darkcomet | 51db189fed4125f4fb72ac9a078d1a95b9cb43be5c57259ad22a099c0b77d1a4

Analysis

max time kernel
203s
max time network
202s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00308.7z
Size

1.7MB
MD5

110f2dbedc28666c7d8ccd4bba06d2b8
SHA1

96cbc48fcab1450e18237dc77fd0e7d7e944a77d
SHA256

51db189fed4125f4fb72ac9a078d1a95b9cb43be5c57259ad22a099c0b77d1a4
SHA512

08ac80abb77925dbebc23b57ed4adf995a7a369f1c40d125ef9f73b7ced947343203510b0ad6b34dba20643ce3e13cbcbfbf9404f26b74766420a8b87d8f479c
SSDEEP

49152:bcAdQUY0kuem8NGQM3gR6Wf26YbWNjCUt0p:bLBxTe7GQdXfb9Co4

Score

10^/10

darkcomet modiloader netwire usa botnet defense_evasion discovery persistence rat stealer trojan upx

Malware Config

Extracted

Family

netwire

178.32.72.136:3361

193.124.0.151:3362

Attributes

activex_autorun
true
activex_key
{0QG8J5X8-8ATR-63E7-Y066-IIX78EN8O68E}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Skype.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
kgTjYgBY
offline_keylogger
true
password
ebefob44
registry_autorun
true
startup_name
TeamViewer
use_mutex
true

Extracted

Family

darkcomet

Botnet

USA

185.142.239.190:5655

Mutex

DC_MUTEX-BHTA0F4

Attributes

InstallPath
MSDC\msdcsc.exe
gencode
URy5L19mbwqc
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exetmp.exesvhost.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\URy5L19mbwqc\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\URy5L19mbwqc\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\msdcsc.exe"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\msdcsc.exe"	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\URy5L19mbwqc\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\URy5L19mbwqc\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\URy5L19mbwqc\\msdcsc.exe"	msdcsc.exe

Modiloader family
modiloader

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1924-64-0x0000000000400000-0x0000000000456000-memory.dmp	netwire
behavioral1/memory/1924-71-0x0000000000400000-0x0000000000456000-memory.dmp	netwire
behavioral1/memory/1092-121-0x0000000000400000-0x0000000000456000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-94-0x0000000000400000-0x0000000000507000-memory.dmp	modiloader_stage2
behavioral1/memory/1188-418-0x0000000000400000-0x0000000000507000-memory.dmp	modiloader_stage2

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

Skype.execonime.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0QG8J5X8-8ATR-63E7-Y066-IIX78EN8O68E}	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0QG8J5X8-8ATR-63E7-Y066-IIX78EN8O68E}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skype.exe\""	Skype.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B933-11d2-9CBD-0000F87A369E}	conime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B933-11d2-9CBD-0000F87A369E}\ = "Ver933"	conime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B933-11d2-9CBD-0000F87A369E}\stubpath = "C:\\WINDOWS\\Qedie\\conime.exe"	conime.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\bitsadmin.lnk	svchost.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\bitsadmin.lnk	svchost.exe

Executes dropped EXE 21 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exeTrojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exeTrojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exeHEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exeTrojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exeTrojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exeTrojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exeTrojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exeTrojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exeHEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.execonime.exeSkype.exetmp.exeAdobeART.exesvhost.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exebitsadmin.exe

pid	process
636	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
2912	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
2328	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
2780	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
772	Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
1712	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe
1948	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
2692	conime.exe
1092	Skype.exe
1848	tmp.exe
1188	AdobeART.exe
1844	svhost.exe
2428	msdcsc.exe
2804	msdcsc.exe
1052	msdcsc.exe
2132	msdcsc.exe
2320	msdcsc.exe
2808	bitsadmin.exe

Loads dropped DLL 25 IoCs

Processes:

Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exeWerFault.exeTrojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exeTrojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exeTrojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exesvhost.exetmp.exemsdcsc.exemsdcsc.exemsdcsc.exesvchost.exe

pid	process
2328	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
2780	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
2780	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
1844	svhost.exe
1848	tmp.exe
1848	tmp.exe
2804	msdcsc.exe
2804	msdcsc.exe
1052	msdcsc.exe
2132	msdcsc.exe
2132	msdcsc.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exesvchost.exesvchost.exesvhost.exemsdcsc.exeAdobeART.exeSkype.exetmp.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\bitsadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bitsadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bitsadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\msdcsc.exe"	svhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\URy5L19mbwqc\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	AdobeART.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeamViewer = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\bitsadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\msdcsc.exe"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC\\URy5L19mbwqc\\URy5L19mbwqc\\msdcsc.exe"	msdcsc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exeTrojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe

description	pid	process	target process
PID 1492 set thread context of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 2432 set thread context of 1844	2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe	svhost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2780-94-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral1/memory/1188-418-0x0000000000400000-0x0000000000507000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

Processes:

Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe

description	ioc	process
File created	\??\c:\Program Files\933.txt	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe

Drops file in Windows directory 4 IoCs

Processes:

Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\WINDOWS\Qedie\conime.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
File opened for modification	C:\WINDOWS\Qedie\conime.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
File opened for modification	C:\Windows\SysWOW64	svchost.exe
File opened for modification	C:\Windows\SysWOW64	svchost.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	process	target process
1472	1712	WerFault.exe	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exeTrojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exereg.exeTrojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exeHEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exeHEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exenotepad.exemsdcsc.exenotepad.exeTrojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exeTrojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exesvhost.exenotepad.exemsdcsc.execsc.exeTrojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.execmd.execvtres.exebitsadmin.exesvchost.exeSkype.exenotepad.exemsdcsc.exenotepad.exemsdcsc.exenotepad.exesvchost.exeTrojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exetmp.exeAdobeART.exemsdcsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeART.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies data under HKEY_USERS 27 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitsadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bitsadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bitsadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitsadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\dllcache\\bitsadmin.exe\""	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Modifies registry class 64 IoCs

Processes:

efsui.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "11"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "12"
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Rev = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2"
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\1\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	efsui.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	efsui.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 62003100000000002359912a10204d4943524f537e3200004a0008000400efbe2359602a2359912a2a000000280301000000010000000000000000000000000000004d006900630072006f0073006f00660074002000480065006c007000000018000000
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	efsui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\NodeSlot = "7"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\1\NodeSlot = "8"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	efsui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewVersion = "0"	efsui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193"
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000000000000100000002000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1245"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\11
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\1 = 4c003100000000006d59c28a10204c6f63616c00380008000400efbe2359a8296d59c28a2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exeHEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exeTrojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exeTrojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exeTrojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exeTrojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exeTrojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exeTrojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe

pid	process
636	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
2912	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
2780	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
772	Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
1712	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeHEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exeTrojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe

pid	process
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
3000	taskmgr.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
3000	taskmgr.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exeAdobeART.exetaskmgr.exeefsui.exe

pid	process
2780	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
1188	AdobeART.exe
3000	taskmgr.exe
856	efsui.exe
1192

Suspicious behavior: MapViewOfSection 17 IoCs

Processes:

Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exebitsadmin.exesvchost.exe

pid	process
772	Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
2808	bitsadmin.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exetaskmgr.exeTrojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exetmp.exesvhost.exemsdcsc.exe

description	pid	process
Token: SeRestorePrivilege	2504	7zFM.exe
Token: 35	2504	7zFM.exe
Token: SeSecurityPrivilege	2504	7zFM.exe
Token: SeDebugPrivilege	3000	taskmgr.exe
Token: SeDebugPrivilege	2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
Token: SeIncreaseQuotaPrivilege	1848	tmp.exe
Token: SeSecurityPrivilege	1848	tmp.exe
Token: SeTakeOwnershipPrivilege	1848	tmp.exe
Token: SeLoadDriverPrivilege	1848	tmp.exe
Token: SeSystemProfilePrivilege	1848	tmp.exe
Token: SeSystemtimePrivilege	1848	tmp.exe
Token: SeProfSingleProcessPrivilege	1848	tmp.exe
Token: SeIncBasePriorityPrivilege	1848	tmp.exe
Token: SeCreatePagefilePrivilege	1848	tmp.exe
Token: SeBackupPrivilege	1848	tmp.exe
Token: SeRestorePrivilege	1848	tmp.exe
Token: SeShutdownPrivilege	1848	tmp.exe
Token: SeDebugPrivilege	1848	tmp.exe
Token: SeSystemEnvironmentPrivilege	1848	tmp.exe
Token: SeChangeNotifyPrivilege	1848	tmp.exe
Token: SeRemoteShutdownPrivilege	1848	tmp.exe
Token: SeUndockPrivilege	1848	tmp.exe
Token: SeManageVolumePrivilege	1848	tmp.exe
Token: SeImpersonatePrivilege	1848	tmp.exe
Token: SeCreateGlobalPrivilege	1848	tmp.exe
Token: 33	1848	tmp.exe
Token: 34	1848	tmp.exe
Token: 35	1848	tmp.exe
Token: SeIncreaseQuotaPrivilege	1844	svhost.exe
Token: SeSecurityPrivilege	1844	svhost.exe
Token: SeTakeOwnershipPrivilege	1844	svhost.exe
Token: SeLoadDriverPrivilege	1844	svhost.exe
Token: SeSystemProfilePrivilege	1844	svhost.exe
Token: SeSystemtimePrivilege	1844	svhost.exe
Token: SeProfSingleProcessPrivilege	1844	svhost.exe
Token: SeIncBasePriorityPrivilege	1844	svhost.exe
Token: SeCreatePagefilePrivilege	1844	svhost.exe
Token: SeBackupPrivilege	1844	svhost.exe
Token: SeRestorePrivilege	1844	svhost.exe
Token: SeShutdownPrivilege	1844	svhost.exe
Token: SeDebugPrivilege	1844	svhost.exe
Token: SeSystemEnvironmentPrivilege	1844	svhost.exe
Token: SeChangeNotifyPrivilege	1844	svhost.exe
Token: SeRemoteShutdownPrivilege	1844	svhost.exe
Token: SeUndockPrivilege	1844	svhost.exe
Token: SeManageVolumePrivilege	1844	svhost.exe
Token: SeImpersonatePrivilege	1844	svhost.exe
Token: SeCreateGlobalPrivilege	1844	svhost.exe
Token: 33	1844	svhost.exe
Token: 34	1844	svhost.exe
Token: 35	1844	svhost.exe
Token: SeIncreaseQuotaPrivilege	2804	msdcsc.exe
Token: SeSecurityPrivilege	2804	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2804	msdcsc.exe
Token: SeLoadDriverPrivilege	2804	msdcsc.exe
Token: SeSystemProfilePrivilege	2804	msdcsc.exe
Token: SeSystemtimePrivilege	2804	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2804	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2804	msdcsc.exe
Token: SeCreatePagefilePrivilege	2804	msdcsc.exe
Token: SeBackupPrivilege	2804	msdcsc.exe
Token: SeRestorePrivilege	2804	msdcsc.exe
Token: SeShutdownPrivilege	2804	msdcsc.exe
Token: SeDebugPrivilege	2804	msdcsc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exeTrojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exeSkype.exesvchost.exeefsui.exeHEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe

pid	process
2504	7zFM.exe
2504	7zFM.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
3000	taskmgr.exe
1092	Skype.exe
1092	Skype.exe
1092	Skype.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
1372	svchost.exe
3000	taskmgr.exe
856	efsui.exe
856	efsui.exe
856	efsui.exe
636	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
636	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
636	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
636	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exeTrojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exeSkype.exeefsui.exe

pid	process
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
3000	taskmgr.exe
1092	Skype.exe
1092	Skype.exe
1092	Skype.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
856	efsui.exe
856	efsui.exe
856	efsui.exe
3000	taskmgr.exe
3000	taskmgr.exe
856	efsui.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

msdcsc.exeefsui.exe

pid process

2320 msdcsc.exe
856 efsui.exe
856 efsui.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

pid	process
2320	msdcsc.exe
856	efsui.exe
856	efsui.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeTrojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exeHEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exeTrojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exeTrojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exeTrojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.execmd.exeTrojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe

description	pid	process	target process
PID 2716 wrote to memory of 636	2716	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
PID 2716 wrote to memory of 636	2716	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
PID 2716 wrote to memory of 636	2716	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
PID 2716 wrote to memory of 636	2716	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
PID 2716 wrote to memory of 1492	2716	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 2716 wrote to memory of 1492	2716	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 2716 wrote to memory of 1492	2716	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 2716 wrote to memory of 1492	2716	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 2716 wrote to memory of 2912	2716	cmd.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
PID 2716 wrote to memory of 2912	2716	cmd.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
PID 2716 wrote to memory of 2912	2716	cmd.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
PID 2716 wrote to memory of 2912	2716	cmd.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
PID 2716 wrote to memory of 2780	2716	cmd.exe	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
PID 2716 wrote to memory of 2780	2716	cmd.exe	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
PID 2716 wrote to memory of 2780	2716	cmd.exe	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
PID 2716 wrote to memory of 2780	2716	cmd.exe	Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
PID 2716 wrote to memory of 2432	2716	cmd.exe	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
PID 2716 wrote to memory of 2432	2716	cmd.exe	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
PID 2716 wrote to memory of 2432	2716	cmd.exe	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
PID 2716 wrote to memory of 2432	2716	cmd.exe	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
PID 2716 wrote to memory of 772	2716	cmd.exe	Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
PID 2716 wrote to memory of 772	2716	cmd.exe	Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
PID 2716 wrote to memory of 772	2716	cmd.exe	Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
PID 2716 wrote to memory of 772	2716	cmd.exe	Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
PID 2716 wrote to memory of 1924	2716	cmd.exe	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
PID 2716 wrote to memory of 1924	2716	cmd.exe	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
PID 2716 wrote to memory of 1924	2716	cmd.exe	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
PID 2716 wrote to memory of 1924	2716	cmd.exe	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
PID 2716 wrote to memory of 1712	2716	cmd.exe	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe
PID 2716 wrote to memory of 1712	2716	cmd.exe	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe
PID 2716 wrote to memory of 1712	2716	cmd.exe	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe
PID 2716 wrote to memory of 1712	2716	cmd.exe	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe
PID 2912 wrote to memory of 2328	2912	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
PID 2912 wrote to memory of 2328	2912	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
PID 2912 wrote to memory of 2328	2912	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
PID 2912 wrote to memory of 2328	2912	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 2328 wrote to memory of 2692	2328	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe	conime.exe
PID 2328 wrote to memory of 2692	2328	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe	conime.exe
PID 2328 wrote to memory of 2692	2328	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe	conime.exe
PID 2328 wrote to memory of 2692	2328	Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe	conime.exe
PID 1712 wrote to memory of 1472	1712	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe	WerFault.exe
PID 1712 wrote to memory of 1472	1712	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe	WerFault.exe
PID 1712 wrote to memory of 1472	1712	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe	WerFault.exe
PID 1712 wrote to memory of 1472	1712	Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe	WerFault.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 1492 wrote to memory of 1948	1492	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe	HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
PID 2432 wrote to memory of 576	2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe	cmd.exe
PID 2432 wrote to memory of 576	2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe	cmd.exe
PID 2432 wrote to memory of 576	2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe	cmd.exe
PID 2432 wrote to memory of 576	2432	Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe	cmd.exe
PID 576 wrote to memory of 2948	576	cmd.exe	reg.exe
PID 576 wrote to memory of 2948	576	cmd.exe	reg.exe
PID 576 wrote to memory of 2948	576	cmd.exe	reg.exe
PID 576 wrote to memory of 2948	576	cmd.exe	reg.exe
PID 1924 wrote to memory of 1092	1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe	Skype.exe
PID 1924 wrote to memory of 1092	1924	Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe	Skype.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00308.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\Desktop\00308\HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
  HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of FindShellTrayWindow
  PID:636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a34i95xh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES695E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC693E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
- C:\Users\Admin\Desktop\00308\HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
  HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\Desktop\00308\HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
    HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe
    3⤵
    - Executes dropped EXE
    PID:1948
- C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
  Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
    C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\WINDOWS\Qedie\conime.exe
      C:\WINDOWS\Qedie\conime.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      PID:2692
- C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
  Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2780
- - C:\Users\Admin\AppData\Roaming\AdobeART.exe
    "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1188
- C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
  Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\MSDC\msdcsc.exe
      "C:\Users\Admin\AppData\Local\Temp\MSDC\msdcsc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2804
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\MSDC\URy5L19mbwqc\URy5L19mbwqc\msdcsc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MSDC\URy5L19mbwqc\URy5L19mbwqc\msdcsc.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1052
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
      - C:\Users\Admin\AppData\Local\Temp\MSDC\URy5L19mbwqc\URy5L19mbwqc\msdcsc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MSDC\URy5L19mbwqc\URy5L19mbwqc\msdcsc.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\MSDC\URy5L19mbwqc\msdcsc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MSDC\URy5L19mbwqc\msdcsc.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\MSDC\URy5L19mbwqc\msdcsc.exe
      "C:\Users\Admin\AppData\Local\Temp\MSDC\URy5L19mbwqc\msdcsc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2428
- C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
  Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  PID:772
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    3⤵
    - Adds policy Run key to start application
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    PID:1372
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dllcache\bitsadmin.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dllcache\bitsadmin.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:2808
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe -k netsvcs
        5⤵
        Adds policy Run key to start application
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: MapViewOfSection
        
        PID:1368
- C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
  Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Roaming\Install\Skype.exe
    -m "C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1092
- C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe
  Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 164
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1472

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3000

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:856

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
PID:1008

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Documents\aa.pfx
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES695E.tmp

Filesize
1KB

MD5
b59d2545a36439667d726f3a39da54c8

SHA1
94c506283680e8da5353d69517166966a5a34e77

SHA256
f5e7714ee6fd8294c2e71b022a3fe010d401aea85444c3da3929f47c028c9c5b

SHA512
adb846e3859c95c0407cc0cfce5d3d73f29dfbbec6e4e3c3d287e91ddf1464795594463a476e1833178a4d1d3d876a4e641ba34c05420c72b0b1dbfa3e58c676

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\Desktop\00308\HEUR-Trojan-Ransom.Win32.Blocker.vho-8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66.exe

Filesize
107KB

MD5
bd81c2de752d949eb31c88fc87f8efb5

SHA1
b274755b636c0af44351641749c76b633089f5b5

SHA256
8b56e899651dc7bd029d31851d4cd393d4b3b95330bedfd54dcaf7fb7f608e66

SHA512
7307d4d948acf46686cf24cbdd03f60076f259069e522ee1a6bc202dc71084737f8d9a854c07e8ce577eb3339b4b93aebe2f0c743f0adbc244e0f6613dbf96a2

Download Submit
C:\Users\Admin\Desktop\00308\HEUR-Trojan-Ransom.Win32.Generic-5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa.exe

Filesize
134KB

MD5
5c6c5b00d4cd08cc02e76978b0fe5d7b

SHA1
c397c78cb55e4d12a364aa0852f98c03ec9c76b9

SHA256
5c0e7e0eaf646ac019130e4faf545ddf528008afc55917e5f34587ba4d0934aa

SHA512
027e73931ece68d19d3540272211ba08d3798a76101218fda805af082bd8ac77173d71037a8e90dbde5ff41d03b3cb9d5ac665ec2b5fdc73302ebe442be4406d

Download Submit
C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Bitman.acpk-ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0.exe

Filesize
24KB

MD5
6dc336b2b1b4e8d5c8c5959c37b2729d

SHA1
0f410b275e7e071db42f42e69268cf847025eecf

SHA256
ad6b850e833bed4a42e95c4b555f95fe83cd6da090eb3a7df6a709cf286982e0

SHA512
d47ab74c2274b92e483cf01f8d4839362864adf974f5e664bf2ce7d2ba36b8e877e90392bb3eb318b372f162997dd0049d1028fc898117a2dc87de394db48b84

Download Submit
C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Blocker.atix-1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377.exe

Filesize
957KB

MD5
1cc5992e3ee0fa5921b92d367646fc9b

SHA1
7ec9ef515371c0361d37b0330b5fc009d0b8e2d2

SHA256
1b34e0b01540d60b993ff26c8d483bcf19ec133bfafc11dfd38b42df766ef377

SHA512
65327700a09ba08401d4cfdddf4cb8c05597045c17a38b7ab76e5c3cd9c914e3334c51b951c6f81d974c0fecdf0ecd68cc3fcc5e789866b4d42f30ee1673e79a

Download Submit
C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Blocker.dvjn-48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72.exe

Filesize
1.7MB

MD5
5b1e8dfd21f1ba1c5c1e9cf3ec92462b

SHA1
bf07b87b17fd1fec8ca530fac6476e720b540a9e

SHA256
48fa183c4e1f34573e9d71dca59a75733e126c3cc40377119f3b30a1f65eed72

SHA512
08c2ac00e8c104953c88cd10e97c7082d8c811c9a0842c760a8f224db7d65364d36f8c0c9087a56b3dcc6ae0a772ccee80f76988f533be3c31aef343aa89b6ea

Download Submit
C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Foreign.nxjq-a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03.exe

Filesize
594KB

MD5
10a0b68b6131d0326271f0fbc5424ea2

SHA1
8405c13e963196fcdea24a51d80354cf78a38056

SHA256
a1b60d0362fa6977a5c3c67bf2ac9ad83007d0f1901d6dea109c02b9caf08e03

SHA512
f4897e03b43009a5b7f573ded04d914a1b47cb5452e788354aed70fa67b347b36d44baf28ab44fcec426e460fea790d7b215b5c781f417f9530396c306e7d0a6

Download Submit
C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Foreign.nxse-e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab.exe

Filesize
318KB

MD5
65ab089194a4080e861171e1e1cffd77

SHA1
095f1c0e07f77c2cd1b24f128dc508670cf2ff51

SHA256
e3e9f6286b9203402802576a1ebb67caa43498330dd44ae92b159738ab1915ab

SHA512
70fa5a8b7b56a21f2c79b069189a62092fdd95c44b5ee47d642e323f04d2d497f4786e2b56e2777036fdd8fa4ac6f9393dcd97a4b0a7bea13845a6b194700012

Download Submit
C:\Users\Admin\Desktop\00308\Trojan-Ransom.Win32.Locky.a-328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3.exe

Filesize
95KB

MD5
a61252e123e7fe72c5c8e7b560c89ede

SHA1
2ffbc8a22d4a09f42c490cbe6eec8715e69c0d2b

SHA256
328b653b2245b20ac929cfbd10274c38688dd5663d625071da1c66f47f9810d3

SHA512
d2a11879f0fa1f29b8ccf0a944844a7a188226191e703382422d03744e697e7eabf7cbcf1d7cbd38131df4e9dae4cf4ea6449bf395650474633959da77896f7c

Download Submit
C:\Windows\Qedie\conime.exe

Filesize
35KB

MD5
c17f7c9c9265c4f8007d6def58174144

SHA1
a6eba12dc63b80b67b42045387d4acb9f2e690a7

SHA256
a993fc70efe56b5f7acdf2c7982fa7c8161fa5bc5007e6f6331a37c3a0060367

SHA512
b59fac1d2e3fa67cd42dbcc8c80435bd8e0ba98e5e4651f200bb292b702ac40084b6c58d0747157917b6e5962c07027de2d1296914b8da981f76dd7c0fac0eea

Download Submit
\??\c:\Program Files\933.txt

Filesize
129B

MD5
93795f5a597b33724c22622f8412b62d

SHA1
bb9a144822d943d90e5a85ba4bcc0426c6082b91

SHA256
070c9a9cee493e123ad69853bc8857640a5c5e90a6b2294bc9bd7883001677d4

SHA512
8fa2518c53de13e97a3927dbe2ac318eda4237f3c64fdd0d43c6eff6b9ad5f582558fe97ace652e45ec5c795a68dd3af575e447214cb1c544618d62599a47fc2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC693E.tmp

Filesize
664B

MD5
99b9e0d0ef7cbceb39545570b097246a

SHA1
41c544305705ecaf3424ce569e4fbb23f9709faa

SHA256
6561a6d5b068b269798797753158b40fe568a158a4b78c8d2f6c62897a93cc7e

SHA512
ab4dca26e231ceed14ed2493259db4fcc95c1e5a998e62e67d8b09e14e08207a8a6eb09f1c441630a244386799001d19686ab44c56d23c54b0a8c351202b3dc7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a34i95xh.0.cs

Filesize
9KB

MD5
dd77c1928e3217e2270f8a81e80e2980

SHA1
93ef98060bbd0fc8038914ce5e722f3ad205cf59

SHA256
ea77dcfa228432361f403e83bc15e05c4ea9acb84a200eb368a10efe02c1b1d7

SHA512
670562abd3298c112ea4a63648ba60df126da4cbcd7e10376844603c2f520addfc85f639702dc133e41f6321518e226aceff6ebb0e8b78d0f0447af72387aec6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a34i95xh.cmdline

Filesize
669B

MD5
c92218551ebb0c506d2b4b2daafe4c70

SHA1
0fbc245bd9d2c812c731d1b8835bbfde076d0f9f

SHA256
86356c52e61c424bcf0f21fb974d6b701b78600a028b427d43d0c9bded7527d1

SHA512
9423acaf4cfa194ddd4a3bdbf40b2272e7df122ce47143d9e81c864e7cfbcb809eb8374f92f55a2b8f861957b245eac4232b9654385820381e241c3134d834ae

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
690KB

MD5
b0333463dcb349f5af70ed26de59a8dd

SHA1
3205c75f5962886b25994ff331ac79aa75cb5e52

SHA256
91096dc1d13f6e0431eb1932e97149c4cd51f03bce32db8ed020094f2b21543f

SHA512
77660e96fb8452b25af7c105b5cf629ffad2cca6482ac541bd56d8e87b3df986645c4dd1195e0f7a8a9ef7e3dd2199f23e9cf28533c74c880e14d4d8d0327002

Download Submit
memory/1092-121-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1188-418-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1608-129-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1608-157-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1844-107-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1844-101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1844-103-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1844-105-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1844-109-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1844-111-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1844-120-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1844-118-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1844-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1844-113-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1844-115-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1924-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1924-64-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1948-47-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1948-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1948-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2328-55-0x0000000000400000-0x000000000040E49B-memory.dmp

Filesize
57KB

Download
memory/2328-51-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/2328-35-0x0000000000400000-0x000000000040E49B-memory.dmp

Filesize
57KB

Download
memory/2692-928-0x0000000000400000-0x000000000040E49B-memory.dmp

Filesize
57KB

Download
memory/2780-93-0x0000000002F10000-0x0000000003017000-memory.dmp

Filesize
1.0MB

Download
memory/2780-95-0x0000000002F10000-0x0000000003017000-memory.dmp

Filesize
1.0MB

Download
memory/2780-94-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2780-37-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2912-33-0x0000000000400000-0x000000000040E49B-memory.dmp

Filesize
57KB

Download
memory/3000-16-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3000-18-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3000-17-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download