Analysis
max time kernel: 243s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2025, 20:39
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00269.7z
Resource: win10v2004-20250217-en
General
Target: RNSM00269.7z
Size: 7.5MB
MD5: 0c0f6046592a1d447586c0898c572f3b
SHA1: e818cecc31794640e06d6ec86795d7765e481c7b
SHA256: 0675087b8e5b5712b65568224783e6b7f27a26b44dc2361ca3b1e6cd2a5cc338
SHA512: 19784b266ed7cbde7e3a3121c3d37fd6b667b1218a36b671c3ca87f7121a51d95d10f7d7e7237d8ec3b85f592dd32109b4e09be40ae711a0e311f685c5b69336
SSDEEP: 196608:RL6nz7HFqicmfW9dyVnlIKYHx3TzTucytZeiSAdc9or:Envlz+9Qp5YTzTbS2Ec9or
These hashes identify the submitted 7z archive, not the executables inside it. The archive was opened interactively in the sandbox (7zFM.exe appears in the behaviour sections) and its contents were run as separate processes; each extracted file name carries a 64-hex-character (SHA256-length) hash as a suffix, which is the identifier to pivot on for an individual sample.
Malware Config
Extracted from: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.txt
Family: cerber
Payment-portal URLs. All six share one onion host label (52uo5k3t73ypjije) and one victim-ID path (8577-F0C6-7F5A-006D-FF6C); the portal is offered directly as a .onion address, through the onion.to Tor2Web gateway, and through four .top gateway domains:
http://52uo5k3t73ypjije.fr2vai.top/8577-F0C6-7F5A-006D-FF6C
http://52uo5k3t73ypjije.n41n1a.top/8577-F0C6-7F5A-006D-FF6C
http://52uo5k3t73ypjije.3odvfb.top/8577-F0C6-7F5A-006D-FF6C
http://52uo5k3t73ypjije.pap44w.top/8577-F0C6-7F5A-006D-FF6C
http://52uo5k3t73ypjije.onion.to/8577-F0C6-7F5A-006D-FF6C
http://52uo5k3t73ypjije.onion/8577-F0C6-7F5A-006D-FF6C
Extracted from: C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
Signatures
Cerber 3 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.
description | ioc | Process
pid 3996 | taskkill.exe
Mutant opened | shell.{B97F6D40-C75B-2BB3-7FA9-5A576E37B00B} | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
Mutant created | shell.{B97F6D40-C75B-2BB3-7FA9-5A576E37B00B} | cmdkey.exe
Note that cmdkey.exe in this report is not the Windows credential utility: the Zerber.gen sample copies itself to C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe (see the Run key, policy Run key, Startup folder and screensaver IoCs below) and that copy creates the mutant, drops the ransom notes and sets the wallpaper.
Cerber family
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\LABbiEhO\\OEcPJgeD.exe" | Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34607000-E419-7E20-C3A7-73A5797B02CA}\\cmdkey.exe\"" | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34607000-E419-7E20-C3A7-73A5797B02CA}\\cmdkey.exe\"" | cmdkey.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
The only hit is explorer.exe creating the per-user Installed Components key; no sample process writes there in this report, so this signature is weak evidence on its own.
Contacts a large (557) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
4872 | netsh.exe
6160 | netsh.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | kingoroott.exe
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.MSIL.Agent.ghg-27182f0ac7425531461affe696f276a11dd5562e2fad18905831e94f5b0ae6a3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | cmdkey.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | taskmgr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.Win32.Foreign.ngmm-dfef0ef6449c8dfde93a161cda3cc821cb9d6e83910197fd828189d94b27bd02.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.Win32.Blocker.jhsj-ef5b7665ea1dcc16816547e032d82132832403e6daac70cc5768f26e99ac174f.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cmdkey.lnk | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cmdkey.lnk | cmdkey.exe
Executes dropped EXE 26 IoCs
pid | Process
1388 | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
4652 | Trojan-Ransom.MSIL.Agent.ghg-27182f0ac7425531461affe696f276a11dd5562e2fad18905831e94f5b0ae6a3.exe
4960 | cmdkey.exe
5076 | taskmgr.exe
4968 | cmdkey.exe
764 | cmd.exe
2580 | cmdkey.exe
2664 | cmdkey.exe
2348 | taskmgr.exe
6260 | Trojan-Ransom.Win32.Blocker.jhsj-ef5b7665ea1dcc16816547e032d82132832403e6daac70cc5768f26e99ac174f.exe
2304 | Trojan-Ransom.Win32.Blocker.jkzx-d124c89b0a5a9b1f56f9176c2c412aa1ed2dda64566df4f499105705ea75da4e.exe
2836 | Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe
3812 | Trojan-Ransom.Win32.Foreign.hamq-686d991ce763e683ea6ee0f0202681364e8f55efb02c312a59e599b5abb547fd.exe
452 | Trojan-Ransom.Win32.Foreign.ngmm-dfef0ef6449c8dfde93a161cda3cc821cb9d6e83910197fd828189d94b27bd02.exe
4868 | Trojan-Ransom.Win32.Foreign.nhhn-9b2699969896d0b301ab47e2f2f7f2051534ea526d862d75f4cda83b29408348.exe
5296 | Trojan-Ransom.Win32.Locky.cfh-530326ed9cafede731a478242b0f1f13f7263c1bec156adb2f3f26132667464d.exe
5432 | Trojan-Ransom.Win32.Locky.hy-ddb80a24da8bec08eeac77e0a7ea13e48805a302290555d4bcb5d86d9080b13c.exe
5448 | Trojan-Ransom.Win32.Purga.p-25aa2980ba724f212ca7292f968ded935760ba0a5b5562c3702e3572342089a3.exe
5460 | Trojan-Ransom.Win32.Zerber.dhg-b0697ec9eeec95dc0d07b0d339bcd2577e07ef27dce3d2ac62e55ab32b5a75ff.exe
5472 | Trojan-Ransom.Win32.Zerber.gre-9f39b703428343ea6f5b8f83307bc03f5914ac168aa86acd7214a85badc2ca40.exe
5488 | Trojan-Ransom.Win32.Zerber.jnu-e5ba39b9b74ad9ac430c915c3fb3b93584f4ad16b03a10a2436b4ce9b66f1da5.exe
5516 | Trojan-Ransom.Win32.Zerber.svc-085087c7776992c63052994a24afe8aaed428112d03f1a4e0f476e9889cd7a7a.exe
5532 | Trojan-Ransom.Win32.Zerber.vu-f23b33e9204ea79c3dd5a54fa57f2b97709ba30a06fb01f869e1ab06919a0a9a.exe
5584 | kingoroott.exe
4196 | Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe
6820 | svhost.exe
Several dropped files carry the names of Windows utilities (cmd.exe 764, taskmgr.exe 5076 and 2348, cmdkey.exe 4960/4968/2580/2664, svhost.exe 6820). Where a later signature names one of these processes without a pid, it may refer to the sample rather than the system binary.
Loads dropped DLL 6 IoCs
pid | Process
5448 | Trojan-Ransom.Win32.Purga.p-25aa2980ba724f212ca7292f968ded935760ba0a5b5562c3702e3572342089a3.exe
5516 | Trojan-Ransom.Win32.Zerber.svc-085087c7776992c63052994a24afe8aaed428112d03f1a4e0f476e9889cd7a7a.exe (x5)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and session cookies.
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cmdkey = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34607000-E419-7E20-C3A7-73A5797B02CA}\\cmdkey.exe\"" | cmdkey.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHosts = "C:\\Users\\Admin\\Desktop\\00269\\Trojan-Ransom.Win32.Blocker.jhsj-ef5b7665ea1dcc16816547e032d82132832403e6daac70cc5768f26e99ac174f.exe" | Trojan-Ransom.Win32.Blocker.jhsj-ef5b7665ea1dcc16816547e032d82132832403e6daac70cc5768f26e99ac174f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Media SDK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDhiOVIcUC.exe" | Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHosts = "C:\\ProgramData\\svhost.exe" | svhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmdkey = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34607000-E419-7E20-C3A7-73A5797B02CA}\\cmdkey.exe\"" | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cmdkey = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34607000-E419-7E20-C3A7-73A5797B02CA}\\cmdkey.exe\"" | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmdkey = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34607000-E419-7E20-C3A7-73A5797B02CA}\\cmdkey.exe\"" | cmdkey.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kingoroott.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
162 | ip-api.com
2231 | icanhazip.com
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0008000000023db3-1491.dat | autoit_exe
behavioral1/memory/4208-1819-0x0000000000960000-0x0000000000A7F000-memory.dmp | autoit_exe
behavioral1/memory/4208-2056-0x0000000000960000-0x0000000000A7F000-memory.dmp | autoit_exe
behavioral1/memory/2064-2057-0x00000000009A0000-0x0000000000ABF000-memory.dmp | autoit_exe
behavioral1/memory/2064-2165-0x00000000009A0000-0x0000000000ABF000-memory.dmp | autoit_exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
4556 | tasklist.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp89D2.bmp" | cmdkey.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2836 set thread context of 4196 | 2836 | Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe | 202
UPX packed file 20 IoCs
resource | yara_rule
behavioral1/memory/5584-1488-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1489-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1684-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1714-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1713-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1723-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1730-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1754-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1704-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1703-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1699-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1695-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1694-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1487-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/memory/5584-1484-0x00000000021B0000-0x000000000231B000-memory.dmp | upx
behavioral1/files/0x000900000001e5bd-1812.dat | upx
behavioral1/memory/4208-1819-0x0000000000960000-0x0000000000A7F000-memory.dmp | upx
behavioral1/memory/4208-2056-0x0000000000960000-0x0000000000A7F000-memory.dmp | upx
behavioral1/memory/2064-2057-0x00000000009A0000-0x0000000000ABF000-memory.dmp | upx
behavioral1/memory/2064-2165-0x00000000009A0000-0x0000000000ABF000-memory.dmp | upx
The first fifteen rows are repeated dumps of one region in pid 5584 (kingoroott.exe). The regions in pids 4208 and 2064 also match the autoit_exe rule above, so that sample is a UPX-packed AutoIt executable.
Drops file in Program Files directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE | cmdkey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE | cmdkey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE | cmdkey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE | cmdkey.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.url | cmdkey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini | cmdkey.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.html | cmdkey.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.txt | cmdkey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml | cmdkey.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.html | cmdkey.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.vbs | cmdkey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE | cmdkey.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.url | cmdkey.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.vbs | cmdkey.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.txt | cmdkey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini | cmdkey.exe
File created | C:\Program Files (x86)\0E5B561B.log | kingoroott.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4080 | 3812 | WerFault.exe | 185
4496 | 5488 | WerFault.exe |
The crashing targets are pid 3812 (Trojan-Ransom.Win32.Foreign.hamq-686d991ce763e683ea6ee0f0202681364e8f55efb02c312a59e599b5abb547fd.exe) and pid 5488 (Trojan-Ransom.Win32.Zerber.jnu-e5ba39b9b74ad9ac430c915c3fb3b93584f4ad16b03a10a2436b4ce9b66f1da5.exe); the procid_target of the second row is missing from the report.
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe (x2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (x4)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmdkey.exe (x4)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Purga.p-25aa2980ba724f212ca7292f968ded935760ba0a5b5562c3702e3572342089a3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe (x2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Foreign.hamq-686d991ce763e683ea6ee0f0202681364e8f55efb02c312a59e599b5abb547fd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Zerber.svc-085087c7776992c63052994a24afe8aaed428112d03f1a4e0f476e9889cd7a7a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Foreign.nhhn-9b2699969896d0b301ab47e2f2f7f2051534ea526d862d75f4cda83b29408348.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Zerber.gre-9f39b703428343ea6f5b8f83307bc03f5914ac168aa86acd7214a85badc2ca40.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.MSIL.Agent.ghg-27182f0ac7425531461affe696f276a11dd5562e2fad18905831e94f5b0ae6a3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.jkzx-d124c89b0a5a9b1f56f9176c2c412aa1ed2dda64566df4f499105705ea75da4e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Zerber.vu-f23b33e9204ea79c3dd5a54fa57f2b97709ba30a06fb01f869e1ab06919a0a9a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Zerber.jnu-e5ba39b9b74ad9ac430c915c3fb3b93584f4ad16b03a10a2436b4ce9b66f1da5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Locky.cfh-530326ed9cafede731a478242b0f1f13f7263c1bec156adb2f3f26132667464d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Zerber.dhg-b0697ec9eeec95dc0d07b0d339bcd2577e07ef27dce3d2ac62e55ab32b5a75ff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Blocker.jhsj-ef5b7665ea1dcc16816547e032d82132832403e6daac70cc5768f26e99ac174f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Foreign.ngmm-dfef0ef6449c8dfde93a161cda3cc821cb9d6e83910197fd828189d94b27bd02.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Locky.hy-ddb80a24da8bec08eeac77e0a7ea13e48805a302290555d4bcb5d86d9080b13c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kingoroott.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svhost.exe
Nearly every process in the run, including cmd.exe, taskkill.exe and PING.EXE, opens this key, so this signature separates nothing on its own; the Geo\Nation queries above are the better geofencing indicator.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4028 | PING.EXE
2012 | cmd.exe
5092 | PING.EXE
3044 | cmd.exe
4376 | PING.EXE
2692 | cmd.exe
7116 | cmd.exe
6976 | PING.EXE
3832 | PING.EXE
5560 | cmd.exe
Each PING.EXE is paired with a cmd.exe, and the command lines are not shown here; a ping loop launched from a batch file is as often a delay before self-deletion as a real connectivity check, so confirm the target address before treating this as C2 reachability testing.
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
These rows carry no pid, so taskmgr.exe here may be the Windows Task Manager (pids 3096 and 2708 in this run, which reads disk names for its Performance tab) or the dropped sample of the same name (pids 5076 and 2348); the report does not resolve which.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | kingoroott.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | kingoroott.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | kingoroott.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | kingoroott.exe
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | kingoroott.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | kingoroott.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | kingoroott.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
6404 | ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid | Process
3444 | systeminfo.exe
Kills process with taskkill 8 IoCs
pid | Process
5560 | taskkill.exe
1068 | taskkill.exe
3996 | taskkill.exe
4064 | taskkill.exe
3404 | taskkill.exe
4392 | taskkill.exe
1184 | taskkill.exe
2004 | taskkill.exe
Modifies Control Panel 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\Desktop | cmdkey.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34607000-E419-7E20-C3A7-73A5797B02CA}\\cmdkey.exe\"" | cmdkey.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\Desktop | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{34607000-E419-7E20-C3A7-73A5797B02CA}\\cmdkey.exe\"" | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
Modifies registry class 9 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings | cmdkey.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1479699283-3000499823-2337359760-1000\{272D0DA7-239D-4E2E-9AEB-01874F7E456D} | explorer.exe
Eight of the nine rows are explorer.exe ShellBag and CLSID housekeeping from interactive use of the sandbox; only the cmdkey.exe row belongs to a sample.
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 280732.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\taskmgr.exe.crdownload:SmartScreen | msedge.exe
The SmartScreen stream is written by Edge on every download alongside the Zone.Identifier mark-of-the-web, so the ADS itself is browser behaviour rather than a sample hiding data. What matters is the context: msedge.exe (pid 2092) was written to by the Trojan-Ransom.MSIL.Agent.ghg sample (see the WriteProcessMemory rows), and the download it performed is a file named taskmgr.exe, the same name as two of the dropped executables.
Runs ping.exe 1 TTPs 5 IoCs
pid | Process
5092 | PING.EXE
6976 | PING.EXE
3832 | PING.EXE
4376 | PING.EXE
4028 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3096 | taskmgr.exe (x6)
2708 | taskmgr.exe (x54)
4652 | Trojan-Ransom.MSIL.Agent.ghg-27182f0ac7425531461affe696f276a11dd5562e2fad18905831e94f5b0ae6a3.exe (x4)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4848 | 7zFM.exe
2708 | taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs
pid | Process
2092 | msedge.exe (x24)
Suspicious use of AdjustPrivilegeToken 40 IoCs
pid | Process | Tokens
4848 | 7zFM.exe | SeRestorePrivilege, 35, SeSecurityPrivilege
3096 | taskmgr.exe | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
2708 | taskmgr.exe | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
4652 | Trojan-Ransom.MSIL.Agent.ghg-27182f0ac7425531461affe696f276a11dd5562e2fad18905831e94f5b0ae6a3.exe | SeDebugPrivilege
3996 | taskkill.exe | SeDebugPrivilege
1388 | HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe | SeDebugPrivilege
4064 | taskkill.exe | SeDebugPrivilege
5076 | taskmgr.exe | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
4960 | cmdkey.exe | SeDebugPrivilege
4968 | cmdkey.exe | SeDebugPrivilege
4556 | tasklist.exe | SeDebugPrivilege
7140 | AUDIODG.EXE | 33, SeIncBasePriorityPrivilege
3404 | taskkill.exe | SeDebugPrivilege
4392 | taskkill.exe | SeDebugPrivilege
2348 | taskmgr.exe | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
5584 | kingoroott.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4728 | explorer.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege (each x5)
Tokens given only as numbers are privilege LUIDs the report did not resolve: 33 is SeIncreaseWorkingSetPrivilege and 35 is SeCreateSymbolicLinkPrivilege. Pids 5076 and 2348 are the dropped files named taskmgr.exe (see Executes dropped EXE), which request the same privilege set as the real Task Manager (3096, 2708).
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
4848 | 7zFM.exe (x2)
3096 and 2708 | taskmgr.exe (remaining 62 entries, interleaved)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
3096 and 2708 | taskmgr.exe (64 entries, interleaved)
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
3076 | cmd.exe
764 | cmd.exe
5532 | Trojan-Ransom.Win32.Zerber.vu-f23b33e9204ea79c3dd5a54fa57f2b97709ba30a06fb01f869e1ab06919a0a9a.exe
5584 | kingoroott.exe (x2)
4196 | Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00269.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4848
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Users\Admin\Desktop\00269\HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exeHEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe2⤵
- Cerber
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:1388 -
C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe"C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe"3⤵
- Cerber
- Adds policy Run key to start application
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4960 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html4⤵PID:6588
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa038946f8,0x7ffa03894708,0x7ffa038947185⤵PID:6604
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt4⤵PID:6620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.fr2vai.top/8577-F0C6-7F5A-006D-FF6C?auto4⤵PID:6816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa038946f8,0x7ffa03894708,0x7ffa038947185⤵PID:6832
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"4⤵PID:6852
-
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "cmdkey.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe" > NUL4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2012 -
C:\Windows\system32\taskkill.exetaskkill /t /f /im "cmdkey.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5092
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\Desktop\00269\HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe" > NUL3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2692 -
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe"4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4028
-
-
-
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.MSIL.Agent.ghg-27182f0ac7425531461affe696f276a11dd5562e2fad18905831e94f5b0ae6a3.exeTrojan-Ransom.MSIL.Agent.ghg-27182f0ac7425531461affe696f276a11dd5562e2fad18905831e94f5b0ae6a3.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM explorer.exe4⤵
- Cerber
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3996
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.microsoft.com/en-in/3⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa038946f8,0x7ffa03894708,0x7ffa038947184⤵PID:2400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:24⤵PID:2588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:34⤵PID:4420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:84⤵PID:4824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:14⤵PID:4996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:14⤵PID:2976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:14⤵PID:4104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:14⤵PID:4460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:84⤵PID:4100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:84⤵PID:4628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:14⤵PID:4508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:14⤵PID:2076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:14⤵PID:1928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:14⤵PID:4140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:14⤵PID:1516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:14⤵PID:4928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:14⤵PID:4100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:14⤵PID:2056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:14⤵PID:2668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:14⤵PID:3704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:14⤵PID:2404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6084 /prefetch:84⤵PID:4992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:14⤵PID:4140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6788 /prefetch:84⤵PID:3092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:84⤵PID:4276
-
-
C:\Users\Admin\Downloads\taskmgr.exe"C:\Users\Admin\Downloads\taskmgr.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:14⤵PID:1040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:14⤵PID:3668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5064 /prefetch:84⤵PID:3924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:84⤵PID:2012
-
-
C:\Users\Admin\Downloads\cmd.exe"C:\Users\Admin\Downloads\cmd.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:764 -
C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe"C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580
-
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
C:\Windows\system32\taskkill.exetaskkill /pid:46525⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
-
C:\Users\Admin\Downloads\taskmgr.exetaskmgr5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Blocker.jhsj-ef5b7665ea1dcc16816547e032d82132832403e6daac70cc5768f26e99ac174f.exeTrojan-Ransom.Win32.Blocker.jhsj-ef5b7665ea1dcc16816547e032d82132832403e6daac70cc5768f26e99ac174f.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:6260 -
C:\ProgramData\svhost.exe"C:\ProgramData\svhost.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:6820
-
-
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Blocker.jkzx-d124c89b0a5a9b1f56f9176c2c412aa1ed2dda64566df4f499105705ea75da4e.exeTrojan-Ransom.Win32.Blocker.jkzx-d124c89b0a5a9b1f56f9176c2c412aa1ed2dda64566df4f499105705ea75da4e.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Users\Admin\AppData\Roaming\Taskmgr.exe"C:\Users\Admin\AppData\Roaming\Taskmgr.exe"6⤵PID:6976
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Taskmgr.exe" "Taskmgr.exe" ENABLE7⤵
- Modifies Windows Firewall
PID:6160
-
-
-
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exeTrojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Users\Admin\AppData\Roaming\kingoroott.exeC:\Users\Admin\AppData\Roaming\kingoroott.exe6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5584
-
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe"C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Blocker.jovc-a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4196
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Foreign.hamq-686d991ce763e683ea6ee0f0202681364e8f55efb02c312a59e599b5abb547fd.exeTrojan-Ransom.Win32.Foreign.hamq-686d991ce763e683ea6ee0f0202681364e8f55efb02c312a59e599b5abb547fd.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3812 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 5486⤵
- Program crash
PID:4080
-
-
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Foreign.ngmm-dfef0ef6449c8dfde93a161cda3cc821cb9d6e83910197fd828189d94b27bd02.exeTrojan-Ransom.Win32.Foreign.ngmm-dfef0ef6449c8dfde93a161cda3cc821cb9d6e83910197fd828189d94b27bd02.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "6⤵
- System Location Discovery: System Language Discovery
PID:5244 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tut.sfx.exetut.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp7⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\tut.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\tut.exe"8⤵PID:4208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /k HOSTNAME9⤵PID:5176
-
C:\Windows\SysWOW64\HOSTNAME.EXEHOSTNAME10⤵PID:4556
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE9⤵PID:4100
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE10⤵
- Modifies Windows Firewall
PID:4872
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im chrome.exe9⤵PID:2504
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
PID:5560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\log\pass.exe all9⤵PID:5420
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /k systeminfo9⤵PID:6456
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo10⤵
- Gathers system information
PID:3444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /k ipconfig9⤵PID:6336
-
C:\Windows\SysWOW64\ipconfig.exeipconfig10⤵
- Gathers network information
PID:6404
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\log\securityscan.exeC:\Users\Admin\AppData\Roaming\Microsoft\log\securityscan.exe9⤵PID:2064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /k HOSTNAME10⤵PID:3436
-
C:\Windows\SysWOW64\HOSTNAME.EXEHOSTNAME11⤵PID:5844
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Foreign.nhhn-9b2699969896d0b301ab47e2f2f7f2051534ea526d862d75f4cda83b29408348.exeTrojan-Ransom.Win32.Foreign.nhhn-9b2699969896d0b301ab47e2f2f7f2051534ea526d862d75f4cda83b29408348.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E382\71C1.bat" "C:\Users\Admin\AppData\Roaming\appmgine\ApiSmifw.exe" "C:\Users\Admin\Desktop\00269\TR3C54~1.EXE""6⤵PID:1928
-
C:\Windows\SysWOW64\cmd.execmd /C ""C:\Users\Admin\AppData\Roaming\appmgine\ApiSmifw.exe" "C:\Users\Admin\Desktop\00269\TR3C54~1.EXE""7⤵PID:5588
-
C:\Users\Admin\AppData\Roaming\appmgine\ApiSmifw.exe"C:\Users\Admin\AppData\Roaming\appmgine\ApiSmifw.exe" "C:\Users\Admin\Desktop\00269\TR3C54~1.EXE"8⤵PID:2220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe9⤵PID:1508
-
-
-
-
-
-
- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Locky.cfh-530326ed9cafede731a478242b0f1f13f7263c1bec156adb2f3f26132667464d.exe (level 5, PID 5296)
  Command line: Trojan-Ransom.Win32.Locky.cfh-530326ed9cafede731a478242b0f1f13f7263c1bec156adb2f3f26132667464d.exe
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Locky.cfh-530326ed9cafede731a478242b0f1f13f7263c1bec156adb2f3f26132667464d.exe (level 6, PID 6752)
  Command line: "C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Locky.cfh-530326ed9cafede731a478242b0f1f13f7263c1bec156adb2f3f26132667464d.exe"

- C:\Windows\SysWOW64\cmd.exe (level 7, PID 7124)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\42D4\216A.bat" "C:\Users\Admin\AppData\Roaming\appmgine\ApiSmifw.exe" "C:\Users\Admin\Desktop\00269\TR959A~1.EXE""

- C:\Windows\SysWOW64\cmd.exe (level 8, PID 6280)
  Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\appmgine\ApiSmifw.exe" "C:\Users\Admin\Desktop\00269\TR959A~1.EXE""

- C:\Users\Admin\AppData\Roaming\appmgine\ApiSmifw.exe (level 9, PID 3376)
  Command line: "C:\Users\Admin\AppData\Roaming\appmgine\ApiSmifw.exe" "C:\Users\Admin\Desktop\00269\TR959A~1.EXE"

- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Locky.hy-ddb80a24da8bec08eeac77e0a7ea13e48805a302290555d4bcb5d86d9080b13c.exe (level 5, PID 5432)
  Command line: Trojan-Ransom.Win32.Locky.hy-ddb80a24da8bec08eeac77e0a7ea13e48805a302290555d4bcb5d86d9080b13c.exe
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Purga.p-25aa2980ba724f212ca7292f968ded935760ba0a5b5562c3702e3572342089a3.exe (level 5, PID 5448)
  Command line: Trojan-Ransom.Win32.Purga.p-25aa2980ba724f212ca7292f968ded935760ba0a5b5562c3702e3572342089a3.exe
  Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Zerber.dhg-b0697ec9eeec95dc0d07b0d339bcd2577e07ef27dce3d2ac62e55ab32b5a75ff.exe (level 5, PID 5460)
  Command line: Trojan-Ransom.Win32.Zerber.dhg-b0697ec9eeec95dc0d07b0d339bcd2577e07ef27dce3d2ac62e55ab32b5a75ff.exe
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\cmd.exe (level 6, PID 3044)
  Command line: /d /c taskkill /t /f /im "" > NUL & ping -n 1 127.0.0.1 > NUL & del "" > NUL
  Signatures:
  - System Network Configuration Discovery: Internet Connection Discovery

- C:\Windows\SysWOW64\taskkill.exe (level 7, PID 2004)
  Command line: taskkill /t /f /im ""
  Signatures:
  - Kills process with taskkill

- C:\Windows\SysWOW64\PING.EXE (level 7, PID 3832)
  Command line: ping -n 1 127.0.0.1
  Signatures:
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Zerber.gre-9f39b703428343ea6f5b8f83307bc03f5914ac168aa86acd7214a85badc2ca40.exe (level 5, PID 5472)
  Command line: Trojan-Ransom.Win32.Zerber.gre-9f39b703428343ea6f5b8f83307bc03f5914ac168aa86acd7214a85badc2ca40.exe
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\cmd.exe (level 6, PID 7116)
  Command line: /d /c taskkill /t /f /im "" > NUL & ping -n 1 127.0.0.1 > NUL & del "" > NUL
  Signatures:
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery

- C:\Windows\SysWOW64\taskkill.exe (level 7, PID 1184)
  Command line: taskkill /t /f /im ""
  Signatures:
  - Kills process with taskkill

- C:\Windows\SysWOW64\PING.EXE (level 7, PID 6976)
  Command line: ping -n 1 127.0.0.1
  Signatures:
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Zerber.jnu-e5ba39b9b74ad9ac430c915c3fb3b93584f4ad16b03a10a2436b4ce9b66f1da5.exe (level 5, PID 5488)
  Command line: Trojan-Ransom.Win32.Zerber.jnu-e5ba39b9b74ad9ac430c915c3fb3b93584f4ad16b03a10a2436b4ce9b66f1da5.exe
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\WerFault.exe (level 6, PID 4496)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 292
  Signatures:
  - Program crash

- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Zerber.svc-085087c7776992c63052994a24afe8aaed428112d03f1a4e0f476e9889cd7a7a.exe (level 5, PID 5516)
  Command line: Trojan-Ransom.Win32.Zerber.svc-085087c7776992c63052994a24afe8aaed428112d03f1a4e0f476e9889cd7a7a.exe
  Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Zerber.vu-f23b33e9204ea79c3dd5a54fa57f2b97709ba30a06fb01f869e1ab06919a0a9a.exe (level 5, PID 5532)
  Command line: Trojan-Ransom.Win32.Zerber.vu-f23b33e9204ea79c3dd5a54fa57f2b97709ba30a06fb01f869e1ab06919a0a9a.exe
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

- C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Zerber.vu-f23b33e9204ea79c3dd5a54fa57f2b97709ba30a06fb01f869e1ab06919a0a9a.exe (level 6, PID 6720)
  Command line: Trojan-Ransom.Win32.Zerber.vu-f23b33e9204ea79c3dd5a54fa57f2b97709ba30a06fb01f869e1ab06919a0a9a.exe

- C:\Windows\SysWOW64\cmd.exe (level 7, PID 5560)
  Command line: /d /c taskkill /t /f /im "" > NUL & ping -n 1 127.0.0.1 > NUL & del "" > NUL
  Signatures:
  - System Network Configuration Discovery: Internet Connection Discovery

- C:\Windows\SysWOW64\taskkill.exe (level 8, PID 1068)
  Command line: taskkill /t /f /im ""
  Signatures:
  - Kills process with taskkill

- C:\Windows\SysWOW64\PING.EXE (level 8, PID 4376)
  Command line: ping -n 1 127.0.0.1
  Signatures:
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 6684)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 6912)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 6952)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 1068)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 3484)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 5124)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5820 /prefetch:2

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 5368)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 6184)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,499886981819148577,18218399520563474810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3, PID 868)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.microsoft.com/en-in/

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 4552)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa038946f8,0x7ffa03894708,0x7ffa03894718

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3, PID 5036)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.microsoft.com/en-in/

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 3884)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa038946f8,0x7ffa03894708,0x7ffa03894718
- C:\Windows\system32\taskmgr.exe (level 1, PID 3096)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

- C:\Windows\system32\taskmgr.exe (level 2, PID 2708)
  Command line: "C:\Windows\system32\taskmgr.exe" /1
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\System32\CompPkgSrv.exe (level 1, PID 3408)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (level 1, PID 1012)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe (level 1, PID 4968)
  Command line: C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe (level 1, PID 2664)
  Command line: C:\Users\Admin\AppData\Roaming\{34607000-E419-7E20-C3A7-73A5797B02CA}\cmdkey.exe
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

- C:\Windows\system32\AUDIODG.EXE (level 1, PID 7140)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4b0 0x314
  Signatures:
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 1300)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3812 -ip 3812

- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 5668)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5488 -ip 5488

- C:\Windows\System32\svchost.exe (level 1, PID 6208)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 5744)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

- C:\Windows\explorer.exe (level 1, PID 6388)
  Command line: explorer.exe

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 4652)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (level 1, PID 6176)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

- C:\Windows\SysWOW64\werfault.exe (level 1, PID 5720)
  Command line: werfault.exe /h /shared Global\ee6d4b586b284fea8b989c66882f5ce4 /t 5592 /p 5584

- C:\Windows\explorer.exe (level 1, PID 2172)
  Command line: explorer.exe

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 3756)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

- C:\Windows\explorer.exe (level 1, PID 6356)
  Command line: explorer.exe

- C:\Windows\explorer.exe (level 1, PID 3840)
  Command line: explorer.exe

- C:\Windows\explorer.exe (level 1, PID 5660)
  Command line: explorer.exe

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 6104)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

- C:\Windows\explorer.exe (level 1, PID 5308)
  Command line: explorer.exe

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 5000)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (level 1, PID 6744)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

- C:\Windows\explorer.exe (level 1, PID 6872)
  Command line: explorer.exe

- C:\Windows\System32\rundll32.exe (level 1, PID 5400)
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

- C:\Windows\System32\rundll32.exe (level 1, PID 6492)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 5524)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

- C:\Windows\explorer.exe (level 1, PID 6528)
  Command line: explorer.exe

- C:\Windows\system32\taskmgr.exe (level 2, PID 4788)
  Command line: "C:\Windows\system32\taskmgr.exe" /4

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 1384)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (level 1, PID 3320)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

- C:\Windows\explorer.exe (level 1, PID 6272)
  Command line: explorer.exe

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 3292)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (level 1, PID 6960)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)

Persistence
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (5)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)

Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Peripheral Device Discovery (2)
- Process Discovery (1)
- Query Registry (6)
- Remote System Discovery (1)
- System Information Discovery (10)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads
- C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: cfdfcc79a21bec5b3933d98e8b510916
  SHA1: e7df8e4e4f8d0c86ef432db3f881bf1c92206024
  SHA256: c80e0ea0c6c2a138d448fd6bce92e0075a0fb352689e91dbef7fc014eebc3c33
  SHA512: 315b2324a5fadb3b566cadf5b558eb84526a777cc435d28e63d8348d4959e0a22c44263659b0d54a13f386b549bcf787f8101a0698c67a498a06928015ac2082

- C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.url
  Filesize: 90B
  MD5: 361667798e3104257111c4fe3d704532
  SHA1: fc3cef26f78f8868458eb0fbfb0f50ce8ea66044
  SHA256: 1d7f4725ecffd80bc34105ff6c72835fae53c6823f59ca25afbbc2e55987b996
  SHA512: 63d14f62c34cb81b6bfcbad41aa97bcf4c97f4423a3196fe8ea4c0b403951e243b91b65a40bbf2a720abe99216852783f31cc0422f333b2d3670cce7edee92d6

- C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.vbs
  Filesize: 213B
  MD5: 1c2a24505278e661eca32666d4311ce5
  SHA1: d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee
  SHA256: 3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628
  SHA512: ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

- Filesize: 25B
  MD5: 4802584d684cf48646fbd3264a3a8d35
  SHA1: 70213a5335ceec0042fd8eb144a65c4698170f85
  SHA256: 9248925017cfc66884c03c48554874f0a9ff70fda4bfcad53fc534a7cc5bf51e
  SHA512: e10039c09713d44d341366c5b8a76d747b9dd522fbd82e4a45c7f6ac13528ae243d48934726e4fce2ee30d7342512d763249fad5fbdfb45473b8725cc3409df2

- Filesize: 64KB
  MD5: d2fb266b97caff2086bf0fa74eddb6b2
  SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
  SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
  SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

- Filesize: 4B
  MD5: 22d47fde80501801656894bc91506aa6
  SHA1: c5550f5450eca9b24416c56d722b7a6d7d63bfb4
  SHA256: 326410334921c9a003ca819820b2f26e6a31201d54a4b7dec0cf621756e46a94
  SHA512: 8abc97b035bc4a660184b1fd51ef190fc620d4017821d5e9ced6aee82fdc720be05eb412b606c4dcf2edbe354c370609bfc6ea8b5e14b6a26122f37ea5ffc6d2

- Filesize: 944B
  MD5: 6bd369f7c74a28194c991ed1404da30f
  SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
  SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
  SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

- Filesize: 152B
  MD5: 93be3a1bf9c257eaf83babf49b0b5e01
  SHA1: d55c01e95c2e6a87a5ece8cc1d466cc98a520e2a
  SHA256: 8786fd66f4602e6ed3fa5248bd597b3f362ffa458f85207eaa154beb55522348
  SHA512: 885b09dd3072921f375eedb5f0575561adc89700ecfbe999bc3e5ea1d7cb45e19d85c5e420f2c0a12b428742e1110e66f4ceecbe5a6badddd36cc9e0aff48e52

- Filesize: 152B
  MD5: 6738f4e2490ee5070d850bf03bf3efa5
  SHA1: fbc49d2dd145369e8861532e6ebf0bd56a0fe67c
  SHA256: ca80bbae3c392e46d730a53d0ee4cfecbbe45c264ad3b3c7ee287252c21eaeab
  SHA512: 2939edf5e6c34c9ea669a129a4a5a410fbbd29cd504dc8e007e9b3b3c7fbb9bea8c14d6177ac375d0c481995774a02d210328569231cb01db07b59452333b22b
- Filesize: 22KB
  MD5: 6cace5d14aa5a3672392c995525d6802
  SHA1: fa6f420285842d10856f667943c516f459b0fd37
  SHA256: cbc9e3f0a1301a55e940bc8ac38e6e6fb63765b78192a4850c2e1bb3f3238a83
  SHA512: 09c0620428ac5491cbd1678dd3167c0c40f1366cdfd02c8b864446e78a6c90fb56e8729113c3d2771c19f4e6b2213150c275667ded14cc79230372c243a94078

- Filesize: 32KB
  MD5: 612109e2b2700655a0020847697261fe
  SHA1: 0328b9c72982b69ea9f1c5aeb79220aeb6bf3142
  SHA256: 6d3f599fee7c90b78295c1d632f36983034a77620d46a42f58d6a79eeae61f2a
  SHA512: a1768e796041db155c5b54eaf48609097f36ec579fe8c4ff740f0ca5a6448d6dba7f563d2fe7d00fb1f1a25bed3ad337148a377332f7ff9ba32fb6959948f1d7

- Filesize: 47KB
  MD5: 00cb15dd0b5a99d219dea7a7e1f58499
  SHA1: 1e4895afacff1939289e3a70ced6636fbf902542
  SHA256: a919b203fc48d2bd0b12c4bc594e801d522ae335470f3c172086fca1c0f05c3f
  SHA512: 63451e3dd9784319af9ffefda5ffc1c671cdc174f5ef07ece2c85ba2416af1d6226418b142dfaa87b38aa7b298957c0fa9b3d2cb30cc2ad3b7d82b9fb264de9c

- Filesize: 28KB
  MD5: 6e75a94d5f7170a1ab532d32c2a35755
  SHA1: 9c1b6fff544089941bbeddbcf529c3f0b46d853a
  SHA256: d87d0a7a7fe2c36d1dc093bfe56e9b81b311988789dbd3b65abf811d551ef02f
  SHA512: 27cdbf98a3f42510eaeb28437e3c4661734b685d63eff5e47364ac46b73de617894edcb19ddd9afd955de192cfd8bb755998ed609ec2c279e9afab3db2583175

- Filesize: 28KB
  MD5: 72095568168d6a31e051e4d531759151
  SHA1: 8ebe72ef4631721d800aac28d854c1d1b952fe24
  SHA256: 6ba0d1a726f1887bd61727b308ed0be0e73edba17d4ad11b91ab19b632e078f6
  SHA512: 17f1417d99d76e46601d483f8516731e18ca028221a57c53d557e00f9627234576d62eb3ab5eb5faa13ebc1d8bff047ac86b1499756bee22ffb76b998b7b19a4

- Filesize: 29KB
  MD5: 4c38c2a78502af8dfbfe0f71cc49a1ae
  SHA1: 4b8c845263b3696e28cf3f313e0214e22688a750
  SHA256: 1232bbdbc5d205f3c5a40efa5ed92839c79e7879d5168445cc47645bb93f7d1b
  SHA512: e60ffea855bba4241daf68af6bd3c1967211a215ef281c7dac8311756a0781d00f529ff0ac5ce789238a4215eb1540c6c61c69d650cb2027c3c72cd475dd7b9b

- Filesize: 33KB
  MD5: 36397a3bc139c6e9f81d383f060f080a
  SHA1: 3f4f86c10920d4ed345f4858b6cde9f93e1aeb81
  SHA256: 4f7f4afe26e71fa9ca1dac4a43b557a554a46f53251d849f07ed08a04829d74b
  SHA512: 7fff4870e9142e6e1921f8dd78e3b049547ec1d540efe573c2938f8b855db61ba908fa9d3c8da1bb2aae6d95217a586d256b9ea2bd8a8f706b1db75bc21f2cb9

- Filesize: 26KB
  MD5: b7640425501065524cec27d4a55a85ed
  SHA1: f254c388a65efb4b271c56deb5685a77ebe09d9d
  SHA256: fe8a1047376498c80a157d13555e42a92ad480fcb0bcc9de51ad1930fbeb7f91
  SHA512: 9795975f44bcae6b73979b221b1c544ac943bce0ed485b266749559ae95d39641e09c458f2ed20f4667efc80ca2c47dc6300ad4a3e5ce1d38aa94e014d61322a

- Filesize: 38KB
  MD5: 2656cafdecef63f5d299dd84c413ba1c
  SHA1: ff28c8d67083a02322b2937f7e76413dfd9aee93
  SHA256: 2021f9e67f753d858cb45a4d435f44d839c2d0fc78cd517c30280b0e97886f28
  SHA512: 63272c3be1f754f271848c65b33f7db665022883714731e807052c9e2d390ddf29b75ec1d0eaf4aac107c10377d50e670b580afbd314ccc4a0bad36cab1d9add
- Filesize: 35KB
  MD5: f740a7b917fdc9e82ac7e97bb0049016
  SHA1: 0578738b4ad4557445b6544bd507211c7eee141c
  SHA256: 4820702e03f0da1379816d813470bc292e2307f74efbc118b316cebc01fb6fab
  SHA512: b4a8df613f3d366d33df702bca93b207d60c9f459ab01c576a73fb60dee394310d76a61ebda9c356d169d029971972deadc5a708b9d02302ff5b75b9b1e4bf57

- Filesize: 63KB
  MD5: 8f13d83c1dcc73064edc68ddead052e6
  SHA1: 36146c5fcdd107b832d8a87e372ad3d5493c1f6b
  SHA256: bfbe9aa8a61d57d0a61917da25681bcc78fc325d71ec0d51a3002de5c1a693b8
  SHA512: bee6397f5afcc435461ddeb9caab125f7f8c8901ef4cd2ec75aabed5b74bbe5b5a932fcd24997031d25f932c4526367a98d70cf23673ac05b3ad8a0d66d14a31

- Filesize: 19KB
  MD5: 10d20c5f9a21b3326205bf9bccc43896
  SHA1: 88a0838d407608ea9278c7b852fbb3675a955c21
  SHA256: 8380545066a7b6605a18d82801ee6faa285a5edc89a6f8278a45d67dff816588
  SHA512: a56f5b20c465f62df0c11ca11db039dd8ed4a12f7a5e649b9eb2c9431de5f2a30e2d3803d16d240ce6efcf3e7c80a184ed65d0c2d7c32f81e2c9266a74de5875

- Filesize: 112KB
  MD5: d434adaa98a0378eb2fb387369790aef
  SHA1: a1f67b254391330c808ba980bec04e1607238abd
  SHA256: b5eba8f553814d48fff0d2c0df334e8cd80c263621994e3ec7767005e00c9b43
  SHA512: cd14874e378e82bf94e08a91c644cf3864a37cee76b453e47a2db2c51296aa78617a8fa342cd56cb820e4ac60bce7ed6e147bb81d8becde8b37ee4fadf333ab6

- Filesize: 68KB
  MD5: 8323cf59a1860afd03aaee77f146e3de
  SHA1: dcc30b913f5ee92780d78f71877c59fe220b141c
  SHA256: d901c05f3532c2bd54a7f4ad02718c18efb30af9e34b2834766cf27a835ef294
  SHA512: 5aaac41ffff765b14018db5b79d1b545d98a363ce997fd0c1c0ac1d86f1c360e782d29e87c44c4ce313971ef2e53c4401de52cd8d0dd71aebf692ee36e184380

- Filesize: 25KB
  MD5: d0263dc03be4c393a90bda733c57d6db
  SHA1: 8a032b6deab53a33234c735133b48518f8643b92
  SHA256: 22b4df5c33045b645cafa45b04685f4752e471a2e933bff5bf14324d87deee12
  SHA512: 9511bef269ae0797addf4cd6f2fec4ad0c4a4e06b3e5bf6138c7678a203022ac4818c7d446d154594504c947da3061030e82472d2708149c0709b1a070fdd0e3

- Filesize: 26KB
  MD5: 6868d5c6b506140f415854ddf02b9a2e
  SHA1: 0bdc58f04aabb487141eddc3fb8825eaa021d2c3
  SHA256: 1fdabf621d252d1e0d68f2889cf8cef8edb58389f06d7bfed5beccea98449c50
  SHA512: 1f9bda73faf08d6d9bfbca1ab056933d61395c986f7ff561bfd429cfc408aa1500018accea15367eaadb140eadf82a89a89991472ddd2e550bd254fc9cbe8ee9

- Filesize: 31KB
  MD5: 4da57ad345677d3d20cc6a06b5b873de
  SHA1: 1b3a7653fa69ca57d830138182675eb591371a12
  SHA256: 4ed625c6bfb1193d20d5b79873ed1d52715b45b14cb3344518a2e336c21df801
  SHA512: 9252082c58e98268247583f0a9bb259f72acfb0f0aa6b8c60be5755790e65dfb54b8fca9ee2f610ebd493405b179a5a97650de17bf7be95a0a6b4021a4b8a9af

- Filesize: 272KB
  MD5: 5f524e20ce61f542125454baf867c47b
  SHA1: 7e9834fd30dcfd27532ce79165344a438c31d78b
  SHA256: c688d3f2135b6b51617a306a0b1a665324402a00a6bceba475881af281503ad9
  SHA512: 224a6e2961c75be0236140fed3606507bca49eb10cb13f7df2bcfbb3b12ebeced7107de7aa8b2b2bb3fc2aa07cd4f057739735c040ef908381be5bc86e0479b2
- Filesize: 40KB
  MD5: b786554392ab690a37b2fc6c5af02b05
  SHA1: e7347fa27240868174f080d1c5ab177feca6bd84
  SHA256: ebe47cc89c62447316148809bda9095bd07bd5392a99ab4b8ac8b9f6764cda51
  SHA512: b71cdb76464a775fca909cabd0a7435c34de3ee4e19c40f5bebba6415295f0be2f82532a2ecda043c787ea4e8c23fd4e582a4d4322923fdf603a56e3fcb8b567

- Filesize: 51KB
  MD5: 238d677a325e264bdaa631bb7687ee61
  SHA1: 75f19a5eececd9fcaa15487eb1e6395d121a7da6
  SHA256: eeac2189f5eaac434001c24cc412fb547f9173ed8be3e9fdf05f041615594672
  SHA512: 2859088daa8140e14ed31c8f197ee50d6b415176e13aaaf7e2a309de52869c126c7f0607158d10a8c2f1a67a8e7091b746b7111c78d3294177f673e2bb400f0f

- Filesize: 21KB
  MD5: 942e2ba31d132bbe2486ff1e36883a86
  SHA1: bcf42c590a69f66c3a2dfad64842e44913b69778
  SHA256: c592232c7a1dc346f52af20881107d4f337fc6ebb50cf671c03a3fd01f64da83
  SHA512: 5f52f31e1882e074500897243b4ba1413758fdcf535f47fe9ecafa15436c68195477f51cd3469dad4d8ffc391c30e6e966280c088d4b7a5c50736ce85b157caf

- Filesize: 23KB
  MD5: f5805e8a21853c153c11cb39cf2a8bd9
  SHA1: 9ef22003d0b12ea372b8745ebcfa3ef8c2679aff
  SHA256: a4023b4d1d4a62eae18aefe9d69b60f04fde7defd5cf9d4aca08d4d8c5fa2876
  SHA512: 46bedd03055cb82bfb42e71eaef086fa13d2e4f271395ea7d227c257c9b216b4f661bde196121b32e545a5ee4f62afd749b3453bdd5d7e484f4135eb629e659a

- Filesize: 31KB
  MD5: 7e61b81d224f6405bf3627ef89edbe9f
  SHA1: bda4404ac1e59abb848668236e7300efbd824e52
  SHA256: 0df8f825e0c9dc4f2b26e453850346698aba3628a00e5388248f79b0867252b7
  SHA512: 7fb9f50d6808cf2d8a0ef4e7a7e4dedf228fb848442f02e3853749b5e5aea026c733d2c1f1608197b4db4a1a4ce04119442c29148e2ce70c980adb2c040029c0

- Filesize: 118KB
  MD5: b545221e8f2f154ee6907ff5e689721d
  SHA1: e44887c94231bd08d4390f21ea0f50fd31f11685
  SHA256: 1a340880d20c9fd7de77eb0ac25ce7f6e50d7d64ab5eea248208705bd39d7ca4
  SHA512: d05c1d16c755b389d9e41c279221ca1a15391940e5cefd3eb27f918c10711b60a58cf0e03c4231a8e8d015daaafc5b1856432a431a8e7b02887d17d2b4abf97a

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 744B
  MD5: 326db504423f9c87e0a7f608edd8ecb4
  SHA1: 62abd26bc716a3f32b3006d766d7391f440eb9fd
  SHA256: b2581e480234374267a591f68d754f6a5350d98499038306fb4cbdee5d2ae7c4
  SHA512: b12a9ee93f52b96e34c6ab537cbfb27afcbf77b6d30f14e51e4300afdbe63b5e7415bd0946ccc5387213997473abfe0e205d0ea252806db9bfb991af22ac22e9

- Filesize: 1024B
  MD5: f6da39498c839436e91e049a29269cea
  SHA1: 5d7755b49d929b7475688f53f78b820c8480355d
  SHA256: 2b796348b8ab39e05279fa3a797a4ae964be0f1639dc4872a9b20efff49aed93
  SHA512: 388a9d3e5a3aa61847a5fd5c764d96c300a96061e1c37af0ab0c2afc580510d402cfe13c09ad699bb40e3a422cd6573eceff3547cb856b0e8e347c02d81e7ff8

- Filesize: 958B
  MD5: b11a0a61b1674cec71cfa5cdbd5f8363
  SHA1: c878b17d20fb4ea8e417d4a2cd7eb59ff8dc896c
  SHA256: 984b0d3e5d22e5553fbc8af644ce27745b017f3ccd624e28d3f36e5251e2fde0
  SHA512: e51efb30b0f69a2ec8a2b04185980027bd542b04525964bdad2d7bb4fdcd4341890ebfa082add41f5927e0c42395669546fe19ea79a7253a9e26cb605186cf27
- Filesize: 7KB
  MD5: b7fdbd7e3633568b54035fe8f320b769
  SHA1: 6767cc5781d31b0c2257df22b8cfa445de1b8d7b
  SHA256: 204d4d8f015871e979e39d6aa8b1d59e1b17e51aea778f8afb6bce6b105b3036
  SHA512: ee1b8aaae84a41bb727b7f89e89b1bd3303f15780fb64165c92d6a09b20766fe8fed8f0734f5b0998902764dd462f8ed1c04b23bacffc6710fb4c873c5d15219

- Filesize: 7KB
  MD5: 56ca12144b753494f62639d3cf0022a0
  SHA1: bebf2277dcf6472041088e100c58ff47449e1188
  SHA256: 0e8445c53ca5b520536ff947a8a8a8d0ead624e544d63e699c929fe8c5e23cb0
  SHA512: bfe489021a37b3a87b3f56fba069d51edfdc537ce1ae4516bd1fbcaf66658a4808263ab9441bf3b3dce07394682117737829819fe4320dbe8aec56ffecc76d55

- Filesize: 6KB
  MD5: abd1faf11a1c65a30eca95ff1620fdea
  SHA1: 2e688e7b6ef7bfc6227a95c1720ff1bb81eff7ca
  SHA256: 779f3438dfd008bad87aa94f4a2f27a0bd552b26df881d2c61e24f75bbfdeb5f
  SHA512: b8c58f87a59b94ab9085c4a258271db51d4e116e016c252107bdc1cdecbd9ca1942fa10449003cecdcdcd2363e30ee94bed39b01caa3e17494bc8abc53fc546e

- Filesize: 7KB
  MD5: 3196f483814c44dd279e78c412956d8d
  SHA1: 32aa680e0e51a5f4686c852eb26e424a22b95810
  SHA256: 22688d716a6ad5e5a9fda77f99cf7bbe53c6f7bc793f1eb7af5e97ad7a207d61
  SHA512: 3db99bb583ae97b52f51903e2dece9b15106a422db43e8bf8510740a2810cf4430c1682161ae67569b57b71b80ce373d2ac63091706b92e88c2fabf35661e39c

- Filesize: 7KB
  MD5: cf7a8c74b1db41c1c76c2f7644e7c821
  SHA1: c7d8fb270d2ad140e4cf85ccbf835880edaef95b
  SHA256: e1bfd719a220ad76011f469695cc4640fed04ecf8e0cd6d9cb9be86c344a699f
  SHA512: b6eb36d700210d5acacc623cb81537726c95a1bb4957be9c15e0082974d15d2d799793224f2307fd9af981e274a2915e308ade9428394e01bb3a18f0766f439d

- Filesize: 7KB
  MD5: 0a39343a24f8869363ec485d79507a65
  SHA1: a09f33eb237c16a1a1432be9c9e75566989f795c
  SHA256: 1461e20b743fdb085693de22b266fa28c1cf447b6d3b2f5122e6de06d407b880
  SHA512: 72667246fe526a7cabf586ce2ce1d0dc4fad908d3dcc079a0ddec0e9741c0e4b04db42c34c0384405abe6b85059fb4bda1b0ffba8401bd6773d2bb445239dd91

- Filesize: 7KB
  MD5: 153a23f3cb64ddddbb16db5e5bb05008
  SHA1: 849eff26a282e3031ed8c5888b76634c5d042700
  SHA256: eecf230e5b57daea8787e9a71e4a7dd49828e484df96a25842db8c5e87d039c7
  SHA512: 1dd620f1ef237c5359f67be01aad6347cb97fcbbeb45b34efe6c41577a15a02fdde1457c7d6d0ebd2c10a37d26d833ef1ddadfc3bd2405d352a723b7fbe87a33

- Filesize: 7KB
  MD5: 2b1bb7a594bb828bf7785934980d076d
  SHA1: 0895005a18ce2f37a696c88b20a24405ba6d4ae8
  SHA256: 2bb1fd590810148b3527dd63285b763e1a91cf28d603cbab215c1a6823697ca1
  SHA512: c94e533ee98c62fe8a13cd02b0190697adb56a6d3240a68d353a81a3faa75df03dec6710611bba1fb2bba04540723c89702c2984c9768365c1c8c93780c8745c

- Filesize: 7KB
  MD5: 455cd5046917141832dba972ff5e2958
  SHA1: 0e1b389324b8bd6f45b7babb53f9e0a58a3f8d65
  SHA256: f2dc4ef1432051cc6092f8cbec5dea270b1bf6aea48bc5132353fb4f771512ca
  SHA512: a94d825cab57d1692aae307322a1cb911067ae9f185eea9ecfc680f90a47a6167ee01c075c6be0e8042edaaf97555f58e20168f6da4fe5163d8ac53ea8554ff6
- Filesize: 1KB
  MD5: ae988d84696316679f27f37cc0915014
  SHA1: 2aa88632abfddb8b1f9ae3e0dc5c5ef4826c8a34
  SHA256: e1f8b97471284de07fe916bb04028925ec89dbf8c7f45ee874a84f27e3cb76a9
  SHA512: 79cd56b86e85680cda8557da6974ba31246ada7375d634bf00562b9d1cf6eec5cc7f681b0b382bd1887d3e3d7dc1ebb9f93c2627076f8698d4079ecc484903d2

- Filesize: 1KB
  MD5: 287bece7b36cbe8eb520533c6f06b79f
  SHA1: 63ff0f5cc128e81b17430aecaea007addd9d4e65
  SHA256: 3d9956897afd6f65c47f558f356c3d75de31c8d79486e53087a9fb87e17cb59d
  SHA512: 77912ae4d65c8e90f6d1bc79bdbdc6c2429e7021fe00b06297e038cd422a670ce5c7f7bbf293ffbc81330e5294b1b39c667ba3207aba57b2a1be1a4591a95003

- Filesize: 1KB
  MD5: 1208e890eac3454d730307e44620c77d
  SHA1: eaa4d3753d4144a73bf932c596349379346f0819
  SHA256: c31f25c05ec1761e7436205d422d86d284fa965a91c8407b0fd316f93eda39c9
  SHA512: b926a28eed4148ca0dbd2c39837c60859de837bacd5c5ece60e908ee8d804c3f51ddfb2c123ff14935149d29c143353debaa2db6f38964a6bace3e78dab2ef97

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c3de0da4-bd85-4b7f-ba4c-5690cb54a6e7.tmp
  Filesize: 1KB
  MD5: e57f2e2f7babac47a8dc01fc41513667
  SHA1: c0d77e1246b9d456f4a78a0d8615af527219540f
  SHA256: ec02c140ac20d7146745ce6d88836b10001ce69fc086d40fc8d230033ec43781
  SHA512: 07015319a0840c2a7aad917f6e057d03aa1c4aba1492c3ffd745b08e2e6bfe54aef448d5b8cd6046e0ae2c311ee25bc1be8b35fadd13dc085288392889d53e3b

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 14KB
  MD5: 988b0cc85cbccc47056b2d13becd6ad2
  SHA1: 1649ab5895b89a9a28fe30c40f1e096e1ef8536d
  SHA256: b31d452b9307f2e113c9bf9a0ba0c3768b05ed637df0fef6cd6eb2db145fbebc
  SHA512: 675b36762e8095ba4bd146348a028152fa14f3ce18334c9d060dcad61a95d6f9b9a9090b404c9273eba548a9bb66cc6682881c596fb9239e2320433fb7c0f73e

- Filesize: 11KB
  MD5: 61375d6d623f2033d97524c27a5aebb4
  SHA1: b99e577b5003ea6a00921ed9bbda9f775e1f8df6
  SHA256: 96179ac7dd140c758dd5173742553e9d73e1d7beaa0125b722b18fa8cb93a9d2
  SHA512: 75f5d23f726c671e7572366f75242ca98e037258eb454e8602e2c682100dfe8e689bb7af30f616c070567565dc0b52ae0b9e634bd672602168a948eac96a5836

- Filesize: 14KB
  MD5: 4a590266119ac8432d0482f5c1196a2f
  SHA1: a2dd6e40945293ffcabb92d5fb356daeeebfae3e
  SHA256: c04bc0098a85f9f78c0220eed272ff8b00e8768e35bc715a12c1138b17493e32
  SHA512: 9eec3268001ce756e742792a140d40608cd6b2c888aa537f2f071e9e90d11806c38b078c96892a31e49761467c505b4294f3fe887112da02b4977740bc74de79

- Filesize: 14KB
  MD5: 22a3aa44f2e2d99d77f62b5df814e644
  SHA1: 118f545058bb02be6c6e6d6227efd347d2f98aa0
  SHA256: 83cd5f485725a8fc67a1af2b416b24d066fbdfe815bef3c379fb97cf4440255c
  SHA512: bd385a36afd6052d2016acd2ab9b4b5d25abe5a84a161179eae607fd9a82c9813a5380aecebcb05412d5b3ebcb6bf9cd4b7c10904396ccdf5f17a13ce399b469
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5018NUY7\microsoft.windows[1].xml
Filesize97B
MD5e3c88c5e43419a9341daaf3ce9d842ca
SHA135b177cc342d7694793ce3e4a2b09534389ee1a5
SHA25689c375db3fb0fc28facc892ec859010d6b9e0209b53e0960335e84ea59e42095
SHA5123946bbb05f31d9a5881a541787d8a72b0290496d38cc1970210a86a3cbd79accda669dde84f3ffbe9023e7f5a5577ba33425f39510a47e1202302abb074f6e8e
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133849034479041563.txt
Filesize75KB
MD5be0526a81e1b02069cf0702af28a7613
SHA14f283918dc54c210470560ae65140d67633efac5
SHA2562c59df51a07714c115254ec45c3be2b855ae825ee8735041afeec2d8be990f76
SHA5120b086d8e80f5343f565869a67ac58ae6f4cce8eb2ce87d2a7a908e5638e47888013d8a379c662256b5eb1a5db04ed7c9d4140bd4a47c87660c32a4e159fb686d
-
Filesize
14KB
MD5b0ab1dea9b0f968618bae9c9db013ff4
SHA19a32a48ff06a47733c517099be25c328eb481e61
SHA2561325a298955026c4478d7044b0218b17d82f628eb5098a9a017edd70f3b6272a
SHA5125e6a76f3223969e801e9c6f6c24e85c49ad5c31e92311971a262bd93342a5de756a674aa8081437e3e5feac20774dedb2232cec85051b12d451fe1fba07b527a
-
Filesize
2.7MB
MD581cda088cb79f851e63a2fe0a689c526
SHA130aca12985427d200ec3a9a2326905e56420e95a
SHA256a900b335b9ad0363630d9517d99d4f636b84a538f40acfd6dff9391702d30c9f
SHA5127a493f83e1590fc8f264e80a8e3425f002b0fb7b0adf42c402809fad81a463b3aa53d7a1f1921168595dfa6fe2aaf25fe14a527bbeb76a0a0827611b6454a23f
-
Filesize
705KB
MD54b7a31cb77852c4cb74ca95d211b59b9
SHA12099431d1eaae3f3201155978e9b9be32e87a7f6
SHA256decc6aaa47e3638274d36ddba487668100573e3726d31de9c0fb3cf6db52c635
SHA5128f27d35a0fd5d5706bba24be346f845faaa542662d4f902f54e11c4b2885b7f236aa7a57a5a5dc4d3e995ae0a238c1cda2a67e1f73332f1fe16dca1c19c7e512
-
Filesize
476KB
MD5e228dee6ac4f93bbcb8decf510366eba
SHA1045bd9fb34213ba828fab91e13886c358ada4733
SHA2567bc781400b97b7cf3db9c75676293611943213e31ee613cd5df678a2146e531e
SHA512a5a7cd20926355ae3c49f06cef12b7e2a5d8fdeca1e2fc7c3c9faf9a5f04b99486c72c30b55f08c3e48c2336f1ea58a1982d2701064160d03fbc0e7856532a95
-
Filesize
156B
MD51ea9e5b417811379e874ad4870d5c51a
SHA1a4bd01f828454f3619a815dbe5423b181ec4051c
SHA256f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
SHA512965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa
-
Filesize
6KB
MD52a05cbe58bdf3ec425d2a6570d4cc94e
SHA10584c7c0aa4ab366d372f2209e11c1d2059344ef
SHA2569ea590935f274f7fa2d5bc4bb7f6c49df28029bd1770ae821ba003eabe422d74
SHA512159b15aa42203a817c4e4a377693542abfa6adb3702315376fe5c5dc93753dc38a153e49c7a57d3833f3b992fa11c8d97ed716207ea97eb79e4008b9c9b64309
-
Filesize
506B
MD55335f1c12201b5f7cf5f8b4f5692e3d1
SHA113807a10369f7ff9ab3f9aba18135bccb98bec2d
SHA256974cd89e64bdaa85bf36ed2a50af266d245d781a8139f5b45d7c55a0b0841dda
SHA5120d4e54d2ffe96ccf548097f7812e3608537b4dae9687816983fddfb73223c196159cc6a39fcdc000784c79b2ced878efbc7a5b5f6e057973bf25b128124510df
-
Filesize
29KB
MD5f1fafe62ce42fe8d8a017cc6c32a967f
SHA17c822973ce0aba5ea5432e2ca53d5ca33a85b595
SHA25687488e0a7e27d0f46e61bb7d1b5302f1c02ebefa15105ae42daaf9c9573f41b1
SHA512376c50e552e141d6bce3cc5fad7d9d7bd84dacffaf4ebcf1b52d91f1c01dcf9446a83a1513b95147ff85ea081ae2e17a4d0a1f56c87a6f2a1be61742370f1837
-
Filesize
14KB
MD5a03e33899b59d68d748aa83ed057218c
SHA196aba0923ec32b0f38e0f5db69d1af89182125ae
SHA25637044c9bb7002b22ab671cc5e5f1c605c8bdbedeb1e76c0199dd08960eba6989
SHA51260b734ebcc9dddfc0b7155dba90848a1f31b07b47a6fa4cc5adc1b6c48ff0ee0228553560464b87a3800d8a8ae31809ca15d561f78476764962b30a23801c5dd
-
Filesize
617B
MD5b9939289baf40d3c517865f25284beab
SHA1e2bd82c8c9984621f3cb7c6b2eccb36ca31ac1b5
SHA25618b9457accd6eae454ef5a1722e453c5cecb634eb3d31e7726b35ca38ad0602a
SHA5129262052702c235bec1e6c52a2283a7b109e76e80a2abde303b1f478269d99212b3d0f5e6ed51ceb3fa520731f4c1f28773b8856b116e07f853788fe92ec89f39
-
Filesize
330B
MD5ccf0f5b76f9bfde3a0a3f135631309b2
SHA1079b1bb6e15ccc6f7db5ed85fa538a4b376e570b
SHA256ed7f434e52910bef93f040dba887a0acaa670cc71473899b7a18080f34f2dd78
SHA51262abc106db0e9abf533dc39c936ebf5e182dc1c75eebc8bc607f34bac6c70e9656cb711f48b5697b873de4570cb62d87b9eefbbdf77e9a1c567faf90ae039713
-
Filesize
16KB
MD5d9441b065d9b0993d621e5dc5d710b61
SHA16edd6737cf0ec53f284b0f082be7320dade56485
SHA256c47e4864d1bfcd4b6dea8d7c8986edf9a01e8b17ed2bc9a64c051ad6080f170c
SHA5121ce4a8bb396fff94c1337dafb7962c0bd7773bb4430638d5709d9263050f6de9d235bcaccb922d7152efd0821e2f351a904cc22987885aff5f9a1dab7f756563
-
Filesize
331B
MD51bcf608232da7626775c4aa9df58e77d
SHA1fa5b6adabd3803dec06602243c2a3d5a6cb55d6f
SHA2561f51a0e776031a689733ffc64dc744855ecf334b40f1591edfdb866febb9f74d
SHA512f07bfd1052ca51bf42c934a802a00a876787cf6ab4bf6ff42ce16952245b7b790a17036947a7d0979978c434d0073840e8055734950e9f37b38c7fc4c177c676
-
Filesize
15KB
MD59cbfe21598e22b7e292489d01f29da38
SHA1f5c706a973d9acada9e181f2d7e7404cadad66c7
SHA2560cd05b6abd82fa0e127817630d9ef21aa1ddc1e96ca5949ce171b03059bb8594
SHA512493dc343883dee2800cf0f409c5c2f87cc2a70daee19544c0361e6f9ed3577d33c67069cee0c05b7dc0f0ee91f75b5b70af90609d22d5dd86b6f892d9f43f167
-
Filesize
9KB
MD5afc685139a108e33bd945d5a3ff64122
SHA10a8010919ce9b60896e23d0db54fc7473b350ecc
SHA2564d70f45a9c69d8ce2e630214c1b2871454d631ccf9d88976470170d0e106acbc
SHA51262cf2171cc4a8e0a2e19608571c465ec3c038dcbe0f9a054a3c14a809a434b89868fb080bc15f94a5e4caebf987eabec966cce12cab14d4ce05858a65058534f
-
Filesize
160B
MD5043c0216d54611ad90d2375463332679
SHA12ecf7f437ab576377578362fbdca3d4a87be0fcf
SHA25673e025fcd36fe9e1688aa3be0bbc654372e69e65426aae076323a091641640d9
SHA5129f199073456db9e012cdef7473cd92be3eaeced6d0e27a2f7d2da506b94b6ae20b5ce58d560b89e2db3cd2ae50dd7bb09cfbc77deff585cec05db4189bcc2995
-
Filesize
946B
MD53afc187f68a37975b9dd49b5988a11ed
SHA1bd4ad670558604a428028f48ff339b409e8c13e9
SHA256867d3788800f55a14d1bfeb3f10f7b12ab1ba47329a98e2a89546e822a64fc82
SHA512ac31f118646b6221d3cd181eadf712b64d4905c936c1687d37bb9118a1ef908c76f6c832adb0ba772a8b705e63ce9a6986c0622df5e1113ce9473ea34f76ff3b
-
Filesize
2KB
MD5e3758d529f93fee4807f5ea95fbc1a6c
SHA13a9a1ba234e613e5f808c3ffeda05a10a5dafe00
SHA2568d46eb0c60043dcb7d79ab3d0525148fc901764620c02e4b9c5dd8b0e9026303
SHA512e891552bee3aa10247cad1fcc510331077016a6e71d46827be2dd46017f943c5acc2c1506b41217880d35d52a94989923ad0a345f8791da4bb379eceefe3c407
-
Filesize
38KB
MD55e468b1bc6e76ea6171abc12a1878e0e
SHA1e7c44921b8efd0ae866f5d8c28e225ee18cfb746
SHA2562b5ec022a7116f72171e69279d749f2030b0eb337c2da9d7a4fc142da365ab3a
SHA512b238ae9ab704cff72b1eb0b21ce1e7730373e0606cf20efc95f2384776102bb401487e119c77e5afffbcd2ee6fb6371c900745f560db0837d294f63abd4b9cbe
-
Filesize
15KB
MD5f8d9d9418e6e1827ed2b53dd930e48fb
SHA1c78b0e5b274dbbfd032a0f3ed795d82d5ea617c8
SHA2562a2878b54550178144665d4c5f67309f71f1089679ae0f84fa419b8a309a88e4
SHA512510ac31f9e330ec2e6133c1cbe775a955b79b94dc5a84d94b2c59d9b513c35f3786ff8a7f706d04ec2503a4ffc16535624a34e0dcc53e91eedd2321691b617fc
-
Filesize
11KB
MD53e6bf00b3ac976122f982ae2aadb1c51
SHA1caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA2564ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA5121286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706
-
Filesize
1KB
MD582e4f5a9a47ada08e219c2c75f5258f7
SHA12db6b81f7344c3c8c186ba1e014f17fc7dddc95c
SHA25644acf49abe95745d87d38f4650b7d96d61762b7055b2f7434a05d737dfc0a397
SHA512487fed84ed839ae2e905ea0ef53d31519d4719cff94acc4c0de1dd7db61cd76a5c8575b8abc8d507e7304195e727f7454d7d65fbbc9081572c16126de60f8a8e
-
Filesize
638KB
MD5ac5181029e7cd72244cce8df1953845d
SHA13541bcf50d39573c15f87efd544d72bb5028e2d1
SHA2569b2699969896d0b301ab47e2f2f7f2051534ea526d862d75f4cda83b29408348
SHA51210ad163317bc0aab11c86f67e5cce92c3f38cc6e0b941f41c7844bf4a3e8859ac777dd7a452db85a52b18dc7565bf31384b31d9e683705d0b899b1299b25b1c1
-
Filesize
539KB
MD5cd862b423b01c908ad9a7a6a479ed642
SHA157cbff6535f018b2d5a62c30aba7cf6387ad025b
SHA256530326ed9cafede731a478242b0f1f13f7263c1bec156adb2f3f26132667464d
SHA5122d0ff8cedae6f4e6e55feee8b4ff2c75033516a3f2e584da23cf848e3ece54ff549b432e6df8f90c4003832dc30eea5bcee46c2028893b0fc351afd86ad18148
-
C:\Users\Admin\Desktop\00269\HEUR-Trojan-Ransom.Win32.Zerber.gen-98c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a.exe
Filesize296KB
MD543195c18da026cb407ca885e8c6859d1
SHA10a8da444102be058a8df1f2d36ce17d39f987ff7
SHA25698c411c2132a1b75e6a597bde86b9006260585dcde632cdaf60f33886519dd4a
SHA51221346561088351738c548ed8a860d45653128cde69c04dabd9be2a82e8681e7baa48b043b0fab43777712dcd2bbc7311885bb0743861e8d6e4186504854d9fc9
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.MSIL.Agent.ghg-27182f0ac7425531461affe696f276a11dd5562e2fad18905831e94f5b0ae6a3.exe
Filesize532KB
MD55b40982769552e5767f95b72a9d33899
SHA1942fbe4cc7fd4fe18b5bcd04031acb25e6e29d55
SHA25627182f0ac7425531461affe696f276a11dd5562e2fad18905831e94f5b0ae6a3
SHA5123efdb237b7f6fc839cdec573c70b7f2eb2cb4eb3690e063de7436e5dc5c3b9b4c7edab045756a6eafd9303160bf01fe786ff70d09008d8923ee45a9607d02ff3
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Bitman.joz-b6fc8ad904ca0c3028f8f84365637d812fe906dfe8d8c150f80e27a8d78c095d.exe
Filesize191KB
MD5bd301a3f2a3c419209676b280837cd78
SHA19cb7d5951b9d2f45815cdf9f292ab848d26a1e40
SHA256b6fc8ad904ca0c3028f8f84365637d812fe906dfe8d8c150f80e27a8d78c095d
SHA512f8b12915d8da73eb2b484f417329b43019f771b9e13de282539e5c615b96b12cda1a06fde7e75f53468d25ce30fa68c4beb83d6b14160f0c1899f33325769c8c
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Blocker.jhsj-ef5b7665ea1dcc16816547e032d82132832403e6daac70cc5768f26e99ac174f.exe
Filesize3.0MB
MD5d31a3b9124c0df5216b71e7a95738972
SHA124e58c69ad4295b43fd56562ffb6ce3d8b057289
SHA256ef5b7665ea1dcc16816547e032d82132832403e6daac70cc5768f26e99ac174f
SHA5126764c8dd52ff7e4e20fc4332eedb41fde22ab9ab878578caa5f6ad5eb47e88622259dd4167c4b74cb8eceb7b2c79e7744ce849fe74a8bee6eaf7f10274c2f8d3
-
C:\Users\Admin\Desktop\00269\Trojan-Ransom.Win32.Blocker.jkzx-d124c89b0a5a9b1f56f9176c2c412aa1ed2dda64566df4f499105705ea75da4e.exe
Filesize234KB
MD5486eb99f837e78d3f3ffbc4f3bfe1e7d
SHA12a0990da8380dfed3cf50d41ff9b850afdfa3978
SHA256d124c89b0a5a9b1f56f9176c2c412aa1ed2dda64566df4f499105705ea75da4e
SHA5120106511e81978f3559e4878ae29b0548b0734a574917f9f83994ac008a756c2a09700eb8872af56e7e7fd95814a5383dbfc4bb99298584f527f65c8f8eb234ab
-
Filesize
19KB
MD5838c718096f81bd77e0210f2bef8c175
SHA1f6a7e2839261d862e13ab50e065999c6fbaa451f
SHA2560bc5524bfdcf9fa829554ea057980d92ed923b7643ce8623533b40a72c2cca63
SHA512309985ea9a0aee68389939b05fca16662090bfdae2d4f827963413d370b44a39b73c308a85cda9d37310e38b1c93d08f4bc4e8a4c1f0c72c1a3906b489f6b313
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
1.2MB
MD558d5bc7895f7f32ee308e34f06f25dd5
SHA17a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4
SHA2564e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478
SHA512872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9