Malware Analysis Report

2025-01-02 14:56

Sample ID 241122-vc4l5azpfp
Target RNSM00279.7z
SHA256 a15b04019cc88bc0035e8808c951ad06177d55fa11488131caac90ce1346b6b6
Tags: cerber locky locky_osiris luminosity defense_evasion discovery evasion execution impact persistence ransomware rat spyware stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a15b04019cc88bc0035e8808c951ad06177d55fa11488131caac90ce1346b6b6

Threat Level: Known bad

The file RNSM00279.7z was found to be: Known bad.

Malicious Activity Summary

cerber locky locky_osiris luminosity defense_evasion discovery evasion execution impact persistence ransomware rat spyware stealer trojan

Cerber

Locky family

Luminosity family

Locky_osiris family

Locky (Osiris variant)

Locky

Luminosity

Modifies WinLogon for persistence

Cerber family

Deletes shadow copies

Contacts a large (522) amount of remote hosts

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

Indicator Removal: File Deletion

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

System Network Configuration Discovery: Internet Connection Discovery

NSIS installer

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of SendNotifyMessage

Suspicious behavior: CmdExeWriteProcessMemorySpam

Runs ping.exe

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 16:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 16:51

Reported

2024-11-22 16:54

Platform

win7-20240903-en

Max time kernel

143s

Max time network

141s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00279.7z"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Locky

ransomware locky

Locky (Osiris variant)

ransomware locky_osiris

Locky family

locky

Locky_osiris family

locky_osiris

Luminosity

rat luminosity
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\14.0\Common C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Luminosity family

luminosity

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\cache.dat" C:\Windows\syswow64\svchost.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Contacts a large (522) amount of remote hosts

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
N/A N/A C:\Program Files (x86)\BasicServe\basicserve.exe N/A
N/A N/A C:\Program Files (x86)\BasicServe\basicserve.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\File.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe N/A
N/A N/A C:\Windows\iadpmsccojgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\"" C:\Windows\SysWOW64\REG.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\FxsTmp\fxs9DA6.tmp C:\Windows\splwow64.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp3228.bmp" C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2652 set thread context of 4492 N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
PID 2344 set thread context of 4920 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe
PID 2836 set thread context of 5096 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe
PID 2024 set thread context of 3924 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe
PID 2332 set thread context of 4236 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe C:\Users\Admin\AppData\Local\Temp\notepad.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\BasicServe\basicserve.dll C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
File created C:\Program Files (x86)\BasicServe\basicserve.exe C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
File created C:\Program Files (x86)\BasicServe\uninstall.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
File opened for modification C:\Program Files (x86)\BasicServe\basicserve.dll C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\@[email protected] C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\@[email protected] C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\@[email protected] C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\iadpmsccojgu.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe N/A
File opened for modification C:\Windows\iadpmsccojgu.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\BasicServe\basicserve.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\BasicServe\basicserve.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iadpmsccojgu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000d0957ddf8b1c3bbbbafaafc9bbb9c9a41e3516713f14af01adcd983c8a0e1b8c000000000e800000000200002000000011f3c39dfd603b846052b6101d33d9a4964785ed45493355c00fd4f775cba62c20000000e7a1a2160842fa25d9326b03ea4776e87558413c63a00916df85842823ea4e6640000000539fecca5d89c20aa3b05f8d1556ea5523573dc6ce162dc48f0f0b93302449e2611da64758fc2d15840acdbe22538bc92809189989ce070ea5aa4009e458c956 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{30B7CA71-A8F2-11EF-85C5-7E918DD97D05} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback.Save = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR" C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701dcef4fe3cdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.basicserve.com/?tmp=redir_bho_bing&dist=0&prt=bscsrvgup&sp=bing&keywords={searchTerms}" C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{47AE1BA9-0BD1-44F4-88AE-45F8F7B605EF}\DisplayName = "BasicServe" C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438456231" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{43D65271-A8F2-11EF-85C5-7E918DD97D05} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{47AE1BA9-0BD1-44F4-88AE-45F8F7B605EF}\TopResultURLFallback = "http://www.basicserve.com/?tmp=redir_bho_bing&dist=0&prt=bscsrvgup&sp=bing&keywords={searchTerms}" C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{47AE1BA9-0BD1-44F4-88AE-45F8F7B605EF} C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe N/A
N/A N/A C:\Program Files (x86)\BasicServe\basicserve.exe N/A
N/A N/A C:\Program Files (x86)\BasicServe\basicserve.exe N/A
N/A N/A C:\Program Files (x86)\BasicServe\basicserve.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\BasicServe\basicserve.exe N/A
N/A N/A C:\Program Files (x86)\BasicServe\basicserve.exe N/A
N/A N/A C:\Program Files (x86)\BasicServe\basicserve.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\BasicServe\basicserve.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
PID 2648 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
PID 2648 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
PID 2648 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
PID 2648 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe
PID 2648 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe
PID 2648 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe
PID 2648 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe
PID 2648 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe
PID 2648 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe
PID 2648 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe
PID 2648 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe
PID 2648 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe
PID 2648 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe
PID 2648 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe
PID 2648 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe
PID 2648 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe
PID 2648 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe
PID 2648 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe
PID 2648 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe
PID 2648 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe
PID 2648 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe
PID 2648 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe
PID 2648 wrote to memory of 2344 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe
PID 2648 wrote to memory of 2344 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe
PID 2648 wrote to memory of 2344 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe
PID 2648 wrote to memory of 2344 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe
PID 2648 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe
PID 2648 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe
PID 2648 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe
PID 2648 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe
PID 2648 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe
PID 2648 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe
PID 2648 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe
PID 2648 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe
PID 2648 wrote to memory of 632 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe
PID 2648 wrote to memory of 632 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe
PID 2648 wrote to memory of 632 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe
PID 2648 wrote to memory of 632 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe
PID 2648 wrote to memory of 1820 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe
PID 2648 wrote to memory of 1820 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe
PID 2648 wrote to memory of 1820 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe
PID 2648 wrote to memory of 1820 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe
PID 2648 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe
PID 2648 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe
PID 2648 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe
PID 2648 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe
PID 2648 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe
PID 2648 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe
PID 2648 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe
PID 2648 wrote to memory of 2968 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe
PID 632 wrote to memory of 4268 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe C:\Windows\splwow64.exe
PID 632 wrote to memory of 4268 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe C:\Windows\splwow64.exe
PID 632 wrote to memory of 4268 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe C:\Windows\splwow64.exe
PID 632 wrote to memory of 4268 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe C:\Windows\splwow64.exe
PID 2968 wrote to memory of 4352 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 4352 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 4352 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 4352 N/A C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe C:\Windows\system32\cmd.exe
PID 4352 wrote to memory of 4396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 4352 wrote to memory of 4396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 4352 wrote to memory of 4396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2652 wrote to memory of 4492 N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe
PID 2652 wrote to memory of 4492 N/A C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00279.7z"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe

HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe

Trojan-Ransom.NSIS.Xamyh.iop-154fefcc43ac75f06c1a0b35a292531e41e5977d38b8b23feda15f6ac7410b01.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe

Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe

Trojan-Ransom.Win32.Blocker.dvjn-8c561bd369af161f42dc9e98346ee039fced680e82666887f6dcd7ffaf84ab75.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe

Trojan-Ransom.Win32.Foreign.gxrd-811539a46838f499beaebb935d3c771e4e31201530fd455cba97da656e16cc24.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe

Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe

Trojan-Ransom.Win32.Locky.bil-2cdd1b0c3cc727315663a07761e2919c4a114f79c3cd9db6e541c44e5afa1453.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe

Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe

Trojan-Ransom.Win32.Locky.dma-f22703a8d709be91614e6f71a0bfc683f13b44b8dcb8c5b6cabff70b59fda39e.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe

Trojan-Ransom.Win32.Locky.xgw-49ffc90ff02fb02e0d9401bcee07583533aef33f84eb028a8ff0e996f1a1e1a6.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe

Trojan-Ransom.Win32.Locky.xhg-47f9ce6bbefff2abe7311f6d02196722c95ae080cfb352aea478600a144204e0.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe

Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic.exe shadowcopy delete

C:\Windows\syswow64\svchost.exe

"C:\Windows\syswow64\svchost.exe"

C:\Users\Admin\Desktop\00279\HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe

HEUR-Trojan-Ransom.Win32.Agent.gen-14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf.exe

C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe

"C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.exe" "C:\Users\Admin\AppData\Local\Temp\nsz73DC.tmp\basicserve.dll" "dejumifit" " -p bscsrvgup -i b2a7fcfc9e7e4b7bb1489aec1ad94faa" "mifitiwiqiy"

C:\Program Files (x86)\BasicServe\basicserve.exe

"C:\Program Files (x86)\BasicServe\basicserve.exe" "C:\Program Files (x86)\BasicServe\basicserve.dll" uzowesoweh zowanude

C:\Program Files (x86)\BasicServe\basicserve.exe

"C:\Program Files (x86)\BasicServe\basicserve.exe" "C:\Program Files (x86)\BasicServe\basicserve.dll" cinatayoh apohonecin

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe

Trojan-Ransom.Win32.GenericCryptor.iax-f274c20ab5d564b45c6fd923728fb109c1eff9b6522504f3540e2232b1c4fb51.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe

Trojan-Ransom.Win32.Locky.cio-284fc767e7ee38c1c0c01c56be0448fb83cdcf4b32098429735ff04ff08b4355.exe

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3912 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysC33F.tmp"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3912 CREDAT:406536 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysCC73.tmp"

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64

C:\Users\Admin\Desktop\00279\Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe

Trojan-Ransom.Win32.Bitman.jyv-63cc0459c04c6da01fea3e947ae7356ed23469ff4fc082705a6547b7b0c9a157.exe

C:\Windows\iadpmsccojgu.exe

C:\Windows\iadpmsccojgu.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00279\TROJAN~2.EXE

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\tskmgr.exe.lnk " /f

C:\Users\Admin\AppData\Local\Temp\notepad.exe

"C:\Users\Admin\AppData\Local\Temp\notepad.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 324

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 336

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 360

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\@[email protected]

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\@[email protected]

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3132 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "Trojan-Ransom.Win32.Zerber.ohr-612a87e3d0a3009decaea23c246d86fa6f6f9fc116595ea09636be24728362de.exe"

C:\Windows\system32\PING.EXE

ping -n 1 127.0.0.1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64

Network

Country Destination Domain Proto
AM 31.184.234.0:6892 udp
AM 31.184.234.1:6892 udp
AM 31.184.234.2:6892 udp
AM 31.184.234.3:6892 udp
AM 31.184.234.4:6892 udp
AM 31.184.234.5:6892 udp
AM 31.184.234.6:6892 udp
AM 31.184.234.7:6892 udp
AM 31.184.234.8:6892 udp
AM 31.184.234.9:6892 udp
AM 31.184.234.10:6892 udp
AM 31.184.234.11:6892 udp
AM 31.184.234.12:6892 udp
AM 31.184.234.13:6892 udp
AM 31.184.234.14:6892 udp
AM 31.184.234.15:6892 udp
AM 31.184.234.16:6892 udp
AM 31.184.234.17:6892 udp
AM 31.184.234.18:6892 udp
AM 31.184.234.19:6892 udp
AM 31.184.234.20:6892 udp
AM 31.184.234.21:6892 udp
AM 31.184.234.22:6892 udp
AM 31.184.234.23:6892 udp
AM 31.184.234.24:6892 udp
AM 31.184.234.25:6892 udp
AM 31.184.234.26:6892 udp
AM 31.184.234.27:6892 udp
AM 31.184.234.28:6892 udp
AM 31.184.234.29:6892 udp
AM 31.184.234.30:6892 udp
AM 31.184.234.31:6892 udp
AM 31.184.234.32:6892 udp
AM 31.184.234.33:6892 udp
AM 31.184.234.34:6892 udp
AM 31.184.234.35:6892 udp
AM 31.184.234.36:6892 udp
AM 31.184.234.37:6892 udp
AM 31.184.234.38:6892 udp
AM 31.184.234.39:6892 udp
AM 31.184.234.40:6892 udp
AM 31.184.234.41:6892 udp
AM 31.184.234.42:6892 udp
AM 31.184.234.43:6892 udp
AM 31.184.234.44:6892 udp
AM 31.184.234.45:6892 udp
AM 31.184.234.46:6892 udp
AM 31.184.234.47:6892 udp
AM 31.184.234.48:6892 udp
AM 31.184.234.49:6892 udp
AM 31.184.234.50:6892 udp
AM 31.184.234.51:6892 udp
AM 31.184.234.52:6892 udp
AM 31.184.234.53:6892 udp
AM 31.184.234.54:6892 udp
AM 31.184.234.55:6892 udp
AM 31.184.234.56:6892 udp
AM 31.184.234.57:6892 udp
AM 31.184.234.58:6892 udp
AM 31.184.234.59:6892 udp
AM 31.184.234.60:6892 udp
AM 31.184.234.61:6892 udp
AM 31.184.234.62:6892 udp
AM 31.184.234.63:6892 udp
AM 31.184.234.64:6892 udp
AM 31.184.234.65:6892 udp
AM 31.184.234.66:6892 udp
AM 31.184.234.67:6892 udp
AM 31.184.234.68:6892 udp
AM 31.184.234.69:6892 udp
AM 31.184.234.70:6892 udp
AM 31.184.234.71:6892 udp
AM 31.184.234.72:6892 udp
AM 31.184.234.73:6892 udp
AM 31.184.234.74:6892 udp
AM 31.184.234.75:6892 udp
AM 31.184.234.76:6892 udp
AM 31.184.234.77:6892 udp
AM 31.184.234.78:6892 udp
AM 31.184.234.79:6892 udp
AM 31.184.234.80:6892 udp
AM 31.184.234.81:6892 udp
AM 31.184.234.82:6892 udp
AM 31.184.234.83:6892 udp
AM 31.184.234.84:6892 udp
AM 31.184.234.85:6892 udp
AM 31.184.234.86:6892 udp
AM 31.184.234.87:6892 udp
AM 31.184.234.88:6892 udp
AM 31.184.234.89:6892 udp
AM 31.184.234.90:6892 udp
AM 31.184.234.91:6892 udp
AM 31.184.234.92:6892 udp
AM 31.184.234.93:6892 udp
AM 31.184.234.94:6892 udp
AM 31.184.234.95:6892 udp
AM 31.184.234.96:6892 udp
AM 31.184.234.97:6892 udp
AM 31.184.234.98:6892 udp
AM 31.184.234.99:6892 udp
AM 31.184.234.100:6892 udp
AM 31.184.234.101:6892 udp
AM 31.184.234.102:6892 udp
AM 31.184.234.103:6892 udp
AM 31.184.234.104:6892 udp
AM 31.184.234.105:6892 udp
AM 31.184.234.106:6892 udp
AM 31.184.234.107:6892 udp
AM 31.184.234.108:6892 udp
AM 31.184.234.109:6892 udp
AM 31.184.234.110:6892 udp
AM 31.184.234.111:6892 udp
AM 31.184.234.112:6892 udp
AM 31.184.234.113:6892 udp
AM 31.184.234.114:6892 udp
AM 31.184.234.115:6892 udp
AM 31.184.234.116:6892 udp
AM 31.184.234.117:6892 udp
AM 31.184.234.118:6892 udp
AM 31.184.234.119:6892 udp
AM 31.184.234.120:6892 udp
AM 31.184.234.121:6892 udp
AM 31.184.234.122:6892 udp
AM 31.184.234.123:6892 udp
AM 31.184.234.124:6892 udp
AM 31.184.234.125:6892 udp
AM 31.184.234.126:6892 udp
AM 31.184.234.127:6892 udp
AM 31.184.234.128:6892 udp
AM 31.184.234.129:6892 udp
AM 31.184.234.130:6892 udp
AM 31.184.234.131:6892 udp
AM 31.184.234.132:6892 udp
AM 31.184.234.133:6892 udp
AM 31.184.234.134:6892 udp
AM 31.184.234.135:6892 udp
AM 31.184.234.136:6892 udp
AM 31.184.234.137:6892 udp
AM 31.184.234.138:6892 udp
AM 31.184.234.139:6892 udp
AM 31.184.234.140:6892 udp
AM 31.184.234.141:6892 udp
AM 31.184.234.142:6892 udp
AM 31.184.234.143:6892 udp
AM 31.184.234.144:6892 udp
AM 31.184.234.145:6892 udp
AM 31.184.234.146:6892 udp
AM 31.184.234.147:6892 udp
AM 31.184.234.148:6892 udp
AM 31.184.234.149:6892 udp
AM 31.184.234.150:6892 udp
AM 31.184.234.151:6892 udp
AM 31.184.234.152:6892 udp
AM 31.184.234.153:6892 udp
AM 31.184.234.154:6892 udp
AM 31.184.234.155:6892 udp
AM 31.184.234.156:6892 udp
AM 31.184.234.157:6892 udp
AM 31.184.234.158:6892 udp
AM 31.184.234.159:6892 udp
AM 31.184.234.160:6892 udp
AM 31.184.234.161:6892 udp
AM 31.184.234.162:6892 udp
AM 31.184.234.163:6892 udp
AM 31.184.234.164:6892 udp
AM 31.184.234.165:6892 udp
AM 31.184.234.166:6892 udp
AM 31.184.234.167:6892 udp
AM 31.184.234.168:6892 udp
AM 31.184.234.169:6892 udp
AM 31.184.234.170:6892 udp
AM 31.184.234.171:6892 udp
AM 31.184.234.172:6892 udp
AM 31.184.234.173:6892 udp
AM 31.184.234.174:6892 udp
AM 31.184.234.175:6892 udp
AM 31.184.234.176:6892 udp
AM 31.184.234.177:6892 udp
AM 31.184.234.178:6892 udp
AM 31.184.234.179:6892 udp
AM 31.184.234.180:6892 udp
AM 31.184.234.181:6892 udp
AM 31.184.234.182:6892 udp
AM 31.184.234.183:6892 udp
AM 31.184.234.184:6892 udp
AM 31.184.234.185:6892 udp
AM 31.184.234.186:6892 udp
AM 31.184.234.187:6892 udp
AM 31.184.234.188:6892 udp
AM 31.184.234.189:6892 udp
AM 31.184.234.190:6892 udp
AM 31.184.234.191:6892 udp
AM 31.184.234.192:6892 udp
AM 31.184.234.193:6892 udp
AM 31.184.234.194:6892 udp
AM 31.184.234.195:6892 udp
AM 31.184.234.196:6892 udp
AM 31.184.234.197:6892 udp
AM 31.184.234.198:6892 udp
AM 31.184.234.199:6892 udp
AM 31.184.234.200:6892 udp
AM 31.184.234.201:6892 udp
AM 31.184.234.202:6892 udp
AM 31.184.234.203:6892 udp
AM 31.184.234.204:6892 udp
AM 31.184.234.205:6892 udp
AM 31.184.234.206:6892 udp
AM 31.184.234.207:6892 udp
AM 31.184.234.208:6892 udp
AM 31.184.234.209:6892 udp
AM 31.184.234.210:6892 udp
AM 31.184.234.211:6892 udp
AM 31.184.234.212:6892 udp
AM 31.184.234.213:6892 udp
AM 31.184.234.214:6892 udp
AM 31.184.234.215:6892 udp
AM 31.184.234.216:6892 udp
AM 31.184.234.217:6892 udp
AM 31.184.234.218:6892 udp
AM 31.184.234.219:6892 udp
AM 31.184.234.220:6892 udp
AM 31.184.234.221:6892 udp
AM 31.184.234.222:6892 udp
AM 31.184.234.223:6892 udp
AM 31.184.234.224:6892 udp
AM 31.184.234.225:6892 udp
AM 31.184.234.226:6892 udp
AM 31.184.234.227:6892 udp
AM 31.184.234.228:6892 udp
AM 31.184.234.229:6892 udp
AM 31.184.234.230:6892 udp
AM 31.184.234.231:6892 udp
AM 31.184.234.232:6892 udp
AM 31.184.234.233:6892 udp
AM 31.184.234.234:6892 udp
AM 31.184.234.235:6892 udp
AM 31.184.234.236:6892 udp
AM 31.184.234.237:6892 udp
AM 31.184.234.238:6892 udp
AM 31.184.234.239:6892 udp
AM 31.184.234.240:6892 udp
AM 31.184.234.241:6892 udp
AM 31.184.234.242:6892 udp
AM 31.184.234.243:6892 udp
AM 31.184.234.244:6892 udp
AM 31.184.234.245:6892 udp
AM 31.184.234.246:6892 udp
AM 31.184.234.247:6892 udp
AM 31.184.234.248:6892 udp
AM 31.184.234.249:6892 udp
AM 31.184.234.250:6892 udp
AM 31.184.234.251:6892 udp
AM 31.184.234.252:6892 udp
AM 31.184.234.253:6892 udp
AM 31.184.234.254:6892 udp
AM 31.184.234.255:6892 udp
AM 31.184.235.0:6892 udp
AM 31.184.235.1:6892 udp
AM 31.184.235.2:6892 udp
AM 31.184.235.3:6892 udp
AM 31.184.235.4:6892 udp
AM 31.184.235.5:6892 udp
AM 31.184.235.6:6892 udp
AM 31.184.235.7:6892 udp
AM 31.184.235.8:6892 udp
AM 31.184.235.9:6892 udp
AM 31.184.235.10:6892 udp
AM 31.184.235.11:6892 udp
AM 31.184.235.12:6892 udp
AM 31.184.235.13:6892 udp
AM 31.184.235.14:6892 udp
AM 31.184.235.15:6892 udp
AM 31.184.235.16:6892 udp
AM 31.184.235.17:6892 udp
AM 31.184.235.18:6892 udp
AM 31.184.235.19:6892 udp
AM 31.184.235.20:6892 udp
AM 31.184.235.21:6892 udp
AM 31.184.235.22:6892 udp
AM 31.184.235.23:6892 udp
AM 31.184.235.24:6892 udp
AM 31.184.235.25:6892 udp
AM 31.184.235.26:6892 udp
AM 31.184.235.27:6892 udp
AM 31.184.235.28:6892 udp
AM 31.184.235.29:6892 udp
AM 31.184.235.30:6892 udp
AM 31.184.235.31:6892 udp
AM 31.184.235.32:6892 udp
AM 31.184.235.33:6892 udp
AM 31.184.235.34:6892 udp
AM 31.184.235.35:6892 udp
AM 31.184.235.36:6892 udp
AM 31.184.235.37:6892 udp
AM 31.184.235.38:6892 udp
AM 31.184.235.39:6892 udp
AM 31.184.235.40:6892 udp
AM 31.184.235.41:6892 udp
AM 31.184.235.42:6892 udp
AM 31.184.235.43:6892 udp
AM 31.184.235.44:6892 udp
AM 31.184.235.45:6892 udp
AM 31.184.235.46:6892 udp
AM 31.184.235.47:6892 udp
AM 31.184.235.48:6892 udp
AM 31.184.235.49:6892 udp
AM 31.184.235.50:6892 udp
AM 31.184.235.51:6892 udp
AM 31.184.235.52:6892 udp
AM 31.184.235.53:6892 udp
AM 31.184.235.54:6892 udp
AM 31.184.235.55:6892 udp
AM 31.184.235.56:6892 udp
AM 31.184.235.57:6892 udp
AM 31.184.235.58:6892 udp
AM 31.184.235.59:6892 udp
AM 31.184.235.60:6892 udp
AM 31.184.235.61:6892 udp
AM 31.184.235.62:6892 udp
AM 31.184.235.63:6892 udp
AM 31.184.235.64:6892 udp
AM 31.184.235.65:6892 udp
AM 31.184.235.66:6892 udp
AM 31.184.235.67:6892 udp
AM 31.184.235.68:6892 udp
AM 31.184.235.69:6892 udp
AM 31.184.235.70:6892 udp
AM 31.184.235.71:6892 udp
AM 31.184.235.72:6892 udp
AM 31.184.235.73:6892 udp
AM 31.184.235.74:6892 udp
AM 31.184.235.75:6892 udp
AM 31.184.235.76:6892 udp
AM 31.184.235.77:6892 udp
AM 31.184.235.78:6892 udp
AM 31.184.235.79:6892 udp
AM 31.184.235.80:6892 udp
AM 31.184.235.81:6892 udp
AM 31.184.235.82:6892 udp
AM 31.184.235.83:6892 udp
AM 31.184.235.84:6892 udp
AM 31.184.235.85:6892 udp
AM 31.184.235.86:6892 udp
AM 31.184.235.87:6892 udp
AM 31.184.235.88:6892 udp
AM 31.184.235.89:6892 udp
AM 31.184.235.90:6892 udp
AM 31.184.235.91:6892 udp
AM 31.184.235.92:6892 udp
AM 31.184.235.93:6892 udp
AM 31.184.235.94:6892 udp
AM 31.184.235.95:6892 udp
AM 31.184.235.96:6892 udp
AM 31.184.235.97:6892 udp
AM 31.184.235.98:6892 udp
AM 31.184.235.99:6892 udp
AM 31.184.235.100:6892 udp
AM 31.184.235.101:6892 udp
AM 31.184.235.102:6892 udp
AM 31.184.235.103:6892 udp
AM 31.184.235.104:6892 udp
AM 31.184.235.105:6892 udp
AM 31.184.235.106:6892 udp
AM 31.184.235.107:6892 udp
AM 31.184.235.108:6892 udp
AM 31.184.235.109:6892 udp
AM 31.184.235.110:6892 udp
AM 31.184.235.111:6892 udp
AM 31.184.235.112:6892 udp
AM 31.184.235.113:6892 udp
AM 31.184.235.114:6892 udp
AM 31.184.235.115:6892 udp
AM 31.184.235.116:6892 udp
AM 31.184.235.117:6892 udp
AM 31.184.235.118:6892 udp
AM 31.184.235.119:6892 udp
AM 31.184.235.120:6892 udp
AM 31.184.235.121:6892 udp
AM 31.184.235.122:6892 udp
AM 31.184.235.123:6892 udp
AM 31.184.235.124:6892 udp
AM 31.184.235.125:6892 udp
AM 31.184.235.126:6892 udp
AM 31.184.235.127:6892 udp
AM 31.184.235.128:6892 udp
AM 31.184.235.129:6892 udp
AM 31.184.235.130:6892 udp
AM 31.184.235.131:6892 udp
AM 31.184.235.132:6892 udp
AM 31.184.235.133:6892 udp
AM 31.184.235.134:6892 udp
AM 31.184.235.135:6892 udp
AM 31.184.235.136:6892 udp
AM 31.184.235.137:6892 udp
AM 31.184.235.138:6892 udp
AM 31.184.235.139:6892 udp
AM 31.184.235.140:6892 udp
AM 31.184.235.141:6892 udp
AM 31.184.235.142:6892 udp
AM 31.184.235.143:6892 udp
AM 31.184.235.144:6892 udp
AM 31.184.235.145:6892 udp
AM 31.184.235.146:6892 udp
AM 31.184.235.147:6892 udp
AM 31.184.235.148:6892 udp
AM 31.184.235.149:6892 udp
AM 31.184.235.150:6892 udp
AM 31.184.235.151:6892 udp
AM 31.184.235.152:6892 udp
AM 31.184.235.153:6892 udp
AM 31.184.235.154:6892 udp
AM 31.184.235.155:6892 udp
AM 31.184.235.156:6892 udp
AM 31.184.235.157:6892 udp
AM 31.184.235.158:6892 udp
AM 31.184.235.159:6892 udp
AM 31.184.235.160:6892 udp
AM 31.184.235.161:6892 udp
AM 31.184.235.162:6892 udp
AM 31.184.235.163:6892 udp
AM 31.184.235.164:6892 udp
AM 31.184.235.165:6892 udp
AM 31.184.235.166:6892 udp
AM 31.184.235.167:6892 udp
AM 31.184.235.168:6892 udp
AM 31.184.235.169:6892 udp
AM 31.184.235.170:6892 udp
AM 31.184.235.171:6892 udp
AM 31.184.235.172:6892 udp
AM 31.184.235.173:6892 udp
AM 31.184.235.174:6892 udp
AM 31.184.235.175:6892 udp
AM 31.184.235.176:6892 udp
AM 31.184.235.177:6892 udp
AM 31.184.235.178:6892 udp
AM 31.184.235.179:6892 udp
AM 31.184.235.180:6892 udp
AM 31.184.235.181:6892 udp
AM 31.184.235.182:6892 udp
AM 31.184.235.183:6892 udp
AM 31.184.235.184:6892 udp
AM 31.184.235.185:6892 udp
AM 31.184.235.186:6892 udp
AM 31.184.235.187:6892 udp
AM 31.184.235.188:6892 udp
AM 31.184.235.189:6892 udp
AM 31.184.235.190:6892 udp
AM 31.184.235.191:6892 udp
AM 31.184.235.192:6892 udp
AM 31.184.235.193:6892 udp
AM 31.184.235.194:6892 udp
AM 31.184.235.195:6892 udp
AM 31.184.235.196:6892 udp
AM 31.184.235.197:6892 udp
AM 31.184.235.198:6892 udp
AM 31.184.235.199:6892 udp
AM 31.184.235.200:6892 udp
AM 31.184.235.201:6892 udp
AM 31.184.235.202:6892 udp
AM 31.184.235.203:6892 udp
AM 31.184.235.204:6892 udp
AM 31.184.235.205:6892 udp
AM 31.184.235.206:6892 udp
AM 31.184.235.207:6892 udp
AM 31.184.235.208:6892 udp
AM 31.184.235.209:6892 udp
AM 31.184.235.210:6892 udp
AM 31.184.235.211:6892 udp
AM 31.184.235.212:6892 udp
AM 31.184.235.213:6892 udp
AM 31.184.235.214:6892 udp
AM 31.184.235.215:6892 udp
AM 31.184.235.216:6892 udp
AM 31.184.235.217:6892 udp
AM 31.184.235.218:6892 udp
AM 31.184.235.219:6892 udp
AM 31.184.235.220:6892 udp
AM 31.184.235.221:6892 udp
AM 31.184.235.222:6892 udp
AM 31.184.235.223:6892 udp
AM 31.184.235.224:6892 udp
AM 31.184.235.225:6892 udp
AM 31.184.235.226:6892 udp
AM 31.184.235.227:6892 udp
AM 31.184.235.228:6892 udp
AM 31.184.235.229:6892 udp
AM 31.184.235.230:6892 udp
AM 31.184.235.231:6892 udp
AM 31.184.235.232:6892 udp
AM 31.184.235.233:6892 udp
AM 31.184.235.234:6892 udp
AM 31.184.235.235:6892 udp
AM 31.184.235.236:6892 udp
AM 31.184.235.237:6892 udp
AM 31.184.235.238:6892 udp
AM 31.184.235.239:6892 udp
AM 31.184.235.240:6892 udp
AM 31.184.235.241:6892 udp
AM 31.184.235.242:6892 udp
AM 31.184.235.243:6892 udp
AM 31.184.235.244:6892 udp
AM 31.184.235.245:6892 udp
AM 31.184.235.246:6892 udp
AM 31.184.235.247:6892 udp
AM 31.184.235.248:6892 udp
AM 31.184.235.249:6892 udp
AM 31.184.235.250:6892 udp
AM 31.184.235.251:6892 udp
AM 31.184.235.252:6892 udp
AM 31.184.235.253:6892 udp
AM 31.184.235.254:6892 udp
AM 31.184.235.255:6892 udp
RU 109.248.59.100:80 tcp
RU 93.170.123.185:80 93.170.123.185 tcp
US 8.8.8.8:53 patch.checksquarespot.com udp
TR 194.31.59.5:80 194.31.59.5 tcp
TR 194.31.59.5:80 194.31.59.5 tcp
RU 93.170.123.185:80 93.170.123.185 tcp
FR 154.16.201.75:3141 tcp
FR 154.16.201.75:3141 tcp
RU 88.214.236.36:80 tcp
FR 154.16.201.75:3141 tcp
AM 31.184.234.0:6892 udp
AM 31.184.234.1:6892 udp
AM 31.184.234.2:6892 udp
AM 31.184.234.3:6892 udp
AM 31.184.234.4:6892 udp
AM 31.184.234.5:6892 udp
AM 31.184.234.6:6892 udp
AM 31.184.234.7:6892 udp
AM 31.184.234.8:6892 udp
AM 31.184.234.9:6892 udp
AM 31.184.234.10:6892 udp
AM 31.184.234.11:6892 udp
AM 31.184.234.12:6892 udp
AM 31.184.234.13:6892 udp
AM 31.184.234.14:6892 udp
AM 31.184.234.15:6892 udp
AM 31.184.234.16:6892 udp
AM 31.184.234.17:6892 udp
AM 31.184.234.18:6892 udp
AM 31.184.234.19:6892 udp
AM 31.184.234.20:6892 udp
AM 31.184.234.21:6892 udp
AM 31.184.234.22:6892 udp
AM 31.184.234.23:6892 udp
AM 31.184.234.24:6892 udp
AM 31.184.234.25:6892 udp
AM 31.184.234.26:6892 udp
AM 31.184.234.27:6892 udp
AM 31.184.234.28:6892 udp
AM 31.184.234.29:6892 udp
AM 31.184.234.30:6892 udp
AM 31.184.234.31:6892 udp
AM 31.184.234.32:6892 udp
AM 31.184.234.33:6892 udp
AM 31.184.234.34:6892 udp
AM 31.184.234.35:6892 udp
AM 31.184.234.36:6892 udp
AM 31.184.234.37:6892 udp
AM 31.184.234.38:6892 udp
AM 31.184.234.39:6892 udp
AM 31.184.234.40:6892 udp
AM 31.184.234.41:6892 udp
AM 31.184.234.42:6892 udp
AM 31.184.234.43:6892 udp
AM 31.184.234.44:6892 udp
AM 31.184.234.45:6892 udp
AM 31.184.234.46:6892 udp
AM 31.184.234.47:6892 udp
AM 31.184.234.48:6892 udp
AM 31.184.234.49:6892 udp
AM 31.184.234.50:6892 udp
AM 31.184.234.51:6892 udp
AM 31.184.234.52:6892 udp
AM 31.184.234.53:6892 udp
AM 31.184.234.54:6892 udp
AM 31.184.234.55:6892 udp
AM 31.184.234.56:6892 udp
AM 31.184.234.57:6892 udp
AM 31.184.234.58:6892 udp
AM 31.184.234.59:6892 udp
AM 31.184.234.60:6892 udp
AM 31.184.234.61:6892 udp
AM 31.184.234.62:6892 udp
AM 31.184.234.63:6892 udp
AM 31.184.234.64:6892 udp
AM 31.184.234.65:6892 udp
AM 31.184.234.66:6892 udp
AM 31.184.234.67:6892 udp
AM 31.184.234.68:6892 udp
AM 31.184.234.69:6892 udp
AM 31.184.234.70:6892 udp
AM 31.184.234.71:6892 udp
AM 31.184.234.72:6892 udp
AM 31.184.234.73:6892 udp
AM 31.184.234.74:6892 udp
AM 31.184.234.75:6892 udp
AM 31.184.234.76:6892 udp
AM 31.184.234.77:6892 udp
AM 31.184.234.78:6892 udp
AM 31.184.234.79:6892 udp
AM 31.184.234.80:6892 udp
AM 31.184.234.81:6892 udp
AM 31.184.234.82:6892 udp
AM 31.184.234.83:6892 udp
AM 31.184.234.84:6892 udp
AM 31.184.234.85:6892 udp
AM 31.184.234.86:6892 udp
AM 31.184.234.87:6892 udp
AM 31.184.234.88:6892 udp
AM 31.184.234.89:6892 udp
AM 31.184.234.90:6892 udp
AM 31.184.234.91:6892 udp
AM 31.184.234.92:6892 udp
AM 31.184.234.93:6892 udp
AM 31.184.234.94:6892 udp
AM 31.184.234.95:6892 udp
AM 31.184.234.96:6892 udp
AM 31.184.234.97:6892 udp
AM 31.184.234.98:6892 udp
AM 31.184.234.99:6892 udp
AM 31.184.234.100:6892 udp
AM 31.184.234.101:6892 udp
AM 31.184.234.102:6892 udp
AM 31.184.234.103:6892 udp
AM 31.184.234.104:6892 udp
AM 31.184.234.105:6892 udp
AM 31.184.234.106:6892 udp
AM 31.184.234.107:6892 udp
AM 31.184.234.108:6892 udp
AM 31.184.234.109:6892 udp
AM 31.184.234.110:6892 udp
AM 31.184.234.111:6892 udp
AM 31.184.234.112:6892 udp
AM 31.184.234.113:6892 udp
AM 31.184.234.114:6892 udp
AM 31.184.234.115:6892 udp
AM 31.184.234.116:6892 udp
AM 31.184.234.117:6892 udp
AM 31.184.234.118:6892 udp
AM 31.184.234.119:6892 udp
AM 31.184.234.120:6892 udp
AM 31.184.234.121:6892 udp
AM 31.184.234.122:6892 udp
AM 31.184.234.123:6892 udp
AM 31.184.234.124:6892 udp
AM 31.184.234.125:6892 udp
AM 31.184.234.126:6892 udp
AM 31.184.234.127:6892 udp
AM 31.184.234.128:6892 udp
AM 31.184.234.129:6892 udp
AM 31.184.234.130:6892 udp
AM 31.184.234.131:6892 udp
AM 31.184.234.132:6892 udp
AM 31.184.234.133:6892 udp
AM 31.184.234.134:6892 udp
AM 31.184.234.135:6892 udp
AM 31.184.234.136:6892 udp
AM 31.184.234.137:6892 udp
AM 31.184.234.138:6892 udp
AM 31.184.234.139:6892 udp
AM 31.184.234.140:6892 udp
AM 31.184.234.141:6892 udp
AM 31.184.234.142:6892 udp
AM 31.184.234.143:6892 udp
AM 31.184.234.144:6892 udp
AM 31.184.234.145:6892 udp
AM 31.184.234.146:6892 udp
AM 31.184.234.147:6892 udp
AM 31.184.234.148:6892 udp
AM 31.184.234.149:6892 udp
AM 31.184.234.150:6892 udp
AM 31.184.234.151:6892 udp
AM 31.184.234.152:6892 udp
AM 31.184.234.153:6892 udp
AM 31.184.234.154:6892 udp
AM 31.184.234.155:6892 udp
AM 31.184.234.156:6892 udp
AM 31.184.234.157:6892 udp
AM 31.184.234.158:6892 udp
AM 31.184.234.159:6892 udp
AM 31.184.234.160:6892 udp
AM 31.184.234.161:6892 udp
AM 31.184.234.162:6892 udp
AM 31.184.234.163:6892 udp
AM 31.184.234.164:6892 udp
AM 31.184.234.165:6892 udp
AM 31.184.234.166:6892 udp
AM 31.184.234.167:6892 udp
AM 31.184.234.168:6892 udp
AM 31.184.234.169:6892 udp
AM 31.184.234.170:6892 udp
AM 31.184.234.171:6892 udp
AM 31.184.234.172:6892 udp
AM 31.184.234.173:6892 udp
AM 31.184.234.174:6892 udp
AM 31.184.234.175:6892 udp
AM 31.184.234.176:6892 udp
AM 31.184.234.177:6892 udp
AM 31.184.234.178:6892 udp
AM 31.184.234.179:6892 udp
AM 31.184.234.180:6892 udp
AM 31.184.234.181:6892 udp
AM 31.184.234.182:6892 udp
AM 31.184.234.183:6892 udp
AM 31.184.234.184:6892 udp
AM 31.184.234.185:6892 udp
AM 31.184.234.186:6892 udp
AM 31.184.234.187:6892 udp
AM 31.184.234.188:6892 udp
AM 31.184.234.189:6892 udp
AM 31.184.234.190:6892 udp
AM 31.184.234.191:6892 udp
AM 31.184.234.192:6892 udp
AM 31.184.234.193:6892 udp
AM 31.184.234.194:6892 udp
AM 31.184.234.195:6892 udp
AM 31.184.234.196:6892 udp
AM 31.184.234.197:6892 udp
AM 31.184.234.198:6892 udp
AM 31.184.234.199:6892 udp
AM 31.184.234.200:6892 udp
AM 31.184.234.201:6892 udp
AM 31.184.234.202:6892 udp
AM 31.184.234.203:6892 udp
AM 31.184.234.204:6892 udp
AM 31.184.234.205:6892 udp
AM 31.184.234.206:6892 udp
AM 31.184.234.207:6892 udp
AM 31.184.234.208:6892 udp
AM 31.184.234.209:6892 udp
AM 31.184.234.210:6892 udp
AM 31.184.234.211:6892 udp
AM 31.184.234.212:6892 udp
AM 31.184.234.213:6892 udp
AM 31.184.234.214:6892 udp
AM 31.184.234.215:6892 udp
AM 31.184.234.216:6892 udp
AM 31.184.234.217:6892 udp
AM 31.184.234.218:6892 udp
AM 31.184.234.219:6892 udp
AM 31.184.234.220:6892 udp
AM 31.184.234.221:6892 udp
AM 31.184.234.222:6892 udp
AM 31.184.234.223:6892 udp
AM 31.184.234.224:6892 udp
AM 31.184.234.225:6892 udp
AM 31.184.234.226:6892 udp
AM 31.184.234.227:6892 udp
AM 31.184.234.228:6892 udp
AM 31.184.234.229:6892 udp
AM 31.184.234.230:6892 udp
AM 31.184.234.231:6892 udp
AM 31.184.234.232:6892 udp
AM 31.184.234.233:6892 udp
AM 31.184.234.234:6892 udp
AM 31.184.234.235:6892 udp
AM 31.184.234.236:6892 udp
AM 31.184.234.237:6892 udp
AM 31.184.234.238:6892 udp
AM 31.184.234.239:6892 udp
AM 31.184.234.240:6892 udp
AM 31.184.234.241:6892 udp
AM 31.184.234.242:6892 udp
AM 31.184.234.243:6892 udp
AM 31.184.234.244:6892 udp
AM 31.184.234.245:6892 udp
AM 31.184.234.246:6892 udp
AM 31.184.234.247:6892 udp
AM 31.184.234.248:6892 udp
AM 31.184.234.249:6892 udp
AM 31.184.234.250:6892 udp
AM 31.184.234.251:6892 udp
AM 31.184.234.252:6892 udp
AM 31.184.234.253:6892 udp
AM 31.184.234.254:6892 udp
AM 31.184.234.255:6892 udp
AM 31.184.235.0:6892 udp
AM 31.184.235.1:6892 udp
AM 31.184.235.2:6892 udp
AM 31.184.235.3:6892 udp
AM 31.184.235.4:6892 udp
AM 31.184.235.5:6892 udp
AM 31.184.235.6:6892 udp
AM 31.184.235.7:6892 udp
AM 31.184.235.8:6892 udp
AM 31.184.235.9:6892 udp
AM 31.184.235.10:6892 udp
AM 31.184.235.11:6892 udp
AM 31.184.235.12:6892 udp
AM 31.184.235.13:6892 udp
AM 31.184.235.14:6892 udp
AM 31.184.235.15:6892 udp
AM 31.184.235.16:6892 udp
AM 31.184.235.17:6892 udp
AM 31.184.235.18:6892 udp
AM 31.184.235.19:6892 udp
AM 31.184.235.20:6892 udp
AM 31.184.235.21:6892 udp
AM 31.184.235.22:6892 udp
AM 31.184.235.23:6892 udp
AM 31.184.235.24:6892 udp
AM 31.184.235.25:6892 udp
AM 31.184.235.26:6892 udp
AM 31.184.235.27:6892 udp
AM 31.184.235.28:6892 udp
AM 31.184.235.29:6892 udp
AM 31.184.235.30:6892 udp
AM 31.184.235.31:6892 udp
AM 31.184.235.32:6892 udp
AM 31.184.235.33:6892 udp
AM 31.184.235.34:6892 udp
AM 31.184.235.35:6892 udp
AM 31.184.235.36:6892 udp
AM 31.184.235.37:6892 udp
AM 31.184.235.38:6892 udp
AM 31.184.235.39:6892 udp
AM 31.184.235.40:6892 udp
AM 31.184.235.41:6892 udp
AM 31.184.235.42:6892 udp
AM 31.184.235.43:6892 udp
AM 31.184.235.44:6892 udp
AM 31.184.235.45:6892 udp
AM 31.184.235.46:6892 udp
AM 31.184.235.47:6892 udp
AM 31.184.235.48:6892 udp
AM 31.184.235.49:6892 udp
AM 31.184.235.50:6892 udp
AM 31.184.235.51:6892 udp
AM 31.184.235.52:6892 udp
AM 31.184.235.53:6892 udp
AM 31.184.235.54:6892 udp
AM 31.184.235.55:6892 udp
AM 31.184.235.56:6892 udp
AM 31.184.235.57:6892 udp
AM 31.184.235.58:6892 udp
AM 31.184.235.59:6892 udp
AM 31.184.235.60:6892 udp
AM 31.184.235.61:6892 udp
AM 31.184.235.62:6892 udp
AM 31.184.235.63:6892 udp
AM 31.184.235.64:6892 udp
AM 31.184.235.65:6892 udp
AM 31.184.235.66:6892 udp
AM 31.184.235.67:6892 udp
AM 31.184.235.68:6892 udp
AM 31.184.235.69:6892 udp
AM 31.184.235.70:6892 udp
AM 31.184.235.71:6892 udp
AM 31.184.235.72:6892 udp
AM 31.184.235.73:6892 udp
AM 31.184.235.74:6892 udp
AM 31.184.235.75:6892 udp
AM 31.184.235.76:6892 udp
AM 31.184.235.77:6892 udp
AM 31.184.235.78:6892 udp
AM 31.184.235.79:6892 udp
AM 31.184.235.80:6892 udp
AM 31.184.235.81:6892 udp
AM 31.184.235.82:6892 udp
AM 31.184.235.83:6892 udp
AM 31.184.235.84:6892 udp
AM 31.184.235.85:6892 udp
AM 31.184.235.86:6892 udp
AM 31.184.235.87:6892 udp
AM 31.184.235.88:6892 udp
AM 31.184.235.89:6892 udp
AM 31.184.235.90:6892 udp
AM 31.184.235.91:6892 udp
AM 31.184.235.92:6892 udp
AM 31.184.235.93:6892 udp
AM 31.184.235.94:6892 udp
AM 31.184.235.95:6892 udp
AM 31.184.235.96:6892 udp
AM 31.184.235.97:6892 udp
AM 31.184.235.98:6892 udp
AM 31.184.235.99:6892 udp
AM 31.184.235.100:6892 udp
AM 31.184.235.101:6892 udp
AM 31.184.235.102:6892 udp
AM 31.184.235.103:6892 udp
AM 31.184.235.104:6892 udp
AM 31.184.235.105:6892 udp
AM 31.184.235.106:6892 udp
AM 31.184.235.107:6892 udp
AM 31.184.235.108:6892 udp
AM 31.184.235.109:6892 udp
AM 31.184.235.110:6892 udp
AM 31.184.235.111:6892 udp
AM 31.184.235.112:6892 udp
AM 31.184.235.113:6892 udp
AM 31.184.235.114:6892 udp
AM 31.184.235.115:6892 udp
AM 31.184.235.116:6892 udp
AM 31.184.235.117:6892 udp
AM 31.184.235.118:6892 udp
AM 31.184.235.119:6892 udp
AM 31.184.235.120:6892 udp
AM 31.184.235.121:6892 udp
AM 31.184.235.122:6892 udp
AM 31.184.235.123:6892 udp
AM 31.184.235.124:6892 udp
AM 31.184.235.125:6892 udp
AM 31.184.235.126:6892 udp
AM 31.184.235.127:6892 udp
AM 31.184.235.128:6892 udp
AM 31.184.235.129:6892 udp
AM 31.184.235.130:6892 udp
AM 31.184.235.131:6892 udp
AM 31.184.235.132:6892 udp
AM 31.184.235.133:6892 udp
AM 31.184.235.134:6892 udp
AM 31.184.235.135:6892 udp
AM 31.184.235.136:6892 udp
AM 31.184.235.137:6892 udp
AM 31.184.235.138:6892 udp
AM 31.184.235.139:6892 udp
AM 31.184.235.140:6892 udp
AM 31.184.235.141:6892 udp
AM 31.184.235.142:6892 udp
AM 31.184.235.143:6892 udp
AM 31.184.235.144:6892 udp
AM 31.184.235.145:6892 udp
AM 31.184.235.146:6892 udp
AM 31.184.235.147:6892 udp
AM 31.184.235.148:6892 udp
AM 31.184.235.149:6892 udp
AM 31.184.235.150:6892 udp
AM 31.184.235.151:6892 udp
AM 31.184.235.152:6892 udp
AM 31.184.235.153:6892 udp
AM 31.184.235.154:6892 udp
AM 31.184.235.155:6892 udp
AM 31.184.235.156:6892 udp
AM 31.184.235.157:6892 udp
AM 31.184.235.158:6892 udp
AM 31.184.235.159:6892 udp
AM 31.184.235.160:6892 udp
AM 31.184.235.161:6892 udp
AM 31.184.235.162:6892 udp
AM 31.184.235.163:6892 udp
AM 31.184.235.164:6892 udp
AM 31.184.235.165:6892 udp
AM 31.184.235.166:6892 udp
AM 31.184.235.167:6892 udp
AM 31.184.235.168:6892 udp
AM 31.184.235.169:6892 udp
AM 31.184.235.170:6892 udp
AM 31.184.235.171:6892 udp
AM 31.184.235.172:6892 udp
AM 31.184.235.173:6892 udp
AM 31.184.235.174:6892 udp
AM 31.184.235.175:6892 udp
AM 31.184.235.176:6892 udp
AM 31.184.235.177:6892 udp
AM 31.184.235.178:6892 udp
AM 31.184.235.179:6892 udp
AM 31.184.235.180:6892 udp
AM 31.184.235.181:6892 udp
AM 31.184.235.182:6892 udp
AM 31.184.235.183:6892 udp
AM 31.184.235.184:6892 udp
AM 31.184.235.185:6892 udp
AM 31.184.235.186:6892 udp
AM 31.184.235.187:6892 udp
AM 31.184.235.188:6892 udp
AM 31.184.235.189:6892 udp
AM 31.184.235.190:6892 udp
AM 31.184.235.191:6892 udp
AM 31.184.235.192:6892 udp
AM 31.184.235.193:6892 udp
AM 31.184.235.194:6892 udp
AM 31.184.235.195:6892 udp
AM 31.184.235.196:6892 udp
AM 31.184.235.197:6892 udp
AM 31.184.235.198:6892 udp
AM 31.184.235.199:6892 udp
AM 31.184.235.200:6892 udp
AM 31.184.235.201:6892 udp
AM 31.184.235.202:6892 udp
AM 31.184.235.203:6892 udp
AM 31.184.235.204:6892 udp
AM 31.184.235.205:6892 udp
AM 31.184.235.206:6892 udp
AM 31.184.235.207:6892 udp
AM 31.184.235.208:6892 udp
AM 31.184.235.209:6892 udp
AM 31.184.235.210:6892 udp
AM 31.184.235.211:6892 udp
AM 31.184.235.212:6892 udp
AM 31.184.235.213:6892 udp
AM 31.184.235.214:6892 udp
AM 31.184.235.215:6892 udp
AM 31.184.235.216:6892 udp
AM 31.184.235.217:6892 udp
AM 31.184.235.218:6892 udp
AM 31.184.235.219:6892 udp
AM 31.184.235.220:6892 udp
AM 31.184.235.221:6892 udp
AM 31.184.235.222:6892 udp
AM 31.184.235.223:6892 udp
AM 31.184.235.224:6892 udp
AM 31.184.235.225:6892 udp
AM 31.184.235.226:6892 udp
AM 31.184.235.227:6892 udp
AM 31.184.235.228:6892 udp
AM 31.184.235.229:6892 udp
AM 31.184.235.230:6892 udp
AM 31.184.235.231:6892 udp
AM 31.184.235.232:6892 udp
AM 31.184.235.233:6892 udp
AM 31.184.235.234:6892 udp
AM 31.184.235.235:6892 udp
AM 31.184.235.236:6892 udp
AM 31.184.235.237:6892 udp
AM 31.184.235.238:6892 udp
AM 31.184.235.239:6892 udp
AM 31.184.235.240:6892 udp
AM 31.184.235.241:6892 udp
AM 31.184.235.242:6892 udp
AM 31.184.235.243:6892 udp
AM 31.184.235.244:6892 udp
AM 31.184.235.245:6892 udp
AM 31.184.235.246:6892 udp
AM 31.184.235.247:6892 udp
AM 31.184.235.248:6892 udp
AM 31.184.235.249:6892 udp
AM 31.184.235.250:6892 udp
AM 31.184.235.251:6892 udp
AM 31.184.235.252:6892 udp
AM 31.184.235.253:6892 udp
AM 31.184.235.254:6892 udp
AM 31.184.235.255:6892 udp
AM 31.184.234.0:6892 udp
AM 31.184.234.1:6892 udp
AM 31.184.234.2:6892 udp
AM 31.184.234.3:6892 udp
AM 31.184.234.4:6892 udp
AM 31.184.234.5:6892 udp
AM 31.184.234.6:6892 udp
AM 31.184.234.7:6892 udp
AM 31.184.234.8:6892 udp
AM 31.184.234.9:6892 udp
AM 31.184.234.10:6892 udp
AM 31.184.234.11:6892 udp
AM 31.184.234.12:6892 udp
AM 31.184.234.13:6892 udp
AM 31.184.234.14:6892 udp
AM 31.184.234.15:6892 udp
AM 31.184.234.16:6892 udp
AM 31.184.234.17:6892 udp
AM 31.184.234.18:6892 udp
AM 31.184.234.19:6892 udp
AM 31.184.234.20:6892 udp
AM 31.184.234.21:6892 udp
AM 31.184.234.22:6892 udp
AM 31.184.234.23:6892 udp
AM 31.184.234.24:6892 udp
AM 31.184.234.25:6892 udp
AM 31.184.234.26:6892 udp
AM 31.184.234.27:6892 udp
AM 31.184.234.28:6892 udp
AM 31.184.234.29:6892 udp
AM 31.184.234.30:6892 udp
AM 31.184.234.31:6892 udp
AM 31.184.234.32:6892 udp
AM 31.184.234.33:6892 udp
AM 31.184.234.34:6892 udp
AM 31.184.234.35:6892 udp
AM 31.184.234.36:6892 udp
AM 31.184.234.37:6892 udp
AM 31.184.234.38:6892 udp
AM 31.184.234.39:6892 udp
AM 31.184.234.40:6892 udp
AM 31.184.234.41:6892 udp
AM 31.184.234.42:6892 udp
AM 31.184.234.43:6892 udp
AM 31.184.234.44:6892 udp
AM 31.184.234.45:6892 udp
AM 31.184.234.46:6892 udp
AM 31.184.234.47:6892 udp
AM 31.184.234.48:6892 udp
AM 31.184.234.49:6892 udp
AM 31.184.234.50:6892 udp
AM 31.184.234.51:6892 udp
AM 31.184.234.52:6892 udp
AM 31.184.234.53:6892 udp
AM 31.184.234.54:6892 udp
AM 31.184.234.55:6892 udp
AM 31.184.234.56:6892 udp
AM 31.184.234.57:6892 udp
AM 31.184.234.58:6892 udp
AM 31.184.234.59:6892 udp
AM 31.184.234.60:6892 udp
AM 31.184.234.61:6892 udp
AM 31.184.234.62:6892 udp
AM 31.184.234.63:6892 udp
AM 31.184.234.64:6892 udp
AM 31.184.234.65:6892 udp
AM 31.184.234.66:6892 udp
AM 31.184.234.67:6892 udp
AM 31.184.234.68:6892 udp
AM 31.184.234.69:6892 udp
AM 31.184.234.70:6892 udp
AM 31.184.234.71:6892 udp
AM 31.184.234.72:6892 udp
AM 31.184.234.73:6892 udp
AM 31.184.234.74:6892 udp
AM 31.184.234.75:6892 udp
AM 31.184.234.76:6892 udp
AM 31.184.234.77:6892 udp
AM 31.184.234.78:6892 udp
AM 31.184.234.79:6892 udp
AM 31.184.234.80:6892 udp
AM 31.184.234.81:6892 udp
AM 31.184.234.82:6892 udp
AM 31.184.234.83:6892 udp
AM 31.184.234.84:6892 udp
AM 31.184.234.85:6892 udp
AM 31.184.234.86:6892 udp
AM 31.184.234.87:6892 udp
AM 31.184.234.88:6892 udp
AM 31.184.234.89:6892 udp
AM 31.184.234.90:6892 udp
AM 31.184.234.91:6892 udp
AM 31.184.234.92:6892 udp
AM 31.184.234.93:6892 udp
AM 31.184.234.94:6892 udp
AM 31.184.234.95:6892 udp
AM 31.184.234.96:6892 udp
AM 31.184.234.97:6892 udp
AM 31.184.234.98:6892 udp
AM 31.184.234.99:6892 udp
AM 31.184.234.100:6892 udp
AM 31.184.234.101:6892 udp
AM 31.184.234.102:6892 udp
AM 31.184.234.103:6892 udp
AM 31.184.234.104:6892 udp
AM 31.184.234.105:6892 udp
AM 31.184.234.106:6892 udp
AM 31.184.234.107:6892 udp
AM 31.184.234.108:6892 udp
AM 31.184.234.109:6892 udp
AM 31.184.234.110:6892 udp
AM 31.184.234.111:6892 udp
AM 31.184.234.112:6892 udp
AM 31.184.234.113:6892 udp
AM 31.184.234.114:6892 udp
AM 31.184.234.115:6892 udp
AM 31.184.234.116:6892 udp
AM 31.184.234.117:6892 udp
AM 31.184.234.118:6892 udp
AM 31.184.234.119:6892 udp
AM 31.184.234.120:6892 udp
AM 31.184.234.121:6892 udp
AM 31.184.234.122:6892 udp
AM 31.184.234.123:6892 udp
AM 31.184.234.124:6892 udp
AM 31.184.234.125:6892 udp
AM 31.184.234.126:6892 udp
AM 31.184.234.127:6892 udp
AM 31.184.234.128:6892 udp
AM 31.184.234.129:6892 udp
AM 31.184.234.130:6892 udp
AM 31.184.234.131:6892 udp
AM 31.184.234.132:6892 udp
AM 31.184.234.133:6892 udp
AM 31.184.234.134:6892 udp
AM 31.184.234.135:6892 udp
AM 31.184.234.136:6892 udp
AM 31.184.234.137:6892 udp
AM 31.184.234.138:6892 udp
AM 31.184.234.139:6892 udp
AM 31.184.234.140:6892 udp
AM 31.184.234.141:6892 udp
AM 31.184.234.142:6892 udp
AM 31.184.234.143:6892 udp
AM 31.184.234.144:6892 udp
AM 31.184.234.145:6892 udp
AM 31.184.234.146:6892 udp
AM 31.184.234.147:6892 udp
AM 31.184.234.148:6892 udp
AM 31.184.234.149:6892 udp
AM 31.184.234.150:6892 udp
AM 31.184.234.151:6892 udp
AM 31.184.234.152:6892 udp
AM 31.184.234.153:6892 udp
AM 31.184.234.154:6892 udp
AM 31.184.234.155:6892 udp
AM 31.184.234.156:6892 udp
AM 31.184.234.157:6892 udp
AM 31.184.234.158:6892 udp
AM 31.184.234.159:6892 udp
AM 31.184.234.160:6892 udp
AM 31.184.234.161:6892 udp
AM 31.184.234.162:6892 udp
AM 31.184.234.163:6892 udp
AM 31.184.234.164:6892 udp
AM 31.184.234.165:6892 udp
AM 31.184.234.166:6892 udp
AM 31.184.234.167:6892 udp
AM 31.184.234.168:6892 udp
AM 31.184.234.169:6892 udp
AM 31.184.234.170:6892 udp
AM 31.184.234.171:6892 udp
AM 31.184.234.172:6892 udp
AM 31.184.234.173:6892 udp
AM 31.184.234.174:6892 udp
AM 31.184.234.175:6892 udp
AM 31.184.234.176:6892 udp
AM 31.184.234.177:6892 udp
AM 31.184.234.178:6892 udp
AM 31.184.234.179:6892 udp
AM 31.184.234.180:6892 udp
AM 31.184.234.181:6892 udp
AM 31.184.234.182:6892 udp
AM 31.184.234.183:6892 udp
AM 31.184.234.184:6892 udp
AM 31.184.234.185:6892 udp
AM 31.184.234.186:6892 udp
AM 31.184.234.187:6892 udp
AM 31.184.234.188:6892 udp
AM 31.184.234.189:6892 udp
AM 31.184.234.190:6892 udp
AM 31.184.234.191:6892 udp
AM 31.184.234.192:6892 udp
AM 31.184.234.193:6892 udp
AM 31.184.234.194:6892 udp
AM 31.184.234.195:6892 udp
AM 31.184.234.196:6892 udp
AM 31.184.234.197:6892 udp
AM 31.184.234.198:6892 udp
AM 31.184.234.199:6892 udp
AM 31.184.234.200:6892 udp
AM 31.184.234.201:6892 udp
AM 31.184.234.202:6892 udp
AM 31.184.234.203:6892 udp
AM 31.184.234.204:6892 udp
AM 31.184.234.205:6892 udp
AM 31.184.234.206:6892 udp
AM 31.184.234.207:6892 udp
AM 31.184.234.208:6892 udp
AM 31.184.234.209:6892 udp
AM 31.184.234.210:6892 udp
AM 31.184.234.211:6892 udp
AM 31.184.234.212:6892 udp
AM 31.184.234.213:6892 udp
AM 31.184.234.214:6892 udp
AM 31.184.234.215:6892 udp
AM 31.184.234.216:6892 udp
AM 31.184.234.217:6892 udp
AM 31.184.234.218:6892 udp
AM 31.184.234.219:6892 udp
AM 31.184.234.220:6892 udp
AM 31.184.234.221:6892 udp
AM 31.184.234.222:6892 udp
AM 31.184.234.223:6892 udp
AM 31.184.234.224:6892 udp
AM 31.184.234.225:6892 udp
AM 31.184.234.226:6892 udp
AM 31.184.234.227:6892 udp
AM 31.184.234.228:6892 udp
AM 31.184.234.229:6892 udp
AM 31.184.234.230:6892 udp
AM 31.184.234.231:6892 udp
AM 31.184.234.232:6892 udp
AM 31.184.234.233:6892 udp
AM 31.184.234.234:6892 udp
AM 31.184.234.235:6892 udp
AM 31.184.234.236:6892 udp
AM 31.184.234.237:6892 udp
AM 31.184.234.238:6892 udp
AM 31.184.234.239:6892 udp
AM 31.184.234.240:6892 udp
AM 31.184.234.241:6892 udp
AM 31.184.234.242:6892 udp
AM 31.184.234.243:6892 udp
AM 31.184.234.244:6892 udp
AM 31.184.234.245:6892 udp
AM 31.184.234.246:6892 udp
AM 31.184.234.247:6892 udp
AM 31.184.234.248:6892 udp
AM 31.184.234.249:6892 udp
AM 31.184.234.250:6892 udp
AM 31.184.234.251:6892 udp
AM 31.184.234.252:6892 udp
AM 31.184.234.253:6892 udp
AM 31.184.234.254:6892 udp
FR 154.16.201.75:3141 tcp
AM 31.184.234.255:6892 udp
AM 31.184.235.0:6892 udp
AM 31.184.235.1:6892 udp
AM 31.184.235.2:6892 udp
AM 31.184.235.3:6892 udp
AM 31.184.235.4:6892 udp
AM 31.184.235.5:6892 udp
AM 31.184.235.6:6892 udp
AM 31.184.235.7:6892 udp
AM 31.184.235.8:6892 udp
AM 31.184.235.9:6892 udp
AM 31.184.235.10:6892 udp
AM 31.184.235.11:6892 udp
AM 31.184.235.12:6892 udp
AM 31.184.235.13:6892 udp
AM 31.184.235.14:6892 udp
AM 31.184.235.15:6892 udp
AM 31.184.235.16:6892 udp
AM 31.184.235.17:6892 udp
AM 31.184.235.18:6892 udp
AM 31.184.235.19:6892 udp
AM 31.184.235.20:6892 udp
AM 31.184.235.21:6892 udp
AM 31.184.235.22:6892 udp
AM 31.184.235.23:6892 udp
AM 31.184.235.24:6892 udp
AM 31.184.235.25:6892 udp
AM 31.184.235.26:6892 udp
AM 31.184.235.27:6892 udp
AM 31.184.235.28:6892 udp
AM 31.184.235.29:6892 udp
AM 31.184.235.30:6892 udp
AM 31.184.235.31:6892 udp
AM 31.184.235.32:6892 udp
AM 31.184.235.33:6892 udp
AM 31.184.235.34:6892 udp
AM 31.184.235.35:6892 udp
AM 31.184.235.36:6892 udp
AM 31.184.235.37:6892 udp
AM 31.184.235.38:6892 udp
AM 31.184.235.39:6892 udp
AM 31.184.235.40:6892 udp
AM 31.184.235.41:6892 udp
AM 31.184.235.42:6892 udp
AM 31.184.235.43:6892 udp
AM 31.184.235.44:6892 udp
AM 31.184.235.45:6892 udp
AM 31.184.235.46:6892 udp
AM 31.184.235.47:6892 udp
AM 31.184.235.48:6892 udp
AM 31.184.235.49:6892 udp
AM 31.184.235.50:6892 udp
AM 31.184.235.51:6892 udp
AM 31.184.235.52:6892 udp
AM 31.184.235.53:6892 udp
AM 31.184.235.54:6892 udp
AM 31.184.235.55:6892 udp
AM 31.184.235.56:6892 udp
AM 31.184.235.57:6892 udp
AM 31.184.235.58:6892 udp
AM 31.184.235.59:6892 udp
AM 31.184.235.60:6892 udp
AM 31.184.235.61:6892 udp
AM 31.184.235.62:6892 udp
AM 31.184.235.63:6892 udp
AM 31.184.235.64:6892 udp
AM 31.184.235.65:6892 udp
AM 31.184.235.66:6892 udp
AM 31.184.235.67:6892 udp
AM 31.184.235.68:6892 udp
AM 31.184.235.69:6892 udp
AM 31.184.235.70:6892 udp
AM 31.184.235.71:6892 udp
AM 31.184.235.72:6892 udp
AM 31.184.235.73:6892 udp
AM 31.184.235.74:6892 udp
AM 31.184.235.75:6892 udp
AM 31.184.235.76:6892 udp
AM 31.184.235.77:6892 udp
AM 31.184.235.78:6892 udp
AM 31.184.235.79:6892 udp
AM 31.184.235.80:6892 udp
AM 31.184.235.81:6892 udp
AM 31.184.235.82:6892 udp
AM 31.184.235.83:6892 udp
AM 31.184.235.84:6892 udp
AM 31.184.235.85:6892 udp
AM 31.184.235.86:6892 udp
AM 31.184.235.87:6892 udp
AM 31.184.235.88:6892 udp
AM 31.184.235.89:6892 udp
AM 31.184.235.90:6892 udp
AM 31.184.235.91:6892 udp
AM 31.184.235.92:6892 udp
AM 31.184.235.93:6892 udp
AM 31.184.235.94:6892 udp
AM 31.184.235.95:6892 udp
AM 31.184.235.96:6892 udp
AM 31.184.235.97:6892 udp
AM 31.184.235.98:6892 udp
AM 31.184.235.99:6892 udp
AM 31.184.235.100:6892 udp
AM 31.184.235.101:6892 udp
AM 31.184.235.102:6892 udp
AM 31.184.235.103:6892 udp
AM 31.184.235.104:6892 udp
AM 31.184.235.105:6892 udp
AM 31.184.235.106:6892 udp
AM 31.184.235.107:6892 udp
AM 31.184.235.108:6892 udp
AM 31.184.235.109:6892 udp
AM 31.184.235.110:6892 udp
AM 31.184.235.111:6892 udp
AM 31.184.235.112:6892 udp
AM 31.184.235.113:6892 udp
AM 31.184.235.114:6892 udp
AM 31.184.235.115:6892 udp
AM 31.184.235.116:6892 udp
AM 31.184.235.117:6892 udp
AM 31.184.235.118:6892 udp
AM 31.184.235.119:6892 udp
AM 31.184.235.120:6892 udp
AM 31.184.235.121:6892 udp
AM 31.184.235.122:6892 udp
AM 31.184.235.123:6892 udp
AM 31.184.235.124:6892 udp
AM 31.184.235.125:6892 udp
AM 31.184.235.126:6892 udp
AM 31.184.235.127:6892 udp
AM 31.184.235.128:6892 udp
AM 31.184.235.129:6892 udp
AM 31.184.235.130:6892 udp
AM 31.184.235.131:6892 udp
AM 31.184.235.132:6892 udp
AM 31.184.235.133:6892 udp
AM 31.184.235.134:6892 udp
AM 31.184.235.135:6892 udp
AM 31.184.235.136:6892 udp
AM 31.184.235.137:6892 udp
AM 31.184.235.138:6892 udp
AM 31.184.235.139:6892 udp
AM 31.184.235.140:6892 udp
AM 31.184.235.141:6892 udp
AM 31.184.235.142:6892 udp
AM 31.184.235.143:6892 udp
AM 31.184.235.144:6892 udp
AM 31.184.235.145:6892 udp
AM 31.184.235.146:6892 udp
AM 31.184.235.147:6892 udp
AM 31.184.235.148:6892 udp
AM 31.184.235.149:6892 udp
AM 31.184.235.150:6892 udp
AM 31.184.235.151:6892 udp
AM 31.184.235.152:6892 udp
AM 31.184.235.153:6892 udp
AM 31.184.235.154:6892 udp
AM 31.184.235.155:6892 udp
AM 31.184.235.156:6892 udp
AM 31.184.235.157:6892 udp
AM 31.184.235.158:6892 udp
AM 31.184.235.159:6892 udp
AM 31.184.235.160:6892 udp
AM 31.184.235.161:6892 udp
AM 31.184.235.162:6892 udp
AM 31.184.235.163:6892 udp
AM 31.184.235.164:6892 udp
AM 31.184.235.165:6892 udp
AM 31.184.235.166:6892 udp
AM 31.184.235.167:6892 udp
AM 31.184.235.168:6892 udp
AM 31.184.235.169:6892 udp
AM 31.184.235.170:6892 udp
AM 31.184.235.171:6892 udp
AM 31.184.235.172:6892 udp
AM 31.184.235.173:6892 udp
AM 31.184.235.174:6892 udp
AM 31.184.235.175:6892 udp
AM 31.184.235.176:6892 udp
AM 31.184.235.177:6892 udp
AM 31.184.235.178:6892 udp
AM 31.184.235.179:6892 udp
AM 31.184.235.180:6892 udp
AM 31.184.235.181:6892 udp
AM 31.184.235.182:6892 udp
AM 31.184.235.183:6892 udp
AM 31.184.235.184:6892 udp
AM 31.184.235.185:6892 udp
AM 31.184.235.186:6892 udp
AM 31.184.235.187:6892 udp
AM 31.184.235.188:6892 udp
AM 31.184.235.189:6892 udp
AM 31.184.235.190:6892 udp
AM 31.184.235.191:6892 udp
AM 31.184.235.192:6892 udp
AM 31.184.235.193:6892 udp
AM 31.184.235.194:6892 udp
AM 31.184.235.195:6892 udp
AM 31.184.235.196:6892 udp
AM 31.184.235.197:6892 udp
AM 31.184.235.198:6892 udp
AM 31.184.235.199:6892 udp
AM 31.184.235.200:6892 udp
AM 31.184.235.201:6892 udp
AM 31.184.235.202:6892 udp
AM 31.184.235.203:6892 udp
AM 31.184.235.204:6892 udp
AM 31.184.235.205:6892 udp
AM 31.184.235.206:6892 udp
AM 31.184.235.207:6892 udp
AM 31.184.235.208:6892 udp
AM 31.184.235.209:6892 udp
AM 31.184.235.210:6892 udp
AM 31.184.235.211:6892 udp
AM 31.184.235.212:6892 udp
AM 31.184.235.213:6892 udp
AM 31.184.235.214:6892 udp
AM 31.184.235.215:6892 udp
AM 31.184.235.216:6892 udp
AM 31.184.235.217:6892 udp
AM 31.184.235.218:6892 udp
AM 31.184.235.219:6892 udp
AM 31.184.235.220:6892 udp
AM 31.184.235.221:6892 udp
AM 31.184.235.222:6892 udp
AM 31.184.235.223:6892 udp
AM 31.184.235.224:6892 udp
AM 31.184.235.225:6892 udp
AM 31.184.235.226:6892 udp
AM 31.184.235.227:6892 udp
AM 31.184.235.228:6892 udp
AM 31.184.235.229:6892 udp
AM 31.184.235.230:6892 udp
AM 31.184.235.231:6892 udp
AM 31.184.235.232:6892 udp
AM 31.184.235.233:6892 udp
AM 31.184.235.234:6892 udp
AM 31.184.235.235:6892 udp
AM 31.184.235.236:6892 udp
AM 31.184.235.237:6892 udp
AM 31.184.235.238:6892 udp
AM 31.184.235.239:6892 udp
AM 31.184.235.240:6892 udp
AM 31.184.235.241:6892 udp
AM 31.184.235.242:6892 udp
AM 31.184.235.243:6892 udp
AM 31.184.235.244:6892 udp
AM 31.184.235.245:6892 udp
AM 31.184.235.246:6892 udp
AM 31.184.235.247:6892 udp
AM 31.184.235.248:6892 udp
AM 31.184.235.249:6892 udp
AM 31.184.235.250:6892 udp
AM 31.184.235.251:6892 udp
AM 31.184.235.252:6892 udp
AM 31.184.235.253:6892 udp
AM 31.184.235.254:6892 udp
AM 31.184.235.255:6892 udp
US 8.8.8.8:53 4kqd3hmqgptupi3p.w3r6a4.bid udp
US 8.8.8.8:53 4kqd3hmqgptupi3p.w3r6a4.bid udp
US 8.8.8.8:53 btc.blockr.io udp
FR 154.16.201.75:3141 tcp
FR 154.16.201.75:3141 tcp
FR 154.16.201.75:3141 tcp
FR 154.16.201.75:3141 tcp
FR 154.16.201.75:3141 tcp
FR 154.16.201.75:3141 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
FR 154.16.201.75:3141 tcp
FR 154.16.201.75:3141 tcp
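
Read as a flat list, the rows above hide the structure a responder actually wants. The 31.184.234.0 to 31.184.235.255 UDP/6892 rows are one 512-host /23 walked host by host, three times over (a pattern documented for Cerber's UDP statistics beacon, which is what the Cerber tag on this report refers to); the repeated hits on 154.16.201.75:3141/tcp and the three 8.8.8.8:53 lookups (patch.checksquarespot.com, 4kqd3hmqgptupi3p.w3r6a4.bid, btc.blockr.io) are the entries worth a blocklist. The script below is an added example for this page, not code from the report or the sandbox; it collapses such a listing into CIDR sweeps, DNS names and endpoint hit counts. It assumes the row layout shown (country, ip:port, optional name, protocol), that the name on an 8.8.8.8:53 row is the queried domain, and a sweep threshold of 16 distinct hosts per port/protocol; the sample input is constructed to mirror this page's rows, with the sweep regenerated from its range rather than pasted.

```python
"""Collapse a sandbox 'Network' listing into blockable IOCs.

Added example for this page, not code from the report or the sandbox. It
assumes the row layout shown above (country, ip:port, optional name, proto),
that the name on an 8.8.8.8:53 row is the queried domain, and that a
port/protocol pair reaching SWEEP_MIN or more distinct hosts is a range
sweep rather than a C2 endpoint (the threshold is this example's choice).
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<name>\S+))?\s+(?P<proto>tcp|udp)$"
)
SWEEP_MIN = 16  # assumption: 16+ distinct hosts on one port/proto is a sweep


@dataclass(frozen=True)
class Conn:
    cc: str
    ip: str
    port: int
    name: str | None
    proto: str


def parse_rows(text: str) -> list[Conn]:
    """One Conn per matching row; headings and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["name"], m["proto"]))
    return conns


def summarize(conns: list[Conn]) -> dict:
    """Split flows into CIDR sweeps, DNS lookups and per-endpoint hit counts."""
    by_service: dict[tuple[int, str], set[str]] = defaultdict(set)
    for c in conns:
        by_service[(c.port, c.proto)].add(c.ip)

    sweeps, sweep_services = [], set()
    for (port, proto), ips in by_service.items():
        if len(ips) < SWEEP_MIN:
            continue
        sweep_services.add((port, proto))
        # collapse_addresses merges adjacent addresses into the smallest covering networks
        nets = ipaddress.collapse_addresses(ipaddress.ip_address(ip) for ip in ips)
        sweeps.append({
            "cidrs": sorted(str(n) for n in nets),
            "port": port,
            "proto": proto,
            "hosts": len(ips),
            "packets": sum(1 for c in conns if (c.port, c.proto) == (port, proto)),
        })

    dns = sorted({c.name for c in conns if c.port == 53 and c.proto == "udp" and c.name})
    beacons = Counter(
        (c.ip, c.port, c.proto)
        for c in conns
        if (c.port, c.proto) not in sweep_services and (c.port, c.proto) != (53, "udp")
    )
    return {"sweeps": sweeps, "dns": dns, "beacons": beacons.most_common()}


def sample_report() -> str:
    """Constructed input mirroring this page: the named rows verbatim, the
    31.184.234.0-31.184.235.255 UDP/6892 sweep regenerated host by host
    (the report lists it three times) and repeated hits on 154.16.201.75."""
    named = [
        "RU 109.248.59.100:80 tcp",
        "RU 93.170.123.185:80 93.170.123.185 tcp",
        "US 8.8.8.8:53 patch.checksquarespot.com udp",
        "TR 194.31.59.5:80 194.31.59.5 tcp",
        "FR 154.16.201.75:3141 tcp",
        "RU 88.214.236.36:80 tcp",
        "US 8.8.8.8:53 4kqd3hmqgptupi3p.w3r6a4.bid udp",
        "US 8.8.8.8:53 btc.blockr.io udp",
        "US 204.79.197.200:443 ieonline.microsoft.com tcp",
    ]
    sweep = [f"AM {ip}:6892 udp" for ip in ipaddress.ip_network("31.184.234.0/23")]
    return "\n".join(named + sweep * 3 + ["FR 154.16.201.75:3141 tcp"] * 9)


if __name__ == "__main__":
    report = summarize(parse_rows(sample_report()))
    for s in report["sweeps"]:
        print(f"sweep {','.join(s['cidrs'])} {s['proto']}/{s['port']}: "
              f"{s['hosts']} hosts, {s['packets']} packets")
    print("dns:", ", ".join(report["dns"]))
    for (ip, port, proto), n in report["beacons"]:
        print(f"{ip}:{port}/{proto} x{n}")
```

Feed the script the raw Network section of a report and the sweep collapses to a single 31.184.234.0/23 line (512 hosts, one packet count per pass), which is the form to put on a firewall rather than 1,500 host entries; the beacon counter separates the endpoint that was contacted repeatedly from one-off fetches, and the DNS list gives the names to sinkhole. The 16-host threshold is a judgement call: lower it if a sample scans only a /28, raise it if a family legitimately talks to many CDN nodes on one port.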

Files

memory/2796-24-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2796-25-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2796-26-0x0000000140000000-0x00000001405E8000-memory.dmp
