Analysis
-
max time kernel
86s -
max time network
85s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-11-2024 18:32
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00320.7z
Resource
win7-20240903-en
General
-
Target
RNSM00320.7z
-
Size
1.6MB
-
MD5
39ff9a6a7b15b4bda77edcb789ae5f8a
-
SHA1
668e58768e9676bcb9945fee78699487b8308cea
-
SHA256
2737cf080df29967878d0f4161291dce55c2fc40d79f9c42ac51ae31bf624b07
-
SHA512
5be455c739e1018c9443f122fec602ba447c269c1d97f630f49bbe076f84dc8d32b9d1256b4016e08bca9af5c7de244c6237985564e6c803051e4f9cafde9476
-
SSDEEP
24576:R8OMBf51//LOZFku7d/t8s+5hyVWaaH6pdSEYzUiSomNdhII5Q:eOMR5Z/KvkuNdG3/WdSEMUMKqMQ
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Hawkeye_reborn family
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nd3v_logger family
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
resource yara_rule behavioral1/memory/1868-101-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1868-100-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1868-98-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1868-95-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1868-93-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Renames multiple (102) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Renames multiple (311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "rundll32.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "rundll32.exe" svhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe svhost.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe -
Executes dropped EXE 6 IoCs
pid Process 2412 HEUR-Trojan-Ransom.MSIL.Agent.gen-711b3409eebf7438827e3c2bcfbbd2b3e2c607e6327d7159ca8efaef6fdeae0e.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 1868 svhost.exe 1616 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe 2440 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe -
Loads dropped DLL 2 IoCs
pid Process 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 1616 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe = "C:\\Windows\\System32\\Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe" Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Public\Documents\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Documents\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Searches\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DFSC7KT7\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Videos\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\691RDNCS\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CW1M20CU\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Public\Libraries\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\I618Z2Y3\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Public\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C1JHBK4W\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N5RJMVSE\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PG1T8SOQ\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Public\Music\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ORIYJR4N\desktop.ini Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 bot.whatismyipaddress.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Windows\System32\Info.hta Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Admin\\ranso4.jpg" HEUR-Trojan-Ransom.MSIL.Agent.gen-711b3409eebf7438827e3c2bcfbbd2b3e2c607e6327d7159ca8efaef6fdeae0e.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2944 set thread context of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 1616 set thread context of 2440 1616 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe 48 -
resource yara_rule behavioral1/memory/2440-10767-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-10886-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-10768-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-10881-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-10880-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-10878-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-10864-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-10936-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-19777-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-19750-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-21074-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-21082-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-21083-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-21084-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-21089-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2440-21092-0x0000000000400000-0x0000000000607000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft Office\Office14\1033\ACTIP10.HLP.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\highDpiImageSwap.js Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\7-Zip\Lang\ka.txt Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48B.GIF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.INF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB6.BDR Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files\Java\jre7\bin\j2pcsc.dll.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153087.WMF Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106020.WMF Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099184.WMF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files\RestoreConnect.nfo.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\PREVIEW.GIF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.XML.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\BUTTON.GIF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Currency Rates.iqy.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00223_.WMF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+NewSQLServerConnection.odc.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Windows Defender\MpRTP.dll Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\VGX.dll Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\THMBNAIL.PNG.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\slideShow.js Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml.id-5620676D.[[email protected]].arrow Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\FolderN\Chikdjd.exe:Zone.Identifier cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Agent.gen-711b3409eebf7438827e3c2bcfbbd2b3e2c607e6327d7159ca8efaef6fdeae0e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x0016000000018676-380.dat nsis_installer_1 behavioral1/files/0x0016000000018676-380.dat nsis_installer_2 -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2876 vssadmin.exe 2144 vssadmin.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000005608f8c8b94eed2a3d5056ffddd5bd71383be6833363901a5331bd49d5b7b817000000000e8000000002000020000000f7307ad734b6b160a8211bd4195a7bac096d959d552a475e9fb2f7e08b3eedc320000000c1bf7ada71929a4a5549f88142e60529224836f2716a3a6791d60b17eb45ac464000000085afe60448eb2e7897e6c84440f336c4c0072774b590c49def2d164c00773de92ac9c9af1bbddb322064909208e7c13e6d1acd51ca30bab0a5728bf8a7047f1b iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f013d5513135db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000009d97cb7f18f7643e89da880881dec5c80f0a1422e5cf2f5f86abc2b8a020b520000000000e800000000200002000000016e040566b58ca5b8fff9a82851a5e155b49d2a73e0f19ef7573486e9f758334900000004ab4b05b8f05e940ea8efe80c9e98ab88236bf98bd4a774ff8d47acd7dc77e3b1fdcd072aa451041c830c831267fd014fb4bfcee5d8356275a00c3601a6f0070a9dd0384e365e988f9667f84616171042cbcb25261dcf6ed0368ca172bca6f2494397ab3901c07af7f8fd97e9ff13753d3263e0087e015c5f1f04780502ef1c5bfae739646e4431279f26d6b338de5fc40000000f1cc9bdbd4af4b02cd59787c1f8c9db38e23ad61bd8929b53cd07ec946aa3f28f16e91e88835d2e0e6add15dc9820b9118f5314e7379c02606a37353e15ccf44 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{89909801-A124-11EF-A5D8-F2DF7204BD4F} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437598245" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\FolderN\Chikdjd.exe:Zone.Identifier cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2412 HEUR-Trojan-Ransom.MSIL.Agent.gen-711b3409eebf7438827e3c2bcfbbd2b3e2c607e6327d7159ca8efaef6fdeae0e.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 2440 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe 2440 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1964 7zFM.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1616 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeRestorePrivilege 1964 7zFM.exe Token: 35 1964 7zFM.exe Token: SeSecurityPrivilege 1964 7zFM.exe Token: SeDebugPrivilege 2412 HEUR-Trojan-Ransom.MSIL.Agent.gen-711b3409eebf7438827e3c2bcfbbd2b3e2c607e6327d7159ca8efaef6fdeae0e.exe Token: SeDebugPrivilege 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe Token: SeBackupPrivilege 1764 vssvc.exe Token: SeRestorePrivilege 1764 vssvc.exe Token: SeAuditPrivilege 1764 vssvc.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 1964 7zFM.exe 1964 7zFM.exe 3352 iexplore.exe 3352 iexplore.exe 2776 mshta.exe 5848 mshta.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3352 iexplore.exe 3352 iexplore.exe 4240 IEXPLORE.EXE 4240 IEXPLORE.EXE 4240 IEXPLORE.EXE 4240 IEXPLORE.EXE 4240 IEXPLORE.EXE 4240 IEXPLORE.EXE 5744 IEXPLORE.EXE 5744 IEXPLORE.EXE 5744 IEXPLORE.EXE 5744 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 2944 wrote to memory of 2152 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 33 PID 2944 wrote to memory of 2152 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 33 PID 2944 wrote to memory of 2152 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 33 PID 2944 wrote to memory of 2152 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 33 PID 2152 wrote to memory of 1160 2152 cmd.exe 35 PID 2152 wrote to memory of 1160 2152 cmd.exe 35 PID 2152 wrote to memory of 1160 2152 cmd.exe 35 PID 2152 wrote to memory of 1160 2152 cmd.exe 35 PID 572 wrote to memory of 1892 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 37 PID 572 wrote to memory of 1892 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 37 PID 572 wrote to memory of 1892 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 37 PID 572 wrote to memory of 1892 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 37 PID 2944 wrote to memory of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 2944 wrote to memory of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 2944 wrote to memory of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 2944 wrote to memory of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 2944 wrote to memory of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 2944 wrote to memory of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 2944 wrote to memory of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 2944 wrote to memory of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 2944 wrote to memory of 1868 2944 Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe 39 PID 1892 wrote to memory of 948 1892 cmd.exe 40 PID 1892 wrote to memory of 948 1892 cmd.exe 40 PID 1892 wrote to memory of 948 1892 cmd.exe 40 PID 1892 wrote to memory of 2144 1892 cmd.exe 41 PID 1892 wrote to memory of 2144 1892 cmd.exe 41 PID 1892 wrote to memory of 2144 1892 cmd.exe 41 PID 3352 wrote to memory of 4240 3352 iexplore.exe 46 PID 3352 wrote to memory of 4240 3352 iexplore.exe 46 PID 3352 wrote to memory of 4240 3352 iexplore.exe 46 PID 3352 wrote to memory of 4240 3352 iexplore.exe 46 PID 1616 wrote to memory of 2440 1616 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe 48 PID 1616 wrote to memory of 2440 1616 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe 48 PID 1616 wrote to memory of 2440 1616 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe 48 PID 1616 wrote to memory of 2440 1616 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe 48 PID 1616 wrote to memory of 2440 1616 Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe 48 PID 3352 wrote to memory of 5744 3352 iexplore.exe 49 PID 3352 wrote to memory of 5744 3352 iexplore.exe 49 PID 3352 wrote to memory of 5744 3352 iexplore.exe 49 PID 3352 wrote to memory of 5744 3352 iexplore.exe 49 PID 572 wrote to memory of 6000 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 52 PID 572 wrote to memory of 6000 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 52 PID 572 wrote to memory of 6000 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 52 PID 572 wrote to memory of 6000 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 52 PID 6000 wrote to memory of 2076 6000 cmd.exe 54 PID 6000 wrote to memory of 2076 6000 cmd.exe 54 PID 6000 wrote to memory of 2076 6000 cmd.exe 54 PID 572 wrote to memory of 2776 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 55 PID 572 wrote to memory of 2776 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 55 PID 572 wrote to memory of 2776 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 55 PID 572 wrote to memory of 2776 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 55 PID 6000 wrote to memory of 2876 6000 cmd.exe 56 PID 6000 wrote to memory of 2876 6000 cmd.exe 56 PID 6000 wrote to memory of 2876 6000 cmd.exe 56 PID 572 wrote to memory of 5848 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 57 PID 572 wrote to memory of 5848 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 57 PID 572 wrote to memory of 5848 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 57 PID 572 wrote to memory of 5848 572 Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe 57 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00320.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1964
-
C:\Users\Admin\Desktop\00320\HEUR-Trojan-Ransom.MSIL.Agent.gen-711b3409eebf7438827e3c2bcfbbd2b3e2c607e6327d7159ca8efaef6fdeae0e.exe"C:\Users\Admin\Desktop\00320\HEUR-Trojan-Ransom.MSIL.Agent.gen-711b3409eebf7438827e3c2bcfbbd2b3e2c607e6327d7159ca8efaef6fdeae0e.exe"1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe"C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\Chikdjd.exe.lnk" /f3⤵
- System Location Discovery: System Language Discovery
PID:1160
-
-
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"2⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868
-
-
C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe"C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:948
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2144
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:6000 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:2076
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2876
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2776
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:5848
-
-
C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe"C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe"C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2440
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SUA_CHAVE.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3352 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4240
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3352 CREDAT:275469 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5744
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
3Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-5620676D.[[email protected]].arrow
Filesize24.4MB
MD5d93a6481aebffb6d0d249872abb1b83e
SHA16d339d6affeede87b9d937c52027a0a5752c8afc
SHA2560ceb9ef1236cd3d6f31bf91edb30f02ce8b476231dcfc3aa6e8276b5fd55e8d3
SHA512a355b2c39bf1eb32f58fa481b70fd67aa9560dfe55b506a1a895dc45bb780f766f710899fb1891f7f153b17e4077927ba6371d27475d25cc8541d252fb5acd38
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize252B
MD53541b6c4c3efb161bbb27ea2df92bfac
SHA19c9d7b212f5cdf306e67f334e3ab70481ea82e73
SHA256c58d4ae0307f7f06f1ca025f676fa10dbc9854d4ad54b06670e801a5305f98d5
SHA51232347aca09729bb0e27a2e63363834544d13212621b0d5cff610b044e93823a7126385a03ac075505930077855394f87169acf5c408c867811d743a125162141
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57cb1b4277eca7ec63e6e9f9e89ce19da
SHA15ce22579074dfd85333a67060a19683bacc34b07
SHA256fed72719e7908b3cf3c9ce7144a518db88a6306b4364a9e29f3c5831c5e47a04
SHA5128f460afd00d55fad5d5a7a9e6c79ac2a10f6cc667e66e9070cead035ca59ade180b7663132efd9afd4a5afcdb2cc182ab117dab64d0b21d99aeb1cecf2e35867
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD546febe16ad56b64163f8a3dd721230ef
SHA1b01529ac64f48260420fbe86d0c9a294e7b3dd0d
SHA256b8e37572e21af4e78ecd75439d9e760c8d3c7668e95c758d490771c41dee7a16
SHA5121e8689c2d13146102ab0ddce72ccb83467ac6dfcbb54e9cdc4213e07a9e302b754336c3b51c4b8acfaf8ec7bb4c2f2f040c3b0932c35a9b08dd1daa616576d44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55c04f354671a241a065b26ab1304bad3
SHA18828475065cb049a16171a3d6f777bebd335e38b
SHA256b6af4cfefa70d63498fe0612f9661c14a738b962a27d99036b2c097feebb2c7a
SHA51224de1744367c90a12d56eb2e39d3c8182c3f6b333a4c7b68adaedb28e266c0a8d421e493f3e746844bea4ecebf448382315062b72044b9ce252d5df6d8159acc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50a1b3a1ec8d0f63b2ac29469c8d1f18b
SHA14926bcc9a68c080ef7950dbd7e4f4e37966a5e4b
SHA256b1bdd2300d9ad0537e3c0bdabcbb212dbff7ccb3d35c64183edf83e5fac12843
SHA5122ea3a0f5f372d73b7e2175df9c9f5cae65ade8d3eb8bc314fcebb7c0efa7c116f68030c851fa26ec218c76fcddb9522260d3527d3647aae2fe7be168bf2b42ec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e3ad8dd13f312511c4645fcce683392c
SHA183001e20a3aa29e5bc62e4370c1e08d6c94664ae
SHA25642d27a156b5a7bc2d7e99dc250704c81d484035168f6db33be06b95f6532cfc3
SHA5122c6aa844666dbcb0b4c8c47b5a2c0397ae561988126d4f2480a1d0c8288415631c1953dd4bb8560cbd6b991986051777bf02fe9304a461b56b39286ee98d2fc7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5723df649d55a8053cc43f13e960db0c5
SHA1acfff2e422bf9bf651b7b75bd743dd2c7063c189
SHA256bc1b3386ca05bba8c2227a1d06bdd55d275f3299af2f39eb5d7a0543378a25e9
SHA51262592eee72423ea408e863516f990b48408e5b0d33920b2ccb986fd736a59b7e84f37dcdcca72d1bc1d184baaee98d59102ea4088308c2886280e7607c47f45c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD560b448ee84dedefa8b0fb03c359de26a
SHA138e3499330aec785ecf2d01b8ff1242ee586587e
SHA256aa0fc2eb61fe6ce87d1e6f2d9a7018386a94d9ab65d1c50554d34879a69998b6
SHA512b00329f60103bcfed55220476d8da2e69f22c547b740fb81e200ffa449a6cf4636dcdfebe4fe470f1ef44f9d126dcf2eb9125def98b2b8bdaaa6b9f42bb08c74
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57efe35f5666ba32e05d48fba8d1a80c0
SHA19596d1bd628f735a6dbd926e35062f2f6566c576
SHA256129d2f3ceaed86a7ea61786c7ed5b1a33b6c384ccb419348a86cecde3575240d
SHA51261f4c474d0f4f05ebee88015b7dfa5f2a1f342dfe1364748b54b86f1018a59922dae25406b95f3805917dd69cfb058fffd1df69f9d377cd0b52f8759d0ceab8b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a1a58347616b438ac02ce8a1e2abfd40
SHA1f7d5857739ecc43930fba47f9eb40c2cceb848e2
SHA256680d30294b908b7ec0fe36bb39a5f080f97b15cb8f7665562d93d43cda674781
SHA5126b13fe3481caa87d1e1a26960336e970a6d04f09ad6a26f6574f0bf6a4ee6ac4c2ac15fbfcf183ed3ad29aab651e2af649172382794192067072f61581c4e29d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57cc5c78015ba5f7c780fd3f38e68bea9
SHA1be278db192b32273740d7429522d72ccb2edd149
SHA2567e79e14069570b1440ee1a175f77537d7ab7afdf72dd396eed340642bf2076e6
SHA5127911bb0831941cee9893da7f3a98f4009bf12c85e1ef1e97ae59e850173426d01f16b1b848b7fa66e5e6908636bfac131726f1d8821e0f9eddab383f056f7001
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51a9b7fb6d24a2ede2bf55490128618ee
SHA1666789bde6fe5e68d54e29bb22254088f80e7f4b
SHA2569796987649d9015aa2d29e0db1730546757ad9ed967b1769ff38aeb8d80626a2
SHA5124930fa6b9525f4fb78b765e278805565bd1d5ae8694620fb475acf2ee8bc39f1321aa209bcabcfb0321c94c4157eb26be5c59473f8dd60fd5a39d87b9032525a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5635c4b9c7d3cac1843d53409db2dd7fc
SHA1aed59439c7f3744d71a23bbf7c209dbbfe9b25c0
SHA256a393aea41cd14a0d174530d2f8548d19c3ad7f925466cea97f3c40682b08c1fd
SHA51258a19949b8174fd25dcde2b88caea880d0d348f4de711df3e6845e0243ce5f5039a5752dd072cd5fe8e80bf10c74af46fa295c03552efc06f2bcb87528089c28
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50b2da943ba8b2f2fa7b62a626ea2811d
SHA1beb882312e2a8e9f71409cb28385ad4339a8da7c
SHA256ba7b49b7518458c9449f4c541b6677819540406e225eb55f4a80f791b0b7bacc
SHA5129065503ffee41f49d5fe93f4afa1caf780d80f2816c398d9c66f2c67cfc289e7b0320e98e7321df2dd14db27d5ae1201dd569feb012db81ed1df29d8e4ac3aa8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50907a13dc2ea408a60e931b1d033bc85
SHA1de772e8c797ebd8c0f4ae224f729cd104c82289f
SHA256b99f15504f0e4771f12b269a2ed1a62f13e135b817c6d4ca5ddded9958bafca2
SHA5126490ae616243a02854e4b647f7de6c6933c425e4462ce1d9d97b38f06e69ed0cae006fb8e1bddf5a2017050255c93b52888160f0567c79a56e34842b737f7302
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5aee868587c8d1991a27a80d148c53527
SHA1002bfb024a00b4f7d0f8f825575a2185b54d7576
SHA25628fdb53c8c9449181b41c29e09401e7f45f7ae945e5fff3180fc6b43f66656af
SHA5120bf4b87f1ab38cd9857069f6527a7af1e52fa386d95c86a2a0677a0e4430d3f406a7ebdd82a0c877edc85b41533a384ed69e6f378b680dacad44eee3a52c9663
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55e4811b4c7f0bd7db758fc7065c9adc1
SHA157a65ca857062fd6a98a35f5604d5dfc6107b59b
SHA25669b1d5d105d4624c71a0927fca635259e06691d1687426d57431f53c74dcc842
SHA5125fadfb1b69cb81da4da36901b107ee019c0f754f92f068f64c804b33f471de38ae8aafa123cf5c6d45358f6f5f29b3578dccb3bb3facef0f6ad3ec87124154bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b2ac8b958bb9c91050aa6a55ffe2d977
SHA138ddf4f395deb1ccf5aaa465965021fe03b83dda
SHA2569b43e43b79fcf1c322dd8e4f875c2af44f85590a5d4a6e2d18caaf333f39d4f3
SHA5129f9e4c7e952eceafe78c0f904408fd972ef56ed12c5904a8473d66a3ef517e2d416c251ce88eae90f24d596032145d06497e8a2af7d155b5e737035ac2e352cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD559c3ab29ee65501ed155d70fe7e6fd04
SHA16a743a0ee60bcd3da736c3519c1b7782f8390366
SHA2560558731f46efc0492996806a2b3a342a362121efe7ba1cf97020f7c56029c229
SHA5122a2a3bca86e5397ae1da4e8951a2cf50f574296f8197d3e4a4ff694ce69261dcf94ee92c714b8275574c1a48f9489ee8f2da0dfb8893ce27708ace298517c185
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5023160d48bb1973f46aac1dc2185c8dd
SHA16b231cd64e9342940ace870c1438d38e188a663f
SHA2561e8c34cae45fe3178c813d6f288b1570228e7fd84c738440e76652ca58f1845c
SHA5120475e207a214ead1e8906cea0ba79ab2b7d1d2b0eb6611b2f2d1fa68e15af91e4739f12781439057dc83d08a7be71bcaa88c21d61bd801b7fff8c655c75cc01d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5f9debbd48a62d5c3f8daa45f34f1ae84
SHA1922568341c63e2359be008f1ab2c89955087d3a4
SHA2567da9ab280e263b6153fa2bfd7b89ddfc83597c83d28127cc200353972a8b88e3
SHA512c6dceb7121e7eaae20c725ba43bfaa933b95ce6ee47e6e19d15b99661c74e2563efd7d6f1149d5b9ceafe5daa0561539bcab36eb883bc0b1deef9913459ff786
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\bqMkpxhui[1].js
Filesize34KB
MD5ce07affa04803b8889da4add31fd43dc
SHA10fb5a8fcee96a30571493eab29d0e2a6555a16ff
SHA2568c1495c44aec0fa67b5ea6caf921a72de269aff5387ae21fc97e22f94f4f7f3f
SHA512f79974074d4f5f991d2acb486189d8c8668dc854c40dc586836359fc20d38c66d0f98303962c072e119a4ca0daf1156cb8ff476c9b3cebf785f37ae73b88567f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
192KB
MD5541241c3573506cb7d3c4890ea30f845
SHA19feac8d9a9fdfa8fe9ab3f7fd74d90d0e7fd8f0f
SHA256ebbe44ed0503a0997b63e979f398c2bda54da5b57c25ae660cd107de070902ea
SHA512634d19666e5ec8c25dbaa86d0e6a23e8e553a6655d83af1e5522b14ea52ecee673f083b8f4ad460d21a836fa635b1535b40e545fbd074c9bbf94b03300a6d723
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\Desktop\00320\HEUR-Trojan-Ransom.MSIL.Agent.gen-711b3409eebf7438827e3c2bcfbbd2b3e2c607e6327d7159ca8efaef6fdeae0e.exe
Filesize217KB
MD510597e7c2e644d9bd346844f08328c0b
SHA1333242463e606a75f9fe69035d62c1a228126545
SHA256711b3409eebf7438827e3c2bcfbbd2b3e2c607e6327d7159ca8efaef6fdeae0e
SHA512c124f57a783bac1231e1676122e483f4797fcf36bcc13aac322b58dee446b689cc70eea38670dc5c34469ebd902b1c78c7fb432a1f0fa335738cff1e22d3b34f
-
C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Blocker.dvjn-31cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f.exe
Filesize942KB
MD5611cec4d0be6b6da848b7ae05f085e91
SHA1aa9202dedb2c061916c350153580c6896174dafe
SHA25631cdbc1a2bc6fe4a2bdb1d889c6fa5952cb47e566d8cb5c09602887c3cb1aa6f
SHA512ae65ee33c79fb2d901c17a1fd695dd023ea0429a47bdb74824a9ae8e6cba3bf09f9290ae64de9e131d874ae09fef6313c6b448d29005667550716dc76d4bf885
-
C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Crusis.to-453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1.exe
Filesize92KB
MD5a43246f1ec961b42932f8b656b2f09fb
SHA12d09ae6a78e93d1b97de98ff6c8e3a146f2d6820
SHA256453dfb5846033893d35b3f6f52b8e6f183513f84c877ba9d09bdc57239487dd1
SHA512c0bfacc064e12359fe9b714dbd3ee3533b9ffa8b47df14ffd982ab55794b063c6cad28e30614e2c936c2586580a17b6e6c8fefd78fb77ad20798489e45f15587
-
C:\Users\Admin\Desktop\00320\Trojan-Ransom.Win32.Shade.omi-41f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b.exe
Filesize972KB
MD592073a096c689e8168fee4295c978af9
SHA16845a4e1bef44fe25ffdca2e414c785c6ae656d6
SHA25641f949dbc9c45451dd1bbc9a8f0376dd78f9c2c99313a9b8de5488ec83599c2b
SHA5120bd9bc71d60b1b86973b3c7dd4a2f8495b5e298fc520915222617987c574dadb53e85042a17290a2b1e40adee3ec91b93c72ffa2a20860f971a8447faa8a53bf
-
Filesize
64KB
MD54666cf403e0b802a9fe939f077d81064
SHA172a4d873df059ae6140ab14663b402770e8c3853
SHA2569439cf9950b249063f7027472a91dbabe5c00cc606646f284cc2bac8dffb1e4c
SHA512977f15a568d2ebe4c93e66b93ac26e0389ba570d374b1de900e1e05e678a5ad71d3345df501a4efb0b81a7f1bd858a8273c22ecc70b1a075349d496d5dd9c9a1
-
Filesize
64KB
MD5591618c075c74082fe24afdf70a9cbf1
SHA1080b13cd1cca2b7163127adb9f9fcee4d0b32947
SHA2563d5210f27757b8bae991c30384125c666ece091446625bbb1cdef23ebc317c8f
SHA51248da4bd3f102116c12643eb9ad2d8809bdaf87db06652e256878ad4e6d9a0404f0b1a8783818156e103029fef410103391798b283f559f710295920f8df58c92
-
Filesize
107B
MD5f612fb50a230ef24b60257c38cd34a2a
SHA1794ecd8b269cc3c9db122000f16153b966b8c691
SHA256d8914579421880723fc53f20d50781ea106946cae7836864c1d6357562c735f1
SHA51273fa58eb0cb4c0628523af1bdef233a9372ea46814e4886231c698cfed2affa122aea80b146f3bffb68e8c3d09a48abf5123fc2a9b3ddf1450a50dacdcb8dcf0
-
Filesize
64KB
MD5d4de7ed6e848ab263ecb0a7389598c90
SHA1d0bfd5abc136344837767470e99c54a29373b719
SHA256ee4fd3f4eda01fa2e573db5bca00fe9a2d5bb8c8e1ffa6afe3d57018eb48caf3
SHA5128ef5ef16b30071d57a99fe79bfe94bffb4dbcb2d3eed96ea77b3c2229651adeec2eda9265c14852253c0d6d2c049597c3006f3ac98060ad1937de3101cf2c725
-
Filesize
16KB
MD5f197198ad8e2d24b9731438aac2c7fef
SHA1f3d5e268a81c86a0ddcc065db3a2339eea780dd6
SHA256be7788b314f1a2a9f4aa8f9104a8ba308e315443451806bda150250b0f5fd32b
SHA512e682471c9f4c806b87e2afddf35384fdfb473bccfcce72a2b2bed35d5e36625dfbb1a5dd4dd2a2c1ed268b1688ddffa5d1ed065682c4a5e19df7f03c3489c09c
-
Filesize
64KB
MD537db077dfacae998753b5f613a91e72f
SHA16e360244064823f424462b22ba01819fc1afc601
SHA25653f24d4ceb5ea8cbba7cfa89297b685d0fedd7702b06df49ca2b3e6045a2079c
SHA512f468b58edda12c643c50074c15d74db6f2efe04edd4e4d6e2c6f7895f8c8d20c5024bb5d45fb8b8f6baae3e1384250329b059823c411fdfae8b428635f58dadb
-
Filesize
64KB
MD56b35a84e8979f502e1c949a39ae2ea49
SHA18f35f8ad3382642d42d11387b13c9b360557a924
SHA2569cb58692bd84b346cf91d9c58820282b9b8c1042906ff7bac77e1da14a80f4df
SHA512ebffb59977501ea0dc5b05326595a402d0ea1f68ee95150d790073111d8946989f9330699fe5341df594cd8f7d73a1b29130446e481368e0b2e036db5920d0bb
-
Filesize
64KB
MD52edcdc16c9a2231c49a6949cf38e168b
SHA19147b5bbe9f7da0ec1337afb43e304af2ed42397
SHA256cdf3cef7a11f78278279569a9b855d7bda24b064ea37cbbd212d27f79827ca54
SHA512e1f86b7bca177626c72533493f90c067c2e7edbe66b9e1596c8d0dddae7eb481a328fc2551ddbab3632040aa1d9656e4881cb4dc02d3632f8311d152607b46e9
-
Filesize
531KB
MD5a41d86d4e31e2d54b289849284060fc0
SHA14bc7fbfa4852be61b85f0bb0b0bbeec561629062
SHA256f3fc779c7a802d7db8f156beba8309e89f54c9d5774294adf2329eafbd5f26a0
SHA512be976780b647dd6fc7b980390c1f5845c0f773c4af278e791c652c348c10927e5cc6c2daa1768c4d6bfae289d04f72aad0b7347479e70267e9966bfdf8884f5a
-
Filesize
128KB
MD5939915666449b009eeb80fa41ee53e0c
SHA1fb985cc50df5a53d694631ff8cedb1dcd93186b7
SHA25654769ab42b8b7c46acffa0313b954386501868cfa37a8a6ae7c7a545dc3c924d
SHA512cfaa07e0d23eca6739f8f1b4aad88fa6fb5c195a9b8fe0f4a823f0f796de82f9752daa42d10c01c43951ddfc67c24e3365abc0c197c61435902c5cb158d9d54f
-
Filesize
64KB
MD5fba0bd41b1e855b9149024490b081005
SHA1e91b52be4a715f993f7b18759d10c65a074efa08
SHA2561bd7fc47f5efae84938eb217aa5982992b510b55ecadf61740cad336c3e733fb
SHA51262b9a0555bb232ed8994f6df453e43e2e79310c87408794a9e21f6b932fe318f4d50f20bcdedf7dbae34c2968515000bfe38ea34aae200281cf1e8d3982328c9
-
Filesize
64KB
MD5e024598cde5fce4f477bb5d197f4b51b
SHA1acea3c607e829d8b20eadacfe0da8cce9bc59e20
SHA2562bb5887b91ce35f21d720acc5cf6038a5f3f221d0ff21e425eba913957b8568a
SHA51292ff61e17055ee3d9c981d5e632394dc07a20d6b1ff9a8a7b37d27402fda3f595de9c537c0c795ec53f3ff2ac48bf4ae014c261261f4a36722803c6bb1056116
-
Filesize
192KB
MD515444c379a04ca6d3f63d3a6b08f8bfe
SHA127aebb98eaa814035f0a52cf1773cac001c93397
SHA25699a1aa000d909892506cceddca813bba3e1dbf125589d8bb5f48b9f93ae12160
SHA51210c9092620295b99a744dbe13b56e8ca3a849623dcc7484d1567367bc9f89a21e21f4f4702440d904f95f7b620cd1dfac91070a431961b347739a750c7e0b6b3
-
Filesize
128KB
MD5d71080dd32a84024fa73d76f0cd92bf5
SHA1e13f8d18573919ab740d2f28e7f7116f8d78fc1e
SHA256add9369912840457f9413e5dd5d0c8342a28072274d2e53fd36df52e5ceaa32c
SHA512abacdd656b1c841b71a55d8ad4b73359e2ff2c0d83c755f08b48d22c6aa2c833dd865a2808514425c7f87c254472a88785bf0c6615c17006d358caab8cd049f1
-
Filesize
64KB
MD5840422b0831474fced284f041dabfcf7
SHA16b8ab96b46c08392902b912893205a491e943140
SHA2566bbd2186bae07fd08026aff75de87a567be1b7ceb9edddc88041a2f028de0d28
SHA5126036e037f4a81aaab29741a76318ab7f0ef013f82be4cef4226ade751a8e34ec426fc7a78728f55ed5ec4b7932cd954fc7e741150cea8e517dce3acd7ec2e2a7
-
Filesize
64KB
MD52e35aed1d6bc3368205087ab82e157c1
SHA1b7bd4b9a6c42ce5ea4b73918c8182d5fdecd12e2
SHA2565ca0a7077c7d1bb3b2f7ac8bcea17afe3e201c7b6d045dd6cf128d24e6db1921
SHA5125b969278ccf8e2a268dbe9b38ba5233595bed410884fc06d1974d81c2b3d55bc7be323443440c487715eed504541a430c5c559e33e27eab3cf063891de490216
-
Filesize
11KB
MD53f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA5120a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
-
Filesize
85KB
MD52e5f1cf69f92392f8829fc9c9263ae9b
SHA197b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA25651985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883