dharma | 01b0dac333ed7b7c8eed9a13edd5f97097a4d078702fed6017c19fd92b3b8ca0

Analysis

max time kernel
68s
max time network
68s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00324.7z
Size

2.2MB
MD5

e8ea940bde02dd24073a6989eba9a3c6
SHA1

96971422c42909f37669a3834067af96acafee9b
SHA256

01b0dac333ed7b7c8eed9a13edd5f97097a4d078702fed6017c19fd92b3b8ca0
SHA512

5a44ffb9d68281f5620d7d0af2d794b70b0f5404ab69c2eb3de0f3b9391b34e3e3d6366dbd7dce4bc0b1c3e0510a18b19308caf09269819c5971a3bc31324d12
SSDEEP

49152:pbzi7nb5prHNdAfMpjfZVsRnlP37dtZxPTcbYSE/WcAZwkx7OlUHb6Dk6L6lyhRf:9i5BHXAfWf7sL3J3ubYspqlaWDLelyR

Score

10^/10

dharma gandcrab backdoor credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 515B8657 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma

GandCrab payload 6 IoCs

resource	yara_rule
behavioral1/memory/1256-4410-0x0000000000400000-0x000000000045A000-memory.dmp	family_gandcrab
behavioral1/memory/1256-4415-0x0000000000540000-0x0000000000557000-memory.dmp	family_gandcrab
behavioral1/memory/1256-15686-0x0000000000400000-0x000000000045A000-memory.dmp	family_gandcrab
behavioral1/memory/2648-20278-0x0000000000400000-0x000000000045A000-memory.dmp	family_gandcrab
behavioral1/memory/2648-20279-0x00000000002A0000-0x00000000002B7000-memory.dmp	family_gandcrab
behavioral1/memory/2648-20282-0x0000000000400000-0x000000000045A000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (320) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-515B8657.[[email protected]].bip	winhost.exe

Executes dropped EXE 8 IoCs

pid	Process
2616	HEUR-Trojan-Ransom.Win32.Generic-fe14de3877e188f7992fe2ff4a634fdda8be042804cae5a9177f265dc74e6346.exe
3036	HEUR-Trojan-Ransom.Win32.Onion.gen-66dfd96baf2768f41c1a7410465c849da3c6667174aa53436e1317fa0f35764f.exe
2652	Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe
596	winhost.exe
2264	Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe
3576	winhost.exe
1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
2648	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe

Loads dropped DLL 2 IoCs

pid	Process
2948	powershell.exe
2948	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sejysosphny = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\uacfxs.exe\""	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe"	winhost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	winhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	winhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4DY23DRT\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	winhost.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YPLB435F\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\98Y29LGS\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	winhost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUMHXU73\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U8F4PBMO\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\winhost.exe	winhost.exe
File created	C:\Windows\System32\Info.hta	winhost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21482_.GIF.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5B.GIF.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\access-bridge-64.jar.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\background.gif.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Copenhagen.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsdl_image_plugin.dll.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02134_.GIF.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Perspective.thmx	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107480.WMF.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liboggspots_plugin.dll.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\vlc.mo	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dili.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow.css.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PSTPRX32.DLL	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8B.GIF	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMC.exe	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ORIG98.POC	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMWIN.FAE	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EMSMDB32.DLL.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14833_.GIF.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.Adapter.dll.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153273.WMF.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153305.WMF.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.DLL.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OUTLFLTR.DLL.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\deploy.dll	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\j2pcsc.dll.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\WMPDMCCore.dll.mui	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00391_.WMF	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianMergeFax.Dotx.id-515B8657.[[email protected]].bip	winhost.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip.id-515B8657.[[email protected]].bip	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RECYCLE.WMF	winhost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml	winhost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2948	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-fe14de3877e188f7992fe2ff4a634fdda8be042804cae5a9177f265dc74e6346.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Onion.gen-66dfd96baf2768f41c1a7410465c849da3c6667174aa53436e1317fa0f35764f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1452	vssadmin.exe
2364	vssadmin.exe
1636	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	powershell.exe
2948	powershell.exe
2948	powershell.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
2948	powershell.exe
2948	powershell.exe
2616	HEUR-Trojan-Ransom.Win32.Generic-fe14de3877e188f7992fe2ff4a634fdda8be042804cae5a9177f265dc74e6346.exe
596	winhost.exe
2948	powershell.exe
2948	powershell.exe
2948	powershell.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe
2948	powershell.exe
596	winhost.exe
596	winhost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
596	winhost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1852	7zFM.exe
Token: 35	1852	7zFM.exe
Token: SeSecurityPrivilege	1852	7zFM.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeIncBasePriorityPrivilege	2948	powershell.exe
Token: SeBackupPrivilege	988	vssvc.exe
Token: SeRestorePrivilege	988	vssvc.exe
Token: SeAuditPrivilege	988	vssvc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1852	7zFM.exe
1852	7zFM.exe
3516	mshta.exe
3220	mshta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2948	2652	Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe	32
PID 2652 wrote to memory of 2948	2652	Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe	32
PID 2652 wrote to memory of 2948	2652	Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe	32
PID 2652 wrote to memory of 2948	2652	Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe	32
PID 2948 wrote to memory of 596	2948	powershell.exe	34
PID 2948 wrote to memory of 596	2948	powershell.exe	34
PID 2948 wrote to memory of 596	2948	powershell.exe	34
PID 2948 wrote to memory of 596	2948	powershell.exe	34
PID 596 wrote to memory of 1080	596	winhost.exe	35
PID 596 wrote to memory of 1080	596	winhost.exe	35
PID 596 wrote to memory of 1080	596	winhost.exe	35
PID 596 wrote to memory of 1080	596	winhost.exe	35
PID 1080 wrote to memory of 1804	1080	cmd.exe	37
PID 1080 wrote to memory of 1804	1080	cmd.exe	37
PID 1080 wrote to memory of 1804	1080	cmd.exe	37
PID 1080 wrote to memory of 1452	1080	cmd.exe	38
PID 1080 wrote to memory of 1452	1080	cmd.exe	38
PID 1080 wrote to memory of 1452	1080	cmd.exe	38
PID 2948 wrote to memory of 1348	2948	powershell.exe	41
PID 2948 wrote to memory of 1348	2948	powershell.exe	41
PID 2948 wrote to memory of 1348	2948	powershell.exe	41
PID 2948 wrote to memory of 1348	2948	powershell.exe	41
PID 1348 wrote to memory of 2364	1348	cmd.exe	42
PID 1348 wrote to memory of 2364	1348	cmd.exe	42
PID 1348 wrote to memory of 2364	1348	cmd.exe	42
PID 1348 wrote to memory of 2364	1348	cmd.exe	42
PID 1256 wrote to memory of 3932	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	46
PID 1256 wrote to memory of 3932	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	46
PID 1256 wrote to memory of 3932	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	46
PID 1256 wrote to memory of 3932	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	46
PID 1256 wrote to memory of 2400	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	48
PID 1256 wrote to memory of 2400	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	48
PID 1256 wrote to memory of 2400	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	48
PID 1256 wrote to memory of 2400	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	48
PID 1256 wrote to memory of 2684	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	50
PID 1256 wrote to memory of 2684	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	50
PID 1256 wrote to memory of 2684	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	50
PID 1256 wrote to memory of 2684	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	50
PID 1256 wrote to memory of 3852	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	52
PID 1256 wrote to memory of 3852	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	52
PID 1256 wrote to memory of 3852	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	52
PID 1256 wrote to memory of 3852	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	52
PID 1256 wrote to memory of 2004	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	54
PID 1256 wrote to memory of 2004	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	54
PID 1256 wrote to memory of 2004	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	54
PID 1256 wrote to memory of 2004	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	54
PID 1256 wrote to memory of 328	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	56
PID 1256 wrote to memory of 328	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	56
PID 1256 wrote to memory of 328	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	56
PID 1256 wrote to memory of 328	1256	Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe	56
PID 596 wrote to memory of 3548	596	winhost.exe	58
PID 596 wrote to memory of 3548	596	winhost.exe	58
PID 596 wrote to memory of 3548	596	winhost.exe	58
PID 596 wrote to memory of 3548	596	winhost.exe	58
PID 596 wrote to memory of 3516	596	winhost.exe	61
PID 596 wrote to memory of 3516	596	winhost.exe	61
PID 596 wrote to memory of 3516	596	winhost.exe	61
PID 596 wrote to memory of 3516	596	winhost.exe	61
PID 596 wrote to memory of 3220	596	winhost.exe	62
PID 596 wrote to memory of 3220	596	winhost.exe	62
PID 596 wrote to memory of 3220	596	winhost.exe	62
PID 596 wrote to memory of 3220	596	winhost.exe	62
PID 3548 wrote to memory of 2528	3548	cmd.exe	63
PID 3548 wrote to memory of 2528	3548	cmd.exe	63

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00324.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1852

C:\Users\Admin\Desktop\00324\HEUR-Trojan-Ransom.Win32.Generic-fe14de3877e188f7992fe2ff4a634fdda8be042804cae5a9177f265dc74e6346.exe
"C:\Users\Admin\Desktop\00324\HEUR-Trojan-Ransom.Win32.Generic-fe14de3877e188f7992fe2ff4a634fdda8be042804cae5a9177f265dc74e6346.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Users\Admin\Desktop\00324\HEUR-Trojan-Ransom.Win32.Onion.gen-66dfd96baf2768f41c1a7410465c849da3c6667174aa53436e1317fa0f35764f.exe
"C:\Users\Admin\Desktop\00324\HEUR-Trojan-Ransom.Win32.Onion.gen-66dfd96baf2768f41c1a7410465c849da3c6667174aa53436e1317fa0f35764f.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036

C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe
"C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost
  2⤵
  - Loads dropped DLL
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\Desktop\00324\winhost.exe
    "C:\Users\Admin\Desktop\00324\winhost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:1804
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1452
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:2528
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1636
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      PID:3516
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      PID:3220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C "vssadmin delete shadows /All /Quiet"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2364

C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe
"C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Users\Admin\Desktop\00324\winhost.exe
"C:\Users\Admin\Desktop\00324\winhost.exe"
1⤵
- Executes dropped EXE
PID:3576

C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
"C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3932
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3852
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:328
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4044
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3356
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3348
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3956
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:444
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:908
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4072
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:912
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3332
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1664
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3900
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3412
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3916
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3616
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3944
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3776
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3192

C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe
"C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-515B8657.[[email protected]].bip

Filesize
24.4MB

MD5
0ef91baf68ec3d12d1ee2c326654b57e

SHA1
13bb91c392f938f7ff6f25f00a11cba26889afdb

SHA256
6769a26846b59ef41d044a5815f2c28358437ff09303209e084e01537af0eba6

SHA512
421eabb2cdf04df044db6d6db5f6815d6f064651ec67adef76f2d1706be77f0b167b02ccf39bbcc265dcc57500e8c77b86acc63f8d5fd8d428eddb6c573d3bad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
13KB

MD5
5b5fa5a605c82a06091e31961d7eba51

SHA1
fff201cdae77797446afb2287cca88e4fd6f325e

SHA256
5eca12ef60bd1d5d18c016da0beb7589e54fe47a8cea60bb3ea09fbf28168d2f

SHA512
5547066ddcce11168dc675cc8f9073fb63436dfb89c268dbdd3281023728d8c92098f0ee8a64a2256b3584673f7b40f745dab9993b1b1a56c3205e0b34e0b04d

Download Submit
C:\Users\Admin\Desktop\00324\HEUR-Trojan-Ransom.Win32.Generic-fe14de3877e188f7992fe2ff4a634fdda8be042804cae5a9177f265dc74e6346.exe

Filesize
723KB

MD5
90ae451b03968953d50df68285784cf8

SHA1
88ae2246c453eb7ed6fe74a811e74d022dc9d7bf

SHA256
fe14de3877e188f7992fe2ff4a634fdda8be042804cae5a9177f265dc74e6346

SHA512
c99eeac2c27653e9055d9ab45d7b6eff2368c2b8f84785d6d94e1a7d08b45c6bdfb00982a4f323597186491c3d14d180986bffda9fdcca70a7a5fa11b8164eb5

Download Submit
C:\Users\Admin\Desktop\00324\HEUR-Trojan-Ransom.Win32.Onion.gen-66dfd96baf2768f41c1a7410465c849da3c6667174aa53436e1317fa0f35764f.exe

Filesize
1.7MB

MD5
0092c1db163b6da7f04d535b5929dd06

SHA1
97fea09eb0337eebd8448783e8e71ae6c503ec55

SHA256
66dfd96baf2768f41c1a7410465c849da3c6667174aa53436e1317fa0f35764f

SHA512
4968149b04173cead5fa05f33bcfe997d3e246f3d8fa92b0bc208431c886673fbf5bdad5a94a503638d1ce56ebed6df1e786341fd71c4959d421f939eb8221d0

Download Submit
C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.Crusis.to-b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546.exe

Filesize
318KB

MD5
5bcad58742ab33a6a5bd9c9cab7ad515

SHA1
720b278aea44a2f523db8c03231c40c27de4275a

SHA256
b075ddb6ef76d0c09fe78b78d116a2733bd54980286e777e09f82c491c7af546

SHA512
6ce007046f44c381252cf88006df1001086086fea9b1232b9fe8dd664d5ea4c4fad742fa6444dd407ec0a211043ad664c922e353bde796d52f7f1e996c9d02ac

Download Submit
C:\Users\Admin\Desktop\00324\Trojan-Ransom.Win32.GandCrypt.bmy-ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7.exe

Filesize
300KB

MD5
85bbc7246f161dd1113959e6ac54c712

SHA1
11b5d6f924077cf6ca003b8a62d30012bc3139a5

SHA256
ffb6e434f978a2b54649512d171972d4da3c25c3899ca120b91d80e0fd5ccec7

SHA512
04099cd79a50f47f6fc55f765d9ee8b9c23cb21da803a42c3805004038ac33520852547453d8b5056aa56df2228f992702f243b8ba050e577a543ef4829c4d66

Download Submit
C:\Users\Admin\Desktop\00324\takeaway.ps1

Filesize
3KB

MD5
fda66947f0bd73ca11c9c76cf7976f8b

SHA1
1013736912b34aec7f92ea664b0afa432cad7e92

SHA256
6853c94c1549afebd308ada271af7be545eb1f9c43de1d957daa84dfbd53ba5c

SHA512
ec47b5210ae0ddea8e7ce7060e95e9bf8c7c2dced21bcf811719e0e2d2ec74b9e71e45875bdb97ec56fa781c860c4495d0f04a9c0ee5ebd5d25a587e15fcedda

Download Submit
C:\Users\Admin\Desktop\00324\winhost.exe

Filesize
92KB

MD5
43fbcacfd0f5c3b8d710f7d3ffdb97e7

SHA1
ac240398af8e6edbcb20a979497c1786f78e4983

SHA256
ec5ca723ca7efc123e905486ae7c855e3bbc6934d0411946e23c28f8fbebaeeb

SHA512
3d9faabc575b5c8a48f3a30f635137e91969ec902df9e828ad65c2844d80a1a6bdd6339ac9cc496502b6dbb71de6ce9ea6f2991137a7c8e62b3f4ffa00e5fdd2

Download Submit
memory/1256-4415-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/1256-15686-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1256-4410-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2616-357-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2648-20278-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2648-20279-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/2648-20282-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3220-20266-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download
memory/3516-20250-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download