Analysis Overview
SHA256: 1149ed9ea9f52479ac6b28f048afbea32353e7a5c28030a9b78a58d75a3e6609
Threat Level: Known bad
The file RNSM00274.7z was found to be: Known bad.
Malicious Activity Summary
Locky
Modifies WinLogon for persistence
Locky family
Troldesh family
UAC bypass
Locky_osiris family
Troldesh, Shade, Encoder.858
Locky (Osiris variant)
Deletes shadow copies
Disables RegEdit via registry modification
Contacts a large (533) amount of remote hosts
Disables cmd.exe use via registry modification
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Checks whether UAC is enabled
Indicator Removal: File Deletion
Adds Run key to start application
Enumerates connected drives
Sets desktop wallpaper using registry
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Program Files directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
NSIS installer
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Enumerates system info in registry
Gathers system information
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies registry class
System policy modification
Suspicious behavior: CmdExeWriteProcessMemorySpam
Gathers network information
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
NTFS ADS
Modifies system certificate store
Analysis: static1
Detonation Overview
Reported: 2024-11-22 21:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-22 21:51
Reported: 2024-11-22 21:54
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 143s
Signatures
Locky
Locky (Osiris variant)
Locky family
Locky_osiris family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\cache.dat" | C:\Windows\syswow64\svchost.exe | N/A |
Troldesh family
Troldesh, Shade, Encoder.858
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
Deletes shadow copies
Contacts a large (533) amount of remote hosts
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
Disables cmd.exe use via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "2" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\windows = "\"C:\\Program Files (x86)\\windows\\windows.exe\" -a /a" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\idaqetrw = "\"C:\\Windows\\yzulacic.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Shade.gen-c7262483539c3e42d273411e1b94503d8503d35a66807064c5fddf1a7fe7be3b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\cUhFZfEf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\builds.exe" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Foreign.njar-406fa10854c4b3ffde28943cb675c42483f085fdd7c4b57df38912daa6edb894.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\scvhost.exe" | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\securityscan = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\log\\C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\log\\securityscan.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\log\securityscan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "\"C:\\Program Files (x86)\\windows\\windows.exe\" -a /a" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
Enumerates connected drives
Indicator Removal: File Deletion
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ipecho.net | N/A | N/A |
AutoIT Executable
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.afku-0c033099ab0236e2c7802c6c4c6b898ab54a1a71d61ab8a0764b8b05130e0f7e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Scatter.no-3c53541ce7b68f2d0d5d05c5012655b6d6991a6b0837b643f9766b0b4bdb833b.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Foreign.nfhk-2339ef9524f93c7ef81bc4ea418870b24c9a7f4a9b864018086d910d691b3af1.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\svchost.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\windows\windows.exe | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe | N/A |
| File opened for modification | C:\Program Files (x86)\windows\windows.exe | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\yzulacic.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\yzulacic.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\scvhost.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
NSIS installer
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Scatter.no-3c53541ce7b68f2d0d5d05c5012655b6d6991a6b0837b643f9766b0b4bdb833b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.afku-0c033099ab0236e2c7802c6c4c6b898ab54a1a71d61ab8a0764b8b05130e0f7e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.afku-0c033099ab0236e2c7802c6c4c6b898ab54a1a71d61ab8a0764b8b05130e0f7e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Scatter.no-3c53541ce7b68f2d0d5d05c5012655b6d6991a6b0837b643f9766b0b4bdb833b.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3FF5A3C1-A91C-11EF-A2A1-C60424AAF5E1} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared\OfficeUILanguage = "1033" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\8e-ed-f9-c3-b4-fc | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\WpadDecisionTime = 606dd5f1283ddb01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc\WpadDecisionTime = a0ed80f9283ddb01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc\WpadDetectedUrl | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc\WpadDecisionTime = 606dd5f1283ddb01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C516145-FEF4-44FA-8817-A61CA3B822E3}\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ed-f9-c3-b4-fc\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\AppID\Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AppID\毐e | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\毐e\RunAs = "Interactive User" | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\4§ | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wwn-ec3712490cc9323c587af1a61bf5e20a395b7d048cd15dee008a14008ec34aab.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\4§\Certificates | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wwn-ec3712490cc9323c587af1a61bf5e20a395b7d048cd15dee008a14008ec34aab.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\4§\CRLs | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wwn-ec3712490cc9323c587af1a61bf5e20a395b7d048cd15dee008a14008ec34aab.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\4§\CTLs | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wwn-ec3712490cc9323c587af1a61bf5e20a395b7d048cd15dee008a14008ec34aab.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\scvhost.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\00274\winmgmts:\localhost\root\SecurityCenter2 | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jumk-f361657dd1de5938387fd4da2b6141424f156609b658a61dc335267d3f3ed1db.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\00274\winmgmts:\localhost\root\SecurityCenter2 | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\log\securityscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Windows\syswow64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\svchost.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00274.7z"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Agent.gen-5024dccc1cb6e30978d587ad4c3ee3154113b27663983d8bbdb706e976229540.exe
HEUR-Trojan-Ransom.Win32.Agent.gen-5024dccc1cb6e30978d587ad4c3ee3154113b27663983d8bbdb706e976229540.exe
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Agent.gen-c4fb056a9eb12109f7a377213c32902ca108798719defd4bd295bdefa9fbc240.exe
HEUR-Trojan-Ransom.Win32.Agent.gen-c4fb056a9eb12109f7a377213c32902ca108798719defd4bd295bdefa9fbc240.exe
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Agent.gen-ee2f6223a0b46ad565d4c9b3ca225ce83fc8e1a46d475d95311a183805c1414d.exe
HEUR-Trojan-Ransom.Win32.Agent.gen-ee2f6223a0b46ad565d4c9b3ca225ce83fc8e1a46d475d95311a183805c1414d.exe
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Shade.gen-c7262483539c3e42d273411e1b94503d8503d35a66807064c5fddf1a7fe7be3b.exe
HEUR-Trojan-Ransom.Win32.Shade.gen-c7262483539c3e42d273411e1b94503d8503d35a66807064c5fddf1a7fe7be3b.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.NSIS.Agent.q-11a151b4e7670bfaa8db4c28c3f9b4a3f1f779797f73b0f26add6119ff861641.exe
Trojan-Ransom.NSIS.Agent.q-11a151b4e7670bfaa8db4c28c3f9b4a3f1f779797f73b0f26add6119ff861641.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe
Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jumk-f361657dd1de5938387fd4da2b6141424f156609b658a61dc335267d3f3ed1db.exe
Trojan-Ransom.Win32.Blocker.jumk-f361657dd1de5938387fd4da2b6141424f156609b658a61dc335267d3f3ed1db.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.juvg-a8d7884b1d96480b1c287722e519810bf50bc98df55ae015b2bb41453c97bb4b.exe
Trojan-Ransom.Win32.Blocker.juvg-a8d7884b1d96480b1c287722e519810bf50bc98df55ae015b2bb41453c97bb4b.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe
Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvig-eef6492ad91611a19d9d06b7daed99465d66cfbcdd7fd7fc3b8b617cfa545600.exe
Trojan-Ransom.Win32.Blocker.jvig-eef6492ad91611a19d9d06b7daed99465d66cfbcdd7fd7fc3b8b617cfa545600.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Foreign.nfhk-2339ef9524f93c7ef81bc4ea418870b24c9a7f4a9b864018086d910d691b3af1.exe
Trojan-Ransom.Win32.Foreign.nfhk-2339ef9524f93c7ef81bc4ea418870b24c9a7f4a9b864018086d910d691b3af1.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Foreign.njar-406fa10854c4b3ffde28943cb675c42483f085fdd7c4b57df38912daa6edb894.exe
Trojan-Ransom.Win32.Foreign.njar-406fa10854c4b3ffde28943cb675c42483f085fdd7c4b57df38912daa6edb894.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.adyn-a971c1a0330a4946b8608f1f4ee8aab6b525578713f4114c215ed7df43e3c603.exe
Trojan-Ransom.Win32.Locky.adyn-a971c1a0330a4946b8608f1f4ee8aab6b525578713f4114c215ed7df43e3c603.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.afku-0c033099ab0236e2c7802c6c4c6b898ab54a1a71d61ab8a0764b8b05130e0f7e.exe
Trojan-Ransom.Win32.Locky.afku-0c033099ab0236e2c7802c6c4c6b898ab54a1a71d61ab8a0764b8b05130e0f7e.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.bil-05732ede48f8437b96291442446d5fd3972768a0f642c7626248c60ff92abd82.exe
Trojan-Ransom.Win32.Locky.bil-05732ede48f8437b96291442446d5fd3972768a0f642c7626248c60ff92abd82.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe
Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wwn-ec3712490cc9323c587af1a61bf5e20a395b7d048cd15dee008a14008ec34aab.exe
Trojan-Ransom.Win32.Locky.wwn-ec3712490cc9323c587af1a61bf5e20a395b7d048cd15dee008a14008ec34aab.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Scatter.no-3c53541ce7b68f2d0d5d05c5012655b6d6991a6b0837b643f9766b0b4bdb833b.exe
Trojan-Ransom.Win32.Scatter.no-3c53541ce7b68f2d0d5d05c5012655b6d6991a6b0837b643f9766b0b4bdb833b.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Scatter.oz-b1a6e3e0a665862d2bb0944ef36718502b9cf75c140a40895f7909df279870a0.exe
Trojan-Ransom.Win32.Scatter.oz-b1a6e3e0a665862d2bb0944ef36718502b9cf75c140a40895f7909df279870a0.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Zerber.uzf-e1b93f0504948cb3bc5fb35e11476d0ec2062923c3121d142305485d67a81295.exe
Trojan-Ransom.Win32.Zerber.uzf-e1b93f0504948cb3bc5fb35e11476d0ec2062923c3121d142305485d67a81295.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Scatter.oz-b1a6e3e0a665862d2bb0944ef36718502b9cf75c140a40895f7909df279870a0.exe
Trojan-Ransom.Win32.Scatter.oz-b1a6e3e0a665862d2bb0944ef36718502b9cf75c140a40895f7909df279870a0.exe
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Shade.gen-c7262483539c3e42d273411e1b94503d8503d35a66807064c5fddf1a7fe7be3b.exe
HEUR-Trojan-Ransom.Win32.Shade.gen-c7262483539c3e42d273411e1b94503d8503d35a66807064c5fddf1a7fe7be3b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C echo. > "C:\Users\Admin\AppData\Roaming\scvhost.exe":Zone.Identifier
C:\Users\Admin\AppData\Roaming\scvhost.exe
"C:\Users\Admin\AppData\Roaming\scvhost.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Zerber.uzf-e1b93f0504948cb3bc5fb35e11476d0ec2062923c3121d142305485d67a81295.exe
Trojan-Ransom.Win32.Zerber.uzf-e1b93f0504948cb3bc5fb35e11476d0ec2062923c3121d142305485d67a81295.exe
C:\Windows\syswow64\svchost.exe
"C:\Windows\syswow64\svchost.exe"
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Agent.gen-c4fb056a9eb12109f7a377213c32902ca108798719defd4bd295bdefa9fbc240.exe
HEUR-Trojan-Ransom.Win32.Agent.gen-c4fb056a9eb12109f7a377213c32902ca108798719defd4bd295bdefa9fbc240.exe
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Agent.gen-5024dccc1cb6e30978d587ad4c3ee3154113b27663983d8bbdb706e976229540.exe
HEUR-Trojan-Ransom.Win32.Agent.gen-5024dccc1cb6e30978d587ad4c3ee3154113b27663983d8bbdb706e976229540.exe
C:\Users\Admin\Desktop\00274\Trojan-Ransom.NSIS.Agent.q-11a151b4e7670bfaa8db4c28c3f9b4a3f1f779797f73b0f26add6119ff861641.exe
Trojan-Ransom.NSIS.Agent.q-11a151b4e7670bfaa8db4c28c3f9b4a3f1f779797f73b0f26add6119ff861641.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\log\pass.exe all
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Agent.gen-ee2f6223a0b46ad565d4c9b3ca225ce83fc8e1a46d475d95311a183805c1414d.exe
HEUR-Trojan-Ransom.Win32.Agent.gen-ee2f6223a0b46ad565d4c9b3ca225ce83fc8e1a46d475d95311a183805c1414d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /k systeminfo
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe
"C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /k ipconfig
C:\Windows\SysWOW64\ipconfig.exe
ipconfig
C:\Users\Admin\AppData\Roaming\Microsoft\log\securityscan.exe
C:\Users\Admin\AppData\Roaming\Microsoft\log\securityscan.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /k HOSTNAME
C:\Windows\SysWOW64\HOSTNAME.EXE
HOSTNAME
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2172 -s 536
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 204 -s 488
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys1CF3.tmp"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys38EB.tmp"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys6C0C.tmp"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:209929 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys96C3.tmp"
Network
| Country | Destination | Domain | Proto |
| DE | 131.188.40.189:443 | | tcp |
| PS | 176.121.14.95:80 | | tcp |
| FR | 193.70.86.51:80 | 193.70.86.51 | tcp |
| PS | 176.121.14.95:80 | | tcp |
| PS | 176.121.14.95:80 | | tcp |
| PS | 176.121.14.95:80 | | tcp |
| US | 8.8.8.8:53 | agentlora.duckdns.org | udp |
| FR | 193.70.86.51:80 | 193.70.86.51 | tcp |
| AM | 31.184.235.76:6892 | udp | |
| AM | 31.184.235.77:6892 | udp | |
| AM | 31.184.235.78:6892 | udp | |
| AM | 31.184.235.79:6892 | udp | |
| AM | 31.184.235.80:6892 | udp | |
| AM | 31.184.235.81:6892 | udp | |
| AM | 31.184.235.82:6892 | udp | |
| AM | 31.184.235.83:6892 | udp | |
| AM | 31.184.235.84:6892 | udp | |
| AM | 31.184.235.85:6892 | udp | |
| AM | 31.184.235.86:6892 | udp | |
| AM | 31.184.235.87:6892 | udp | |
| AM | 31.184.235.88:6892 | udp | |
| AM | 31.184.235.89:6892 | udp | |
| AM | 31.184.235.90:6892 | udp | |
| AM | 31.184.235.91:6892 | udp | |
| AM | 31.184.235.92:6892 | udp | |
| AM | 31.184.235.93:6892 | udp | |
| AM | 31.184.235.94:6892 | udp | |
| AM | 31.184.235.95:6892 | udp | |
| AM | 31.184.235.96:6892 | udp | |
| AM | 31.184.235.97:6892 | udp | |
| AM | 31.184.235.98:6892 | udp | |
| AM | 31.184.235.99:6892 | udp | |
| AM | 31.184.235.100:6892 | udp | |
| AM | 31.184.235.101:6892 | udp | |
| AM | 31.184.235.102:6892 | udp | |
| AM | 31.184.235.103:6892 | udp | |
| AM | 31.184.235.104:6892 | udp | |
| AM | 31.184.235.105:6892 | udp | |
| AM | 31.184.235.106:6892 | udp | |
| AM | 31.184.235.107:6892 | udp | |
| AM | 31.184.235.108:6892 | udp | |
| AM | 31.184.235.109:6892 | udp | |
| AM | 31.184.235.110:6892 | udp | |
| AM | 31.184.235.111:6892 | udp | |
| AM | 31.184.235.112:6892 | udp | |
| AM | 31.184.235.113:6892 | udp | |
| AM | 31.184.235.114:6892 | udp | |
| AM | 31.184.235.115:6892 | udp | |
| AM | 31.184.235.116:6892 | udp | |
| AM | 31.184.235.117:6892 | udp | |
| AM | 31.184.235.118:6892 | udp | |
| AM | 31.184.235.119:6892 | udp | |
| AM | 31.184.235.120:6892 | udp | |
| AM | 31.184.235.121:6892 | udp | |
| AM | 31.184.235.122:6892 | udp | |
| AM | 31.184.235.123:6892 | udp | |
| AM | 31.184.235.124:6892 | udp | |
| AM | 31.184.235.125:6892 | udp | |
| AM | 31.184.235.126:6892 | udp | |
| AM | 31.184.235.127:6892 | udp | |
| AM | 31.184.235.128:6892 | udp | |
| AM | 31.184.235.129:6892 | udp | |
| AM | 31.184.235.130:6892 | udp | |
| AM | 31.184.235.131:6892 | udp | |
| AM | 31.184.235.132:6892 | udp | |
| AM | 31.184.235.133:6892 | udp | |
| AM | 31.184.235.134:6892 | udp | |
| AM | 31.184.235.135:6892 | udp | |
| AM | 31.184.235.136:6892 | udp | |
| AM | 31.184.235.137:6892 | udp | |
| AM | 31.184.235.138:6892 | udp | |
| AM | 31.184.235.139:6892 | udp | |
| AM | 31.184.235.140:6892 | udp | |
| AM | 31.184.235.141:6892 | udp | |
| AM | 31.184.235.142:6892 | udp | |
| AM | 31.184.235.143:6892 | udp | |
| AM | 31.184.235.144:6892 | udp | |
| AM | 31.184.235.145:6892 | udp | |
| AM | 31.184.235.146:6892 | udp | |
| AM | 31.184.235.147:6892 | udp | |
| AM | 31.184.235.148:6892 | udp | |
| AM | 31.184.235.149:6892 | udp | |
| AM | 31.184.235.150:6892 | udp | |
| AM | 31.184.235.151:6892 | udp | |
| AM | 31.184.235.152:6892 | udp | |
| AM | 31.184.235.153:6892 | udp | |
| AM | 31.184.235.154:6892 | udp | |
| AM | 31.184.235.155:6892 | udp | |
| AM | 31.184.235.156:6892 | udp | |
| AM | 31.184.235.157:6892 | udp | |
| AM | 31.184.235.158:6892 | udp | |
| AM | 31.184.235.159:6892 | udp | |
| AM | 31.184.235.160:6892 | udp | |
| AM | 31.184.235.161:6892 | udp | |
| AM | 31.184.235.162:6892 | udp | |
| AM | 31.184.235.163:6892 | udp | |
| AM | 31.184.235.164:6892 | udp | |
| AM | 31.184.235.165:6892 | udp | |
| AM | 31.184.235.166:6892 | udp | |
| AM | 31.184.235.167:6892 | udp | |
| AM | 31.184.235.168:6892 | udp | |
| AM | 31.184.235.169:6892 | udp | |
| AM | 31.184.235.170:6892 | udp | |
| AM | 31.184.235.171:6892 | udp | |
| AM | 31.184.235.172:6892 | udp | |
| AM | 31.184.235.173:6892 | udp | |
| AM | 31.184.235.174:6892 | udp | |
| AM | 31.184.235.175:6892 | udp | |
| AM | 31.184.235.176:6892 | udp | |
| AM | 31.184.235.177:6892 | udp | |
| AM | 31.184.235.178:6892 | udp | |
| AM | 31.184.235.179:6892 | udp | |
| AM | 31.184.235.180:6892 | udp | |
| AM | 31.184.235.181:6892 | udp | |
| AM | 31.184.235.182:6892 | udp | |
| AM | 31.184.235.183:6892 | udp | |
| AM | 31.184.235.184:6892 | udp | |
| AM | 31.184.235.185:6892 | udp | |
| AM | 31.184.235.186:6892 | udp | |
| AM | 31.184.235.187:6892 | udp | |
| AM | 31.184.235.188:6892 | udp | |
| AM | 31.184.235.189:6892 | udp | |
| AM | 31.184.235.190:6892 | udp | |
| AM | 31.184.235.191:6892 | udp | |
| AM | 31.184.235.192:6892 | udp | |
| AM | 31.184.235.193:6892 | udp | |
| AM | 31.184.235.194:6892 | udp | |
| AM | 31.184.235.195:6892 | udp | |
| AM | 31.184.235.196:6892 | udp | |
| AM | 31.184.235.197:6892 | udp | |
| AM | 31.184.235.198:6892 | udp | |
| AM | 31.184.235.199:6892 | udp | |
| AM | 31.184.235.200:6892 | udp | |
| AM | 31.184.235.201:6892 | udp | |
| AM | 31.184.235.202:6892 | udp | |
| AM | 31.184.235.203:6892 | udp | |
| AM | 31.184.235.204:6892 | udp | |
| AM | 31.184.235.205:6892 | udp | |
| AM | 31.184.235.206:6892 | udp | |
| AM | 31.184.235.207:6892 | udp | |
| AM | 31.184.235.208:6892 | udp | |
| AM | 31.184.235.209:6892 | udp | |
| AM | 31.184.235.210:6892 | udp | |
| AM | 31.184.235.211:6892 | udp | |
| AM | 31.184.235.212:6892 | udp | |
| AM | 31.184.235.213:6892 | udp | |
| AM | 31.184.235.214:6892 | udp | |
| AM | 31.184.235.215:6892 | udp | |
| AM | 31.184.235.216:6892 | udp | |
| AM | 31.184.235.217:6892 | udp | |
| AM | 31.184.235.218:6892 | udp | |
| AM | 31.184.235.219:6892 | udp | |
| AM | 31.184.235.220:6892 | udp | |
| AM | 31.184.235.221:6892 | udp | |
| AM | 31.184.235.222:6892 | udp | |
| AM | 31.184.235.223:6892 | udp | |
| AM | 31.184.235.224:6892 | udp | |
| AM | 31.184.235.225:6892 | udp | |
| AM | 31.184.235.226:6892 | udp | |
| AM | 31.184.235.227:6892 | udp | |
| AM | 31.184.235.228:6892 | udp | |
| AM | 31.184.235.229:6892 | udp | |
| AM | 31.184.235.230:6892 | udp | |
| AM | 31.184.235.231:6892 | udp | |
| AM | 31.184.235.232:6892 | udp | |
| AM | 31.184.235.233:6892 | udp | |
| AM | 31.184.235.234:6892 | udp | |
| AM | 31.184.235.235:6892 | udp | |
| AM | 31.184.235.236:6892 | udp | |
| AM | 31.184.235.237:6892 | udp | |
| AM | 31.184.235.238:6892 | udp | |
| AM | 31.184.235.239:6892 | udp | |
| AM | 31.184.235.240:6892 | udp | |
| AM | 31.184.235.241:6892 | udp | |
| AM | 31.184.235.242:6892 | udp | |
| AM | 31.184.235.243:6892 | udp | |
| AM | 31.184.235.244:6892 | udp | |
| AM | 31.184.235.245:6892 | udp | |
| AM | 31.184.235.246:6892 | udp | |
| AM | 31.184.235.247:6892 | udp | |
| AM | 31.184.235.248:6892 | udp | |
| AM | 31.184.235.249:6892 | udp | |
| AM | 31.184.235.250:6892 | udp | |
| AM | 31.184.235.251:6892 | udp | |
| AM | 31.184.235.252:6892 | udp | |
| AM | 31.184.235.253:6892 | udp | |
| AM | 31.184.235.254:6892 | udp | |
| PS | 176.121.14.95:80 | tcp | |
| AM | 31.184.235.255:6892 | udp | |
| PS | 176.121.14.95:80 | tcp | |
| US | 8.8.8.8:53 | 0v3rfl0w.com | udp |
| FR | 155.133.142.13:80 | 0v3rfl0w.com | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| N/A | 127.0.0.1:49391 | tcp | |
| UA | 91.203.5.144:80 | tcp | |
| RU | 193.124.185.187:80 | tcp | |
| PS | 176.121.14.95:80 | tcp | |
| FI | 185.102.136.67:80 | tcp | |
| SE | 171.25.193.9:80 | tcp | |
| PS | 176.121.14.95:80 | tcp | |
| US | 8.8.8.8:53 | dns.onlineshopserver.online | udp |
| PS | 176.121.14.95:80 | tcp | |
| US | 8.8.8.8:53 | newserverr.ddns.net | udp |
| FR | 193.70.86.51:80 | 193.70.86.51 | tcp |
| PS | 176.121.14.95:80 | tcp | |
| US | 8.8.8.8:53 | ysexyte.shokogot.com | udp |
| US | 8.8.8.8:53 | ipecho.net | udp |
| US | 34.160.111.145:80 | ipecho.net | tcp |
| UA | 193.201.225.124:80 | tcp | |
| NL | 185.117.72.105:80 | 185.117.72.105 | tcp |
| PS | 176.121.14.95:80 | tcp | |
| N/A | 127.0.0.1:49547 | tcp | |
| FI | 185.102.136.67:80 | tcp | |
| PS | 176.121.14.95:80 | tcp | |
| US | 8.8.8.8:53 | afoh.shokogot.com | udp |
| US | 8.8.8.8:53 | ovoxrsih.shokogot.com | udp |
| DE | 193.23.244.244:443 | tcp | |
| SE | 171.25.193.9:80 | tcp | |
| US | 8.8.8.8:53 | udumydeses.shokogot.com | udp |
| PS | 176.121.14.95:80 | tcp | |
| US | 8.8.8.8:53 | zjosyjomuz.shokogot.com | udp |
| RU | 188.127.239.48:80 | tcp | |
| RU | 193.124.185.187:80 | tcp | |
| US | 8.8.8.8:53 | nnvfw.net | udp |
| US | 8.8.8.8:53 | smtp.aol.com | udp |
| IE | 87.248.97.31:465 | smtp.aol.com | tcp |
| US | 8.8.8.8:53 | xyulx.com | udp |
| US | 8.8.8.8:53 | lritud.shokogot.com | udp |
| US | 8.8.8.8:53 | kylqs.ru | udp |
| US | 8.8.8.8:53 | fdabijotfse.shokogot.com | udp |
| US | 8.8.8.8:53 | uftnu.shokogot.com | udp |
| US | 8.8.8.8:53 | ibyq.shokogot.com | udp |
| UA | 91.223.180.3:80 | tcp | |
| NL | 185.117.72.105:80 | 185.117.72.105 | tcp |
| PS | 176.121.14.95:80 | tcp | |
| PS | 176.121.14.95:80 | tcp | |
| US | 8.8.8.8:53 | iduvyryh.shokogot.com | udp |
| NL | 194.109.206.212:443 | tcp | |
| US | 8.8.8.8:53 | ukukagkkyxu.shokogot.com | udp |
Files
memory/2172-40-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2172-41-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Agent.gen-5024dccc1cb6e30978d587ad4c3ee3154113b27663983d8bbdb706e976229540.exe
| MD5 | 7738a0f27bded4517bcc25882e5768b4 |
| SHA1 | e5bd85329a7f0c521fde2a1bf9c18aef1f1504ac |
| SHA256 | 5024dccc1cb6e30978d587ad4c3ee3154113b27663983d8bbdb706e976229540 |
| SHA512 | 7421838973e31e7534d91596a19e8975275f470302bc3033dfcf8c29b81fe9430aa323a29b120bc5a939ccddbf4ae5250e7529750786c0a151df8f6d81653d0c |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.juvg-a8d7884b1d96480b1c287722e519810bf50bc98df55ae015b2bb41453c97bb4b.exe
| MD5 | de42251a1c948c6b718b07df66489814 |
| SHA1 | 7446d7d3955143a58549eb52482ee75ccd0a94e0 |
| SHA256 | a8d7884b1d96480b1c287722e519810bf50bc98df55ae015b2bb41453c97bb4b |
| SHA512 | 4598dab7b414edeece308dc237315274df0a253f5f8f4e09e96024c3697b289457edb7090e76e1a411f5bde04e2420bc942c4de3434ea7701ceb9283f1abbc8a |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvig-eef6492ad91611a19d9d06b7daed99465d66cfbcdd7fd7fc3b8b617cfa545600.exe
| MD5 | 4e0a12ef1d6cf2f33e10a92d29c5c6fd |
| SHA1 | d205a7ddd5b861b88a114daf262ef69bb74b9878 |
| SHA256 | eef6492ad91611a19d9d06b7daed99465d66cfbcdd7fd7fc3b8b617cfa545600 |
| SHA512 | 54e68e7d0b61a04c68ffb419ce51d2b6bb81ed7d718af8a5faf9c30d5207e10095414a8f1786adfae02ac7a2ab0c050a95f6d3d9b197c3df0d1183b430304f9c |
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Agent.gen-c4fb056a9eb12109f7a377213c32902ca108798719defd4bd295bdefa9fbc240.exe
| MD5 | dadbfe5f8e4a4a1c6067f9c91fa6d016 |
| SHA1 | 78c3d9f5a5d9dfd1b77792d5fe2463c2a83553a5 |
| SHA256 | c4fb056a9eb12109f7a377213c32902ca108798719defd4bd295bdefa9fbc240 |
| SHA512 | 877b6b593f01acbb806baac95f395b713d51b2e37f7f6259e914b75f62443f92fb3e5fe27a0cf59fbc5f75c5c9b6a484ef4b52df179dc7f398250a357dda6a42 |
memory/1796-79-0x0000000000A30000-0x0000000000B5A000-memory.dmp
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Scatter.oz-b1a6e3e0a665862d2bb0944ef36718502b9cf75c140a40895f7909df279870a0.exe
| MD5 | 2ca0a34a5d7d8474727032339c629bd7 |
| SHA1 | c0f3f722a27f46c8cdf267cbeedcc7d1656cd19e |
| SHA256 | b1a6e3e0a665862d2bb0944ef36718502b9cf75c140a40895f7909df279870a0 |
| SHA512 | ad35da9f0636258000cd51791f3730643d127c28740bc9a63751308e3e6e7326da16f037df1d4f8012944aa915d6725d86a59f3a0e9ca204a5ecc4f784eca6c2 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wwn-ec3712490cc9323c587af1a61bf5e20a395b7d048cd15dee008a14008ec34aab.exe
| MD5 | 3dd4ec867f9edb62fa4d223f24fa5a1a |
| SHA1 | af0e2b4c14e995d8eaea86a9bdc68baff3f84ec4 |
| SHA256 | ec3712490cc9323c587af1a61bf5e20a395b7d048cd15dee008a14008ec34aab |
| SHA512 | bc9c9ea7c43f60d34bbddde1e273fbc8fb0699a3547487a1df9a5e58766592fb2272254c5799e20d129cf66d3430ff662a82495715adaf1174549dcc9bef0392 |
\Users\Admin\AppData\Local\Temp\nsj32E4.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
memory/2088-97-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2088-96-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.bil-05732ede48f8437b96291442446d5fd3972768a0f642c7626248c60ff92abd82.exe
| MD5 | 59e33a1cadc5641b816d7efd74463bfa |
| SHA1 | f8c632314b74882419a7cfbbf45e2c7bc25eac33 |
| SHA256 | 05732ede48f8437b96291442446d5fd3972768a0f642c7626248c60ff92abd82 |
| SHA512 | b8d353450c6773486f266d80e831c9964c0c2e425ab3fc622d4de44ea314d48e6efaca1c1fda5bba6626b46fa83d5e5c4705af28d66692c42d12169670662ba0 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.adyn-a971c1a0330a4946b8608f1f4ee8aab6b525578713f4114c215ed7df43e3c603.exe
| MD5 | 84ec2e599c08163b086efc5c7eafc1dd |
| SHA1 | 92fb1e6afdbe4939ff50c9a09413b380a417283c |
| SHA256 | a971c1a0330a4946b8608f1f4ee8aab6b525578713f4114c215ed7df43e3c603 |
| SHA512 | f606b656c49707a674b38d7e9e4d46e9e921947bf680b6ea0a3ece532022f153130e952dc4d09c5a25ce1255310aaff910d17399352be993b7c8f498d024d2f9 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Foreign.nfhk-2339ef9524f93c7ef81bc4ea418870b24c9a7f4a9b864018086d910d691b3af1.exe
| MD5 | 488dba548544699549a7fab427578b17 |
| SHA1 | bded95cd275ac0a3ad7413f4989520fe75b3f2d6 |
| SHA256 | 2339ef9524f93c7ef81bc4ea418870b24c9a7f4a9b864018086d910d691b3af1 |
| SHA512 | 1993b3b27cf4cce5a7a51154fe2ad9a40eb3d3a866f33c8259bde6c37e11e560d927b767df4ee35e3674c4262739d671c0a9f48a52aaaf030f167221f40d2f77 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jvgh-3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac.exe
| MD5 | e55a49272d877d411d0e20f5de6e8e85 |
| SHA1 | 364f5d0592742fc28a2ca0f49280fed77403cf5a |
| SHA256 | 3bc76450f1a88747fafd55f9b7c9c2751deba8c5c45b36c796844d5562c512ac |
| SHA512 | 22ca9933c2dc0b76b87c43cfbfbf4b53814ef0575315547feae323185ad454f3a4683379a132a80004a737afb219d0d064faa8260771a208bbdd73829337a234 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.jumk-f361657dd1de5938387fd4da2b6141424f156609b658a61dc335267d3f3ed1db.exe
| MD5 | af7b1fcc316f52cc6bf9cb7402993d6a |
| SHA1 | 5982d36b1ab8cc4f18f9cecc771a932b91bd0dd4 |
| SHA256 | f361657dd1de5938387fd4da2b6141424f156609b658a61dc335267d3f3ed1db |
| SHA512 | aa9aeb7a9392ea8fdc269e4b91db24293a3024d2162b680e609c51c3762f292baff3ad06a4cc504412ee3f5ab600d87b4405e7081b0ba376a50d029e136f2650 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.NSIS.Agent.q-11a151b4e7670bfaa8db4c28c3f9b4a3f1f779797f73b0f26add6119ff861641.exe
| MD5 | cdba63494872f3879e507148e73d320e |
| SHA1 | 265fbe4d18fc90f091202a9f5dc4c719f31b5275 |
| SHA256 | 11a151b4e7670bfaa8db4c28c3f9b4a3f1f779797f73b0f26add6119ff861641 |
| SHA512 | bb458d4e592206dc446b0fad2b51e1e1017072a2d9ed5233c47bc49e861d5369d536bc55418ee18f64553439834d14dfb5ec7cc7fa1c932654628f5a984940d8 |
memory/2016-75-0x00000000008C0000-0x00000000009B3000-memory.dmp
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Agent.gen-ee2f6223a0b46ad565d4c9b3ca225ce83fc8e1a46d475d95311a183805c1414d.exe
| MD5 | db0a7570b2a2207a4c6d029bc05d8db8 |
| SHA1 | 524a4634b20b47d6b73cc113e22d3100d3364f0f |
| SHA256 | ee2f6223a0b46ad565d4c9b3ca225ce83fc8e1a46d475d95311a183805c1414d |
| SHA512 | d2e1c34d5ed8fac01f8ec56dcac7989b8cb05c8b372934559494635a562b496ff25d64cf077cb2e73db176aaa094dd51c237104c371a5a57262bf4c4aee9920b |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Zerber.uzf-e1b93f0504948cb3bc5fb35e11476d0ec2062923c3121d142305485d67a81295.exe
| MD5 | 16834f3fd826dbb5d134ce3bab29b62e |
| SHA1 | e1c5cbdcffa79ee3e39c2dbdd1c78a36f818df43 |
| SHA256 | e1b93f0504948cb3bc5fb35e11476d0ec2062923c3121d142305485d67a81295 |
| SHA512 | 8b0b30c42360960d5a6e0edb2644ed9f271f4176e7ad1b51a82403ebea36df0130777f364afb920e0d39a2b41a196f106d013c18aa75abe0b9504a4f85b5fde3 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Scatter.no-3c53541ce7b68f2d0d5d05c5012655b6d6991a6b0837b643f9766b0b4bdb833b.exe
| MD5 | baedfa6c150263fd8159ad10b692b8ac |
| SHA1 | 4dec05529698237148ef735f1894881e6065a1f8 |
| SHA256 | 3c53541ce7b68f2d0d5d05c5012655b6d6991a6b0837b643f9766b0b4bdb833b |
| SHA512 | 9aa7c43a6f2b1977e740acaefb1250cbd60df642b8bc16bf36009ffaf7e3f32c094c42c46cc2cfd19b4e6802937e9f4c0f6cf153d2f00e38347bb0523f4d738d |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.wts-3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde.exe
| MD5 | 140ad81e232f2558bae64955668c6b64 |
| SHA1 | c04b0406826f4d24b64cca686ec0e5f995eaf1ca |
| SHA256 | 3fef7ab5964148ebca15a989fbe9988f8ec64a20274881a09345a620ac6eafde |
| SHA512 | a773f6cddcd5e904f3a609da3cd4367c710a9a972317fa95fa066634a51030f3e5d5d81effcc9c629dd2d3560007d6241d7844c299a1cbe7630cff64030f6fd7 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Locky.afku-0c033099ab0236e2c7802c6c4c6b898ab54a1a71d61ab8a0764b8b05130e0f7e.exe
| MD5 | 2b29e228383b9f36c6b105e55d17150f |
| SHA1 | 5e1deeef29a0f84ec729b387d237d3c82ad37677 |
| SHA256 | 0c033099ab0236e2c7802c6c4c6b898ab54a1a71d61ab8a0764b8b05130e0f7e |
| SHA512 | b2b28ddcc0695dbf37331703d1d298d8f6ae5fd34bf072ff08817aa6ff34bbaec8c2f5f329efbe8b61d64c7eea78f2cf4aa36a17088f4d4518d5a8d680e2dc88 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Foreign.njar-406fa10854c4b3ffde28943cb675c42483f085fdd7c4b57df38912daa6edb894.exe
| MD5 | 61ba6a925ae416f540b653833c489f1a |
| SHA1 | aca571e3cdb8074364cb42bb055e5019600cbb91 |
| SHA256 | 406fa10854c4b3ffde28943cb675c42483f085fdd7c4b57df38912daa6edb894 |
| SHA512 | 05d476cf1ccf783ea8efdba8af7431c9bac4a69ac6a3233251c231305a9f693b24463c2d8bbe26f348dbab4a36128fb0b5a64ea09acc4a8893a36972a7abd3ee |
C:\Users\Admin\Desktop\00274\HEUR-Trojan-Ransom.Win32.Shade.gen-c7262483539c3e42d273411e1b94503d8503d35a66807064c5fddf1a7fe7be3b.exe
| MD5 | 72874c5e59c3cd643aae40345fbca151 |
| SHA1 | bd4522426dc27e2ddbd03d030576495843c6f2c6 |
| SHA256 | c7262483539c3e42d273411e1b94503d8503d35a66807064c5fddf1a7fe7be3b |
| SHA512 | 3a0195567f4ce8d3aeca43910abdefc3dd7406561526ab741c4eed02d0272f39bf3e48d87e1d808609c504c557f0a8aebac0bba9716c8092fde6cc11be0d8366 |
C:\Users\Admin\Desktop\00274\Trojan-Ransom.Win32.Blocker.dvjn-6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8.exe
| MD5 | 2265683f75834da25862068cae6aa71a |
| SHA1 | 36ba88ee12bc9038488c0dc12d9d9bf806250fc3 |
| SHA256 | 6b8a26e7aa11204cf98ce438b6f49ea6cf201317335541ba2ac6af694154c3f8 |
| SHA512 | f38e43739228ccdbeaae30008fde2bf68beb207d7b874cd9587bfeb7cdcbaef135ac5f7aae80b61dcd7cc71eb65d6aa18832858acf090f80bb79ad82254af379 |
memory/1784-100-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1784-104-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1784-102-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1784-115-0x0000000000400000-0x0000000000427000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst393A.tmp\System.dll
| MD5 | fc3772787eb239ef4d0399680dcc4343 |
| SHA1 | db2fa99ec967178cd8057a14a428a8439a961a73 |
| SHA256 | 9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed |
| SHA512 | 79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89 |
memory/1784-113-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1784-112-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1784-110-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1784-108-0x0000000000400000-0x0000000000427000-memory.dmp
memory/1784-106-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2172-134-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2572-129-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/2572-136-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/2860-156-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2860-157-0x0000000000400000-0x000000000042C000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsj3A83.tmp\System.dll
| MD5 | 3e6bf00b3ac976122f982ae2aadb1c51 |
| SHA1 | caab188f7fdc84d3fdcb2922edeeb5ed576bd31d |
| SHA256 | 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe |
| SHA512 | 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706 |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1784-159-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2068-201-0x0000000001C90000-0x0000000001CAC000-memory.dmp
\Users\Admin\AppData\Local\Temp\tuning.dll
| MD5 | 3ba723c0e62d907e3026f9beb33bbdf6 |
| SHA1 | 4c2a399eda56fce6e0f19b6e8eaeac3693ef9d15 |
| SHA256 | 41926648a91428b45b1e9f669476287f6cf05bdb74a773646c8fddb3de153b91 |
| SHA512 | 1a735ef2aac15f3bd75b501462cdfd13a4d717e3a532ab288a7c475f505c9819f71a53c57e8fcc72fb42092a00dede745b99764e1b5ff3c54f790957d57e3802 |
memory/2572-204-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/2572-203-0x0000000000400000-0x00000000005DE000-memory.dmp
\Users\Admin\AppData\Local\Temp\nse4423.tmp\System.dll
| MD5 | 883eff06ac96966270731e4e22817e11 |
| SHA1 | 523c87c98236cbc04430e87ec19b977595092ac8 |
| SHA256 | 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82 |
| SHA512 | 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390 |
memory/2036-208-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Roaming\scvhost.exe:Zone.Identifier
| MD5 | bc949ea893a9384070c31f083ccefd26 |
| SHA1 | cbb8391cb65c20e2c05a2f29211e55c49939c3db |
| SHA256 | 6bdf66b5bf2a44e658bea2ee86695ab150a06e600bf67cd5cce245ad54962c61 |
| SHA512 | e4288e71070485637ec5825f510a7daa7e75ef6c71a1b755f51e1b0f2e58e5066837f58408ea74d75db42c49372c6027d433a869904fc5efaf4876dfcfde1287 |
memory/1724-212-0x0000000001300000-0x000000000133F000-memory.dmp
memory/2016-227-0x00000000008C0000-0x00000000009B3000-memory.dmp
memory/2448-237-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2036-239-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2036-238-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2856-240-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2448-236-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2448-234-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2448-230-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1796-248-0x0000000000A30000-0x0000000000B5A000-memory.dmp
memory/2856-247-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2088-246-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2860-245-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1796-244-0x0000000000A30000-0x0000000000B5A000-memory.dmp
memory/2016-243-0x00000000008C0000-0x00000000009B3000-memory.dmp
memory/2448-228-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2572-252-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/2236-256-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2236-254-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2572-251-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1856-253-0x0000000000080000-0x0000000000088000-memory.dmp
memory/2016-276-0x00000000008C0000-0x00000000009B3000-memory.dmp
memory/1796-277-0x0000000000A30000-0x0000000000B5A000-memory.dmp
memory/2496-281-0x0000000000400000-0x0000000000476000-memory.dmp
memory/2592-287-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2592-288-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2592-285-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2572-290-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/2236-294-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f9da27c9\c625.tmp
| MD5 | 44329131e9aa268cdb267566cd7f4d10 |
| SHA1 | 3bcee735d90bf8d7cce2f0f4a1595a573af37fca |
| SHA256 | 8e8808b03939d2b012829de26fda8e7765a5cde3a6713b84b80814f6457407ab |
| SHA512 | e55d0a4c8859290d72549627505100c3d27244c371b236a8737267ca48533cb8659b5826266295ccee5515aa64798efd42d12f0d876972297bc6cd5df0f44331 |
C:\Users\Admin\AppData\Local\Temp\f9da27c9\43c3.tmp
| MD5 | 63245217712b0838f01cf5cb8ecdd22f |
| SHA1 | a020e319581a75fe0f2f29a7b02918a2a31454da |
| SHA256 | 8a70ae07d90458a176a03d8a93141b2b1abf8e86319989a12c5fbbe0d5375308 |
| SHA512 | eac97caf4db43ca46ef844a2211950517f5b401d2caac660400cad4a149da4d22b5bd4d39f517bd46df28ba6ce55660134ad67a9d472790a5c8a07ff54658ad7 |
memory/2172-329-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2424-345-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/2172-361-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1796-383-0x0000000003560000-0x000000000368A000-memory.dmp
memory/1796-384-0x0000000003560000-0x000000000368A000-memory.dmp
memory/2172-385-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2052-386-0x0000000001240000-0x000000000136A000-memory.dmp
memory/1796-389-0x0000000000A30000-0x0000000000B5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fqbwsun
| MD5 | 6c639ef4071d1f57ac5e61fb37b8da47 |
| SHA1 | 90c81420ee02e0138568c0ebda50dab1bd77b6b7 |
| SHA256 | 50aa3d61d8cd51460f18fec6787952a84acee24ca2eccf9bb56aff26dec473b7 |
| SHA512 | 672819e1745ebfcf23148d7555a791487f62dfa96a6badd7de4a40140e83b1b386f7a8bfe0ced86847272c486a97e0bbbaf569324bffcbc76563f2bcf80db7b3 |
memory/2424-407-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/2172-408-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2052-424-0x0000000001240000-0x000000000136A000-memory.dmp
memory/204-423-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OSIRIS-6fdd.htm
| MD5 | 9fdb8323fb01c409ef5b7db050213d1f |
| SHA1 | 216b94003e6d3a48851e86a35c5bd5218cacc9fe |
| SHA256 | 1caf5761e6f587a6aa3b9d69b3dc50d8740d7fcc02c35b8f26564759a4e604f7 |
| SHA512 | 20bc6edb0a41f74472a22ac406ba8567a35e7afe4fcc6b16cac7201a41fb26bc5390f52d73e2f4af67ef3a2ca2a3c9d9c547dcfabdcd290bd7a0c395cef59aa5 |
C:\Users\Admin\AppData\Local\Temp\Cab3334.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar33C3.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 04a4e87f92af3103e8eb10b12ce61fc9 |
| SHA1 | 4d6b185c5e145ac68f4b637b0249cffb623a563e |
| SHA256 | 538b67e07601ea8293b878851055673bfbe27546d744e13c0adbb9b9177130a5 |
| SHA512 | 1fd07516070fb0ebd0bde01742d1864d943b95eab2a3ebdea75062caef88ac89680ebdf6bf52209e452669776c33e27adc06b090fc90fcde9bfd96d65b771b5b |
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\OSIRIS-5dac.htm
| MD5 | 9bd39e1201d7d9c98f2f367a01205025 |
| SHA1 | 759fc27d0489d42b9f372e0712e92bcb877d160c |
| SHA256 | f3c08c262038f7bd8e8468da960b74ed8c5065cc1d972ed863e3c9bf5a094d22 |
| SHA512 | d5ab554572a6ba2b943390883cf2b3454f2e27b253d7d9d94d6e788c945cb01870fbdc6b1866e252f6d4328db3ba0fd8da83282b299fa89a22b80e024e310a94 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 537c469cbff9fc83395b1f352d8168ee |
| SHA1 | 12f1f2697c5b2f0634830c9e988b30ba070ef168 |
| SHA256 | df8657f5fb3ccd692b5523b232d7664afaee0bc9b5dde717eed3e7db9256df65 |
| SHA512 | 82ee5362db5d23c4cb2b65c69f0f3b0241eccc28c195e73584813925f266a9652a113641fd5ebab66a2b512c59d16d085db3e5f3f113ef8fa1a2cec4dad76ce5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\~DF6E693A394BF0ABC1.TMP
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\OSIRIS-9b64.htm
C:\Users\Admin\DesktopOSIRIS.bmp