
1348	WScript.exe
1348	WScript.exe
1348	WScript.exe
1348	WScript.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
876	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
4100	Windows Update.exe
4100	Windows Update.exe
4100	Windows Update.exe
4852	WScript.exe
4852	WScript.exe
4852	WScript.exe
4852	WScript.exe
4944	WScript.exe
4944	WScript.exe
4944	WScript.exe
4944	WScript.exe
4688	WScript.exe
4688	WScript.exe
4688	WScript.exe
4688	WScript.exe
3924	WScript.exe
3924	WScript.exe
3924	WScript.exe
3924	WScript.exe
3588	WScript.exe
3588	WScript.exe
3588	WScript.exe
3588	WScript.exe
2884	WScript.exe
2884	WScript.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 11 IoCs

collection

Email Collection

T1114

Processes:

vbc.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exeTrojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exeTrojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exectfmon.exeTrojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exeTrojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exewinMacromedia.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PremiumOs3 = "C:\\ProgramData\\Microsoft\\Windows\\PremiumOs3.exe"	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\Desktop\\00342\\Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe\" /hide"	Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gaudox = "C:\\Users\\Admin\\AppData\\Roaming\\fP7BcvkX7A5q3F8E4ojMGpIGunVq.exe"	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\ProgramData\\ctfmon.exe -a"	ctfmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\{42B16986-B6F0-83FD-F620-9DF2B2002767} = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\winMacromedia.exe"	winMacromedia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Inbox Helper = "\"C:\\Users\\Admin\\AppData\\Local\\My Inbox Helper\\My Inbox Helper.exe\" /delay 0"	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops desktop.ini file(s) 64 IoCs

Processes:

Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeExplorer.EXETrojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exeTrojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini	Explorer.EXE
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VSUVY3HP\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1J27TKW\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\INNMDE1C\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U9KKHJMH\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Public\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File created	F:\desktop.ini	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK3MU41S\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TN6BGAW3\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\desktop.ini	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B8BOMT1Q\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Explorer.EXE
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
File opened for modification	F:\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini	Explorer.EXE
File opened for modification	C:\Program Files\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

description	ioc	process
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1126 whatismyipaddress.com
1139 whatismyipaddress.com
1145 whatismyipaddress.com
2691 checkip.dyndns.org

flow	ioc
1126	whatismyipaddress.com
1139	whatismyipaddress.com
1145	whatismyipaddress.com
2691	checkip.dyndns.org

Drops file in System32 directory 22 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exeOUTLOOK.EXEshell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mig2.scr	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\shell.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	shell.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe

pid process

2064 HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe

pid	process
2064	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe

Suspicious use of SetThreadContext 50 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exeTrojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exeTrojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exeWScript.exeWindows Update.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXETrojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exeWindows Update.exeTrojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exeMy Inbox Helper.exeshell.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeinstallutil.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exeHEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe

description	pid	process	target process
PID 1144 set thread context of 3028	1144	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe	explorer.exe
PID 1172 set thread context of 2804	1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
PID 2040 set thread context of 876	2040	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
PID 7320 set thread context of 2952	7320	WScript.exe	TRC38A~1.EXE
PID 4100 set thread context of 5744	4100	Windows Update.exe	Windows Update.exe
PID 2952 set thread context of 6140	2952	TRC38A~1.EXE	cmd.exe
PID 6140 set thread context of 7108	6140	cmd.exe	cacls.exe
PID 6140 set thread context of 5440	6140	cmd.exe	WScript.exe
PID 5440 set thread context of 8140	5440	WScript.exe	TRC38A~1.EXE
PID 8140 set thread context of 6436	8140	TRC38A~1.EXE	cmd.exe
PID 6436 set thread context of 5396	6436	cmd.exe	cacls.exe
PID 6436 set thread context of 8476	6436	cmd.exe	WScript.exe
PID 8476 set thread context of 6128	8476	WScript.exe	TRC38A~1.EXE
PID 6128 set thread context of 8472	6128	TRC38A~1.EXE	cmd.exe
PID 8472 set thread context of 8496	8472	cmd.exe	cacls.exe
PID 8472 set thread context of 8768	8472	cmd.exe	WScript.exe
PID 8768 set thread context of 6336	8768	WScript.exe	TRC38A~1.EXE
PID 6336 set thread context of 8924	6336	TRC38A~1.EXE	cmd.exe
PID 8924 set thread context of 8916	8924	cmd.exe	cacls.exe
PID 8924 set thread context of 4348	8924	cmd.exe	WScript.exe
PID 4348 set thread context of 8300	4348	WScript.exe	TRC38A~1.EXE
PID 8300 set thread context of 5188	8300	TRC38A~1.EXE	WINLOGON.EXE
PID 5188 set thread context of 8788	5188	cmd.exe	cacls.exe
PID 5188 set thread context of 7792	5188	cmd.exe	WScript.exe
PID 7792 set thread context of 6268	7792	WScript.exe	TRC38A~1.EXE
PID 6268 set thread context of 8656	6268	TRC38A~1.EXE	cmd.exe
PID 380 set thread context of 8416	380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe	xk.exe
PID 380 set thread context of 9112	380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe	IExplorer.exe
PID 380 set thread context of 5188	380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe	WINLOGON.EXE
PID 380 set thread context of 8204	380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe	CSRSS.EXE
PID 380 set thread context of 6052	380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe	SERVICES.EXE
PID 380 set thread context of 9144	380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe	LSASS.EXE
PID 380 set thread context of 8356	380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe	SMSS.EXE
PID 5744 set thread context of 9028	5744	Windows Update.exe	vbc.exe
PID 5744 set thread context of 9028	5744	Windows Update.exe	vbc.exe
PID 2428 set thread context of 7484	2428	Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe	cmd.exe
PID 1904 set thread context of 10156	1904	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe	My Inbox Helper.exe
PID 10156 set thread context of 5384	10156	My Inbox Helper.exe	shell.exe
PID 5384 set thread context of 10612	5384	shell.exe	WerFault.exe
PID 796 set thread context of 11112	796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
PID 796 set thread context of 11120	796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
PID 11112 set thread context of 10928	11112	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
PID 2712 set thread context of 11192	2712	installutil.exe	installutil.exe
PID 5744 set thread context of 10428	5744	Windows Update.exe	vbc.exe
PID 5744 set thread context of 10428	5744	Windows Update.exe	vbc.exe
PID 1732 set thread context of 10444	1732	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
PID 1732 set thread context of 10444	1732	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
PID 2064 set thread context of 15612	2064	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe	InstallUtil.exe
PID 2064 set thread context of 15612	2064	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe	InstallUtil.exe
PID 796 set thread context of 18424	796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe	cmd.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/380-94-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2428-99-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral1/memory/2000-98-0x0000000001090000-0x0000000001189000-memory.dmp	upx
behavioral1/memory/1136-97-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1972-96-0x0000000000E00000-0x0000000000F0D000-memory.dmp	upx
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe	upx
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe	upx
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe	upx
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe	upx
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe	upx
behavioral1/memory/1136-344-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1972-343-0x0000000000E00000-0x0000000000F0D000-memory.dmp	upx
behavioral1/memory/380-341-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2428-348-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral1/memory/2000-347-0x0000000001090000-0x0000000001189000-memory.dmp	upx
behavioral1/memory/2428-409-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral1/memory/2000-408-0x0000000001090000-0x0000000001189000-memory.dmp	upx
behavioral1/memory/348-421-0x0000000000400000-0x0000000000613000-memory.dmp	upx
behavioral1/memory/380-919-0x0000000003090000-0x00000000030BF000-memory.dmp	upx
behavioral1/memory/1868-970-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/888-998-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1176-1010-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1136-1166-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1972-1304-0x0000000000E00000-0x0000000000F0D000-memory.dmp	upx
behavioral1/memory/3836-1320-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/328-1337-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/380-1348-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/348-1353-0x0000000000400000-0x0000000000613000-memory.dmp	upx
behavioral1/memory/2428-1352-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral1/memory/2000-1351-0x0000000001090000-0x0000000001189000-memory.dmp	upx
behavioral1/memory/328-1399-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/3324-1441-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4324-1440-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/4840-1439-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/4840-1446-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/3324-1451-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4232-1498-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/5080-1467-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/3836-1465-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/3836-1511-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4544-1599-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4232-1602-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4448-1688-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4544-1690-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4820-1727-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4448-1729-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4876-1765-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4820-1767-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4876-1806-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/4236-1847-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/856-1845-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/5248-2317-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/856-2524-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/7000-2975-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/5248-2978-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/5600-3654-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/7000-3653-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/6020-4521-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/5600-4539-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/6020-4777-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107746.WMF	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Thatch.thmx	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9B.GIF	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MOFL.DLL	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\THMBNAIL.PNG	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\!!!DECRYPTION__KEYPASS__INFO!!!.txt	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR49B.GIF	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORM.DLL	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0335112.WMF	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlcecompact35.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\!!!DECRYPTION__KEYPASS__INFO!!!.txt	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\!!!DECRYPTION__KEYPASS__INFO!!!.txt	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\!!!DECRYPTION__KEYPASS__INFO!!!.txt	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02384_.WMF	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Engine.resources.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\gadget.xml	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\!!!DECRYPTION__KEYPASS__INFO!!!.txt	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\SPACER.GIF	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_pressed.gif	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.MANIFEST	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe

Drops file in Windows directory 7 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exeOUTLOOK.EXEshell.exe

description	ioc	process
File opened for modification	C:\Windows\xk.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File created	C:\Windows\xk.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\msvbvm60.dll	shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	shell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

10612 5384 WerFault.exe shell.exe

pid	pid_target	process	target process
10612	5384	WerFault.exe	shell.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exeTRC38A~1.EXEcmd.exeWINLOGON.EXETrojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.execacls.execmd.exeWScript.execmd.execmd.exeTrojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.execmd.exeTrojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.execacls.exeCSRSS.EXETrojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.execmd.execmd.exeWScript.exeTRC38A~1.EXEShell.exeSERVICES.EXEcmd.exeTRC38A~1.EXEcacls.exeInstallUtil.exeTrojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exeWScript.exeTRC38A~1.EXEWindows Update.exeTrojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exeWScript.exeWScript.exeWScript.execacls.exeHEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exeTRC38A~1.EXETRC38A~1.EXETrojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exeWScript.execmd.execmd.execacls.execacls.exeTRC38A~1.EXETRC38A~1.EXEcacls.exeWScript.execacls.execacls.exeshell.execmd.execmd.exexk.exeTrojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exeOUTLOOK.EXETRC38A~1.EXETRC38A~1.EXEMy Inbox Helper.exeSMSS.EXEWScript.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exeTrojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRC38A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	My Inbox Helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

3584 vssadmin.exe
4020 vssadmin.exe

pid	process
3584	vssadmin.exe
4020	vssadmin.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

My Inbox Helper.exeiexplore.exeExplorer.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	My Inbox Helper.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	My Inbox Helper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000025ebca568ac947592af4e78c72ec9ce124bcd9b47c8bfeb6c3e6e08450cddc31000000000e80000000020000200000008b10ca23f43207dd75134b603c3c0c5fa03d9afefb5efcbd56a42d0c04c455bd20000000b8469a33c97bbdd2a6aea97c878d65795493522b6a80003f589106c25433efa8400000006bd0351f926cf361a197ae78ed66f615348240b74d947c41ae0517bcad598c0fc17f291546ff5ef895a2ce46af7d7ab9f479fd4c734788bb5b9a290a2cb971c8	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000e93328155f3b3157e082df6e13d56b74ae53e32d2c5f41180a0298e01de89e09000000000e80000000020000200000006b0c89a0b4e2a5ac4d0e7a875a9cbb32b15c2077ceb16bc03be6864717486c96900000009e137d53a71c3d08055ccabdbdc510fa9bbbfc2fdfa3806872cfb372d7ca3ae9e1869f71c60470d7240484f2480ab5cbc34eecb5cf8c8367a06b33fe0caa4813b77887fedc13536ec5919c2e1a58fe6274771f1d2a52f98f284ed8a989266708625bd675eae54a5c11d1cd26042be7ed768e0cbbe3ffd3928af9dfdf1ec82aff27a23aff1b5e7df9861b0f545e71391f400000004f079bfb4eaff16f4042c42c0625806df7bbec6aed908aee13f6d197f7422aa60e83b12e09608d521a4abeca4bf6128702ba6abf0913301e093001b0fb48cb83	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	My Inbox Helper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\My Inbox Helper.exe = "9999"	My Inbox Helper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a084c71f9333db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437420328"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49AAA951-9F86-11EF-AD39-C6DA928D33CD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXETrojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063035-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F026-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\ = "_RuleActions"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\ = "_BusinessCardView"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\ = "AccountSelectorEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00062FFF-0000-0000-C000-000000000046}\9.4\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msoutl.olb"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\ = "_ToOrFromRuleCondition"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ctfmon.exeTrojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ctfmon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ctfmon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ctfmon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ctfmon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe

NTFS ADS 4 IoCs

Processes:

WinMail.exeshell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1AA33736-00000001.eml:OECustomProperty	WinMail.exe
File opened for modification	C:\Program Files\Internet Explorer\IEXPLORE.EXE" http:\results.hdownloadmyinboxhelper.com\s?uid=5e116465-c3e2-451a-847c-6b15ad57e829&uc=20181101&source=d-ccc3-lp0-bb8-sbe&i_id=email_&ap=appfocu	shell.exe
File created	C:\Program Files\Internet Explorer\IEXPLORE.EXE" http:\results.hdownloadmyinboxhelper.com\s?uid=5e116465-c3e2-451a-847c-6b15ad57e829&uc=20181101&source=d-ccc3-lp0-bb8-sbe&i_id=email_&ap=app .exe	shell.exe
File opened for modification	C:\Program Files\Internet Explorer\IEXPLORE.EXE" http:\results.hdownloadmyinboxhelper.com\s?uid=5e116465-c3e2-451a-847c-6b15ad57e829&uc=20181101&source=d-ccc3-lp0-bb8-sbe&i_id=email_&ap=app .exe	shell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OUTLOOK.EXE

pid process

3244 OUTLOOK.EXE

pid	process
3244	OUTLOOK.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 22 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exeHEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exeHEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exeTrojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exeTrojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exeTrojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exeTrojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exeTrojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exeTrojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exeTrojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exeTrojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exeTrojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exeTrojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exeTrojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exeTrojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exeTrojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exeTrojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exeTrojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe

pid	process
1592	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe
1732	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
2064	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
1904	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
2044	HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe
1620	Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
644	Trojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exe
1520	Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
2040	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
1144	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
1608	Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
1136	Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe
1972	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
2000	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
772	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
700	Trojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exe
856	Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
2428	Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe
348	Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe
2348	Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeTrojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exeTrojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe

pid	process
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1972	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
1172	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exeExplorer.EXE

pid process

1664 taskmgr.exe
18108 Explorer.EXE

Suspicious behavior: MapViewOfSection 63 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exewinMacromedia.exeWScript.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXEcmd.exeWScript.exeTRC38A~1.EXETrojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exeWindows Update.exeTrojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exeMy Inbox Helper.exeshell.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exeHEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe

pid	process
1144	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
2056	winMacromedia.exe
7320	WScript.exe
2056	winMacromedia.exe
2952	TRC38A~1.EXE
6140	cmd.exe
6140	cmd.exe
5440	WScript.exe
8140	TRC38A~1.EXE
6436	cmd.exe
6436	cmd.exe
8476	WScript.exe
6128	TRC38A~1.EXE
8472	cmd.exe
8472	cmd.exe
8768	WScript.exe
6336	TRC38A~1.EXE
8924	cmd.exe
8924	cmd.exe
4348	WScript.exe
8300	TRC38A~1.EXE
5188	cmd.exe
5188	cmd.exe
7792	WScript.exe
6268	TRC38A~1.EXE
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
5744	Windows Update.exe
2428	Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe
1904	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
10156	My Inbox Helper.exe
5384	shell.exe
796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
11112	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
5744	Windows Update.exe
2056	winMacromedia.exe
1732	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
2064	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
2064	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe

pid	process
1972	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

pid process

10444 HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

pid	process
10444	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exetaskmgr.exeTrojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exeexplorer.exemmkt.exeHEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exeinstallutil.exevssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeRestorePrivilege	1668	7zFM.exe
Token: 35	1668	7zFM.exe
Token: SeSecurityPrivilege	1668	7zFM.exe
Token: SeDebugPrivilege	1664	taskmgr.exe
Token: SeSecurityPrivilege	2348	Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe
Token: SeDebugPrivilege	2348	Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe
Token: SeTcbPrivilege	2348	Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe
Token: SeDebugPrivilege	3028	explorer.exe
Token: SeDebugPrivilege	1528	mmkt.exe
Token: SeDebugPrivilege	2064	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
Token: SeDebugPrivilege	2712	installutil.exe
Token: SeBackupPrivilege	3628	vssvc.exe
Token: SeRestorePrivilege	3628	vssvc.exe
Token: SeAuditPrivilege	3628	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3644	WMIC.exe
Token: SeSecurityPrivilege	3644	WMIC.exe
Token: SeTakeOwnershipPrivilege	3644	WMIC.exe
Token: SeLoadDriverPrivilege	3644	WMIC.exe
Token: SeSystemProfilePrivilege	3644	WMIC.exe
Token: SeSystemtimePrivilege	3644	WMIC.exe
Token: SeProfSingleProcessPrivilege	3644	WMIC.exe
Token: SeIncBasePriorityPrivilege	3644	WMIC.exe
Token: SeCreatePagefilePrivilege	3644	WMIC.exe
Token: SeBackupPrivilege	3644	WMIC.exe
Token: SeRestorePrivilege	3644	WMIC.exe
Token: SeShutdownPrivilege	3644	WMIC.exe
Token: SeDebugPrivilege	3644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3644	WMIC.exe
Token: SeRemoteShutdownPrivilege	3644	WMIC.exe
Token: SeUndockPrivilege	3644	WMIC.exe
Token: SeManageVolumePrivilege	3644	WMIC.exe
Token: 33	3644	WMIC.exe
Token: 34	3644	WMIC.exe
Token: 35	3644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3644	WMIC.exe
Token: SeSecurityPrivilege	3644	WMIC.exe
Token: SeTakeOwnershipPrivilege	3644	WMIC.exe
Token: SeLoadDriverPrivilege	3644	WMIC.exe
Token: SeSystemProfilePrivilege	3644	WMIC.exe
Token: SeSystemtimePrivilege	3644	WMIC.exe
Token: SeProfSingleProcessPrivilege	3644	WMIC.exe
Token: SeIncBasePriorityPrivilege	3644	WMIC.exe
Token: SeCreatePagefilePrivilege	3644	WMIC.exe
Token: SeBackupPrivilege	3644	WMIC.exe
Token: SeRestorePrivilege	3644	WMIC.exe
Token: SeShutdownPrivilege	3644	WMIC.exe
Token: SeDebugPrivilege	3644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3644	WMIC.exe
Token: SeRemoteShutdownPrivilege	3644	WMIC.exe
Token: SeUndockPrivilege	3644	WMIC.exe
Token: SeManageVolumePrivilege	3644	WMIC.exe
Token: 33	3644	WMIC.exe
Token: 34	3644	WMIC.exe
Token: 35	3644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4028	WMIC.exe
Token: SeSecurityPrivilege	4028	WMIC.exe
Token: SeTakeOwnershipPrivilege	4028	WMIC.exe
Token: SeLoadDriverPrivilege	4028	WMIC.exe
Token: SeSystemProfilePrivilege	4028	WMIC.exe
Token: SeSystemtimePrivilege	4028	WMIC.exe
Token: SeProfSingleProcessPrivilege	4028	WMIC.exe
Token: SeIncBasePriorityPrivilege	4028	WMIC.exe
Token: SeCreatePagefilePrivilege	4028	WMIC.exe
Token: SeBackupPrivilege	4028	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exe

pid	process
1668	7zFM.exe
1668	7zFM.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe
1664	taskmgr.exe

Suspicious use of SetWindowsHookEx 46 IoCs

Processes:

Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exeTrojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exeTrojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exexk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXEiexplore.exeLSASS.EXESMSS.EXEWindows Update.exeIEXPLORE.EXEOUTLOOK.EXEWinMail.exeWindows Update.exexk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXEMy Inbox Helper.exeshell.exeShell.exeShell.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeTrojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

pid	process
348	Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe
348	Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe
2040	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
380	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
772	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
348	Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe
2428	Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe
2600	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
1868	xk.exe
1176	IExplorer.exe
888	WINLOGON.EXE
328	CSRSS.EXE
4324	SERVICES.EXE
4000	iexplore.exe
4000	iexplore.exe
4840	LSASS.EXE
5080	SMSS.EXE
4100	Windows Update.exe
4632	IEXPLORE.EXE
4632	IEXPLORE.EXE
3244	OUTLOOK.EXE
7092	WinMail.exe
4632	IEXPLORE.EXE
4632	IEXPLORE.EXE
5744	Windows Update.exe
8416	xk.exe
9112	IExplorer.exe
5188	WINLOGON.EXE
8204	CSRSS.EXE
6052	SERVICES.EXE
9144	LSASS.EXE
8356	SMSS.EXE
10156	My Inbox Helper.exe
10156	My Inbox Helper.exe
5384	shell.exe
10652	Shell.exe
9348	Shell.exe
796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
796	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
11120	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
11112	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
11112	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
11112	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
10928	Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
10444	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exeWindows Update.exe

pid process

876 Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
5744 Windows Update.exe

pid	process
876	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
5744	Windows Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 664 wrote to memory of 1592	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe
PID 664 wrote to memory of 1592	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe
PID 664 wrote to memory of 1592	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe
PID 664 wrote to memory of 1592	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe
PID 664 wrote to memory of 1732	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
PID 664 wrote to memory of 1732	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
PID 664 wrote to memory of 1732	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
PID 664 wrote to memory of 1732	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
PID 664 wrote to memory of 2064	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
PID 664 wrote to memory of 2064	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
PID 664 wrote to memory of 2064	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
PID 664 wrote to memory of 2064	664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
PID 664 wrote to memory of 1904	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
PID 664 wrote to memory of 1904	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
PID 664 wrote to memory of 1904	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
PID 664 wrote to memory of 1904	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
PID 664 wrote to memory of 1904	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
PID 664 wrote to memory of 1904	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
PID 664 wrote to memory of 1904	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
PID 664 wrote to memory of 2044	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe
PID 664 wrote to memory of 2044	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe
PID 664 wrote to memory of 2044	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe
PID 664 wrote to memory of 2044	664	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe
PID 664 wrote to memory of 1620	664	cmd.exe	Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe
PID 664 wrote to memory of 1620	664	cmd.exe	Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe
PID 664 wrote to memory of 1620	664	cmd.exe	Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe
PID 664 wrote to memory of 1620	664	cmd.exe	Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe
PID 664 wrote to memory of 380	664	cmd.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
PID 664 wrote to memory of 380	664	cmd.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
PID 664 wrote to memory of 380	664	cmd.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
PID 664 wrote to memory of 380	664	cmd.exe	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
PID 664 wrote to memory of 1172	664	cmd.exe	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
PID 664 wrote to memory of 1172	664	cmd.exe	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
PID 664 wrote to memory of 1172	664	cmd.exe	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
PID 664 wrote to memory of 1172	664	cmd.exe	Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
PID 664 wrote to memory of 644	664	cmd.exe	Trojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exe
PID 664 wrote to memory of 644	664	cmd.exe	Trojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exe
PID 664 wrote to memory of 644	664	cmd.exe	Trojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exe
PID 664 wrote to memory of 644	664	cmd.exe	Trojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exe
PID 664 wrote to memory of 1520	664	cmd.exe	Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
PID 664 wrote to memory of 1520	664	cmd.exe	Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
PID 664 wrote to memory of 1520	664	cmd.exe	Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
PID 664 wrote to memory of 1520	664	cmd.exe	Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
PID 664 wrote to memory of 2040	664	cmd.exe	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
PID 664 wrote to memory of 2040	664	cmd.exe	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
PID 664 wrote to memory of 2040	664	cmd.exe	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
PID 664 wrote to memory of 2040	664	cmd.exe	Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
PID 664 wrote to memory of 1144	664	cmd.exe	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
PID 664 wrote to memory of 1144	664	cmd.exe	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
PID 664 wrote to memory of 1144	664	cmd.exe	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
PID 664 wrote to memory of 1144	664	cmd.exe	Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
PID 664 wrote to memory of 1608	664	cmd.exe	Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
PID 664 wrote to memory of 1608	664	cmd.exe	Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
PID 664 wrote to memory of 1608	664	cmd.exe	Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
PID 664 wrote to memory of 1608	664	cmd.exe	Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
PID 664 wrote to memory of 1136	664	cmd.exe	Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe
PID 664 wrote to memory of 1136	664	cmd.exe	Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe
PID 664 wrote to memory of 1136	664	cmd.exe	Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe
PID 664 wrote to memory of 1136	664	cmd.exe	Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe
PID 664 wrote to memory of 1972	664	cmd.exe	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
PID 664 wrote to memory of 1972	664	cmd.exe	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
PID 664 wrote to memory of 1972	664	cmd.exe	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
PID 664 wrote to memory of 1972	664	cmd.exe	Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
PID 664 wrote to memory of 2000	664	cmd.exe	Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

outlook_win_path 1 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00342.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1668

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:664
- C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe
  HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
      4⤵
      PID:11192
- C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
  HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  PID:1732
- - C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe
    "HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:10444
- C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
  HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15612
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" os get Caption /format:list
      4⤵
      PID:13720
- C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
  HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  PID:1904
- - C:\Users\Admin\AppData\Local\My Inbox Helper\My Inbox Helper.exe
    "C:\Users\Admin\AppData\Local\My Inbox Helper\My Inbox Helper.exe" /firstrun
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    PID:10156
  - - C:\Windows\SysWOW64\shell.exe
      "C:\Windows\system32\shell.exe" "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hdownloadmyinboxhelper.com/s?uid=5e116465-c3e2-451a-847c-6b15ad57e829&uc=20181101&source=d-ccc3-lp0-bb8-sbe&i_id=email_&ap=appfocus1
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:5384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 484
        5⤵
        Program crash
        
        PID:10612
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:10652
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:9348
- C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe
  HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2044
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe
  Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1620
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
  Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:380
- - C:\Windows\xk.exe
    C:\Windows\xk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1868
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1176
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:888
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:328
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4324
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4840
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5080
- - C:\Windows\xk.exe
    C:\Windows\xk.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:8416
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:9112
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5188
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:8204
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6052
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:9144
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8356
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
  Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Modifies WinLogon for persistence
    PID:996
- - C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
    Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe
    3⤵
    - Executes dropped EXE
    PID:2804
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exe
  Trojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:644
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
  Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1520
- - C:\ProgramData\ctfmon.exe
    C:\ProgramData\ctfmon.exe -a
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies system certificate store
    PID:2096
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
  Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2040
- - C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
    rojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of UnmapMainImage
    PID:876
  - - C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4100
    - - C:\Users\Admin\AppData\Roaming\Windows Update.exe
        
        C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of UnmapMainImage
        
        PID:5744
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        6⤵
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        
        PID:9028
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        6⤵
        
        PID:10428
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
  Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  PID:1144
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\system32\explorer.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
  Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1608
- - C:\Users\All Users\mmkt.exe
    "C:\Users\All Users\mmkt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe
  Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0P0JC783.bat" Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:696
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
      4⤵
      Loads dropped DLL
      PID:1420
    - - C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        5⤵
        Executes dropped EXE
        
        PID:3324
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUR42U24.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        6⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        7⤵
        Loads dropped DLL
        
        PID:1348
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        8⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWFAVR72.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        10⤵
        Loads dropped DLL
        
        PID:4852
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8P7PHA6K.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        13⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        14⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0EFMM50M.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        15⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        16⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        16⤵
        Loads dropped DLL
        
        PID:4688
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0MJEQVKQ.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        19⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        20⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\40E2R842.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        22⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        22⤵
        Loads dropped DLL
        
        PID:3588
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CNFTAYQV.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        24⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        25⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        25⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        26⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIB5SIB0.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80YFTXX9.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        30⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0PVDY7DN.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8278MYDT.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        36⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        37⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        37⤵
        
        PID:6248
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        38⤵
        Executes dropped EXE
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0H40YDXB.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        39⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:7288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        40⤵
        
        PID:5828
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41T1LAQG.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        43⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8W0JBJQU.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:7864
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        46⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        46⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:7320
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\89EGGBTG.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        48⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6140
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        49⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        49⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:5440
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        50⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:8140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEMT8S8Q.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        51⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6436
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        52⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:8476
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0AMGFW3F.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        54⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:8472
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        55⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        55⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:8768
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        56⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0E576V8P.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        57⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:8924
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:8916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        58⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4348
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:8300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYIFKM6C.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        60⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:5188
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:8788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:7792
        
        C:\Users\Admin\Desktop\00342\TRC38A~1.EXE
        
        "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE"
        62⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:6268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CFD7SF1W.bat" "C:\Users\Admin\Desktop\00342\TRC38A~1.EXE" "
        63⤵
        
        PID:8656
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
  Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:1972
- - C:\Windows\system32\cmd.exe
    /C wmic shadowcopy delete
    3⤵
    PID:3240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3644
- - C:\Windows\system32\cmd.exe
    /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3256
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3584
- - C:\Windows\system32\cmd.exe
    /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3268
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3636
- - C:\Windows\system32\cmd.exe
    /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3276
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3836
- - C:\Windows\system32\cmd.exe
    /C wmic shadowcopy delete
    3⤵
    PID:3172
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4028
- - C:\Windows\system32\cmd.exe
    /C vssadmin delete shadows /all /quiet
    3⤵
    PID:2484
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4020
- - C:\Windows\system32\cmd.exe
    /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3396
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4024
- - C:\Windows\system32\cmd.exe
    /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3408
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3556
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ReadMe-w3c.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4000
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4000 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4632
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
  Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2000
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
  Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:772
- - C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
    "C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2600
  - - C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
      "C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe" --Admin
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious behavior: MapViewOfSection
      Suspicious behavior: RenamesItself
      Suspicious use of SetWindowsHookEx
      PID:796
    - - C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
        
        "C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe" --ForNetRes x5I74v4h003xJ0iyhUfHQ8W6o0RDSicmSfg72KVA 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:11112
      - C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
        
        "C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe" --Service 11112 x5I74v4h003xJ0iyhUfHQ8W6o0RDSicmSfg72KVA 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:10928
    - - C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe
        
        "C:\Users\Admin\AppData\Local\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe" --Service 796 x5I74v4h003xJ0iyhUfHQ8W6o0RDSicmSfg72KVA 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:11120
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        5⤵
        
        PID:18424
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
    3⤵
    PID:2304
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exe
  Trojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:700
- - C:\Users\Admin\AppData\Roaming\Macromedia\winMacromedia.exe
    "C:\Users\Admin\AppData\Roaming\Macromedia\winMacromedia.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa485238f.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3476
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
  Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:856
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe
  Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe" "C:\Users\Admin\AppData\Roaming\osk.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7484
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe
  Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:348
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe
  Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Wanna.zbu-04f468bec220fa9dfd4897adf86f28f8ceb04a72806c473cd22e366f716389a3.exe
  Trojan-Ransom.Win32.Wanna.zbu-04f468bec220fa9dfd4897adf86f28f8ceb04a72806c473cd22e366f716389a3.exe
  2⤵
  - Executes dropped EXE
  PID:2140

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3244

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:7092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-119220802929929831535698211511898166331162668440242453893982256658-504155174"
1⤵
PID:5792

C:\Windows\Explorer.EXE
"C:\Windows\Explorer.EXE"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
PID:18108
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!!DECRYPTION__KEYPASS__INFO!!!.txt
  2⤵
  PID:25208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5c0
1⤵
PID:18576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Change Default File Association

T1546.001

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Data Admin.exe

Filesize
45KB

MD5
28acf0bfb37cb08a04cb3960886f7448

SHA1
0add17424ef7f5a6bd63d9d314e03e5ed38b18cc

SHA256
92ceb8cb0d819a17ae682b2d646798fcf06aa7c9a2025de8a31af7837c3de5c3

SHA512
bf610ac956047de1791df14c27b1b64d04959c565c714f9c36e783b4c63b9b5a8045070e99e906d3aa7d0204dece5819914e9d06f2116b3dc9d5a61243c9e030

Download Submit
C:\MSOCache\!!!DECRYPTION__KEYPASS__INFO!!!.txt

Filesize
1KB

MD5
daf2d6b2d0033ff60b7da2b3dabc5a0f

SHA1
b33c6ddaf9782cf29dd69dcc093aeeddf33506b1

SHA256
ea770e96140a6a18280b9cd118bbfd68d72e95d9daacfe0dd1925e277e074077

SHA512
72e154960498fc7cc2b26a98ba0e06920a4f2c8eeb56189448ec28ba26e2667d894b6b2c42228cac4ca37d0e50e0cefd4c197c3e4c7261ca8c0a3a045caaeaab

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML

Filesize
582KB

MD5
ae4672326f935e8fda0275ccbf6d0d56

SHA1
59799215328f11eeb332578528082cef34b39dcf

SHA256
84607ab80f956674ed2c43dca857152694be7c620827ab374e321571d319bb6a

SHA512
9eb809a54b91d30563634206a1c2e55f4d35757e45544e552754714d6314a22e37442d9c0e9286e306fc01e853eb00ff8e94421565f8870419f101328b657ee1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
114B

MD5
8d10d878f388b5c7726ff3433fc79204

SHA1
45b25f38831830f7c935e87475c7888f365cdd22

SHA256
e05db82824103b6d5c322c6880e85a5d00b36d9335740dc66b30095f966b10e7

SHA512
1c4ea5c3b7299dd57e204af74ef8e6cb1f5b07860c519c96041577be8622ab1ea66ad5831fb2548f7813af2d7d39a0c942f6e8bf3f0c0111d890cef4cc8d00ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
113B

MD5
36b3d706127f67f7b6a44a5f5ed00b2c

SHA1
059220c9137ec81b2903ef0183730664b6e68e88

SHA256
0404439dd2d4f55740bde30183f35c6d124cdf925199c2a557dc92a9db1316c1

SHA512
ba63b8dee51efbf5efa6d71f60afc25ed4ca41b4e8f675f6424c607832d61877bd1ae59957977767b3003da99625d0be60ad3a40cf3629a255e74d247d0b5583

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
52d7b4c065fc1d588bd6e81a3205ceb5

SHA1
3be9267f2de77f713d89f7082074cb3c7ce80223

SHA256
ae9bbba7dc89d6729c2f4581b6f1f56cd2badaff73a1cd6747712ed9e98d4e0c

SHA512
23cbfa104aa8cba3116e96eff43a6ed58c1f58939a39b2c8d12ff7a7fea8e383a092cd08a0976ffd2e676d934b399c7810e675f21aff3166cdb5da13f668ec0b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
e4e4cf6f3212f0c69a156b73cf6968d0

SHA1
d209cef66f2308ad74ad7a7a7023f09ffcd965ce

SHA256
0a61c6a7ab34d5df358564ecb26457a7c73b6385f63cb345bcb349839c4409ce

SHA512
9c10d96915c9c06a4402db7a721625526802edc354cb6a777af6a8f476a0712271087c1312602b8c15c5ab90238defadcb12ec0445d232f884d3963a3399c47e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
239KB

MD5
4799a20596957e80f04182ec1716d551

SHA1
e76f10a116a2c4fa4c7ea2c4302d8693c68307ea

SHA256
ce875080c613ec47d13c0c831d7ac1c345ab3da69b80497417dcf78f9b9c696c

SHA512
8436fd059f934c545a2d39e9cdf321d2c563545155f43e5f92ffa467ce23d01489df31e61ed875851a05ec2bd3602f55a89a0d5df27d3b4c3a87b0c365b7c618

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
0195ecbf4454ef0dc683e99adbe5fcee

SHA1
d7bd5f0f8663d18b728f254868f26d4362a91aee

SHA256
5e4461c84d7e3df93f241cb092363446dbfe3369073d30a7ddef94ca93defe2d

SHA512
e4f7e6363e8ec64f20c2fa48a0ae7e79266a602d7ac21ccf9717c1c5768380a7d5bce6f7d5096a39b2ca7c124b72a1d02c42ba40a171e5ce36e440f2962af8fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
b7bc13b8c8367b0a4a8d2bf9266a1f0e

SHA1
6f38ed1b7078598953145405ac697e51ddf94b0f

SHA256
98907029ef08e17c064e9494c4ea7250c898baaf396488e36394fa4bd5e374ab

SHA512
262e691ad84da03bd4c49aa92caa613031e27a413a9ca757c4225288354b51bd65ce79a84cc3acbbff0e4ed655ae676e67edc432abdb6d2215909df68550a1c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
e862debbbdb2e021cacd1725cba30745

SHA1
55258bb5569824b4e60d635d002ef6080c5a363c

SHA256
84a5553a3c0c191052669cb1e067013c9c58079700a374e917f0ecdc16ee1596

SHA512
d756f549fb7559c2ceaa897ed019f4f93c480f3f33ca68b8a53e3689867a5d8e107522c41b28caf79c5e2a8e0c8d599ce5e7a5cf7b4bf81e6476197a973b148d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
e4c450fdd1bbb719a7d678c4f989a366

SHA1
bbcf5869c7caee7c261d5689286b10a9c5a71dad

SHA256
5c50742363e7b1ecfe4b93660496a06212a2e54f6e8f994020440acf050afa73

SHA512
c34d7c1362f0668c130a1f2012994b83e31249cb1c2a6beb5dcc4ff4c807010c65a83ef42e77263d1560027f0059ab6549f846129882de100966b7679a124450

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
eaf1dc1d9a7abbf2b62ff40c3376dff5

SHA1
05b0cfdacc2e6833625c24c8f40689e5d9c6780c

SHA256
4db1820915b860088d68f68885caf19fae2dbcd7c5b3f2259c5de477bd41680f

SHA512
f58d5146482c379da4509548e1b0eaa469d8f5216096ef607a38da70afb81fd8eb54d01b1aae4e823d88840c87b7a6bc997a822371f3c73db551f0b85a9897f6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
6a306d125a8382e7637713db9e8c999a

SHA1
0a512d07fe1d69e0f8e162ecee27aa815439e6ff

SHA256
7c0a63965b06ab37293ab2a14c432d86bae0a02cd94818b2b566a4593e25d47c

SHA512
ebcffe1ba2b27141a082d7eb229905b1c857a6dc8216a55890dd19ae0b2bd3c83ddad3460265676e0dd89f909a7af46d752815268c4cde09e9458ebb7b089a7d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
df21adbb0024c558202038325a451754

SHA1
c1116607adf5b0859869b6569bc3ea9896db9436

SHA256
81ebf02d6eed6cc3d167b5eaf2a95a882a7e50f9ec21b38a5cb7885c5148b58c

SHA512
590b3b57fc68c967c7785b594af4ca50f0e6a81d640a793079520972c07f40eb8aa290a6306436311f3b09083e8c231313b47144ef23b8b5f5dabec2f1a8a2e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
06006943faf42a04ba0f9b14d0c8155d

SHA1
14f344aa5db18bca4a5ad57f4accd90b9c4152b3

SHA256
ac03e08f610b04e5bef6a896cf1c00801d16a4728c9306192c6c533632550daa

SHA512
e8cefbf7f1c8ae1f9b6e41e993ededbfe64bdab9e06f28c5c4e468b54e6974e0a648240ebc7b53eacab0098b5c73d34b7d0383627067318f6effe15b5a84e5b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
dc8112ae8504289472cf9b80a6aef5e2

SHA1
94a0552eb8f3d5fb97d9052c93a6abdfbc16ba1e

SHA256
09bba55e23a8833eaac5a359c707f0fa07959baac0f37f62a2ef35aacadce509

SHA512
a52f8970e16ddc49c156b53c15fe57e7a94e965e81a41c4374eabc3080e497bd1e0e8e14601880854546046366c3161463f48c7d046a273b64b6f3a8d1e72e7d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
b33281349f5000185d167afc641faf5e

SHA1
7d2cb3c991784828c374dcf1f490ce72d7cf83a0

SHA256
ad393167ba5612082bcaf324b25a8e81c7cea500b51f4c6bc7c5a0676cdd0586

SHA512
a832d3020bcfda99ed27202802d560a20ecb8f6a00efb8cd703bd8b915e9a93dbfeb175fb952be5d5d1d6e364887f029374ab398973e53a9bed11f9412fa6ed4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
14dd36f07b097546cd4525f1c4388151

SHA1
cb2aba5a0f02140639a35b3daf319e4422225e07

SHA256
40290b0ca2c546e7f2c8db5a5f236566ebda1b8dc9349a180cb94a11ea5cdf02

SHA512
2b75d93a359a0ffdc300986467416180b0bd63b89ccb9eec2349a1fcf32a587c755ebd529da80206a9e48d825a9935da777ff513de19d8741f2621b7edf0464d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
cfb02edfdbdd9ed54d1d2560926265c8

SHA1
769994b8b748b230aca3c1c4eecf1af9c67b7381

SHA256
947cfeee232612b3ab3cb5cdabceed02d6fc8452fc7a1ad9c4a888be8b5cb17d

SHA512
9e4ac3f927ec8f20d228471634c226884717273efbb428d481a78bc0dbdbcb5728aa4eaf6b4a013d0ff566f4d2c59580686d16af5da8c10cf64aa97926cabff6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
ef51f420d92d8c8d1e5d362eb54d5f46

SHA1
04917f29d04a2420930be95facda1aac076b4237

SHA256
036108fae5d71f68c6764513febf9baf8e49ebed53b6b7f19196e702da27014b

SHA512
021d977a980de3f8a6c5d6489c6a3dfbc1b6d2f1e739679abb69769d66da0d99f9539825dc3e8f68b4ace48392a63b64daaa02bbd8fe2fb613e2d1f8c00a7357

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
c7330345bfbb102db3004fe5f2a7802f

SHA1
1ab084640ae544619726f1d2c5b6423da602e05e

SHA256
08ec90ce539ef610f8753b3c1fc745d0bb5f4621d80e6f493aab6f18a5118e03

SHA512
07a4879406ba99605abe3d4d926a3a8b39a92480e93c41e5e2c541c8d88dc5a669b50cd462b1c54411e85cd09dea992a38998c542c90c0ec14450be8e9e651fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
d238d0dd974b8e3a7fe09cf14b4f04b0

SHA1
f091edf1f060a5338fe76257eeb825570b5ca3fe

SHA256
ef8179b8bc153bc437d1b84274ecc8448076d646f4cf21829aeddb75a09383ab

SHA512
9a0044417d2a4794e1c429382d5b56a473b696681e03b76af9b642c29ae3c8e9beb7d0f3432045c3f707e6be298d205aac4fb84e208781273a46830820931430

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
369e205a610cab65c15f8965af6094cb

SHA1
bd03e0b7291788a522c72f647c51ae1071ef387f

SHA256
04dbc9dd3f1b92313c210f0410ed1e6fef5b386b0b4762e521d68912bcf4173d

SHA512
94dd7e731def9cf4f2b22e10cfb99703e9252658f7c38d0fe0ac03662786d84123f7c1ab75f0157144e49c5432043d9fff8865e43d278480667aaf748bb0c1cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
ea910dd6cd19fffd51de14d2579e055b

SHA1
0049af78751115e9b9e1c821adecae7007f20d2a

SHA256
2ab06730fab323024085d3ca5faad1d44d8633ff9ebccd10f29e2fa6961a9a0a

SHA512
1e414afb2f50b35320c468702afa688af5d93d40cf758dddccd292a4f5e7ee7b49d98c3ce3b7753d62e15c786bba441d0d98d4c409783c367b22461038cef0ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
318B

MD5
2ef9b426f6c7707589d9d0bd73af4e72

SHA1
e6a0ac87ab4a3d0d7b4d95b8230f5013e91a9541

SHA256
07dabe9aa7b3d5282701a4d7287a009de6794fe42a336fe2517765ce1c7ac9f9

SHA512
0544736773cbaaa90163fbc45b039cbe1568f73d6f68b4772cd770293e55f6a3826bd1f555527ab67545725bc0523cf8d9254494335c3d17363640c6d24c0bd3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
0c4b57c70c58642039c4a1e143447fe3

SHA1
a39c0f1bb8de878497aecf6f6e0d2aa1d4e66901

SHA256
5c708e6399f47a1014fbc142c21bd4d1d0691294b7e351e7ef6e0d4efb56fb39

SHA512
f60eb7d0c8077c6ba080244f745c1f9168065abd5fc68a98b784b9aba54a8299d6fae13d3caa02e32adc21cb64036cb5a2ea7beed7041de415f2e2f5ec20a492

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
5283a5a5e6ca14037baaf8a80602049d

SHA1
3249fdd11c7ef50a6c0200a853295929ea0194da

SHA256
20282de87c5ae8ad08812f042392723577dad552e7a10fd08f2696fe45cd92e2

SHA512
93b51140bf3dfa9140bfaa62ddfc18cd903627d36c26c8d9a627260aa62362b3d3b94d3172d53d788ca02978c5c640a9c35a6041c8012eaa93043c455b76b7fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
bbf27325e25f8a4cd8ae36df936cad1f

SHA1
a8c83d43d53914498e468ddf00a3780515e01f41

SHA256
e5faa2382c2e3eef2db9f7e0c7211e8bf1498f201811c0fba567dfed77815d82

SHA512
d1d24c201ed5c514d1ce50002b685fed5f53427ce7abf5c46d8cdbe9a6bde7e1f9bc920511b18361a308e6b0944980643aff2f47bd0abe2eaa02e64681a335ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
7eeb5489a375d5693e8686a8e9c6a262

SHA1
93d6880deace8d4f6db31a73115c8f883181810e

SHA256
60ab84a0553ac76c8c065141672a67eda8472dc92321c8f3bc78abd482338607

SHA512
d8646dcbf9c2e8e7ea9e818ce77fc3a81a53c9ebfb214eb850b3802bcaefb21b1211fef32b1e6bf66ff027b655b6d52171736a875e7ee9c9a36b92dd458f3e8f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
6ec140e430a80185837eebd41e5e004c

SHA1
193535ee98571fec6d930028a31a960e6b429dd2

SHA256
cc9a0c083957f6c708835f5ba137abe7c503009e5036602e5c58901ae41f46a7

SHA512
a023b58f40b5f5d51456783f1a40819dbcf1b82c606b5e10c61e9cf9878989fe4231f490a42f1506203a3f30eec0587f93e5b635dd20c3faadf7f755cde8a7ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
b3b324cbeb649ec1503048653cfbed4b

SHA1
5a684f4f3367252f37f2c2da6c4479f459d2e42e

SHA256
9e2cede8e1249f2c40a6ac0bfa204d2d9bf9cfa124fe211c2a6f50b9e6bf90a2

SHA512
14ee1f4043bb7f2606ff761ea77dc759fa2a6e05fac85cb4b3fa9c36387d75ac4d3d4fbb79077263b34908492098dca3ee0f7981b3184e0dc2ae903c984c855e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
e404b5f67829b5a4fbe37b3abd0aaed2

SHA1
c7eea6baa398fe46c3eec61b41aecf1be47dd07b

SHA256
721732509c64d9985ffd1940d8efed2faa1d66814e506ee97f526e498d14cede

SHA512
b9461b485bad98839bf14e1229ccb4d7fb544f7f0b76d154c009b930226d6e3c23d6dc6a44d44c4e1400ffd7b12c3410ee60f7226b75cb04480e63f1241d665f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
b0c8b3128de53638924fe0fd09e4dd66

SHA1
1b3271c5fa9ae261014f494ab482d9a06744f377

SHA256
d7a80d904002106c51f88687284d377da82d6e94559f502bfeb7c187765469c4

SHA512
f0cbaae4aeb74f6bb382943a4976f2d70f40c5c0834f1428eb93e7e072b46a5f42c9403bef351a41a4f7bf8c29d8eb90d436c77c49afc0f5b1280713afdd1c29

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
71c2993f804f8e2003e896253089afc6

SHA1
8c0a147fad3f4e861ed4fea84e491be914eea3fd

SHA256
f20adb4f2ad0b2950c72dbc3e30ec2aafde4c9a3ce4d64c2f45447d688b80d14

SHA512
0cbb6954e1c42b57f55574ecb51b396eaa503eec1b046bd273ff4de289edaf93a58f97419e7231ccd95555853e2d52764e0b736b39a163350c863cff199870f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
d3566b8700e2ae0f106e46b73f559d67

SHA1
93414da8beb85273ce6d8358436bfad0721de66b

SHA256
7475d31242b29fd83f88ec1cfa7233078cc388146b4b1d61078ba9a2282ea14a

SHA512
5f81f941a1bc375a4111e0be6576ad3b8856fc8cff569c24ecf73e438e9b082f57e79b84fa521eb2323a8f33acf2b143369dd2d898b2e298e92c8c2e53333ff0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
462B

MD5
800b98790298ff9e276eedce97c41562

SHA1
001520046d0bad659eaba644453dea42fc0499a4

SHA256
9730674edd0b5ff12f2f0de719ced505204a6608afb28f72c3e7b46054769778

SHA512
1eb49515b44b89a6d5bf6a7d6df209a1beb46bc82999e68b4ca7e2ac76ba9897ecc6a184d142d56fe85bb17cc6f38f77a84f2b7ca0509116001335127cbbd263

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
264B

MD5
e2c5e3388781810492147b1b99eafa7d

SHA1
f1e8c095f22e39ed67d982bdacd5558d2e9eb09d

SHA256
4818704f75d590b8bb918009e483f2ade4c58633206567dc60dfdc437068ca50

SHA512
992df0a6cbedf7c1630752337b074e94a9189cfd98486ab4d7bfbc457b3e42e2a0701c7d23dc13fa87812f27ae0a10bf42656225b05d508af5b7360d5f353be3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
e1fe4fae3f9cff7c82f1245e6d29d8e5

SHA1
75503ec9061b401f0632cccb784e11e30931c632

SHA256
f5b4622ca041c0e17b3dd5dbcd46ce89e001ce24081444b4396bcf8df9319718

SHA512
177b08537e885acc7afc78fb0c951ba2ed41f86864940d9876c2040bd49595672149a77b164e93ea2c3a8f86871b0425fec55d2431b8a5fde5090c1861a4840d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
9008ae975d2ea32465f942942854c08c

SHA1
7eea1de42081bce86e2d024bd36f864b2c190e46

SHA256
31c8eca5c5fdc8505b478fb816b00cc6986c6bc0ef1e29ec14dd2a1148e10700

SHA512
00849f46513279ebfce51268b3619011effcc2a56bfeea4af80f11c8f88477170b0b66ba4a59bff457aab35d880462d6871c6a78eeb0ddce9258c8a581180297

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
f781315e94bb4f9ea00bdeb730bd7804

SHA1
1745185fa55c430d6da29ebab91197c92ffbfb19

SHA256
925112b9b2caaeecbdf8be8af79b270983e55fff839fef19f097378140a8555a

SHA512
e2f2cc2ebb23478ca8054038a10e330cb8ba42b87363a5b40104a2e2a236e5280fc88e343eff58c5ba95683c947a5f66e2e0057dfd91f140fc9c7c7e67e70796

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
8325b3b84d8f7f1c8e6af91349a0bf8e

SHA1
d6003b95a4c3cc06758a486cbd384dcef6971a5b

SHA256
599e69559e834bd8bf2e656b52b71d3127f5c8f3a1fae442407735597f5bf471

SHA512
1bf55e3afd6212128e14f69e372f13b0969ee823d472ef1e01f9f14e191ea55eff52f64670f45029c78a4b58283bebfafb12f41b180e62bb93a2ef997971c802

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
6c759885748a95da1eb505d7a933d0f5

SHA1
fe42d0bce97acc9baf8c114a0fdc74e452546222

SHA256
e4a36dd47836c34bf5158cd5bdfce3c634b0097de73101c72e018fbcd3bb866d

SHA512
ecb94bf506f3ac0a42abc42b5629756a414b787cac1bd89949e2154174ddb4db3c58df56cd606048e67f7d2bfad5131876cfba4a79599e3ef8d5c7be557d9b1d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
21430d30c4d6b0132fbcc08b089d5dfe

SHA1
beead65017b2a4c06fcf1900a4f66bbf9a8369c6

SHA256
61a3ada9d283d40f5fea665c4d1cc8f86bd31bc38be19b6a2e0669e40737a41f

SHA512
de1438d0d03dd9757f6b7b0f76fc81e18d70a44b7780c08f2501c8e7cc0e166bfadea25bacb7784ac04ab14ecb20791f46971acc91aad1adc2aa13cf51474f59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
eaccfec83a5217a62fd3197c3496d3dd

SHA1
8ec3fc28da3d7bac7e40967e88b6bc1c551e5e0a

SHA256
faa690693d4ae76e5b09581c711452e75695a5706695d4472a302d1e2c5d3eb9

SHA512
201245f48ecdcedcd13fe748d0a24295c44a88a408de8fb0fd67ea283adb393b60b21c6eb7d8390a7ef479dca687fe8560a851ee3401d8c67e79c471f1e912d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
b4f8902bc933506ab45d9252c6e8169f

SHA1
9ea8f196448c4d7a8bced63216f95014631241a7

SHA256
ce89cca25a51f081e4a6a85d522a70369d6a55f36bdd454cd452762ec47170e8

SHA512
3e00c84b49df1a6cc1bc9649dc3ebe2bdaaa3c945af9ebd57f49f2212132d9fe4a776fa51d74992c55d65c508d5332e2f4eefcca95a8f655447264e0dbefeccc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
318B

MD5
20d487db1a7fc5727f5106dbb78f7d29

SHA1
184bc1724afbb69d55e81568c57c9af5495616b4

SHA256
b4bb8d7c1bc384cf51a212955e133128fa7f7f9d6359f40f25aab38a587e25f6

SHA512
8ff0bf257566acf637c031f192756ca367c511ef319965d0c2f66b7d33cd61e664c358547660549f7222c3b8605521a8a1e23b7a4b2b339460cc3ce0b36b4026

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
dfbf2a1c4791b94246a6059a1caab63f

SHA1
7a91c5ad1390a258a81cba04348cdbbe0b5e130a

SHA256
cfafa31ddec515f1045a0648831034ab9a28f4aaf2a8e5c209eaaa845cd55a7d

SHA512
9f6b9ce2bcd99a19bccd40de4ad0657ea72d02d59c1941b82a6874eb9421abbde54e8a0222c647f7cf0c1d67dba80413f6dc9d53ca03d10daf3697c004b40705

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
ef914ba7c879324851318ca793dcc0eb

SHA1
12a9db5190e0e3c9c689c511c0e3e57a6ee5dff7

SHA256
dc7ed2212da21a6b17c07d042fd13441600d34c35e905d88fca66a00d1e15f3c

SHA512
bc1625f58c309c7c6abad7e2a7101be7456b6da2f2e03393063cbbd2b4537f6f0ee68a7ebff20d4a4af7e8f74d751410f9968cc805742f25ec54ee4efb79e21b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
84258de2bbd3c60e616e9b5b7f7a0011

SHA1
314756a81c162475ff8820cf6d43b120d11efb7e

SHA256
003a2e8697b2ea223cd7291afba643da0ab26ab10581262184c2556c6047f5e8

SHA512
19f47f6887791e05e6458c4767d387b796792e71060e4de53ade9380835384254ff99474d9d2221d89cfc23c773ab3cefd80428b94d6488c2a54a25c50f4bdf0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
f5c3cda2cd59770b81e2796a74eaa740

SHA1
80c9240626dddc0c4ca77fea5416b3182a2c7f10

SHA256
36e964055999b5a90195c5aa056f743f35d251d74fa32abaedd3ef0b56e33a3d

SHA512
e8fa57cbd3f89343c253e31103421c4ce30e930d5147e9c91e554f04028d555ba6475ff08af3dec9e79f891440ca20d16ba539d4ed3c55ffc306d97ccfd1d0db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
2301287d7fbbecb3032a21299edc5555

SHA1
c692a58980655bd37b94e0d913a4ebc8510da391

SHA256
cb701f4ce9a8206d575414b7d1750f6c4a72ce2f6bdc99395a4423ff32f840b3

SHA512
fe418603aa0bb62c8c6b241873c527cfd543d965d10f22a942f879b9371626bda3a3973a644c89a403ec8f6001b7e18782df4548990ffbd0a0c1bdd4c5058f3a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
a3f818f8aaa4e0b7f3dbe5e938ff90d1

SHA1
36087c50bb59019f145fb6060c0851e5546919a9

SHA256
e3f2916da657f9733070bd797b9c0d0226470d83288811a312d009c391d02a9d

SHA512
a41dee932a15c7314ff2d0be68317857f82dd696e8601919bb1218a2a3a5d02709d52e413317f432ed1a595aa2d14471cf43496a45508b0fb6efc3ce02e6afe9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
254faf9367e5be749b53a1b2e48da0c1

SHA1
a4602d26f92e561a3f61fae791e001ba9154bff2

SHA256
9279871c162fd3f88bd3c935925cea18b93cd96b165bf15fc539d5b3d465e0ba

SHA512
133f550bd9e4653603c9e0bb36f637daede322b556acbb582cc7bdc7d8b855a07aa39f5cbf237d2fb7fc72b5800f000e839b839fb566a895d72819bf503ee7a3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
8b6ae35709ac5e0a8c12ffbfd1674160

SHA1
f220990a9d9314e1900ba2b502e2de6b9e082d93

SHA256
f6eee8a39f40872b41cd2a1ea4d35e76f9011412eaa3e955a610197ca1097d7a

SHA512
787ad9d67b209f5f61f49db7ee12f86f57720f7e94ce9bf2f2143680a7a8144f3234bcde66f833f469dfd2303db3eaf1a0b06a9d580eea9c2034f2db8b0f556c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
9c20269d447aa06d97b1e68c3ba693a1

SHA1
b304d13290f84b3fe86d015d887939a549b465d5

SHA256
196d0b4469c202ff126eec569831a6a9c1e1826b14869bb0ff0c8be68b39b47f

SHA512
2b99f8bc9b181ff1026c86f660d087c530889d285b1bc30250c98da3e1759c522cba3711bd86f6d36ffb87e49011367267369041287362bbc8c499e774cbd30b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
70870888f2a58c87049411a9e99eb137

SHA1
c7f40e891e095d864cb740c2396b56ebdf8a4722

SHA256
bd12556c38a981ac0003c0d0e554f1a9ae0e5e37117d99489978fb50fcac5e7a

SHA512
64af7c47b48fc6f14ff81374fd6f94e07b76e63b09fe73dae5a5377851426adcbe040cf3866a96d00023692f2021750a405294a21796f5951fbf6d725b984fae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
ea4cdeade71fc9b99e32d0323153f38c

SHA1
6c6cae005e8ad88408276a5f0f09effa3fb7b49b

SHA256
a369136911234875039de1a12954ca4585891884cf767402c11ef3d84a103c4c

SHA512
f3bc501bddddb07813ba7bec6902c7ddc7ed7b652d6756cb687964e6ac8bba26212ed28c5a38e8f8edc7497ab4c0c5401d3288c2bb729dd1840be7b337c55fe1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
ff1e9cdd5d9087ae5ac24f949f3ec7b5

SHA1
b1ca61c851979c3c88f06bd356434ff36e7785b6

SHA256
65058b621417f6311fd5c0e02e49b6fe55904176ba9712412e8b88888c4d33f4

SHA512
088cb2e34019cccef3d3473c6e464fc55f4a9d796dfeae360bca28df3efe9dc4a6b6c3ee80ffc24226a77277f81276f2424694e8475385dc649ae63e8bf95444

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
df310528d0989b1b64831b547793e061

SHA1
8a9b4621bec770d5d8e9ca35419f7f0295e4070c

SHA256
c323fcb895ef9ee970a5486b5830a98d22ee6131d815cc133943d406aa8c9cc3

SHA512
fe76884a36d7f8e07073fc0f7d16b93ed2b6de9714f1713ed8f6958baaf13d5906e1e895e5862545a68d741eafbcbc1c77d73388025568979cc5030b2ea42a4d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
fa7f31e585fe3448aeabf7ec20509075

SHA1
145afabef33cc43d0704cac9b3e8d08310983472

SHA256
0b9045166d37e1310021cc17d24d9f9397ba516ea5448a0a5b7cc1a26bedbaa6

SHA512
33875b1edc79125ac8475ac6ed3f744ebdafe3a977a245a82c06a6ad0e90ddf3a944cb580db81f778af5aa0693029c9cc049619c0d998c0bc89a0cb5f2142d24

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
46249596137a2ef7b6ea416b8bb47b53

SHA1
d2a3fce7d5a56d7770862b51ceaef05657dbedbd

SHA256
b3b6867ec103cf839d8deb970c438a406f54ab26a41c61fba79158d68a524933

SHA512
c14479607d96c9affdcde62cfea5e2f8484cf48e4b0c260ab13deb3e608b80e1b11e07846408470eaac5942d1caa6f7a50c17bddcf4b86edae4955bd3e6b5634

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
fdac914de41eeaed9a958c6b557ee36f

SHA1
6964396c1587874b2ce568ca0fc6ae384417ae25

SHA256
a614a2360efd37f3b67bd1f21cab67acb7eb3b4cdef30b337c86323d74ee85f2

SHA512
1ef136752af32a8253e0750b4d4cd922de9f06f4b0475ee6ba76c3064f4a537d6102f8d369d15b2dde89665a7ebe77ab16e9bb3bd92aed055409c664e9b52110

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
200fcb4acc6ee327afd70286eee21345

SHA1
5885270cd0553fbb2390df9d21bc43e17e69773b

SHA256
c83deba8ad4db254f3cc33b369846540eeb792b650ae39ab309662d27be4ef62

SHA512
5f6cbd172edcbe95a7531a7cada9369831c0a3a654292644cfe3c1bef239c19c6e2f0cdd19b3918e90fdb7e29d8b28ed7f7f5fd626dd30a9799993aaa7d2adb3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
30a18b6d95911ebdddc1ead0285f3e95

SHA1
655b92501e12e6735d168858b9506e80deec9d7e

SHA256
28926817a06cc5f9b5be810a347b476faa8dddb9fed2d00ae068359c4b7d1ff6

SHA512
305580735904708d1396777cf5467630eb4a34b943f2d4892b3671b988c274262adbb80d4f551915d1880769b6aac29d25916b18899a6a74deb8046c1278a7b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
697abc33c59c2f67ba147bc12ced22e6

SHA1
9a1506eae2a2d0ffa1f8912adc80b04d30a8cd51

SHA256
1b16b5bdd14f0e705d7d626f7e73bf6eabcab5303eccc3837fa8ddbef1048d8e

SHA512
3bdce922505c97b63e2e317559591acde297db63a103734c4d041ca2700929ae62f16eb8f26dd41c19359e8f5db7b90bbc9752d12445c4832777dfed1072ca9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
9f165280bbd859b637b59b1effbb8111

SHA1
cf176c964e0bfca9eac3a0d27a36e72ddbfaf91f

SHA256
40ba8d410c54aa08232c50418a9dfd8cd2c9968a927f6929256465b461acf2cd

SHA512
f3e26d12431acd05a39d6c9870a974e0b845ae755414fd8ef2e633891213eb3cd9f3d3816fa87462da2d012ee55b97275580608a83d9b2c289591561ecab5b7d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
73ead20bf8c544629f92646377df030d

SHA1
de6ab247e1ba248cb0ebbc3af94467f826596d60

SHA256
005c57c18077429961c343327ab251e1d6d1269f95056ab357ddcf8bde6e4ab6

SHA512
bd3f3b8d3e7af2ae561c60a0856a50345565bbae962ba7d3792820f4156e1ce6265bf391ce32dba75ba151f37071d67ab145f94d00d2ee1a862427de2929cfc5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
3ac7b8a400e4c0fa25c7809be5e9d602

SHA1
6c10c5230ba419c45f06eb20ecba105048a11bbb

SHA256
6bfe2917b33dc9095fa79b7cecbdcffabdfdd41405020bf7d003e9dc70bd8901

SHA512
f5cf95d802e6e13313fd21f5ef3a15e9fcb9dd092e7909ef11581dca1a28154da3bf8c7b790907c554f60f82dde613ed5b8457b1c88ecd4262636971cfb04f4d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
807B

MD5
9009664a617d8249331c7cdff00dd649

SHA1
73ad7af39e990ddbfa1c4cb22db0228f8d8838bd

SHA256
903abf02610fdcbbcd23af47a3afe299ce25ec18c90f67232a40a5cef35f8dfb

SHA512
29847ba1a592f224fe8b29170986b5ae111d8de42a928eda9d35e3fafc7c956df69e545d11d79192670e1c79d9afbc47d4d067b44c701dc823b152a0aea974a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
806B

MD5
371dc3828772b579388f54d55b97b119

SHA1
f7fcee9785ed5f8681dbc98bcbc01c8bac5baf1d

SHA256
cf9442480533f012eef88300028e4797e0c673bd9df2fa53f892e0236dfd0412

SHA512
baf41988a23524138eaec868cb857cdea0b11b36476737d8157387cea6c17f6480544e01f18f9533c22e5f2bcd27346f4863bf0464a5fdec7338075b824c2ba5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
5KB

MD5
a6ae8db527950806cf5c4ff90c4d214a

SHA1
a8e534e327237590a2608b20f3a86913807132cf

SHA256
5f217c062cf3c67cdd7db3a85a6f4b0105a237dd95a847daf00a228768ae562d

SHA512
1d246e5519dfc8ee2da99150c61a32234364c15279eed1215f6765d6b6eefe056c45f9b033db572f76ff710cbb5119e9c2b60f8e84dc64afb5afaa7832dd5190

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll

Filesize
809KB

MD5
bf9a4846aebc7c05f454f8a69acc261f

SHA1
06d64d3bf050b2f7d7b362004671f839f4136967

SHA256
c6210e253086e72c6f3f7c62b1a6b9227128780733d5785b8648d1c71c3a7865

SHA512
df903a5aeb044f60e28b0017f9cc2cc11c48d2e2204abeb8c689f3a788ea31aea2751ccc3f19dabd3b211319625c311090f474ede802940393ed449268a137fd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
4dc9bd6202a83a6d822592b05e9c5b36

SHA1
3c6778ae92c5d7f2429920e93ccfa23d09c501a9

SHA256
4f4c6b0458edd400d0555af2e57c1d35b0555134d41751c64248a95742b73f3f

SHA512
3020ca978b154dcdb45d50d9f8f988bfca050d9164ad4d5c4cff0b5fa3112d78f9e942a2c4d93665dca700c22524355bd794825843e3e449b44394973bc7c80e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
27B

MD5
cda93a7a4d59748f32eb7786acb0bfd9

SHA1
58968eb5144b708a8e55aad0c04580e1951a9360

SHA256
19d776d99b83d04a620cbcb223838902695b22fb328e6eb8dccbc1454e821da2

SHA512
3b26d4ef527b757f88eaf8c697c6d5f0fdabda7a5ec5a02a0a2384e890ed137189c5b1019a98bd5a95999a6083fdef099ed207c4381644f8e6fe54daa54df5e4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
27B

MD5
4d57f6a09f7c9ce5e360ad1b76d5e4b6

SHA1
7ca65fa6f5dc7fa1358750020f57093bd7438ba9

SHA256
50673f7e41f3594c92e9fb7dc72ebeeecc897c4d936e55632ac98d7bb871373f

SHA512
dfd9e32a707dcaffcdfeeb3dbc8aba84b2a69191673956c46fd80e93660620e0b04644a0973709aa6598f228a14d9c8511e44c894166bdfd053429fde1beee30

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
27B

MD5
e4c3b78273bb993089d93a319d0a0681

SHA1
76c2724f7f86a2d6d44107c6ffdb1a78b46992eb

SHA256
c746577cac28d123cbcbaaeb7a8006d218738076374b068859d494b7b3067f16

SHA512
93d16d99a6cc3c68b2fa5de8c3f7279c1205c7cfeaa5d8122e97f0a28a4fed68774f402c540ba3fb2fada0b3d0e7ec301568c217a05b2d173d7e2ce3b134f80e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
27B

MD5
20a901a42a0aa6ce9cd35803c50bf804

SHA1
f32d9bd4d14a5da1cd326e2029b51c4912cdaf02

SHA256
30402268b722689ef82a43f9e0393447177c3e845b2dd305b6aadac1c437f1e3

SHA512
9538819f395a57a0a2e78dccb9cbf4d14227a08e4ee8f80e6e5cd4c27a6f143d62424313243ae800d964bc4fe31541842516a5cf8b88acec6612e483bb4711d9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
63b9946224b956f89c16f0e242f4397b

SHA1
372691809fadb5265b4df41a39490a024bd786fe

SHA256
85d49f22739171d00e52e0bab4c10e89ed3f10e148aff965a57a7ca2f90daa05

SHA512
72825f7e378ecd52069119ee98945bed4cafd6635a16cae6b669f24fe2f3cf0ac71c6f72764b9e67040e5acb14b834d77574601398439abf584fcff69943d9e3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
daff72e68bf9ef721b768d40a637a53f

SHA1
01355379ee8e807a687948fac07696fd6566cba4

SHA256
32e719e5bd32494dfd3764f38c1e4e9417fe0f66c627f4b7c5a0716207b25eaf

SHA512
54c688bc1e666c33a732f8b01c01d41367e41924c9deeaa92dec6f658e5e3098f8c6bacbba0297fb5984b5210c2040938e7d41dd49a3531c79d35bab79956447

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
57B

MD5
cd58288d3d46a2e8760375c80d5e9293

SHA1
eb292462cfdf388f415c6a69fe6237f1a8a71599

SHA256
914f17281cc79c00adf4e70bc1808308d91a759ebeb2f87b122df16a6fc56c97

SHA512
ed6666597baf8343649951dfcc0fcc06bcdac16887316fa7b56b4c3871f4f06c33248a50f5c38ec7ce23aba1a50f7d367940e6551101861ea5fe145ba57670ef

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3fec8ea007a8aeee8fec78f53e007ea6

SHA1
f491bb8b2ad6850ce0ea1727ff4428fc86c53fb9

SHA256
c31ede88df6a1f7dbedfe22f8fe22d0a6c2ca7657d82e3ddf20e0d261a645bfb

SHA512
c10aff7a30d4a11e5b37e97a68465658565433c772c41125356d5346eac0fdaeddccdd11cf31e90bc33cb95f8a4aac81bd594a21e356585a33deb94a97cc6aaf

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
7KB

MD5
781cd9508791115346c662880cbae5a8

SHA1
ec829c33591a6561a1fe93c3f5584289266abe70

SHA256
c157a0d4699104baad007ee15d05624d5e5c44f7edee74c4a099d83df0a4ef0f

SHA512
a5fd081fe2db56e0a0bdb61bbb791b72001a3042c58193990e40515c7dc9b96bfbe5404eb33bd3645016b94b5a72f0e47db75ffe3df0867594b9c097d31e52ef

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
7KB

MD5
a01fc8b11dcfed48209b66c663f92bac

SHA1
4903692cb952d7b281887e7779874459d2be0ad6

SHA256
7579b19fe0faaeb0b01c1cbb791a7b53f48b34c02f667412bb6bd3541fa3b54d

SHA512
5aad8abcac6accd1d7416ae22272792d308c04d8e165b63b95ec76b495fb695011a77b84c6da8907cbac34ac0a96f1968b154ae21b6ce229879b6bd693d4cfae

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
133B

MD5
400956f098c13d57e621fe2510767e78

SHA1
acb8d6d67153b759df1c909df70288122e42bd9b

SHA256
3450492d666d01b599d7f42b596558fe7a86b24469f90882a14440ce51f836c3

SHA512
1aab15f5558e41588a76f30fa15a758960263f29a636e3cd237c4acbc7f75e2e8d423600fb8754dff50da58eee70adb64b6630034ec52df059f0b6f3054a4764

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
3KB

MD5
d46f5e617a464681f042f1163e6f0035

SHA1
f7c20deab5f210017f43d6c05e7b0fbed8bba07f

SHA256
0ea5d346cb3df6e14d433e434a7c8ecd7dd83325c11dab82f0895a5594325978

SHA512
589febd99a1fba4e7a0b8f9e49b22f8ea0eba3dfe4bbbf928f1b062a7d8c5f31d50bab88d4a00b7a6a9bc277832f32f3da83afad263f32ef2e008ecd66a91b2c

Download Submit
C:\Program Files\Java\jre7\LICENSE

Filesize
41B

MD5
46d991ef003465999c09eeca695bd8b6

SHA1
b8ea3388b622397994f96810772f0ca1967be2b6

SHA256
b31ac4965e6aef292e3c60883ee1dd18dd344a5c7971807bd3a757a84683c5df

SHA512
0e9e34c98fcedb4161e1d9f658b0fad1bfdc95c8e56610c55fb4e7ee3e0de0ee35f541916f5ee7d52266c257949ee4c5f3700e6191c981672aeb913b72f1fb17

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
3274b5753af25043c4d25f1c7cd6f8a5

SHA1
8beac4389d41ee0a9e3339bd4da464f4fc119a4b

SHA256
d32044698701c9107b393bc113aaaad2880467fc67e354af74d2b361bc402926

SHA512
da2eaf3ff5170a964aa33f1dc2e7dec4fb69af9d6e80ee53b510b740ce2336da7bb7653b39848bbfe647cc2ba09316f9459f45649361cbb3385b21c7ee6add4d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
bf0b9baccb7d27fc891cb650c4300de3

SHA1
b374a5a5e833465484fafa60d7668a2075a59360

SHA256
946e353eb5dd2705b94888ff62a6605b5aa6ad77da1acc946e9b6e830877bfb4

SHA512
121af8476fd54defb4e975b4d3734c19a2bd156cb1328b7f0ae38fdc9fd2a2381b9ff9e99a7dc630f8cee5f4e12911ea61eb3736b6df8de3d2ba9cbf6015979a

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

Filesize
3KB

MD5
ccb6f914de523e82298bcc7d8b1c0759

SHA1
e895f87adbb839e48e8e2e3b3e6796846e290897

SHA256
8774a66c3403c6f573c9931ffc972612a02876d42f90fdd88785a9239e90f3e8

SHA512
820d7d8939c1a26d015ee0721ea11a7cef674c5256978a12e3344cc6bba072a4617c77b66b0e2fc0d600f9a5f06f314e611090213dd9ac67e020893b35fab84e

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

Filesize
27B

MD5
9dd485f8389f769b5c3c6738a7a54eb8

SHA1
6f8e4bd340893aea89b628cb800decd742938cc4

SHA256
cccd2ee6b0254cdeed2223ccaeae41ab844e86261bd680aed4b99a5a73d5c76c

SHA512
974dc1585418f58c6af8cc90c5a1b7dd56aaada2b16beddc141d0ab82358f5cd744e0cd773da7120a0d04be9bb19ae0b2b1f6bd2a4f5471a6cf6b290e38e8c01

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET

Filesize
1KB

MD5
efb8da49307b189e0e2f25ef9e28cece

SHA1
5103a1eedfc0330b57de8a46c50cbe43292cef46

SHA256
3c20c7fabd7dbaf72c814e4e893df29629b7fef578734c2f141b1083cea8855a

SHA512
7d6ebefdea9ac6aa75a9d325a95ac87b4bf2ec8c143176ff5ac3278100b92040d0c78c109fe97bab6ee3e7f9998afc69c3fb6f91c9751b0b9c35af9e139bbe65

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

Filesize
27B

MD5
a07b54a49e7fabf5962b4ddf6e1bd29b

SHA1
032d2ad089f243aa7d9ebb150b3fd44ad9c31b81

SHA256
ed113c778d1652614de9e15af80021903c23a53d09de778cc6afef1b5d7c94df

SHA512
218417425f69892556df4e17a4f974deb325727e0c0b4a2287077d3ff1ab067821fbfb2083aeda181316bfb9bc3a0712ecf52ca55764130b50094f302abf5ecf

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

Filesize
27B

MD5
f4d8511db5e893ee11366827e5f81e93

SHA1
49d3c2f60e845799142efd98f8590aa937cf27ac

SHA256
6c5ef573bc96ea7d4d8ac3c5ca879802beed32abaa19559f0b754667147a6730

SHA512
9b209c1446019cdc1659fe7c506e9cd057fe0f066743125ded45bec055039ae56c7497f8d140b1096abb72e3ea26e16f8860cd2ac02f9ada7fca1dc67e02b06a

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

Filesize
27B

MD5
d74b4f034b50c3278e17e15f3d083acb

SHA1
31a147be5e9a56eb07173d573a81278d78daa04a

SHA256
e72a8cc3c4e666fda551bfe3d073ccb6962f3445d6988ebcfd36a5f3eb8f63bb

SHA512
5c81122dfb6731efb688dde8eb243234f0b9a1515e08e0090dba165e1d40baf8601fe4985038cf8375c9ad77f4c1a61c7567c7bc95c8dfb924b1817af00364ee

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

Filesize
27B

MD5
585cc73d599344efbb063aa52e69a0cd

SHA1
100631b62261331fd62e427be855af2a3907349b

SHA256
8d00313ba35b8cfa400d62e437f77b25550b470c28c9a94389de1038ff56ca84

SHA512
9d5ec7acc1e03e4ce0c9513c58f6e53c5a7a160ce78a96ac49499a0e55779715a24b4bc6b16faf0181149fad0ad281818acf9994972ce06954dd55a25d8b7e2b

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

Filesize
27B

MD5
0b8c258c6f07b3834c2106b60756e5b4

SHA1
b1bc19eb9e3879c1d12f9a14185a9f9195e9c7a2

SHA256
97c1bbd6e839f0b99925999fa7ba46d71591218ce8863e3f1e93c6e258141b12

SHA512
a9ec50e4492ed8472dab2a295f1da8e032348fe674508d3739e24044efc7118aeec1c8378a30eef4cb37b75da43a38d9bbae75536a9cff35f84fd5f30b85412c

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

Filesize
27B

MD5
6b4fef0f58bf0d11f8b40111e89c008b

SHA1
2bc457ecfb3ffba12dff240a2f4c858fe89e1ff4

SHA256
691f53faa17f1366db01c6824ac7d86556f8c7ae02de3263de96b6a7fa45df11

SHA512
28f5fe4168cce36df68d22bc3230164b4b7aaafe372a4eb638357e65ffecd140583581696f240f7b4fb6f1889cde33f861d386082062ae855504fc2098f26cd5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
584KB

MD5
356eb356d46d6c156866032ca9e7a3d0

SHA1
4262ef5b6a6caef14e474b906533e7e37353af42

SHA256
fc7bf719b8146e4de91d18f2ea908dcebbafdfb5c397c7ef567151c0a088f357

SHA512
c5420122bf7773a7bd6663791094e0a0560c555a715123b3078753a05ec07dcca04d5e73bb43f62fe8162dd6e44330a19260694e514d3fdfe9330bdfb4f6af73

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
4B

MD5
b1819aa38dd3fddf2b0499e14c1eb223

SHA1
be645f6b63baf5da3c5e065c54f605a9793f83ce

SHA256
63549c4789267a9204475e5151b71c9588b35a2a0aff766fbaf7a7e0910aefb7

SHA512
5e5b91219c1436738b0d5edf56fcf6e292bafa6f5039e73cea1420c82c2678f02966263f0a5fc6e0e7c2a95c1652051f2b83299b7e5b8e2a9831a30a15b5ceb4

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
240B

MD5
f4e07f3edd37ed0e1aa691344ef92140

SHA1
adbf0c71de6b2953b13752c9b2c70167958debe5

SHA256
7283266f3845e9055cea851224fd885ac70ab6f3532ac9dac3b1649e343ce8ba

SHA512
3c556ff49ab02735b66388adda7353129f0ef4d108fc900c1112fead8f5dcc02616f3423571af60b8948ad35c608aa2fc3d38116f5820e6188373443be1db59e

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
180KB

MD5
bed93e486060f98e84a70154e74536a8

SHA1
4acc1f7b5bca5a3b02211970e698f7710a52552d

SHA256
43b977804238e2673e40c375de4ddee21d83b4457ff1cc79a69284b912ec0acc

SHA512
65158d4780782c358450884e23e6027c3e657c97c0c88a0479f687c032635f0c67dc4c42df98f8b28fc2f36a4ab5d2ea02154b5638943ee7a7cf74d2a9bf1ab7

Download Submit
C:\ProgramData\ctfmon.exe

Filesize
826KB

MD5
a8347481e8b974e0501429ecf6d1dc08

SHA1
a3d134aeec18e66ecddeb3b2f27a5315d28fdc7e

SHA256
13654cbe13a3585b28b1b19042a49da0531a8db0a93ff7c6d6e52c497f247cda

SHA512
e337f7e96762efce4ea0e67922307578286843efcc9a210e65475b26743c03ecbbf5d3dcec041eef0f103f081d18e203b66041ce52b59d0951b41a52eb69b201

Download Submit
C:\Sicck.exe

Filesize
157KB

MD5
9e1df6b03289389309b8d1e0168aba3a

SHA1
9a0b3592544c23cb8518b92e11dc79167dd89230

SHA256
cba8829b1989d484a23b2338cd013fd321837d55f6151605e9b454c0d6fa0543

SHA512
fcf290a814fe89dbc261f8fc7be1dacfe93a2b0977020b10af77cedf91bb20391193bc1f8448fd8ed23dbf5d1e693f4744f0254688573938c13e9919cd4a403b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
026e4d60a74548300934065a37f48eb5

SHA1
24570d20fdd4ef52f44e4800841656422a9f65be

SHA256
b20f86d492152cb6955b628e6f1bacfbdb571c55de6258101fc809d8fb023244

SHA512
66ab6eb6730e3e862596681606205d29854eb170f4769ecf30bf8655228661cb364aea84396376ecd1f0efdf9b338d9a9f83d71028e823ee7bb0cefd37e54391

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f17379d131627dd649a7f78926c1a9f0

SHA1
7b73685bd7d86ef71a5473bf66e40234be614190

SHA256
c9034c4d8e678d6840c695cee7e8be86e831415e76f615c803870ebaffa00fd4

SHA512
a29d85d36662f06e621634fcdd3d8535f3bb33c562a74d56546b72e0771e070ab0655f1fef06a1b20cf7ffceea39e371ab7814951ef818cb679b40eb0273a35e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
862bdb8e47c06c6ddce6a2bbb4862139

SHA1
3660e3f9cfcc529da84ed8c638a33f8c865a518f

SHA256
5d150123e5b35cf0018fe035116062fb707ccc1e60a5de399829de33b1ad1799

SHA512
4853f8fa96eb95f7acc67dbb6d89d2f61693a612e45701ce1a202526b0e76daf2dcddd8bc8782e6e3c385a5d278858635a5802400169bb3157c6c265b1f1e4ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eddb56de2d4c10da690c33b7e3b8a923

SHA1
ab3d4347dc12e50d2a8a6e985bd3b53befe0ba17

SHA256
f13fa4abf1fc1e754e3793392165fe84239386da37eb5a20bd0b4a31ae6fe5cf

SHA512
596247f15421ca7d8a1ff9e3e01529a2919e23947e7642e9016f05fd2a939a8f6adc34316785f5deb6daba088c1306d6cc32bf9d94c6437f9d640b48479dd4bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f16f1e41fffa27c4448fd6b1690bf743

SHA1
c6ca2d6756182a2b48537c24b7bce7ed9a00a61e

SHA256
16d14d18636b043f00e3df3dae8274afe068a3ff2e692a3f003b6d2048a12724

SHA512
e37789c3e5ed4f41fa88bfde77b57ee9961a5f44ec47749ffd8e9c8cd9110a4a48a2d35a76b7a77e5ee93f1a752e3be1b4c748ac105bb5255aaf33f0692e1a43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc47e024a792d4dfd3a9153710e33de4

SHA1
9461bbdcd2fa9f0214224ffcb2629e09fa57e42b

SHA256
692f0e9028c147f8334312b98dcca3b2e5483d96b8ee3fd27ea4f1cbca0a1a1c

SHA512
3d1752b27d5d69b7bf58dd765ab5f540433667fdcf5908aac8b0e24d46b5ea2a3d2ee6730b204aa42849dbcfc374779d8b48aa75e927cd9345a5b970b7fe4b85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04b5dfc0a55c9ba671200e65aa472fe5

SHA1
32bfc31ac9cad243aee245f4bd14455e98b46b4d

SHA256
04c910ef151fae02028f32610feeaf22b396658f73d5a7a272a84a7eb67b1c0b

SHA512
4ce8c3e2cb55ff59bf507fca740af98af7dce841eb0e308867a3f80ac499e1ac6484c20a469c106290ea8f38d17d2bae5fcb22b790443e3f3addc0652ddcbc9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f5e54832f0583eccfed7e3d387b6a18

SHA1
2a2e77154a30291d050180b942df5af700f668aa

SHA256
a1fc304d85a2aed74c4315070a0662d572a32a9816cd7a1f74bd3895184468a0

SHA512
0573f1345061cc643e0744859ac5ec92bc2b9975217ece4f93b38f9ed783b9a65243883cf7944d686d5541c2300e198acaa12d60b5d0f4b60cfa07260023b29e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba8ad2a9e737e296d835cc266f243f32

SHA1
f9a1f2b013e9e8a4019d9f48015b0bc7ddcd53c5

SHA256
22f2a6de3c63556ff0d869d2b84d037676323ec8d7211838d919323aee7634ce

SHA512
f1639adae5816f4b817ca34a36bd6b99930f9600390bd3fb4015212764724da4948c1f1dccbf7322f344b6cf5590c3f347a7353a48b5e1578685bd192f0955b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3181f3170240e5f983b0643f8bafadd

SHA1
99956e71d9e353319198ef5d531541ba0df99b43

SHA256
dad33713ab21ef96cada428187f0a400adbff4e733515e765c17793c81cebbc8

SHA512
a2a797805bab70235352fe960f7b1e4bb2cc440c4edf8b46f52ff870e163f36358beb66631a887f64754e609b58191b91dd16e530fc59af59892f1c784ad87c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dec688479f9b72ff9242bfbfac124b1

SHA1
e0caf2c2f59f549db79e579f9ad28fd87d584194

SHA256
38b3c870709b91046f15ef9821f0db0a3841e3bed19f9c9907879b2a524559a5

SHA512
f3d84de8c0cc54e35272052654c435e9f02f92bc7b1a337df2ab854c8bf10ee53997d7d6f5edafee4969857403b1bd2548b2a20c00c513d00a79da138e3d16af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad57da9a4386c9dd6d10c77f30a5efa6

SHA1
5d7fb32374e3c72830ec9952bd660541b906d217

SHA256
e9f0bdbcd8722b289e01ea4d98b52d3cdb613bfa348def619c0f466afaeadf68

SHA512
e074dd9810d5ff35004c21098dd977feac7143db5b507c88869f90cf94f5a6f948d3a27770848d3ef32dc3cdf25155990f4d7e993837d80348044bb56b0d79f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d168f39117874aab60ec015cbd4f37d

SHA1
0b53927854fc927a43eb155aea853ca7b79462b8

SHA256
4462770c6909c63ab263acca384d985d650a81705d980b1542f60c3bfa721903

SHA512
6c034a7891fc162e10ad4008ded23d5ab79ee9d78dcf018b37c58cfd49d7543b8a5bb458ee3b5ddf019d860fe058b03fae2016401fe378de68193db3dfd4cf8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd97c5e60df9be8949e15820375767bb

SHA1
ab1939ff336ced6c09f7195076fed48587dc3236

SHA256
6bb21c4deacef5e335e069e682d489342439750f15a1d8cbd2d44f53392e2e3a

SHA512
3fa61e13fb409c91385aab784cdad7f234a966af1ce3efd29816e1edf27cfe9040f83836438702c90e77c74cee3b9810872e7653a4ed59858ad7220cc3bc59d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae16a4021238a2617e64f24a156ff78e

SHA1
7e75627e7c6a659219ef3ad471d30bc8bc3ac921

SHA256
53ca30e0195c4631058bbba80d4f62c3f0162314ab19636103b7a8abd8d0e3c8

SHA512
ecba3afd9988e10ce4c1940c5915bf1b5fab4b6ef21aa00c9b54fd02068aacce264843d3bc96df993b1903370d93d8f70e557dd0256462a3609bc0d2372ae487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
660e8d1a9bf39061302e81dde5465a3f

SHA1
372a470c7076ba9eb60b777578b2f0a35b2ef888

SHA256
26882bc113f734ad9d4b734caafc0cf6aff4c2574da7694ab11ef0b13aac3dbf

SHA512
bb63aca071d22d704d68324ab658e5877f4a6eccade8dd82460a91b762951537f53f81e9d9d5697d8b258b36d48b5f6469d0b7f1e3b38b61483971418914b33a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e2ee22826e2586c7cbddcd3eade126a

SHA1
1cba901ffb1486f688c01687d340d9cfe256814b

SHA256
f3c6326e631e0b035b562fbaa050df41131fa2f234b7d818c7a9a0bf0f059299

SHA512
af051329762c551e920212ab18d3ef482a5d7cb82056418b7bbf9e2f3965fcfff1944d055931b5dd145eb76b39ef4ca50d7bd4f76195aa3eb319332815e6edee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37e97d85f03aa0583e95f279c947b640

SHA1
34c8ce283e7c7deb861f1ec624089c6109ffa69e

SHA256
26c9383c393086078d84d7106356002a80c982800ba7a3b374230da713421f52

SHA512
e921e7793586bd8b1c952792bede136fdbe4e9da4830bc7614de2b98c565c732a6776b219d39d6f5f9f025e0d756559a6f85bfdf4a094d9340955d1db2992548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bf9cfdf4b9e34def1592215bdfebed9

SHA1
19764ad036c59fd45607b8862f15bf7053882e5a

SHA256
83d3c62395047c6a7c77e1392464717d2c4e423f905be205485f91d0668cb4c0

SHA512
d5e0a87bdbe1484235b8356ceb75e37a097bbfdb07e0265f0797e7d33ed2089f1fe150a21329f06944cb9be5a00cf9dfa58b4e6c925f5d9e31c8a91cacf9b64a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca86902fadb734a25715c0b60be53d4c

SHA1
a8942d8d965e90c33996d4ab0794c324ce4c77c4

SHA256
59bb948a5328aa8d4c0bc74f18cdece6012b7d08dbed25e6bdf2a56be6d58110

SHA512
a5ad206e92dce9b298c224ba22f821ec61f1ce3a2eea1a76b29da92fb1bf02aa850ba62de80c1f60d84d2a355be5837b5f4f3012f92ff51fc105be4f81464669

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
48980d686d13255edbc4e52eb438ad06

SHA1
0fad0aa5873768a885ffe6c6c302101982b9d110

SHA256
7f2879a34528c0de73a16ed5c61898f64851173b5ff278bfce0e172d068f99d8

SHA512
1dc7cb1fea3301336b8f05966c9a673fb9e8e167f730f7e59610c319fb7cf2c510cb9e37481058cb48cd8aeac523231c1d75f7716d70865c51aad18db42cfd97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
c094601eea3e04ff40734c8b0288d1ba

SHA1
aed700ae74b3807eb1dfc1ac78caab62a3e2360f

SHA256
0cff048d2e0a95f2f2f343191614b91e44f1786850b5b756b2620181ec196d2b

SHA512
ec6b624c1625d0230ee07c948ff562e4470c1d7cfc7ab0c3d504e62d08054c8ac61fe664759c6ea50742dae3b1228985bf9f8507c2afdf53f35af2aee442adb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
80b59e61c8a2086f33db19fc900eb71d

SHA1
0706ba00b4b44e07bd8fbd3a53e424711d372845

SHA256
6be1aedaeeee9b6a425e3e5c3cbbed1015be79aa6e684312843efb2b3522a3aa

SHA512
5459e6666fddc33120d540dc91486f407af2b5f9aaf3dda1b7a416d3b4b7a18845823bac3c8bc1a8b496c239f29b391c464d389ea9d5b7c42964b7a202cfe7a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ReadMe-w3c.html

Filesize
4KB

MD5
03cf3439ba072c9b201be753acdef1b9

SHA1
8e903dd7fdc7c59293f0e9147bc63e3c46bc9809

SHA256
6825fdc397c63ae638c494ce09a964b25b3bc8bb8ff54225a9520244918985ad

SHA512
83997f1e13f8f280fb9f5c512b958c9701b34af2c7767fdaf6e9fe5778ef18780245eaf814d3567ee7f9f94a83aef5d702c74bd8ce251383b981c406ccd7111b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\ReadMe-w3c.html

Filesize
4KB

MD5
9481addc9a25b8499fec1f34132c39ac

SHA1
d3782a84fc4d98d6182a159cdebf99de8f105f75

SHA256
72797c16a06d90965b88b31bd60f7ad33593a7cc3111df7cadf7e0f4bc7ca1d9

SHA512
5b02ac7fddea1ad64eebeab0927b7019f84d413c9fd890c17c21b40ce5fbcf8eacaf8f8027774df4b060c607c081e12bce500d7285516bfd882205f534366727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
8KB

MD5
c9b6f0707b005fdecdbb82a07ee2ddae

SHA1
bfe342382421febf4887b1a7d3aa90888836ea36

SHA256
3bb856bdc3aae76f73dc49482ae26aeded2731025826d7eccd64daad3db3dad5

SHA512
23e6f68a0d50f9f33eec553201a8814a1042af391d837dcc68a797496915873ef2de2a2d5b124dc719842547b0676f5812b7d12c161b46cc9937a0d15442511a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
90f968afb83058c702cb20d420417e7b

SHA1
eb96eb0baf32c9a421375409ee88513fe1735c5c

SHA256
a797bb473f198bc72904113b88eabc2566df399b224a59673ad972eb4da0ccca

SHA512
efdaffd1bb494ef0e74cfe32c9b5e012dadfd0e068707e138f22921e034ddc702cd6cae167353b2068d7643ffdb94e33d27f026ad63bd754f2fc261e5015428e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
8KB

MD5
1984268f962e3c76a5d29e29a2e5a882

SHA1
6fec09fb26f758d9901b61e7ce78f0bda796364d

SHA256
a273e221c9e07ea63176cb22bb194a64197ecd55a8f1d72a3116f875b07f6f35

SHA512
480b0bc11c530d66a424d38cfd94213123d3a4b3214d67196337d77bb583dd320569e947363e814f8585462853e58f56b889522849a47584fb164619d23680a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
202KB

MD5
95bb806d7120b6eb5daf3d86f47df3f7

SHA1
30f9cbdef38bc6d68ba8830de681d67008933b45

SHA256
a34b547e920dd21e0479108057daacb40755f80ad7b6e2751b8e3e1f4a9ef79e

SHA512
9258c1111d88435763712f022a2d3c934d7ca0ecacb8e2291cd2a2ff4d50f9fb9a451830d4392a56723ce1b363494658c0e368ad37186602b184f8d5f605424b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
202KB

MD5
9c56be4459ea5d046617690826ea7e16

SHA1
edec7d389d05a8a90d1776f365fe6e83a33ee3b2

SHA256
5589e2637531eef76210e82824eb2104ba9f9d4550481b18b70f3c090c27270c

SHA512
e139a2d42f7f15286188712ac8691e78c2ca6dcff1a72969b6890c8ccf769ae35fd462fd80e6d719cf787a90352dff0e50c6db9ba4688d304b00f83c62f60c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
225KB

MD5
25859ea049a6f51b1fbac001c4b8d8a1

SHA1
bf1dc408a82b96f3711270cda2667c4e736a5b20

SHA256
7e1e0e294431e3a9a0d7bb91578eac08b4e92aef30f503107d721585c878f66a

SHA512
0b34524265d7d89e8c60e6aaaf1bbfc73892988d19277e8ca69bb4854e6b56770fdecfc78c2f222e1f40f16ff3807d3d2dd254cba20bf81dd123fcfe84f81579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
aa751058ccf97335d6f96de195985329

SHA1
53a00b2dd19dd7f4c9e42e1b1cd1b2bffe6994cd

SHA256
3435fbfd34b9d9b9045be552145da4c359974dc61369f320ddc247bfba6a8316

SHA512
4034709feab2ee53233f0b7a450190e5411111838f2a2fd24f9474fa3e39aaf8a6305bc41462a84fe72f924de0919a87091c3d45a36cd49bd0d2f839f13918db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
6f8f10ed781ba4eb70f1b26593cb6cb6

SHA1
ebd88a274ea6fe5e1d5d345190aa8014540b8b4b

SHA256
8bcbcd49daa549db8ad91a2a7b980bc1c81b6c46c74dd1b7589f43b79bff3d3a

SHA512
d573aa52a49de07f191dd3ab4605f60766ebb13b8fb6af9956687d0edca0aa0a4b13bb6055e0b81e57b8f74f591364bd6338957161bf680cdc8e45f517f9a4ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TN6BGAW3\desktop.ini.KEYPASS

Filesize
67B

MD5
cd5be1b0ff1afe2e18bb7cff453c2d78

SHA1
70c72755dba33e570d3699515e1c9448c5e4a2ac

SHA256
308dddb6de14e1b54406afeb437a6660d7d0418de565a4c045d46b0760a5baee

SHA512
9a9f5777a2bf6b305201e88fa63e5f8ecce4265006a002552d2cfc49ed00bf405c834ea5f3d99dbb3b0ed6494cc343ee014446b2ec9b636b09c72bd568938648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms

Filesize
28KB

MD5
4787b70c61d8595e4ad5b3e4e8cf4fc6

SHA1
1bf42495e1b99b53fc399065dad17b14fdb04cbd

SHA256
fe9375c2f9123b1f4bf0021c48f0915301aad42fcf1041033cb8d1d76bab7d1a

SHA512
ff10247e02ba6fda7dd009e74861ac8c460e154bbc42ed4ff58332197807a7aff3c6b7ca7520a28b9d47713610367006c2053afb246f395b1d6e2b8b1cc1f59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini

Filesize
645B

MD5
6ce81a0bc02d431e2c62e1442eb7df04

SHA1
fc717b54b5f8d201082e64c730f8cb6446121d2f

SHA256
1c05f28f00524598bc4228baf89226d44000b4ef86dea745d60e72d5d18791cf

SHA512
18cc455246aa5c0ea0dd216d4530666dfcd85433744fbd8c37d7c890ce6fe35efa901f7e262d2728282aa8793fc55ee529efd906b98e8ad781bf182b994fdef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
0328f500b522e10f4449edf4ca726106

SHA1
c3d004e072faa3433855e3860a5ca6245f1a6e4e

SHA256
d6d8e61b78888cec3ea21b682d725218b1d0b9c2d9462f6bdf6c1fddc3569d8c

SHA512
013665d5d35f03749baa020e399a25ec8571f1ab54ac0770d52c129881fb5471b85aa9421d37ca2c555cd8bd669c4e57b58ccb17ed7f498c9c287fcdc7ce1690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

Filesize
174B

MD5
e0fd7e6b4853592ac9ac73df9d83783f

SHA1
2834e77dfa1269ddad948b87d88887e84179594a

SHA256
feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

SHA512
289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01res00001.jrs

Filesize
512KB

MD5
87a7bd472db5f0a7987a119f7ce37bda

SHA1
41546a3e9905d3b71ed630128231d94c587e97fe

SHA256
7c061c1dfc76f4434d39fca8cfcf06803dac43fdcd61cd1a2b6e51bcac1d3dd0

SHA512
69c12050a37f3d44f384764ba85637366e810f679ac408489d262d14d6b0ed7b248606d7cd54c2fba36569e3cd14709b922952d2c850cbe5ae1a64bf3ec2c228

Download Submit
C:\Users\Admin\AppData\Local\My Inbox Helper\My Inbox Helper.exe

Filesize
2.7MB

MD5
8052003e500e26d2c4c0659cf06fc246

SHA1
25a98e3553be7cfade033c504d9a2068517a229e

SHA256
2908a84aa26483bcaccb06f6f2c8f9c97a70ed45927df43dd48f04caa16f6dd0

SHA512
349a58b2bff78b8385c8623fedce1d909297c2bec4568f87035891c9020c13bd052a296c48754a1a1b20fa2021330f697ef60c82376ab5d5a388c539e4fb3404

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P0JC783.bat

Filesize
2KB

MD5
88aa5c8f460d3f2b0cb941885f4d6802

SHA1
f8d3fbf9cde2b4caf178e00f680eb5c068bd70d5

SHA256
0ea474970328ebb26055e77a2dba2d9e9054f7a1a6f972c5ec41279cefc1a148

SHA512
e4efc3476e8ee59f679ec970deb51f5b54c4d366bd543d4a2626be94768a0bf70b51df44ac65e78a395d7013b4af56571751da14fd4e0c9d799235e6f728726f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD56A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD6E4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
352B

MD5
d57f4fb1e5ca0ab9dbced75b02a1dfa7

SHA1
e3a457a422a982811b84d5f4f8dcea5f500da8b4

SHA256
6ec2c55f892707040acc734b09ba81117b733805f5fb1746368a2ad752d6a414

SHA512
b0ea9c1f83c556b57f1851dec7092b2b77f88d414d8f363ea18d5eb1811eaea49dacabc3113215bb92698698fb6ac2f5d7b3983d707dbce0f5d9eb7a216ce570

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
352B

MD5
8720237dd87339e6bc1a525abeb0cb92

SHA1
91822b2afd40fd17dee3af5102239f7dbe836dcc

SHA256
34842e6c5f0f15dae531282e10025c7b4e5e7ed983717bbc653d7a7718728376

SHA512
6eb370ed4beae659af8b3c62abdf27da4b6150290fa3a39aaec23f17872382b621a9d10e2918a4c032d873c7e58a168fa1e81066ca4cf06530ae112697ceb674

Download Submit
C:\Users\Admin\AppData\Local\Temp\getadmin.vbs

Filesize
46B

MD5
d14a6c18536b08c2d91cc10129cec2ca

SHA1
d1fbfc316c335d22da1da32dc8255e01d3629ad5

SHA256
88f0e55be41422957e8f4fec8caf0f9ed4e68d1f0290171ba8f4bd26c19fa17d

SHA512
1ee2a30c0549d94ab0aa1ac80b621edf740f7e76e9c98f6fd5c76b5a669bb736d84d57f048d8663354dc5467d181d1051b88feac0726e38728e79231b6aa646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\getadmin.vbs

Filesize
129B

MD5
ccab54ddd146fa5de5cc5acb4bf9b328

SHA1
bd262a39727c1d97ac6b89f25afb0c00471dfe1f

SHA256
777963b725f17c6511fd34c1eac628ccabf1f889bccfa783e8017c2f58226212

SHA512
0dd9e0cb7290e61294328470dfbd7b488356676c8a4ecb4006d74c9177f58d7bf43c4fde378a44aee194b1024e414c85f440270bdfaffc25d7119f0249e8c408

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB434.tmp\npHelper.dll

Filesize
330KB

MD5
04b6fbef6c229230313beda281aa422d

SHA1
9b23da2fb50ca31938ad5312ae7f174b291fc19f

SHA256
b0457bc4367bbb67b9b995af5368cd7806c8ee67526318dc9cb82eea29415ea0

SHA512
f342263f7eddc9ec68854ea78d91cd80f16462bb33028d986179cd761ed657650a500b7b3ba59a5d253de091b8c20fefacfed9646d88e09469f371f8ceba65d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB434.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\winMacromedia.exe

Filesize
279KB

MD5
cf1226cc134d454b49c78279b405fff4

SHA1
8fa9963e978ba70821331b79b488956f9a63d3bb

SHA256
1a5a9a1fd35ac4b3b764738fd4d73918b9ea309a24364c6001903b43039d1b8f

SHA512
0a5aa83513ce2598a37a821512625e5d7c0399add3349797ea68506e70db01eb8ab47891524cad7b25d87d548e9cf64cf6480b9561e3b6b8ee97d8db8972ab75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite

Filesize
48KB

MD5
eda590c206d230defcf1019ece2600d2

SHA1
a370d11331de608915a8792674307ae82e6234a8

SHA256
406d6ad3e5a0686c089abe565833cb94826e462c77b1b1003dc673c55af561c5

SHA512
c0cc695977fc3f6a489b86254ac02899d70626399fd660e83805791c2baa87409cce87ff8e0f3ccca45db195d839eb5a3ebd1e6771bef5730e32f89df3252e61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.locked-w3c

Filesize
48KB

MD5
de73d4bda36882969be21b366434842f

SHA1
5b9a0941cd59ea5f3360447e48182543eeee4dd1

SHA256
859d0eb1a05a151be13c20d15dc11217dbf9e5cd7cab8d5311811b6d50e44608

SHA512
6100f9b55d8445331142db5d2be511327e73644eb478810a7afd15bfb0f8c7c26a77d0b95ea69baa9828e4b2be043499f6d5fa4ec4772be58116dacc504cf32b

Download Submit
C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f.exe

Filesize
577KB

MD5
8e988eaf5767726e63601a609e0486ee

SHA1
0ac262bf8dbefecf9301818993529bcb2821944e

SHA256
2073b0ed73c39354551642459c4ce70c3747d622ca3dc16ea6c8c16f1389976f

SHA512
d0ee7c49c33454f6472f6272d4f63fe582058f06deb9c5005974b83f5ebf7cbe96dd963a5a41c6a1634392569919d39c0d4a7a86bf214d8ec006568509eacced

Download Submit
C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745.exe

Filesize
408KB

MD5
a9b2d45dc6cd5121152742fb24ac6f40

SHA1
ddf58c9685b32496deb953802f3e162a616b0219

SHA256
55bc2b322cbd7dd11ea20e9031b18d30ed2d0c48e1c731d3bb06e7617b184745

SHA512
1dfcaf3f73fe7c1f701201e7f55d97c18820fa898f33373b777ea260701118a091825ba35b633f0009c9eb20fe159d128fdbf082ee49eaee043369cdb0146ad2

Download Submit
C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.MSIL.Crypren.gen-f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca.exe

Filesize
770KB

MD5
ad6c4ae3faa76b698254068df99d57d1

SHA1
ec338c0cdda440871da4ee6a676255fb8a416f27

SHA256
f9e38f82b51d7898ef9569f51b1a9ed58281417e548343098fed5114c6abcbca

SHA512
35afa02cf539a903642b37999cc7cae46dfd07dc6fc2028dad4be43315a66a892052513484d1bee0e90ce73e5419a85b1ca7b6e6652e64b0ae2057ed5e00755a

Download Submit
C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.Win32.Blocker.gen-4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09.exe

Filesize
1.5MB

MD5
a39140200b589708ab45f50721812c68

SHA1
ef1020ef177bc44a48efb598e049c7d13fe9d3c0

SHA256
4fc69a291af1ea8ee05823d3ed983ad00279c4e4441f3060a883eb214b06ea09

SHA512
afe880b0c7bc4b08948a13c53e0b75ce7ca2410d65c51ad6a7dbd2266050d434aa010f21b5e05de72d89654d18959e6dd83bb2832b8b4c0d8bd86d4be58e857f

Download Submit
C:\Users\Admin\Desktop\00342\HEUR-Trojan-Ransom.Win32.Generic-bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05.exe

Filesize
716KB

MD5
cbee8882f64a0da607e0bcb29f9ffb62

SHA1
b91b680dcb02e08d9f55c86cfec73c2eb62dafad

SHA256
bee964f8b61d10dc2c34b4b6f5a01213e811a35c8e3df6eb73b7fd754440bf05

SHA512
246c9225968b856086a1a012460294fbfc8f4d1edf233cd177aa9451132532478dcba081eefc5f73aecf1193de0d4a5e0e38cd76e53b94d479da00b580a49b13

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.MSIL.Agent.ggz-4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4.exe

Filesize
90KB

MD5
e4d1951b179a1de9d22f83227f1026a6

SHA1
53fd14f3aebe3d253af2d505967fd8c6a6c9352c

SHA256
4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4

SHA512
67bf39eed15ff05010bffe7ee4cbe5d06dd8700f1b957b33dd76b72452f447f8ee0888db18ff2755fddd9f21cefbd7e40a42043f1f14438984cb0e4a52e09e9f

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.kpuo-ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb.exe

Filesize
45KB

MD5
d0875e6d0f2298599000f7f7a9289480

SHA1
5bb2f5d8e90b75d9c36c91efadc428a06d7353a3

SHA256
ff46d9fe03d25457deba7b10aab8f26934e597db61baaafbbcbc6d17918009bb

SHA512
b589f1e6fac1f7ce4c27023a698501f2a91211d1be9352a4d33a6e189e355ac381167dea3dc0a7f41b882c63d057874c98c11dec8b40f11d6d8ca64df13917bd

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.lbmq-8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1.exe

Filesize
212KB

MD5
56536976497b145fdc39199e0d6d02bc

SHA1
4c910a26b1d7699074ecba152a06fa7060605638

SHA256
8882395917dc24d5065b27f638f94ba949ce1f1ecaa5b5de9e4d9c6023728fe1

SHA512
a621fef8311f76c23683b688a3b42c93cd071ecd58a84dc403f46097c2aef225872dacd6063394a96a3fe40e9ca99a79c6ed9b4efba821226b02f477a2759e99

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.ldar-35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc.exe

Filesize
208KB

MD5
83cd72c5d6f734c308aed40b46704ca8

SHA1
cacd3b6a18e71e0356d767f5db97f5bcc482207d

SHA256
35ad66a94dd28ef478a84ecc5fb98fc509e9fd0e4097b5b17e3e9cb71e8b39fc

SHA512
14969e6609b52cdb9b605890a2671f098bac315d827b875af0f420eceefe13f7da5380b66f1cb0568f28dd8d146f8133c6817cecaceee8609b752410cbfa312d

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.levy-4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441.exe

Filesize
1.3MB

MD5
4b8af22dcd9b3f3fd578cf880a8f2c56

SHA1
072de9fef3a56ac2c601aafe9221231b7a6d5962

SHA256
4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441

SHA512
6d3526e3d9806c01d015d5b0df65ca02e98b3890843d707c3a5655dcec9cc1992327907d90ca4323bd4cd3541863c905d588cf98e6d908e3eafff367fa9f746b

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.lkaa-664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0.exe

Filesize
990KB

MD5
7dbb64de527f787e5e62cea388960997

SHA1
2b35243bbf208b6b026d548ff2295743519b6d7d

SHA256
664833adf062fdcbdba69c40f3f043f1ac34ce45cd583c94ff01e6d342e30ec0

SHA512
8a5d0b097456673727602dfa6704d4518c9ebdf218839619bc1d69374ddd6775c427ff1480522c3331a8586648741550b6e6ef539da66f271716561817a56741

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Blocker.meia-f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77.exe

Filesize
63KB

MD5
e54c1e7cdeb69e7eefe0f6926c0a0ae6

SHA1
75c54c081a0a44a4675fc515c16fd1d376194ca8

SHA256
f275e43433e98d1fc3f6c868f93460e975e3b737e052cce8037abdd518ea8e77

SHA512
ab2d1ddf0b887747dc6204754b8472835769bb04e5255aa21cc450238dcc80e28e65a3a648c9f2908c0ecd566e48f7259213b9048f2c9649bcf4699d823fce80

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.CryFile.zzl-daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77.exe

Filesize
2.5MB

MD5
24bf2e26a150df152869e417ada736d2

SHA1
a223e18c6eac313aa9628e4e7bf728b43ab2a62d

SHA256
daff68b6fa20239505d252f3a5d6c07219d2a0ffdcb782633645a864b334fe77

SHA512
04316d03bb9916466108d753f0b7e39ee8549912c30302d02b548b8e197c743e040487465a4066daf111ca160f92b94cc176489153e5fdcb120beba53ec15198

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Crypmodadv.xrx-951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd.exe

Filesize
61KB

MD5
9e0fd09ae20af32dfb66d844c6de9418

SHA1
2d834ebcadce10b267ab6c20241b62d12706875d

SHA256
951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd

SHA512
97ea9aeb912358cd1f09fa82863ec61388de96e6ba6216a36a648adce846adc3712f1247cc549589a7827419a50606683cc4bb9a1e6849fcb3b19c8661b5d2e4

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.CryptXXX.asdgay-2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071.exe

Filesize
541KB

MD5
8d75650da4c3d053fbe0e84bad55c068

SHA1
3af7ea85d4d3e391e274a84dc83b9fd575d737ee

SHA256
2539ffb7dbf707e0d4031bfcda075ca7bf06007fc558457ca74432a90579c071

SHA512
9c4c7e5121a27b336124c98e0bf9c4b4c997c7a35484ef87ec81d189a6d7101e1388ed9499acac818bea6108c1de0f9ad72769ec9f90091795df6987cd44d9e3

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Encoder.aei-f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe

Filesize
401KB

MD5
5a131b48f147586afa20b0a1a00a1533

SHA1
35d0125d8ca6457ff4604d5e245b2102a9ec4a6e

SHA256
f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9

SHA512
0d01c70c6dbf948ce29491bb81df5bb58e010e775456a168db93973b4dd9fc4a518fff68c7480cb4a79a52b2a8070253b3f06d32e0ac0ecf1c4b1541301a32ee

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Encoder.n-35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe

Filesize
2.8MB

MD5
6999c944d1c98b2739d015448c99a291

SHA1
d9beb50b51c30c02326ea761b5f1ab158c73b12c

SHA256
35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282

SHA512
ab883364a8907636c00a4d263670cd495d0e6c521283d40c68d47398163c6ee6647cfbbc2142005121735d9edf0b414ddac6ea468f30db87018c831eaa327276

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Foreign.ldqm-e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6.exe

Filesize
279KB

MD5
44cce7ce39b8b2560a3ee6b892b8cb87

SHA1
e8f0622aba6192f3df1d6618184bd0534ed9e010

SHA256
e1936dd3f073c4b959dda43b660bf048b435bbcd0de3747bf53f04b6125272f6

SHA512
eb6bb7e94cb2fa14785bb0104b817059f7ad3d478eb26523cdf1b9e1e240c3e544cc8cbd94eaeda28248d95469d175745b4c75168a02817fa4fae9c28432085c

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Foreign.obfr-3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d.exe

Filesize
943KB

MD5
21bcfce92ba425727e86a12ce2b24a0f

SHA1
22d15c1d2f4aa1609525e94b9f81b7456debbfd3

SHA256
3d561c3b90d639500373124149828d7f8e8e7550d113b071d5dbdb1eb7faa52d

SHA512
17177eddb1c2430889b8fbab17343f3c3d932a3fe67a3c23ff2d6871f5ad046ca5fa844ba233a89890104184e796284319e1e7ebe47f79f4c73d6b9877d4e057

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Purga.mp-24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085.exe

Filesize
500KB

MD5
cc74e57fa7575573e12255a4ef6d77e3

SHA1
ea4c747239a8accbce0577daf0fef5dc5a08c347

SHA256
24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085

SHA512
17f7ffc19b481da3851af9b818b9b84e515e17d039b0fdbe749cc29108f60cee054bd42f017e295ade3523f9ccd25d8c2cda022215b12a5d2e0c9928974d8a8f

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Shade.oxu-ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74.exe

Filesize
1.6MB

MD5
4039c1e8c180688104b67c315473fdb4

SHA1
fb63df4c92ea7b861ecb1bef2ce48b67f5d37df2

SHA256
ea8772f373c29b2b731e4926a4c96facf93226dbeff5f9513387351cc0dc7e74

SHA512
794d41a12ba38db3e799e87817404c93879457dda397ac64888b3a54965458338008f81542fbc80d0a7c2a037f17f96b2c551d1abf166ee3ad77f64a2a719e08

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Swed.a-fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de.exe

Filesize
68KB

MD5
1d79ad8323f4c0d42a5886be05a9c635

SHA1
ce40f723074765819876b2ae579d5b1ad78558b6

SHA256
fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de

SHA512
77704129642a75c6bba54ad2c174ddf131190e1ed327d9ac57300cb10777f7498712edd66c66be485004717c4bd278d865855072bfed28ca76cd715ebff460b3

Download Submit
C:\Users\Admin\Desktop\00342\Trojan-Ransom.Win32.Wanna.zbu-04f468bec220fa9dfd4897adf86f28f8ceb04a72806c473cd22e366f716389a3.exe

Filesize
3.4MB

MD5
f42d29367786af1b8919a9d0cbedfd3f

SHA1
28f4efd9fbb9bb8e14d2946da97eff28fed682c9

SHA256
04f468bec220fa9dfd4897adf86f28f8ceb04a72806c473cd22e366f716389a3

SHA512
fb0f9703f592ec503f65c261f062df043d5dcc50f3732f73edbc7b6bfdb5988b272db9ee14d37f9b5bf237f4472f42a9993b0da202ee2b6f9b6da765436f4010

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
ab8cb12d08aba01c0a4e8ace0bcd66ba

SHA1
b8abfe25e7e00d6e4058522cb34bd2f7227b41ca

SHA256
e6a1f978bec77b22ab2c19bdf869a265684046bcc8ca21c3689010376c8604bc

SHA512
4a2ddf852763a3063ef2870ce5f2d69f44e8d5859954d5e8a552ecc2333143ec74a70733b4602505d8fcbd085ada869fdd3d50ecb79c44cef5517811f198d62e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
\ProgramData\mmkt.exe

Filesize
1.3MB

MD5
45184aaea2f47f6a569043f834690581

SHA1
09320ff533c6612e548ac7452d71c39f3ad13f16

SHA256
8fd09186e5d2e2bce989f94b9a1ee4654382d396ca2e2680edacdcf8e21a4385

SHA512
40dd31db4d73c248116ae7abc92195de2f0b5e7eed78f3bb418ba7dcf197f13a364f26f05fdaaa42cf89ea28cca606b1d33cf11a5d4f01c4dea931ebfcb4cbd2

Download Submit
\Users\Admin\AppData\Local\Temp\genialness.dll

Filesize
64KB

MD5
4092ba050b6be1584a69b74ce68c6feb

SHA1
cedbb9da0279563ffb153c073846002d30b32a7a

SHA256
927d80753547868763a121a10bbe62d9fd9ce6ef205275e4c120bca30723c9e6

SHA512
d3322541cdbef2e28ff0aa312f8da4d2a95fe9ab2f5afe990395dc00707781e4852145abf8a5294b0a71cca7d17e84bcfcb90f1fb81fdef2411083cfd933f95c

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB433.tmp\System.dll

Filesize
11KB

MD5
fc90dfb694d0e17b013d6f818bce41b0

SHA1
3243969886d640af3bfa442728b9f0dff9d5f5b0

SHA256
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

SHA512
324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB434.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/328-1337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/328-1399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/348-1353-0x0000000000400000-0x0000000000613000-memory.dmp

Filesize
2.1MB

Download
memory/348-421-0x0000000000400000-0x0000000000613000-memory.dmp

Filesize
2.1MB

Download
memory/380-963-0x0000000003090000-0x00000000030BF000-memory.dmp

Filesize
188KB

Download
memory/380-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/380-1354-0x0000000003090000-0x00000000030BF000-memory.dmp

Filesize
188KB

Download
memory/380-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/380-1348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/380-1338-0x0000000003090000-0x00000000030BF000-memory.dmp

Filesize
188KB

Download
memory/380-1438-0x0000000003090000-0x00000000030BF000-memory.dmp

Filesize
188KB

Download
memory/380-1437-0x0000000003090000-0x00000000030BF000-memory.dmp

Filesize
188KB

Download
memory/380-1453-0x0000000003090000-0x00000000030BF000-memory.dmp

Filesize
188KB

Download
memory/380-919-0x0000000003090000-0x00000000030BF000-memory.dmp

Filesize
188KB

Download
memory/380-1305-0x0000000003090000-0x00000000030BF000-memory.dmp

Filesize
188KB

Download
memory/644-295-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/700-1275-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/700-1272-0x00000000022B0000-0x00000000024AE000-memory.dmp

Filesize
2.0MB

Download
memory/700-767-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/856-1845-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/856-2524-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/876-1306-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/876-1308-0x00000000065F0000-0x0000000006680000-memory.dmp

Filesize
576KB

Download
memory/888-998-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-175-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/996-179-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1136-344-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1136-1166-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1136-97-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1144-174-0x0000000000ED0000-0x0000000000EE3000-memory.dmp

Filesize
76KB

Download
memory/1172-166-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/1176-1010-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-1318-0x00000000006B0000-0x00000000006E2000-memory.dmp

Filesize
200KB

Download
memory/1348-1319-0x00000000006B0000-0x00000000006E2000-memory.dmp

Filesize
200KB

Download
memory/1348-1317-0x00000000006B0000-0x00000000006E2000-memory.dmp

Filesize
200KB

Download
memory/1420-1015-0x0000000000D30000-0x0000000000D62000-memory.dmp

Filesize
200KB

Download
memory/1420-1014-0x0000000000D30000-0x0000000000D62000-memory.dmp

Filesize
200KB

Download
memory/1420-1013-0x0000000000D20000-0x0000000000D52000-memory.dmp

Filesize
200KB

Download
memory/1420-1012-0x0000000000D20000-0x0000000000D52000-memory.dmp

Filesize
200KB

Download
memory/1520-1349-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1520-402-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1528-655-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/1608-95-0x0000000000400000-0x0000000000B5E000-memory.dmp

Filesize
7.4MB

Download
memory/1608-342-0x0000000000400000-0x0000000000B5E000-memory.dmp

Filesize
7.4MB

Download
memory/1608-1350-0x0000000000400000-0x0000000000B5E000-memory.dmp

Filesize
7.4MB

Download
memory/1620-105-0x00000000013E0000-0x00000000013FE000-memory.dmp

Filesize
120KB

Download
memory/1664-47-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1664-46-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1732-104-0x0000000000AB0000-0x0000000000B1C000-memory.dmp

Filesize
432KB

Download
memory/1732-213-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1868-970-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-96-0x0000000000E00000-0x0000000000F0D000-memory.dmp

Filesize
1.1MB

Download
memory/1972-1304-0x0000000000E00000-0x0000000000F0D000-memory.dmp

Filesize
1.1MB

Download
memory/1972-343-0x0000000000E00000-0x0000000000F0D000-memory.dmp

Filesize
1.1MB

Download
memory/2000-347-0x0000000001090000-0x0000000001189000-memory.dmp

Filesize
996KB

Download
memory/2000-98-0x0000000001090000-0x0000000001189000-memory.dmp

Filesize
996KB

Download
memory/2000-1351-0x0000000001090000-0x0000000001189000-memory.dmp

Filesize
996KB

Download
memory/2000-408-0x0000000001090000-0x0000000001189000-memory.dmp

Filesize
996KB

Download
memory/2044-838-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2044-400-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2056-1263-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2064-923-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2064-106-0x0000000000A40000-0x0000000000B08000-memory.dmp

Filesize
800KB

Download
memory/2064-628-0x00000000043D0000-0x0000000004414000-memory.dmp

Filesize
272KB

Download
memory/2428-409-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2428-1352-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2428-99-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2428-348-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2804-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-196-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-508-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3028-160-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/3028-1419-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/3324-1441-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3324-1451-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3836-1511-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3836-1320-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3836-1465-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3924-1725-0x0000000000650000-0x0000000000682000-memory.dmp

Filesize
200KB

Download
memory/4232-1602-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4232-1498-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4236-1847-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4324-1440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-1688-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4448-1729-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4544-1599-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4544-1690-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4820-1727-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4820-1767-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4840-1446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-1439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-1463-0x0000000000B00000-0x0000000000B32000-memory.dmp

Filesize
200KB

Download
memory/4852-1464-0x0000000000B00000-0x0000000000B32000-memory.dmp

Filesize
200KB

Download
memory/4852-1461-0x0000000000B00000-0x0000000000B32000-memory.dmp

Filesize
200KB

Download
memory/4852-1462-0x0000000000B00000-0x0000000000B32000-memory.dmp

Filesize
200KB

Download
memory/4876-1806-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4876-1765-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4944-1598-0x0000000000D50000-0x0000000000D82000-memory.dmp

Filesize
200KB

Download
memory/4944-1597-0x0000000000B90000-0x0000000000BC2000-memory.dmp

Filesize
200KB

Download
memory/4944-1596-0x0000000000B90000-0x0000000000BC2000-memory.dmp

Filesize
200KB

Download
memory/5080-1467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5172-2110-0x0000000002100000-0x0000000002132000-memory.dmp

Filesize
200KB

Download
memory/5172-2111-0x0000000002100000-0x0000000002132000-memory.dmp

Filesize
200KB

Download
memory/5184-4772-0x0000000002880000-0x00000000028B2000-memory.dmp

Filesize
200KB

Download
memory/5184-4774-0x0000000002880000-0x00000000028B2000-memory.dmp

Filesize
200KB

Download
memory/5184-4773-0x0000000002880000-0x00000000028B2000-memory.dmp

Filesize
200KB

Download
memory/5248-2978-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5248-2317-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5600-3654-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5600-4539-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5792-2973-0x0000000002160000-0x0000000002192000-memory.dmp

Filesize
200KB

Download
memory/5792-2974-0x0000000002160000-0x0000000002192000-memory.dmp

Filesize
200KB

Download
memory/5792-2972-0x0000000002160000-0x0000000002192000-memory.dmp

Filesize
200KB

Download
memory/5792-2971-0x0000000002160000-0x0000000002192000-memory.dmp

Filesize
200KB

Download
memory/5828-4517-0x0000000002FA0000-0x0000000002FD2000-memory.dmp

Filesize
200KB

Download
memory/5828-4520-0x0000000002FA0000-0x0000000002FD2000-memory.dmp

Filesize
200KB

Download
memory/5828-4519-0x0000000002FA0000-0x0000000002FD2000-memory.dmp

Filesize
200KB

Download
memory/5828-4518-0x0000000002FA0000-0x0000000002FD2000-memory.dmp

Filesize
200KB

Download
memory/6020-4521-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6020-4777-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6248-3647-0x00000000009F0000-0x0000000000A22000-memory.dmp

Filesize
200KB

Download
memory/6248-3648-0x00000000009F0000-0x0000000000A22000-memory.dmp

Filesize
200KB

Download
memory/6248-3649-0x00000000009F0000-0x0000000000A22000-memory.dmp

Filesize
200KB

Download
memory/6248-3650-0x00000000009F0000-0x0000000000A22000-memory.dmp

Filesize
200KB

Download
memory/7000-3653-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/7000-2975-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download