gozi | e1c89f5b482e75e1fc766986357e478c670ab87a415fe25a80bf8b1852f2c367

Analysis

max time kernel
50s
max time network
199s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00275.7z
Size

7.0MB
MD5

8656d8583cbacf028910947a2d80b3fa
SHA1

d83fffb694eb27f434eae8f29e7f495a3c3a5c59
SHA256

e1c89f5b482e75e1fc766986357e478c670ab87a415fe25a80bf8b1852f2c367
SHA512

8fb1b81484bb5c20fec83073761b12165c4ade7d716f522f1d0a73d0ece3e7b458e85ce54ae7c33f1861a5126554aa0988e4523a5163378cad140f3f72d60bb2
SSDEEP

196608:57RdJrgtIAwwmEz46Hyp0248n43vmnVJl4s2v:VRdFSLYp3Cvmn7+sU

Score

10^/10

gozi banker defense_evasion discovery execution impact isfb persistence ransomware trojan upx

Malware Config

Extracted

Family

gozi

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+hvkav.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: * http://t54ndnku456ngkwsudqer.wallymac.com/38762F6F846837E1 * http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/38762F6F846837E1 * http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/38762F6F846837E1 If for some reasons the addresses are not available, follow these steps 1 Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 After a successful installation, run the browser 3 Type in the address bar: xlowfznrg4wf7dli.onion/38762F6F846837E1 4 Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/38762F6F846837E1 http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/38762F6F846837E1 http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/38762F6F846837E1 Your personal pages TOR Browser xlowfznrg4wf7dli. onion/38762F6F846837E1

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/38762F6F846837E1

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/38762F6F846837E1

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/38762F6F846837E1

http://xlowfznrg4wf7dli.onion/38762F6F846837E1

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+hvkav.txt

Ransom Note

----- NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://ytrest84y5i456hghadefdsd.pontogrot.com/19231476997B99E 2. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/19231476997B99E 3. http://5rport45vcdef345adfkksawe.bematvocal.at/19231476997B99E If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/19231476997B99E 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://ytrest84y5i456hghadefdsd.pontogrot.com/19231476997B99E http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/19231476997B99E http://5rport45vcdef345adfkksawe.bematvocal.at/19231476997B99E *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/19231476997B99E

URLs

http://ytrest84y5i456hghadefdsd.pontogrot.com/19231476997B99E

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/19231476997B99E

http://5rport45vcdef345adfkksawe.bematvocal.at/19231476997B99E

http://xlowfznrg4wf7dli.onion/19231476997B99E

http://xlowfznrg4wf7dli.ONION/19231476997B99E

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1964	mshta.exe	74

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Contacts a large (669) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 24 IoCs

pid	Process
2028	HEUR-Trojan-Ransom.Win32.Agent.gen-0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767.exe
1884	HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
980	HEUR-Trojan-Ransom.Win32.Agent.gen-2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23.exe
2668	HEUR-Trojan-Ransom.Win32.Generic-ee44be57270954cc60c1d2bb3cd678019e20aa43e84c8e457a4803519e8528ad.exe
2336	Trojan-Ransom.Win32.Bitman.qmf-88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f.exe
1680	Trojan-Ransom.Win32.Blocker.meia-f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0.exe
1292	Trojan-Ransom.Win32.Foreign.gxos-e1331443022e01a46ecea061403318ec84dd1747430e2cc98accb67fe44b58e8.exe
2436	HEUR-Trojan-Ransom.Win32.Blocker.gen-92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe
1332	HEUR-Trojan-Ransom.Win32.Zerber.gen-2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d.exe
1732	Trojan-Ransom.Win32.Blocker.drxt-d083c4fa5a88432fc013db0ac1f22a01c0ec0b4725c27bf5cfb7b8d3099fd9ac.exe
956	Trojan-Ransom.Win32.Crypmod.xbb-315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac.exe
1588	Trojan-Ransom.Win32.GenericCryptor.ilm-130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724.exe
2388	Trojan-Ransom.Win32.Foreign.njhp-b2925170efd2cc372b8e3b5c64938b49362c4d325d2e511031ab070e264e8011.exe
2192	Trojan-Ransom.Win32.Locky.gn-7bb2e629f366f938cc2d6778804f413a372ddd3ce9637e17205e0961e4e1ec8d.exe
3036	Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe
1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
940	Trojan-Ransom.Win32.Locky.wyc-1fc261dabeba15e8e5f5495fbb519847e7783e15501cf6e802eaa9ac7c19c3ea.exe
2204	Trojan-Ransom.Win32.Locky.xaj-92863e45537aa9c1eee65bb71e9709342d35aa5d27e1a0632a07267235bd1c8f.exe
2276	ulngypmxrybc.exe
2244	Trojan-Ransom.Win32.Purga.p-f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b.exe
2252	Trojan-Ransom.Win32.Zerber.ewgz-6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
1944	otrkywdjvngx.exe
2980	pyudy.exe

Loads dropped DLL 9 IoCs

pid	Process
2028	HEUR-Trojan-Ransom.Win32.Agent.gen-0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767.exe
1588	Trojan-Ransom.Win32.GenericCryptor.ilm-130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724.exe
2244	Trojan-Ransom.Win32.Purga.p-f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b.exe
1884	HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
1332	HEUR-Trojan-Ransom.Win32.Zerber.gen-2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d.exe
980	HEUR-Trojan-Ransom.Win32.Agent.gen-2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23.exe
1292	Trojan-Ransom.Win32.Foreign.gxos-e1331443022e01a46ecea061403318ec84dd1747430e2cc98accb67fe44b58e8.exe
1292	Trojan-Ransom.Win32.Foreign.gxos-e1331443022e01a46ecea061403318ec84dd1747430e2cc98accb67fe44b58e8.exe
2252	Trojan-Ransom.Win32.Zerber.ewgz-6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSetup = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSetup.exe"	Trojan-Ransom.Win32.Blocker.meia-f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\mcjvmdw = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\ulngypmxrybc.exe"	ulngypmxrybc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\kvxsmeqdaciy = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\otrkywdjvngx.exe\""	otrkywdjvngx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Apph32gt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\C_G1ring\\catsclnt.exe"	Trojan-Ransom.Win32.Foreign.njhp-b2925170efd2cc372b8e3b5c64938b49362c4d325d2e511031ab070e264e8011.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3116	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 2176	1680	Trojan-Ransom.Win32.Blocker.meia-f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0.exe	52

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2692-247-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2692-246-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2692-245-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2692-243-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2728-413-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2692-392-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2728-523-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2692-5199-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\otrkywdjvngx.exe	Trojan-Ransom.Win32.Crypmod.xbb-315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac.exe
File opened for modification	C:\Windows\otrkywdjvngx.exe	Trojan-Ransom.Win32.Crypmod.xbb-315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac.exe
File created	C:\Windows\ulngypmxrybc.exe	Trojan-Ransom.Win32.Bitman.qmf-88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f.exe
File opened for modification	C:\Windows\ulngypmxrybc.exe	Trojan-Ransom.Win32.Bitman.qmf-88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crypmod.xbb-315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulngypmxrybc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyudy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.gxos-e1331443022e01a46ecea061403318ec84dd1747430e2cc98accb67fe44b58e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Zerber.gen-2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GenericCryptor.ilm-130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Zerber.ewgz-6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otrkywdjvngx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.qmf-88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.meia-f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.xaj-92863e45537aa9c1eee65bb71e9709342d35aa5d27e1a0632a07267235bd1c8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purga.p-f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.njhp-b2925170efd2cc372b8e3b5c64938b49362c4d325d2e511031ab070e264e8011.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-ee44be57270954cc60c1d2bb3cd678019e20aa43e84c8e457a4803519e8528ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.gn-7bb2e629f366f938cc2d6778804f413a372ddd3ce9637e17205e0961e4e1ec8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Locky.wyc-1fc261dabeba15e8e5f5495fbb519847e7783e15501cf6e802eaa9ac7c19c3ea.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1572	SCHTASKS.exe
2064	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 21 IoCs

pid	Process
2028	HEUR-Trojan-Ransom.Win32.Agent.gen-0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767.exe
980	HEUR-Trojan-Ransom.Win32.Agent.gen-2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23.exe
1884	HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
2436	HEUR-Trojan-Ransom.Win32.Blocker.gen-92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe
2668	HEUR-Trojan-Ransom.Win32.Generic-ee44be57270954cc60c1d2bb3cd678019e20aa43e84c8e457a4803519e8528ad.exe
1332	HEUR-Trojan-Ransom.Win32.Zerber.gen-2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d.exe
2336	Trojan-Ransom.Win32.Bitman.qmf-88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f.exe
1732	Trojan-Ransom.Win32.Blocker.drxt-d083c4fa5a88432fc013db0ac1f22a01c0ec0b4725c27bf5cfb7b8d3099fd9ac.exe
1680	Trojan-Ransom.Win32.Blocker.meia-f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0.exe
956	Trojan-Ransom.Win32.Crypmod.xbb-315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac.exe
1292	Trojan-Ransom.Win32.Foreign.gxos-e1331443022e01a46ecea061403318ec84dd1747430e2cc98accb67fe44b58e8.exe
2388	Trojan-Ransom.Win32.Foreign.njhp-b2925170efd2cc372b8e3b5c64938b49362c4d325d2e511031ab070e264e8011.exe
1588	Trojan-Ransom.Win32.GenericCryptor.ilm-130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724.exe
1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
2192	Trojan-Ransom.Win32.Locky.gn-7bb2e629f366f938cc2d6778804f413a372ddd3ce9637e17205e0961e4e1ec8d.exe
940	Trojan-Ransom.Win32.Locky.wyc-1fc261dabeba15e8e5f5495fbb519847e7783e15501cf6e802eaa9ac7c19c3ea.exe
3036	Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe
2204	Trojan-Ransom.Win32.Locky.xaj-92863e45537aa9c1eee65bb71e9709342d35aa5d27e1a0632a07267235bd1c8f.exe
2244	Trojan-Ransom.Win32.Purga.p-f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2252	Trojan-Ransom.Win32.Zerber.ewgz-6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2516	taskmgr.exe
2516	taskmgr.exe
2276	ulngypmxrybc.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2176	explorer.exe
2176	explorer.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2516	taskmgr.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
1944	otrkywdjvngx.exe
2516	taskmgr.exe
3036	Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe
1944	otrkywdjvngx.exe
1944	otrkywdjvngx.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2276	ulngypmxrybc.exe
2276	ulngypmxrybc.exe
1944	otrkywdjvngx.exe
1944	otrkywdjvngx.exe
2276	ulngypmxrybc.exe
2276	ulngypmxrybc.exe
1944	otrkywdjvngx.exe
1944	otrkywdjvngx.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2276	ulngypmxrybc.exe
2276	ulngypmxrybc.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
1944	otrkywdjvngx.exe
1944	otrkywdjvngx.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
2276	ulngypmxrybc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	Trojan-Ransom.Win32.Locky.gn-7bb2e629f366f938cc2d6778804f413a372ddd3ce9637e17205e0961e4e1ec8d.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1680	Trojan-Ransom.Win32.Blocker.meia-f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeRestorePrivilege	2060	7zFM.exe
Token: 35	2060	7zFM.exe
Token: SeSecurityPrivilege	2060	7zFM.exe
Token: SeDebugPrivilege	2516	taskmgr.exe
Token: SeDebugPrivilege	2336	Trojan-Ransom.Win32.Bitman.qmf-88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f.exe
Token: SeDebugPrivilege	956	Trojan-Ransom.Win32.Crypmod.xbb-315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac.exe
Token: SeDebugPrivilege	2276	ulngypmxrybc.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeBackupPrivilege	1012	Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
Token: SeDebugPrivilege	2376	Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
Token: SeDebugPrivilege	2176	explorer.exe
Token: SeBackupPrivilege	3036	Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe
Token: SeDebugPrivilege	1944	otrkywdjvngx.exe
Token: SeSecurityPrivilege	3036	Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe
Token: SeSecurityPrivilege	3036	Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe
Token: SeSecurityPrivilege	3036	Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe
2516	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2028	1184	cmd.exe	33
PID 1184 wrote to memory of 2028	1184	cmd.exe	33
PID 1184 wrote to memory of 2028	1184	cmd.exe	33
PID 1184 wrote to memory of 2028	1184	cmd.exe	33
PID 1184 wrote to memory of 980	1184	cmd.exe	34
PID 1184 wrote to memory of 980	1184	cmd.exe	34
PID 1184 wrote to memory of 980	1184	cmd.exe	34
PID 1184 wrote to memory of 980	1184	cmd.exe	34
PID 1184 wrote to memory of 1884	1184	cmd.exe	35
PID 1184 wrote to memory of 1884	1184	cmd.exe	35
PID 1184 wrote to memory of 1884	1184	cmd.exe	35
PID 1184 wrote to memory of 1884	1184	cmd.exe	35
PID 1184 wrote to memory of 1884	1184	cmd.exe	35
PID 1184 wrote to memory of 1884	1184	cmd.exe	35
PID 1184 wrote to memory of 1884	1184	cmd.exe	35
PID 1184 wrote to memory of 2436	1184	cmd.exe	36
PID 1184 wrote to memory of 2436	1184	cmd.exe	36
PID 1184 wrote to memory of 2436	1184	cmd.exe	36
PID 1184 wrote to memory of 2436	1184	cmd.exe	36
PID 1184 wrote to memory of 2668	1184	cmd.exe	37
PID 1184 wrote to memory of 2668	1184	cmd.exe	37
PID 1184 wrote to memory of 2668	1184	cmd.exe	37
PID 1184 wrote to memory of 2668	1184	cmd.exe	37
PID 1184 wrote to memory of 1332	1184	cmd.exe	38
PID 1184 wrote to memory of 1332	1184	cmd.exe	38
PID 1184 wrote to memory of 1332	1184	cmd.exe	38
PID 1184 wrote to memory of 1332	1184	cmd.exe	38
PID 1184 wrote to memory of 2336	1184	cmd.exe	39
PID 1184 wrote to memory of 2336	1184	cmd.exe	39
PID 1184 wrote to memory of 2336	1184	cmd.exe	39
PID 1184 wrote to memory of 2336	1184	cmd.exe	39
PID 1184 wrote to memory of 1732	1184	cmd.exe	40
PID 1184 wrote to memory of 1732	1184	cmd.exe	40
PID 1184 wrote to memory of 1732	1184	cmd.exe	40
PID 1184 wrote to memory of 1732	1184	cmd.exe	40
PID 1184 wrote to memory of 1680	1184	cmd.exe	41
PID 1184 wrote to memory of 1680	1184	cmd.exe	41
PID 1184 wrote to memory of 1680	1184	cmd.exe	41
PID 1184 wrote to memory of 1680	1184	cmd.exe	41
PID 1184 wrote to memory of 956	1184	cmd.exe	42
PID 1184 wrote to memory of 956	1184	cmd.exe	42
PID 1184 wrote to memory of 956	1184	cmd.exe	42
PID 1184 wrote to memory of 956	1184	cmd.exe	42
PID 1184 wrote to memory of 1292	1184	cmd.exe	43
PID 1184 wrote to memory of 1292	1184	cmd.exe	43
PID 1184 wrote to memory of 1292	1184	cmd.exe	43
PID 1184 wrote to memory of 1292	1184	cmd.exe	43
PID 1184 wrote to memory of 2388	1184	cmd.exe	44
PID 1184 wrote to memory of 2388	1184	cmd.exe	44
PID 1184 wrote to memory of 2388	1184	cmd.exe	44
PID 1184 wrote to memory of 2388	1184	cmd.exe	44
PID 1184 wrote to memory of 1588	1184	cmd.exe	45
PID 1184 wrote to memory of 1588	1184	cmd.exe	45
PID 1184 wrote to memory of 1588	1184	cmd.exe	45
PID 1184 wrote to memory of 1588	1184	cmd.exe	45
PID 1184 wrote to memory of 1012	1184	cmd.exe	46
PID 1184 wrote to memory of 1012	1184	cmd.exe	46
PID 1184 wrote to memory of 1012	1184	cmd.exe	46
PID 1184 wrote to memory of 1012	1184	cmd.exe	46
PID 1184 wrote to memory of 2192	1184	cmd.exe	47
PID 1184 wrote to memory of 2192	1184	cmd.exe	47
PID 1184 wrote to memory of 2192	1184	cmd.exe	47
PID 1184 wrote to memory of 2192	1184	cmd.exe	47
PID 1184 wrote to memory of 940	1184	cmd.exe	48

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	otrkywdjvngx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ulngypmxrybc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ulngypmxrybc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	otrkywdjvngx.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00275.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Agent.gen-0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767.exe
  HEUR-Trojan-Ransom.Win32.Agent.gen-0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2028
- - C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Agent.gen-0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767.exe
    3⤵
    PID:2692
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_A4QK_README_.hta"
      4⤵
      PID:3500
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:5528
- C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Agent.gen-2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23.exe
  HEUR-Trojan-Ransom.Win32.Agent.gen-2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:980
- - C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Agent.gen-2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23.exe
    3⤵
    PID:3188
- C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
  HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1884
- - C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
    3⤵
    PID:2728
- C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Blocker.gen-92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe
  HEUR-Trojan-Ransom.Win32.Blocker.gen-92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2436
- - C:\Users\Admin\AppData\Local\system.exe
    "C:\Users\Admin\AppData\Local\system.exe"
    3⤵
    PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\del.bat
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1572
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      PID:948
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      PID:2688
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:1076
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:2632
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:288
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      PID:2628
- C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Generic-ee44be57270954cc60c1d2bb3cd678019e20aa43e84c8e457a4803519e8528ad.exe
  HEUR-Trojan-Ransom.Win32.Generic-ee44be57270954cc60c1d2bb3cd678019e20aa43e84c8e457a4803519e8528ad.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\6c237ee1-e4eb-4fe1-87dc-1ad2e4fca485" /F
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Update\6c237ee1-e4eb-4fe1-87dc-1ad2e4fca485" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1490157530.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\WipeShadow.exe"
    3⤵
    PID:3772
- C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Zerber.gen-2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d.exe
  HEUR-Trojan-Ransom.Win32.Zerber.gen-2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1332
- - C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Zerber.gen-2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d.exe
    HEUR-Trojan-Ransom.Win32.Zerber.gen-2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d.exe
    3⤵
    PID:2792
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Bitman.qmf-88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f.exe
  Trojan-Ransom.Win32.Bitman.qmf-88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- - C:\Windows\ulngypmxrybc.exe
    C:\Windows\ulngypmxrybc.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2276
  - - C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      4⤵
      PID:972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00275\TROJAN~1.EXE
    3⤵
    PID:2036
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Blocker.drxt-d083c4fa5a88432fc013db0ac1f22a01c0ec0b4725c27bf5cfb7b8d3099fd9ac.exe
  Trojan-Ransom.Win32.Blocker.drxt-d083c4fa5a88432fc013db0ac1f22a01c0ec0b4725c27bf5cfb7b8d3099fd9ac.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1732
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Blocker.meia-f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0.exe
  Trojan-Ransom.Win32.Blocker.meia-f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  PID:1680
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\system32\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Crypmod.xbb-315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac.exe
  Trojan-Ransom.Win32.Crypmod.xbb-315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- - C:\Windows\otrkywdjvngx.exe
    C:\Windows\otrkywdjvngx.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1944
  - - C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00275\TROJAN~4.EXE
    3⤵
    PID:1244
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Foreign.gxos-e1331443022e01a46ecea061403318ec84dd1747430e2cc98accb67fe44b58e8.exe
  Trojan-Ransom.Win32.Foreign.gxos-e1331443022e01a46ecea061403318ec84dd1747430e2cc98accb67fe44b58e8.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1292
- - C:\Users\Admin\AppData\Roaming\Kyajyq\pyudy.exe
    "C:\Users\Admin\AppData\Roaming\Kyajyq\pyudy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\SWZC655.bat"
    3⤵
    PID:2112
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Foreign.njhp-b2925170efd2cc372b8e3b5c64938b49362c4d325d2e511031ab070e264e8011.exe
  Trojan-Ransom.Win32.Foreign.njhp-b2925170efd2cc372b8e3b5c64938b49362c4d325d2e511031ab070e264e8011.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\5FCC\2FE6.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\C_G1ring\catsclnt.exe" "C:\Users\Admin\Desktop\00275\TR88B2~1.EXE""
    3⤵
    PID:1800
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:900
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.GenericCryptor.ilm-130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724.exe
  Trojan-Ransom.Win32.GenericCryptor.ilm-130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1588
- - C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.GenericCryptor.ilm-130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724.exe
    Trojan-Ransom.Win32.GenericCryptor.ilm-130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724.exe
    3⤵
    PID:1724
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
  Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.gn-7bb2e629f366f938cc2d6778804f413a372ddd3ce9637e17205e0961e4e1ec8d.exe
  Trojan-Ransom.Win32.Locky.gn-7bb2e629f366f938cc2d6778804f413a372ddd3ce9637e17205e0961e4e1ec8d.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2192
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.wyc-1fc261dabeba15e8e5f5495fbb519847e7783e15501cf6e802eaa9ac7c19c3ea.exe
  Trojan-Ransom.Win32.Locky.wyc-1fc261dabeba15e8e5f5495fbb519847e7783e15501cf6e802eaa9ac7c19c3ea.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:940
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe
  Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
    3⤵
    PID:6640
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6640 CREDAT:275458 /prefetch:2
      4⤵
      PID:7024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysD2BA.tmp"
    3⤵
    PID:4500
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.xaj-92863e45537aa9c1eee65bb71e9709342d35aa5d27e1a0632a07267235bd1c8f.exe
  Trojan-Ransom.Win32.Locky.xaj-92863e45537aa9c1eee65bb71e9709342d35aa5d27e1a0632a07267235bd1c8f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2204
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
    3⤵
    PID:6820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6820 CREDAT:275457 /prefetch:2
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysD22E.tmp"
    3⤵
    PID:4432
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Purga.p-f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b.exe
  Trojan-Ransom.Win32.Purga.p-f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2244
- - C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Purga.p-f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b.exe
    Trojan-Ransom.Win32.Purga.p-f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b.exe
    3⤵
    PID:1592
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
  Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Zerber.ewgz-6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc.exe
  Trojan-Ransom.Win32.Zerber.ewgz-6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2252
- - C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Zerber.ewgz-6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc.exe
    Trojan-Ransom.Win32.Zerber.ewgz-6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc.exe
    3⤵
    PID:2732

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2516

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2776

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:1792

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:sL7mr6Q="ACm";fT10=new%20ActiveXObject("WScript.Shell");MKT5cp9F="ZrGE0";G4I1sx=fT10.RegRead("HKLM\\software\\Wow6432Node\\R2DCySjdzC\\CZojT4aZA");Em7XDx2="mT14e1O";eval(G4I1sx);TMIEUb2L="t4PdVf";
1⤵
- Process spawned unexpected child process
PID:2680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:rbvmmwp
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3116
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe
    3⤵
    PID:5296
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe"
      4⤵
      PID:5780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:536

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3352

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:3860

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:3364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0
1⤵
PID:3776

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3848

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:6712

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:6304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\OSIRIS-aea2.htm

Filesize
8KB

MD5
e685d42869b73cfef79971069c1e9710

SHA1
172507d67cfe3ff31edbe0c63975627894241dfe

SHA256
bea3c79b52f4c869269112489a548a265a32b6332a2770bd78fff8ae3cd1cdfd

SHA512
dc44be08e01910e1496991c1a7484623e4fdba82bbbf934a12761e733ca8c9af0dd48adc95dc73b3a8003d041540257d987acfdc1a7e6cf60a69632804a11ebe

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+hvkav.html

Filesize
7KB

MD5
e69885a2c79b9b25cc60484245c329c6

SHA1
305c38cec0af8977ac921f570c9169b137fca569

SHA256
c2f567a66bfe9ac6f8bd9647cd49e3e57492b1b7a6e14b871f1e54f8eab55128

SHA512
15c77964c67ac990c3392e731600499bf66818a4d6d3c6096be0490d098d49f2e1845694a8bc3ec6ac49a02d38e5bf46906ddd43282b8884e9ce0fcbc36c11f4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+hvkav.png

Filesize
64KB

MD5
039b3306803aa47140808ab5db7b75bb

SHA1
520a587bbb2906486a590842414be822be128f6b

SHA256
527245d11fd14313ec3e2ce687485c815882dcaeb8cc09cce4c63a5c69ac53ff

SHA512
7990a409aac2a836be903ffe009f421f2303298274d03d7bb3bdb553ea2110e53fcc1f3f2442700dd6482c344f0d2ab4a95f530fc3d0c9aeddbfa364f3240f15

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+hvkav.txt

Filesize
1KB

MD5
4786445f0ddccc0ffed87b1b31e9c144

SHA1
1bbbdb2cdf7fd69dbe978b3993279857f39b5a52

SHA256
00f7059d134a0c41e40bd9cd51f7bd0723c0a09f552b8d8028073a0ba25a3592

SHA512
113c166deee2e04383e82c2622f80c74f33e0eaa8b198228df13d8950821ea713d9d6e0c11a36febaa3a30958945466be2d62f407dba274294287db8e8ce392b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+hvkav.html

Filesize
12KB

MD5
fb1a211ce85c49ba2203e01cc6e09712

SHA1
bf2377ae24c2bf8d4061efaf6304de9cbe3bf69b

SHA256
067b16c460ebde4d147bb940e8e7be4636abb528061b8395e6f60c5589b93aa2

SHA512
54ea5ed6f7e1e9b27746a31b1bf48e9da108ee014c90fe2c4c67905481235e0e78ad967b9e0f034a38c4bc023d01d50ca7427ce6d62c38f9d9427a74d9c4e2ee

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+hvkav.png

Filesize
63KB

MD5
d75fddbf64a38e6b1c84815eac31bff9

SHA1
5dfe8e77692c2bfb50eb15082cfa93000fa9ec9c

SHA256
04ddb6581c1d0f1714d7b44ed2c3c4de6dd6240e05fa4887dfa36b128085ad4e

SHA512
82f33b22d73df3f190778d3e7104de50d568834c635c6f437b4f0a388925f678ddfb102b9be7408bad4265601f47105bdd12e2ffdd9e04595d06f3bec8e4f555

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+hvkav.txt

Filesize
1KB

MD5
326e922797f70f8b75291a21d8a9066a

SHA1
ca0cd354811b253fee32dcd905c804a1b03b54a0

SHA256
f623783bbe879575dd431035dfaaa35b06bad2adefae0d386022803a399f4102

SHA512
b20fb61d0918734f9faa6b889b1d580f717d0f763a7862908e81b445851b354b8f1dfcd573e284c2ed38ef0f595df4b33fe123981709ce1e0bd29e87a4c1d547

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e4823cebf789f990c92b06a8a9715732

SHA1
c5d8afbd55fc351295deff55ac837b2a7fca730d

SHA256
51a176e6851725211de36a6931404817468d07bf913e567544f98431e10c7d57

SHA512
9b5d0bb95356e6caf8737e6f95aa810808c8c44fe2e4ecaba430e2fc5446084005c8364fe5e86bdef347851147302144e55478ffcac8a86b58cfcdda95ed1e3b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
8482b09dacb34b1632f7cfa8f20e16af

SHA1
87a7ff4da58086487665d5167eadfae96388f16f

SHA256
2a03429fe0411d3254fc8291d08ebb1224001c87ea57cc9e3dcaae70bd38eca5

SHA512
f823c4e8b0b484d412d0187ab7ceeef00f208fdaa6e09e06f791e5866cf0019b0ce213f9939be552c31dec5ca0287f986b4a203ec7f39534bbf8bdcf5c28de20

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.mp3

Filesize
173KB

MD5
b413e0a2b3479c35aff2c8dca4186681

SHA1
ae17f18fbdfa3bd6f5eaf8492599dfcfc0397206

SHA256
a90e77a271671b3c02eb93d7dea809177709eee2ad515355127abba358ecd3fc

SHA512
c2ae0d4255f5d7a7996dd4d5f97eae1fda06f7c11b53e7e6a8e6812a660b257603cd18293c9a7e302cc3505463d019f2dbfebb48520cd58b46c5a449e3efc556

Download Submit
C:\ProgramData\Adobe\Updater6\OSIRIS-c08c.htm

Filesize
8KB

MD5
f3de7ec98551e8227b8cdd142997260a

SHA1
2771451e3d90b1d8afff70478d466ee6e5d84438

SHA256
0b8972fd8992aa2b8bc31ffdd36202d0a395c99658642e7bf652cecc922c4fad

SHA512
0bdb4f7cf2002f81d0e69b47e10374f968e05665f983db6b6723ab44279b48866c28835b297812a93babecfa23fd773700f8988b4e93f1c9486b37f311cd0dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f37f8d38f7c30154d4a62b050c4c402e

SHA1
2c18a453cde915710282e6bb411666a7e0d170b8

SHA256
4345912a5ee1bd0ffaa349106dc96cc0cd4763d704e15b332ab56f088aa5aaad

SHA512
980220862747ab5586cda94aecc8949ebec2082ce9bf833b58dc7f9bb9c6ad823d1a9696f7e0426dca13469e62adefb9cb5f9c2086445aad5aecd62fd378a5f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9f1b9cbaaf96604dde926fe40e9e384

SHA1
571e7e6f3f655a262c7e0ae2cfa62cf9bfad9ff5

SHA256
1f38c6581ae718eba8550d9387585e2c8f5d322b704e952b5278e1af1e9a87f5

SHA512
87da4265baa38b59ff2d99f98bd154c3c9eb48962dc2ac270b226675bb7654812af394b80e486bd5593a06b36d9c1432776e8176d5eb1bcb929ada5fcf34468a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a705757c7e4a0c7299137763f9a50508

SHA1
adc3b4030dd1b26a53fefa6a0a2203f905e5690e

SHA256
f49264c905b2680e242801b87cfa72c253d3658642312ed77f94f446cd7b036b

SHA512
66bbe119dcfeb395ab1ed52a1d2588186657a74d19f0fc7c38a6a1832e7afb7025ecaec96eb42370ac0002e9f94cc1cfd6d4ca852aa5188509952d8261ce4758

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ceea4a6a931ecfb4987b728be010c06

SHA1
35af69d5579bcf51a1af167f55d5ca94b4255e32

SHA256
39a78abe0211a28dbab28f3d8e85f39aa4a98a2bfe91874cfbcf136216e25ecb

SHA512
43fc60fea4304c84363b3e0a9a2a0331082678bb08827b2b491b5a1537eabcfdb25a12265060933a9e4a31c0c47713ef249f759ce25a74d0e25bfc3c6fc8c3e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa8ef07a63554e2b118ccb37b1335bb5

SHA1
ab613b618a0359e4c9fb6e820899bca57ef00f2e

SHA256
976e721f65ae0316b23df7bf004f7f435fb76557ba6ea3642f733ec9f25ec32f

SHA512
c428b363235e03c4d7ceb08930d06a9880bc49abb8956b8666dc3e0a4d70c0260d146651a49ffa1d969de26fc34551b4049f5ab2a9f1884ee4e98423f183a184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91b1f80c740722ddf0ec01a3bcbef4e3

SHA1
b6f0d13dfd4c276acff5c743735eed883c5eb118

SHA256
fb0a795378ad61e9c05f291ba5b827326e42ed5ee1c0c4efaab5345ec13f44ab

SHA512
b646095b165bea2888370f1ea95a27ccfc2532c127acfae56a82e7902eacb476ef05b7d927cff9bc798b77616a6eb53d513dc3b2c8a2735e667a8792b307136e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6102aaa1bb48695f75968c4058baa8bb

SHA1
a36d4519fa6935dd409c844bae3331acea5cf6f0

SHA256
1ef4ab06b7f7f9b829e8e3a0f87838f253dfcb0cbe0dfec86aad2893a4b3ccd7

SHA512
3fa0b7740b357baf184b36d8adaa2f86147ad67441d0e502f2577fa70d71a71c1cc434f6a8031acea5c3783a819815c0dc74fc100f7c196b4d8e0ba6ecbc6e8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14d3f2e398fa95040526e98b676c5d6e

SHA1
cdd84aaeeae57f228b6a74afe16106863e6d66ff

SHA256
ace341f3e6fb44a7a2953ae4eafd8d5b5acbda571bab825896708fb523b3d724

SHA512
9d1b4fe2367e081db4b643c3523095f1c4cd205720e8c050b3867637d7724ee5f0e3f9d5276d1bd5cfe880fb72ebe3dc2150cd5ff26aa9033e7609f1d5a3ef1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a113514863a08de14738ac54e5d1e5a

SHA1
3de2724713c4760277fcc7ddb29f441d15b11ab7

SHA256
72299d481ed4dc2ddf8a767daa5a5d6ba1039c744ecca64deb0df5a377b89559

SHA512
8229675a47b4af40bd4f193232896c20e81a7c2769b4f1b96f9fc8090b0551ea01ec05f8d657ceaafc7176659b3a8c3094d5fcde3240ee96eb2f2a46c3334f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9646c9b6227e053af56040dd6597e04

SHA1
b260989df391a5463b3919c63c613654cdffc4e3

SHA256
b25ecc0af3e2d5c3875d9aeca4e6f19a3960a322fbd749ca1f246db004de5675

SHA512
8ea317cd2a18cc952681a3df6c8872d9aa17e7cbacf7b0cedf3086ee740daaec3c28c56161ffff4601fd46d223817908d9ecfd63997d99a701e377200fd2f3af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ab8b0508b3b2469cfc41f66664d7d7bb

SHA1
af094af3b42919f7f029550b17a140b20f79176c

SHA256
f46702cc2d0aae1366dad7367c3296524bf02532e1c79a28c95cef2fea53963b

SHA512
2bc3f8766fb4f44823c3cf793d3076e024dfb0ddead3c837c1fa25e2f4a9f5cdb14abbc6b64e79cd45f215667a71c36413342cdbbb8c7b8501e3ecb2a2fc8213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
426e0843a457ea2d7c338a497f62b24f

SHA1
ebb351de77820f60e67e25703e6dcabb418762fc

SHA256
8009c3b6b376a5532a44f577135263f1041ca2769cb4c8b9211230950e0a6ef0

SHA512
b839576fbc2d500767d7ed02e1fc31493589ce27708a545a6a28f4bb79529560ebd5341144c810f5a187aa65ae91d29f08e24f0ce8c3542c03da2e78e09ffc71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
985d0a50af86c67900db5912712125ab

SHA1
2f6135abb148a7b09c85c590ea8893c0f7681496

SHA256
a7925faf4746092ae136c610859c8babe8035895561db6f78a8f2af085b7b5a1

SHA512
a42e291e06d9098dcde54b3cac8006bf58082ee24372ee13bc415165f0d1f763ff2ab04b6c37d922735c5932fd47069f603d6318bccc8d6decb636bd2d2edc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
6aa5baa89267018974f26f306031cb92

SHA1
589687a767ee140b75ea74e43927ebaec563c264

SHA256
dab75cdbe5f967be898fff071ef2536058bbf74d5d6a6950e744d7146c2cd7c6

SHA512
16de35588903d3243f9230e5348806b6294f43f9f52b80e82714bd56601acb993550160aa6cf89737e64597fff262e97679b06b89a1a846c08cb35e0dba87270

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FCC\2FE6.bat

Filesize
112B

MD5
9d4f8271cf008f7cebe2f6f609b35c74

SHA1
3105fcd7324ae8d76a0cf9139460ed337229fe63

SHA256
be374d20c9a72e6d38999ef7f792c6aa62da7543e77dabb7ae2c0cf2e68d4676

SHA512
f9bdfff248fbba54cd6e090325bb375940a40a37c4487a6a555167639aad36e8918685afac52def81a8436259bed3b077cd2eb3b8b2df995f07c013dd1e3612f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6110149a\442a.tmp

Filesize
344B

MD5
3df3aef73cef3fad74a02e6ab270544c

SHA1
4ad7027c231603b3beef1d16e51d9d74a84c4b87

SHA256
7a6e37bf64dd3a104c47a8be5035c10628e6db74a10825731e7fc0135d34e30d

SHA512
3960dfcbd08268442faa39dffafabc38b3a1d779f6bb7f4ffb17445a1828be3207695609b4485d1ad2cb371b8fd40ea823ab06ded445d6e9b7f879672e64c68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar458.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\feed

Filesize
707B

MD5
f08784b01f10e5e081a39dde42a9a108

SHA1
8af0854ba8735a49c53b74a0959406696ba8cf03

SHA256
f6a53634450f584cfe2d6f01156dcdf91f09f83c81479c3e3b966d84ac79016e

SHA512
aed1d371c4c513cf649c9d96b20ee2bac7bf76950a4e5d6b57194cbacaf94e5a56e89a7bbcc8fab68e52baae44cfbe0fda0e4ece16af6bd5ce36a68e62e138e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk1190.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFC0F0986D2C4E8527.TMP

Filesize
16KB

MD5
67ca3880ca189200147f1fd7bc622c72

SHA1
81a5f8de5b502a4a515181018b5d76c9e5bba746

SHA256
526a87bc711dea2fbc10943f750169b48730e3ccdea610f48f30cc8eb768f456

SHA512
8c5ad75c369e92cdf5fce3244164575eff527cda54df79d20c881bf2e516ba6e2f760225ed109cd0585d19a08bba8120982b19f9b8ac4be830b1b29119a692a2

Download Submit
C:\Users\Admin\AppData\Local\b8cbea\8fa4c6.fbfb99f

Filesize
11KB

MD5
0673194556a94d59ad7ff7c2de17b328

SHA1
572a322e77b364d4550ff26a329ea3c314e44b0e

SHA256
b7550a65d9e8916bfc6aa37e8ecbfa10ab187d9679017697ee7ced6d87a57fec

SHA512
91e0ca587ee4a00a8258e03bf8b14d61c239272a7e5aa1004e6e67f4eb3b04d9660a8d0ecbb94b95b8817f9452520533814d53df9844f3ad5c0c58dd2d9916a0

Download Submit
C:\Users\Admin\AppData\Local\b8cbea\bab445.bat

Filesize
61B

MD5
bc3f473e49daa90e9b97f28176fa7f9b

SHA1
3ebfa725afc563327a8b6fd92b00c86090108805

SHA256
8da47a250e1002d4227e4205504ffb3019cb7bd0828007e726162f641aaa65d2

SHA512
ceb8bdb4f3db8ceed1a6c80824a998bd47b9cf49d7437e362cb489592a5466ecc8a95e8a871c85e9c8a3a1b1ad4c5bdccd985bc6542c1fa25bbedbbb288d3ed4

Download Submit
C:\Users\Admin\AppData\Local\b8cbea\f3f5e8.lnk

Filesize
877B

MD5
34073f834f60afb31ef02f0cec4d50c7

SHA1
c903dba3a817e84986661329db3ce3473fbd90ad

SHA256
379fde9e5adb015125d554b6dbfcbda507ce3060c6638797f64cebff7ca14b85

SHA512
46b76c482f6fa6811e663b1656ae3bec640afd654a7a4a9ecf7fa2734220ff41a63072e7d8030f46c8a5235518d2ec9764ed202143afe6d518e2a8043934f416

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
4e038675c3bf14d0ccfb04a70788a848

SHA1
1a8c5083da89c09fbae3ddeda93cf06a258c849e

SHA256
2e5532802da47e2e58f35bf0ed6a19dd02897ee3167dd2be0a91b8d05eb8ee7c

SHA512
6dfc3fd1ebe8deadc4ec446481a9dc3f694faf56acfa3007a0344ce8920fa3d3d9156e11d084acf7d5e159bf75f2dd1f2d96415fb7e9ba6654abaff20f762ebc

Download Submit
C:\Users\Admin\AppData\Roaming\WipeShadow.exe

Filesize
720KB

MD5
3e1050e1fd69a19b9d0505cca823668e

SHA1
61fee51de33081af6b6c33e3176b90c3c7a7a78a

SHA256
bd89d7854a176e7240f637989a5ca3eec4a257bde7ea0a78c4b2aca9ff5fc661

SHA512
fb4513a2ae7da79d00d8c87a8b8533dcaf307a22ecd3591013eb86d756cafae620c12f68130dfac2ab0dc4b7f66ccef34510ed93012811e67acec2b41ec8aaba

Download Submit
C:\Users\Admin\AppData\Roaming\d734ec\a03172.fbfb99f

Filesize
41KB

MD5
6b10047e7b75b63084fda3c043f0f2a8

SHA1
871ccb9313e76d873b2d6509c207e43d7ff054c4

SHA256
fdb1470bbfb0f61b4d6958da4cfd610ced92976ac0971018ecedb75adfc7988a

SHA512
2b05b056fd3d0fdfd5c4cb881f09cd4aa0308e8b1f44d39008ff26c1c5a3154fa60471b7f8a07e5b925304e3c90d03bc1c88fa13c147e2238a3f36600c662983

Download Submit
C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Agent.gen-0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767.exe

Filesize
275KB

MD5
794a556c1a98f70673a5ba3ed791382f

SHA1
586712b64964d9be1aef27f01e5aa7e545012e3f

SHA256
0c652a4108820f8b448d92cd5881ae30d85267e5a3c139881c89cc1735cd9767

SHA512
01098fe90d60b4f1a0e7c4c057f2645b979107e0e50bf33296df35910fe42cd998133e012e05eb9023dd402791d3a5d988c695a6fa741eb2c84d8e837753bcdd

Download Submit
C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Agent.gen-2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23.exe

Filesize
277KB

MD5
ef419cf15311411266129f20f6b5a613

SHA1
ee94b1aa2578519c13d40101895d72054e048930

SHA256
2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23

SHA512
e06fdd69e99ceb9691e7b3f7d5f827adf95e56a7272c75ce3eb4bcb50832bcd598df2e1ee6f55f1290df2fce0517f6a90ff8b8dd3192d57284efc1d092ec98d9

Download Submit
C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe

Filesize
902KB

MD5
c44e3c2a4b78303640f92023ba726212

SHA1
d956e7910e0ad8eb3ff126397b063b06ab03ac77

SHA256
9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316

SHA512
fb1a91ecd2141aa24c2b5be5bb6b7d16e4b84706db40d3216de386a5676495e46f6a9552c9931ef21eba6f94a4130b63f8334dc27b23237caf500b8eb76c7336

Download Submit
C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Blocker.gen-92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe

Filesize
315KB

MD5
8434eea972e516a35f4ac59a7f868453

SHA1
39eff0a248b7f23ee728396968e9279b241d2378

SHA256
92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b

SHA512
308160a34f7074f9a8178ce8ba37f155ba096c7448bc5cd0e9861788e158d2eacdbb329f716bc1b6935db9b26c0bcb9aca23966c73e4114c8ea92e6f53d77348

Download Submit
C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Generic-ee44be57270954cc60c1d2bb3cd678019e20aa43e84c8e457a4803519e8528ad.exe

Filesize
720KB

MD5
a2646cc12e1d563eef14bfe63ca1c405

SHA1
dbbcc35cec959a26ccaa94db23edbdd16b95f297

SHA256
ee44be57270954cc60c1d2bb3cd678019e20aa43e84c8e457a4803519e8528ad

SHA512
ee0b3bd29c43ca8bacba897b70b0ac3bc4b32917e9c640a20a5e9c2e7aa5619325125f800bdf2fc5c49488682f382b1c181aeb1df22de59b17c72586c075a203

Download Submit
C:\Users\Admin\Desktop\00275\HEUR-Trojan-Ransom.Win32.Zerber.gen-2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d.exe

Filesize
224KB

MD5
c1f3c283a3831372839505b1ae8be1c0

SHA1
dcd4fe7084e1eee57b224c2f5c521bd0800a2e1a

SHA256
2aa775cfaf4a849779153df2ea1d7e513a60e629a38f43487491fa3d5d29773d

SHA512
cdd009ced6f2d82af3d484354fb304f620f34b33e03905cd80350e0641adb1976926a21f0fdf456d77f0b75992efd4172c5e9cb1f2b6bd8b25917e30a02b74c3

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Bitman.qmf-88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f.exe

Filesize
392KB

MD5
24bd225cabc59a5b95ffac6b730831f1

SHA1
5e5c99c5d76b0c5cb1825e36270c28c5282b7801

SHA256
88491874dceb0139df6807591535dbfb39807af6a35b834288a3864164ec128f

SHA512
591027c23f24013ab660c04f02a6ff8cd7ac9e6371cd39028b28eede0f4aeb21e9fb55971a51c685e96a57f502ba1fc0ef4ec23c2c440e5e7fd46a40b554e433

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Blocker.drxt-d083c4fa5a88432fc013db0ac1f22a01c0ec0b4725c27bf5cfb7b8d3099fd9ac.exe

Filesize
96KB

MD5
44e3ba7a05be9a34603caac43a69beba

SHA1
159cead7f4ec7ba60d1d06e0a51c62acddc2f295

SHA256
d083c4fa5a88432fc013db0ac1f22a01c0ec0b4725c27bf5cfb7b8d3099fd9ac

SHA512
fb87a7e9e9905c01200437579f590262cb9823f94cc2d496a30c70694c8be0f25fef6dae5cd1345bd5d52261090efc3999be1fccd15c0e5b58c7ab8e60ff1329

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Blocker.meia-f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0.exe

Filesize
63KB

MD5
80f2c45c6c63723490d056745311af48

SHA1
dd9aaf917bb8a6a55d711f83c628f83b1332f441

SHA256
f2ec1dfc582bd19a59866f0c7d3f8d965d90330a12ea526069739b5ae85a4ad0

SHA512
b223da8dca41e365b588e88a86fc0f70cd0cbf7a68b59e471cb0ccbebd2968483fd1dde60894c64b0e9358da5b565e9169e545d632d40d79149d405a6a47236e

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Crypmod.xbb-315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac.exe

Filesize
328KB

MD5
c0873e0209c7aafbbeb0bedee7f06fe0

SHA1
f17f0cd0bf92f5b5fb9f23db44495f0ee65d45c8

SHA256
315f369efc70c440c9e128dceedb0390270f2e9be18bfee589bedf7b00bd2cac

SHA512
ef85aeda5cb7460cb9603498f88b8e3099abe2120b75679cf7754cfb0ac04da14069e1c33f718cddec51969ae237e4136dc051904dcb907d7e98e7c39676c2bc

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Foreign.gxos-e1331443022e01a46ecea061403318ec84dd1747430e2cc98accb67fe44b58e8.exe

Filesize
306KB

MD5
5d15839404b06e18b939bf2a8bd05dba

SHA1
446a47fc55e2eb128c5ab36c9e32e9adf2dfc9d8

SHA256
e1331443022e01a46ecea061403318ec84dd1747430e2cc98accb67fe44b58e8

SHA512
11526ad5ff56fbbd7b70a1297dfae3856b57f9e7c8ca9670222993c6f4ac11f98606328b98038030240b98c798068526d49435c1af8dca1c99556184857f5114

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Foreign.njhp-b2925170efd2cc372b8e3b5c64938b49362c4d325d2e511031ab070e264e8011.exe

Filesize
436KB

MD5
ce9a6403172efff38e0ed802e48a4650

SHA1
3ff957e51cd573b4855e35db832e0d2c2d1a5463

SHA256
b2925170efd2cc372b8e3b5c64938b49362c4d325d2e511031ab070e264e8011

SHA512
be165ed3d59222b2642d8370146e7e3cdcd7724071f9f27321a878f51fc4a0b86ca08944fc238c85d5d3c1cc34bf928eb5347e9231a27101cdbd61f773012839

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.GenericCryptor.ilm-130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724.exe

Filesize
226KB

MD5
9c73dfc02bf01fc1da8efc349d23646b

SHA1
5807a387860f7a93e848fa121efed2707cf011f9

SHA256
130901fab52c6cd7fee0a2e1776aa9938874cad922aa431ea9e2f21b9f0b3724

SHA512
ec51d28567cfdbbd7f712d3063ec856f36ffdc12314ca7aba819086d17a447a2e6900f8e71bfb2b0255e4497458d3220e83138d76dae322b7da3c704bdeaf8a7

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.dlx-5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22.exe

Filesize
336KB

MD5
65823444bcf0839e39ba456dcf8ddd3f

SHA1
5dcac05646046371ba507a1cae9eec6c653b22ee

SHA256
5da789e775061401f4044aab9818d7094f2e3f95256b540840a85e2842b15f22

SHA512
56d90f07a8ef3711e64738eed80886196b4b34c3ab5168ec69db8d84a4f75ddb85f27ef5352274a2dc749800e6a05c577f3706f11205885cf8ce36097d611ba0

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.gn-7bb2e629f366f938cc2d6778804f413a372ddd3ce9637e17205e0961e4e1ec8d.exe

Filesize
209KB

MD5
197a98dd6fc4b06da146fdc83fece4a3

SHA1
8c37f9890755e441bdb14bb3d7e6ab327d44ebce

SHA256
7bb2e629f366f938cc2d6778804f413a372ddd3ce9637e17205e0961e4e1ec8d

SHA512
7fa13d1ceba08b08b91611882b5409b16d02a5bfc7e9eadfd93253e8f49cd395972e04ca58a06c6191f257abcd1714bbb7cf6bea1de531455c1c7babff3c1281

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.wyc-1fc261dabeba15e8e5f5495fbb519847e7783e15501cf6e802eaa9ac7c19c3ea.exe

Filesize
408KB

MD5
8559c06a20d5a65d0f026e800496e88c

SHA1
52d2db5d99acd2dcb07026fb6fc3a7b517371f88

SHA256
1fc261dabeba15e8e5f5495fbb519847e7783e15501cf6e802eaa9ac7c19c3ea

SHA512
c9e199b41b3b6c3182242af5918227b20f514d9c7eaeddca3093e5a2a8b7e2b05f30dfa45a2e76b4497a589a07e80e640a71897b9368b9afcb85e96b7c0ba42a

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.wze-5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5.exe

Filesize
443KB

MD5
e01381bb15a041edf46d58cf4e8dd528

SHA1
d426a2f1797f2de21d9e93bd734403b9b37c2b97

SHA256
5c6f7b9de14d59d19d62dc147dab0337d5b19d77fd31abe47f7fcae17d3a3fc5

SHA512
3204bd1c2fdf0ea15cdd3e29a27eea6d91644ffb16e4dba183ea984c5cce84d330d18921f7d68e61fb1bee793022cbd541a97cc0567cd7efba48ad049bcd27dc

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Locky.xaj-92863e45537aa9c1eee65bb71e9709342d35aa5d27e1a0632a07267235bd1c8f.exe

Filesize
425KB

MD5
480a9fb7a41ebe01de3e2dd1761e275d

SHA1
e31952a06f821b846ff03a442e81834f01877c6d

SHA256
92863e45537aa9c1eee65bb71e9709342d35aa5d27e1a0632a07267235bd1c8f

SHA512
a7824154688a3eb27bd24c08c58d97cd0d824bdb3d26f86786e24901489f4ecc9fdea47903447892d1072dd7b5d6a2ca023880f92e061e890289f3688d15d10a

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Purga.p-f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b.exe

Filesize
268KB

MD5
3e93fe3e8b7e102d64751f0ca48b3b17

SHA1
b96e0d7cc0663d1de029195a91fad58eae4787ad

SHA256
f057cdee05e945771df9d7d9499a9172e0ee59175c9306ac2250ca751a5fc66b

SHA512
7b0346233d87024dc5fcea18e2f204d9a45c838f303d384678df52fe9a02730f2a5a7d2e75815a1cc1cfa43e8768a8a5396bb1dd9017543d1f229ee454d20990

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Rack.gvy-a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488.exe

Filesize
2.7MB

MD5
fcbf90c72794f64d5fe87ab4b824f9c5

SHA1
416330ab9b587bafa01f213d200791837659995c

SHA256
a1f0617c44fcd4794a06b1b8bad5a133b0c9bcc177dd11546ca38016c8bb6488

SHA512
f2c8d3de44a0410ce95fc90cd2c96b365d19aaaa2b5a2bbfe4bcf9ee9c409cb864114dc7e2e6b58d6547500fc526d21a5687d9c5dc1da7145fd46c61450fbf3d

Download Submit
C:\Users\Admin\Desktop\00275\Trojan-Ransom.Win32.Zerber.ewgz-6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc.exe

Filesize
290KB

MD5
dc78f318817ac2c51bd35b2294ccb168

SHA1
4b62f6cb787f126d2f9b3d436cbda694c9edced7

SHA256
6612323db1ef26c1813c35d4c1d8f6983c7aac7a6acc160c33f27e5f670288fc

SHA512
39753fadb8edc9d1402bcd47b0c2a886b446f98618da49f08c12ca309c5cdab0ae81a715b3b26a0661499d958f106b16f2f7b5c36ac28ff27c36c7ac1852e603

Download Submit
\Users\Admin\AppData\Local\Temp\nse195B.tmp\System.dll

Filesize
11KB

MD5
fc3772787eb239ef4d0399680dcc4343

SHA1
db2fa99ec967178cd8057a14a428a8439a961a73

SHA256
9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed

SHA512
79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

Download Submit
\Users\Admin\AppData\Roaming\Kyajyq\pyudy.exe

Filesize
306KB

MD5
5a9ca8f91478f67def47e7832b0554b8

SHA1
4af261ef2d59b9cbc8e0fc90b5477ce938a04b5a

SHA256
4871aba979d8633f2704310631269e361500e5774c6da5898966c09cd0591296

SHA512
c973501e43842b7fa400ecb72e77f21aff35f191bd35c40bbe7819504509c8f5a3d43c73a17b09c5260b2a3fc431b3f67183a776f19287237973fe8501ab8e9d

Download Submit
memory/956-268-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/956-253-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/956-134-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1088-275-0x0000000001B40000-0x0000000001B89000-memory.dmp

Filesize
292KB

Download
memory/1088-277-0x0000000001B40000-0x0000000001B89000-memory.dmp

Filesize
292KB

Download
memory/1292-218-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1292-254-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1680-164-0x0000000000210000-0x0000000000223000-memory.dmp

Filesize
76KB

Download
memory/1724-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1724-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-252-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2176-141-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/2192-257-0x00000000013D0000-0x0000000001408000-memory.dmp

Filesize
224KB

Download
memory/2192-259-0x00000000013D0000-0x0000000001408000-memory.dmp

Filesize
224KB

Download
memory/2276-260-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2336-256-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2336-251-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2376-204-0x00000000008E0000-0x0000000000E3C000-memory.dmp

Filesize
5.4MB

Download
memory/2376-196-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2376-203-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2376-201-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2376-174-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2376-176-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2376-178-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2376-179-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2376-181-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2376-198-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2376-183-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2376-186-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2376-188-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2376-191-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2376-193-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2388-255-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2516-42-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2516-43-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2516-44-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2692-392-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2692-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2692-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2692-5199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2692-245-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2692-243-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2728-523-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2728-413-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2732-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-314-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2776-315-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2980-274-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download