General Info

File name

ment.exe

Full analysis
https://app.any.run/tasks/7407e9d8-8f5c-4908-82c3-2e5eb1db8533
Verdict
Malicious activity
Analysis date
9/10/2019, 23:39:58
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

sodinokibi

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

0bb803ea960f1f2c88f4e0cd808c196e

SHA1

590053863146f758fcb7a876c02f5d4459aa6a43

SHA256

a91948ce235c8a43e0d5f3915dd6dd7482ecd50aaaa423849ae4857d8504bc60

SSDEEP

6144:viYY7HL6OXYevtqsuJ40gxBekUNYkdOGINJcHC7KAU93Jobv:vdYjeOXX1lFTve53v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Sodinokibi keys found
  • ment.exe (PID: 2868)
Dropped file may contain instructions of ransomware
  • ment.exe (PID: 2868)
Deletes shadow copies
  • cmd.exe (PID: 2452)
Renames files like Ransomware
  • ment.exe (PID: 2868)
Starts BCDEDIT.EXE to disable recovery
  • cmd.exe (PID: 2452)
Sodinokibi ransom note found
  • ment.exe (PID: 2868)
Executed as Windows Service
  • vssvc.exe (PID: 2060)
Starts CMD.EXE for commands execution
  • ment.exe (PID: 2868)
Creates files like Ransomware instruction
  • ment.exe (PID: 2868)
Dropped object may contain TOR URLs
  • ment.exe (PID: 2868)


Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (42.2%)
.exe | Win64 Executable (generic) (37.3%)
.dll | Win32 Dynamic Link Library (generic) (8.8%)
.exe | Win32 Executable (generic) (6%)
.exe | Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:04:03 20:09:32+02:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
111104
InitializedDataSize:
812544
UninitializedDataSize:
null
EntryPoint:
0x8556
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
2.0.0.0
ProductVersionNumber:
2.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Windows NT 32-bit
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (British)
CharacterSet:
Unicode
InternalName:
noxinikiru.exe
LegalCopyright:
Copyright (C) 2019, ghxgfgk
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
03-Apr-2018 18:09:32
Detected languages
English - United Kingdom
InternalName:
noxinikiru.exe
LegalCopyright:
Copyright (C) 2019, ghxgfgk
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000E8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
03-Apr-2018 18:09:32
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0001B0C4 0x0001B200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.78152
.rdata 0x0001D000 0x00006C30 0x00006E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.86566
.data 0x00024000 0x000B4C90 0x00022200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.92071
.rsrc 0x000D9000 0x00008DD0 0x00008E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.3317
.reloc 0x000E2000 0x00002880 0x00002A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 4.55273
Resources
1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14, 120, 553, 554

Imports
    KERNEL32.dll
    USER32.dll
    ADVAPI32.dll
    MSIMG32.dll

Exports

    No exports.

Processes

Total processes
40
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

start | #SODINOKIBI ment.exe | cmd.exe | vssadmin.exe (no specs) | vssvc.exe (no specs) | bcdedit.exe (no specs) | bcdedit.exe (no specs)

Process information


PID
2868
CMD
"C:\Users\admin\AppData\Local\Temp\ment.exe"
Path
C:\Users\admin\AppData\Local\Temp\ment.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\ment.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\mpr.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rsaenh.dll

PID
2452
CMD
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path
C:\Windows\System32\cmd.exe
Indicators
Parent process
ment.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\vssadmin.exe

PID
2972
CMD
vssadmin.exe Delete Shadows /All /Quiet
Path
C:\Windows\system32\vssadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll

PID
2060
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll

PID
2068
CMD
bcdedit /set {default} recoveryenabled No
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3672
CMD
bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Registry activity

Total events
121
Read events
100
Write events
21
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
2868 | ment.exe | write | HKEY_CURRENT_USER\Software\recfg | pk_key | 36E470F5EEA27FCD61DDA2FC417418E6A587A9FABAD1E1BA400D63614E45813A
2868 | ment.exe | write | HKEY_CURRENT_USER\Software\recfg | sk_key | F7EDA701D72858AE91E82D73A95AF804CE35DA646175D3E56571A242FBABB7053AA264514720F724B502845E83C002FFDFB2BE5D4BECD9E1F2F894F597F475EBE9B04B77F32C9E863E422EB54FCADB295263610A3FB61EEE
2868 | ment.exe | write | HKEY_CURRENT_USER\Software\recfg | 0_key | 97F84990984F8653B6A8C8AB2A18BF5449BD2D0A38990FF986290696BD89AFE7F8FB151D449CD63003552DBB1B40A1441A6AFDDA3576B6C373AA570F5F95383197082A7061D1F219E57D8FAD11E28CAAA5A7ADF06326B391
2868 | ment.exe | write | HKEY_CURRENT_USER\Software\recfg | rnd_ext | .hd6968
2868 | ment.exe | write | HKEY_CURRENT_USER\Software\recfg | stat | ––
2868 | ment.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2868 | ment.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2868 | ment.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
2068 | bcdedit.exe | write | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009 | Element | 00
3672 | bcdedit.exe | write | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\250000e0 | Element | 0100000000000000

Files activity

Executable files
0
Suspicious files
96
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
2868
ment.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one.hd6968
binary
MD5: 9da4d59821e305da7adcb9ecd1bd369b
SHA256: 0fccfb8fa58c34f1508857e5ff078c8c7f8f7c1499d4bb0e0916c3916dd41e26
2868
ment.exe
C:\Users\Public\Music\Sample Music\hd6968-HOW-TO-DECRYPT.txt
binary
MD5: ed624c763c43cd3916d86a007cbef564
SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868
ment.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.hd6968
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.hd6968
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one.hd6968
binary
MD5: e03edd0dce767d74fe4f47e7fbd49722
SHA256: 2d7e1ab635f062ce4c0bdd03cd545a5eb84dcdf14fc6c0ddea9706683815a277
2868
ment.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2.hd6968
binary
MD5: 2a93dbf3bae5192748ced925896f2bb8
SHA256: 060af00d9698f9feb0de4fd6dec78dfa327ec1e3ff08ff2682cd15767c44ff04
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.hd6968
binary
MD5: 392430dde2ba2155bc54a281aec113cb
SHA256: 08414449abb4872c0a25a1e1cb3c32c0fd45deb10738493a6d75d4c0c618ae60
2868
ment.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.hd6968
binary
MD5: 368fdf56b49cbc1fba0e421b680a7ce1
SHA256: d16eac69d38a5b82bf445473473ce10e4e7e02874e3e705a61e35df74a269e78
2868
ment.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.hd6968
binary
MD5: 91fd5148d50528ccea49210b8ea75cb2
SHA256: e62e46396b6e624ae64d5d1a49e977b5ee37a39619e9da71338edbf7b7be5b77
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.hd6968
binary
MD5: b79767e2a0d7a23680e518a37f889844
SHA256: 38f6c5f8b8b3dfd671a0f8f2a2ee10da4f32aa9497ea4193a29f24e673495c67
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.hd6968
binary
MD5: 18907bf1635fa2e70aaaacb959503009
SHA256: 3db005668bf2b638b3fbfc04a7b2745fc0f4596bdaf2e7c29e3c2fb915f5109b
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.hd6968
binary
MD5: 0f4dfd30f1db0b4119c08f427f44279b
SHA256: 9c761c1e6abd36ab7ab7ab8ce138537b34802a6fcac31a00aeb88611c741d505
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.hd6968
binary
MD5: 20f0d2fbfc97322e55606bf753b3ca9b
SHA256: 9c6f15a104fcbd5943265c4d9de91bd3c52ef2b36b54f6cdb35d84830e2ecc17
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.hd6968
binary
MD5: b0e62639289333c76e9c8a752e7a462d
SHA256: 8a9b79f5001d0ccd458d9a74bcc5d4de6a2f4a33b642d6c9eadef71f74df410b
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.hd6968
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.hd6968
binary
MD5: bb4d288038d4f8d806b6284583c20606
SHA256: 5a41e623680450e49db39723eee29ab122cce513ade81e7249ff82502f4f515d
2868
ment.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3.hd6968
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.hd6968
binary
MD5: 61f77e33121de1bb4020289ffeade66b
SHA256: 3e063c3c874d2c204f796aa0260ca2b2fffd8356c8f2ef580b614e5ae003b92b
2868
ment.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.hd6968
ini
MD5: ba2e69a9d0b49193cdfd239d5c8b10fd
SHA256: c1debd4276d40c52fa08b443e0e51fcb655bc4a23a8bfda346c55127d7140f90
2868
ment.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.hd6968
binary
MD5: 64b7c075da18d6d7fafc65b13ad2d5a8
SHA256: 68fe65e74412c2a94363ca57df388de43e25d93658835a958ac70cc816348f7b
2868
ment.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.hd6968
binary
MD5: 391366158a62ebce0146d4644f5d9a2d
SHA256: 13e38d18c81d7850383a702911c59f5191f1c8716465659841a1dc1fdf1f4642
2868
ment.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.hd6968
binary
MD5: 9b2156daf102ade01921deada3fa8fa8
SHA256: 616b337d587a747eda4f9cb325445260dec5ab8baae5903b6e40c4b019fbcd41
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url.hd6968
binary
MD5: a2209e18c77c6da014e9901f24cd2047
SHA256: a1d69ae4286d2672e607e79a04ed4738bbb6b01c14da92aff06b5e29632c3d20
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.hd6968
binary
MD5: 286fecfff8926a77feba06fda7504286
SHA256: 2bc3e0f97d44b8db27e8492ce3f85cfde5a40db65757d5e1b24bbe52064a3d23
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url.hd6968
binary
MD5: b85f37eafb939a8de59f6306117410f2
SHA256: ddcd69f05b68bd1bb97e3851423b225a6ccdcae8f9973a7905ad00cdc7808ecb
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.hd6968
binary
MD5: b7c6f086b21a49e93634e63748987d73
SHA256: 7322172fecf0cdf75f46a4923eec74a954afad79600ad06bb674d8cc7be1340f
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.hd6968
binary
MD5: b7726a74fd49eb86f16c63b2664f09b3
SHA256: edae47eb62fbe26965115eaf2ed8ec9424805724cce0e9bc5908fad6549e6109
2868
ment.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.hd6968
binary
MD5: 5ba19a2890cf8a900d3b75d68d809528
SHA256: 7796cb18e3f2ddddd4a5033ee81d0fb0b6b56acb482a1fb035845a0026bf1da1
2868
ment.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.hd6968
binary
MD5: 90a25a2f3075527407833df2e081cfec
SHA256: 30ac1839a3e372ff6c471d39a14a5ec691dff84c26049e04008c3b933193bbda
2868
ment.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.hd6968
binary
MD5: 1ddb8541b5071ff7d00ca8f48532e61e
SHA256: 2461a083fb20675196d0cde738263b7b26291fd07fd445c291bfaec14f16ee56
2868
ment.exe
C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.hd6968
binary
MD5: bddf10f376c5eb5b302396f6d4b52341
SHA256: 7eabf4039cd409ba3b7376915ed5018a4e8a2f4cd05a56805d11cb6a8d2d3e5f
2868
ment.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.hd6968
binary
MD5: 324c0078a98ce96cd237bfae43086974
SHA256: 4de942ad3eeaeca386e366655c14aceb5ad95275e6f51713d47e942e8b2f1b1c
2868
ment.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Links for United States\USA.gov.url.hd6968
binary
MD5: 139727def299db44f2d653e8a6442405
SHA256: 497919ad483a5c3e02fd3b816584a868e0037bea7d9e90297184bf7977d476f1
2868
ment.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.hd6968
binary
MD5: 5039f025ea84d4c6ed3f859ad44dc729
SHA256: 0d659949bbd769e43703c7913ca1b44263b7333b4af24e5718d7352c0211a492
2868
ment.exe
C:\Users\admin\Favorites\Links for United States\USA.gov.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Favorites\Links\Web Slice Gallery.url.hd6968
binary
MD5: be6efb8f5168ac9f2ac8e953c0af2ee0
SHA256: 0502ff241544ecd8d828e14d104a3e8600b803b00d04fa22b491960bc7b32495
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst.hd6968
binary
MD5: 249d98e0bbf8c138d2ad3a65e7c3f152
SHA256: 885c36bd1a670fac1e2b13e6664d7e745943ef0a33bb9465cd4e842b6585b714
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp.hd6968
binary
MD5: 42e16890a9c1c826e491600cbbace3d7
SHA256: effd431929c321d39bfdb5acf5b7670757f76e8f2ca2c0aaccedf30182e69ef1
2868
ment.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url.hd6968
binary
MD5: 04cc86ac5f52c5f26c40e8ccc9abd1b8
SHA256: 0e52beb15ada7442aa18e54d73a6d059680811a3a3802a15d259349d7226bff9
2868
ment.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.hd6968
vc
MD5: fd923ff58c931a6c279f9b38cc88f0bc
SHA256: f93fa3808629e64aea7aa6816c4d8ba0c25b15b1feae5e19e68f8c9d8f3704f0
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.hd6968
binary
MD5: 359233f675999dfd22f5774ec5ac6343
SHA256: 2e4a5d2a25e4f296b2a117f2ad1bed14e331b3d1a5605a52b0c5f4007ef52713
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
binary
MD5: 62dd7fdca41ca910ce799185d995f45f
SHA256: 48bc8960dde784929f0a03ee0c705aed17a4a775bd238628322d9fe3614fbd18
2868
ment.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
––
MD5:  ––
SHA256:  ––
2868
ment.exe
C:\Users\Public\Videos\Sample Videos\hd6968-HOW-TO-DECRYPT.txt
binary
MD5: ed624c763c43cd3916d86a007cbef564
SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868
ment.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\hd6968-HOW-TO-DECRYPT.txt
binary
MD5: ed624c763c43cd3916d86a007cbef564
SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868
ment.exe
C:\Users\Public\Recorded TV\Sample Media\hd6968-HOW-TO-DECRYPT.txt
binary
MD5: ed624c763c43cd3916d86a007cbef564
SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868
ment.exe
C:\Users\Public\Libraries\RecordedTV.library-ms.hd6968
binary
MD5: 2fb63337232da57fb7b75a620ad8cf36
SHA256: 8dbb692de66709368e6a56e25dd607b2831b4c58e0f23144c5fadb434ce64d66
2868
ment.exe
C:\Users\Public\Pictures\Sample Pictures\hd6968-HOW-TO-DECRYPT.txt
binary
MD5: ed624c763c43cd3916d86a007cbef564
SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868
ment.exe
C:\Users\admin\AppData\Local\Temp\rtwivna.bmp
image
MD5: ab7fd5616fb351c415d80a8840923182
SHA256: 88355a06b17d9f1ce6fdf5cf318da31d47bdbfec36995017862ea45d81474b0d
2868 ment.exe C:\Users\Public\Libraries\RecordedTV.library-ms –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.hd6968 binary MD5: 031f800de10bd8aa53bd1f29d430b811 SHA256: 15328fb169179f826b6fa884dfc7aa0f4c02668e2c9f63acacb7e49dd39fb170
2868 ment.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.hd6968 binary MD5: 191eee28305b42fc363e34b5276e73cc SHA256: 5ec78021b5c168882555bf9d144bddef2b9010b3f57d6df556a64322f10856ed
2868 ment.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Pictures\restthanks.jpg.hd6968 binary MD5: ad1b29000763380e037a25ad0e79beec SHA256: 2936ff45cc015177766e739d98744f98af0977a55becd380038b32e29a3d53af
2868 ment.exe C:\Users\admin\Pictures\proteinarmy.jpg.hd6968 binary MD5: 8dcbef07865b56ed1e14b7547486ca67 SHA256: 758143ac8d615e8313e14e116a6eec1c7a36e4995aaa8847728d565dd5c6c36e
2868 ment.exe C:\Users\admin\Pictures\restthanks.jpg –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Pictures\bluecities.png.hd6968 binary MD5: 52ab66ae97e4ea5459eac85a88225820 SHA256: 67c675c653056ece07c959a30a07eb298d21bf18cff99b3ad672bc1974cf3fad
2868 ment.exe C:\Users\admin\Pictures\bluecities.png –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Favorites\Windows Live\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Favorites\MSN Websites\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Favorites\Microsoft Websites\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Favorites\Links for United States\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Downloads\lakehit.png.hd6968 binary MD5: a2438b9094d1bad25510165a09189f1e SHA256: b67ba7bca4c38ff2853a7eded12af5d13e88c99c642e13454210060195f7f18b
2868 ment.exe C:\Users\admin\Favorites\Links\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Downloads\lakehit.png –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Downloads\historicalbad.png.hd6968 binary MD5: eb9ce87e1f4abacb1c54d727137166ae SHA256: 699c2887986de781e9d3853b92d6647ead8923c74e50a0ac0c478403d775e172
2868 ment.exe C:\Users\admin\Downloads\functionalthanks.png.hd6968 binary MD5: 8a79a3955c1cb5f75c151af8ef1b8009 SHA256: 9781f7bc7c39423c5bf772ae4ce26464396a045b7917b71744a4ebb93cfaf739
2868 ment.exe C:\Users\admin\Downloads\historicalbad.png –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Downloads\functionalthanks.png –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Documents\speciesfunds.rtf.hd6968 binary MD5: 96cc2a861fbd5212de3386de47bd2ce2 SHA256: 3ff63ac79025134cb6e45a569f29452516934304770eabff257b2e9d6b86185c
2868 ment.exe C:\Users\admin\Documents\speciesfunds.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Documents\shipsmark.rtf.hd6968 binary MD5: 0342e9a7b4a887f211ca5686c7732ad8 SHA256: d2bfff8455db9fc7ecba134263f3278890faf64f9b876d38a9e6e28bedd3c1b4
2868 ment.exe C:\Users\admin\Documents\shipsmark.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Documents\providehp.rtf.hd6968 binary MD5: df49af2ad033712aeaa9831b5cbca8dc SHA256: b817f476a4fa8a0847b296e3c18eb0c4767b072d241393bd9b2c580764b1c718
2868 ment.exe C:\Users\admin\Documents\providehp.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Documents\hpsetting.rtf.hd6968 binary MD5: c2891a53bdbca20555252d2d5635811c SHA256: cd91fb206ac25636d46eb7099b3e069a8a3588dfbec16dc25b444d35b7ca9d2a
2868 ment.exe C:\Users\admin\Documents\Outlook Files\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Documents\OneNote Notebooks\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Documents\hpsetting.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Documents\evaluationeffort.rtf.hd6968 bs MD5: f69069ed53b4a89485f53b1e79720e78 SHA256: 8c4728998e5095c94075806a5541c5491d0bb0f3682a12b1ad7d63baabdb9e73
2868 ment.exe C:\Users\admin\Documents\evaluationeffort.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Documents\contentselling.rtf.hd6968 binary MD5: d4fbd8a496a068b581eb60ba1ca0fbdb SHA256: d6ff58d2c48673833dd3d4b40d6bdb033396c5b1eef2bef87a0aa096dd891ae5
2868 ment.exe C:\Users\admin\Documents\communitytrade.rtf.hd6968 binary MD5: 1d49de17416cc73c7b7be5f68ce20eeb SHA256: 6ec7cf6dd76b5d2a692d42d3f30acde72a3940b1925b624d3258f06b12a2d99c
2868 ment.exe C:\Users\admin\Documents\contentselling.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Documents\communitytrade.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Desktop\windowfish.jpg.hd6968 binary MD5: a781bdc9d0d5d2b34c15a826b1b6c570 SHA256: bdfed89e2802d2f57db3df54bb0c76cdc1bfdc59d7f7df532691b03b3821642a
2868 ment.exe C:\Users\admin\Desktop\thinglarge.png.hd6968 binary MD5: f962b4f5dc511caf778d32fcc006c2b9 SHA256: 17379c090be0769976b7854879b2fe2bd8d4a33bc8f4077c7f235b4431723f41
2868 ment.exe C:\Users\admin\Desktop\trytool.rtf.hd6968 binary MD5: 64b24e219321b9a5757bc1440c868da9 SHA256: 5bb50fb6ff85722cb1009fe255d0a9d7fbb9121d001124d2873a8eb420997fe4
2868 ment.exe C:\Users\admin\Desktop\termsacross.jpg.hd6968 binary MD5: ff265c8b7b05b6b7d68cf7985e1b1a4e SHA256: d96932664d19a0c97f29f6c439d570497f6c9c939c5922c9fa7cbfcda8353ea6
2868 ment.exe C:\Users\admin\Desktop\songsapproach.rtf.hd6968 binary MD5: 1d0e623929f0a2a803a7d2c6b38b128e SHA256: f1008e56c026c8b7037d8d7da2bb0787212898381b625fa85971c364349f5cf0
2868 ment.exe C:\Users\admin\Desktop\songsapproach.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Desktop\providedcorporate.jpg.hd6968 binary MD5: 73d32d2ea975527ca9ede5bb6ed9d7e3 SHA256: a9f47bc7049b6bba00a827d30fb26d71e8788459067a47890a7bf8a89a3a5e21
2868 ment.exe C:\Users\admin\Desktop\providedcorporate.jpg –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Desktop\iraqtrue.rtf.hd6968 binary MD5: b6843bdb8668d383097bcb202b4c0fa4 SHA256: d8842d6aab99f654130ba6540af21be864c2298b6fa536bcb6e40593ed60d1f6
2868 ment.exe C:\Users\admin\Desktop\intfantasy.rtf.hd6968 binary MD5: bb27e1fcad6decc93ec0c74cc78e938a SHA256: 2a5789c4cbe1ed6c4f28ae6c64251237c5a7c427ef8a91453bc3a92ebe78ae34
2868 ment.exe C:\Users\admin\Desktop\intfantasy.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Desktop\friservices.png.hd6968 binary MD5: 0b9531e41fcc025ff481f09186e46f0e SHA256: 49e3af4191ea8ddad0f4c140a5067a6b2638701e8fa2ee85458865ba588353eb
2868 ment.exe C:\Users\admin\Desktop\friservices.png –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Desktop\decembercopyright.rtf.hd6968 binary MD5: 6fe3719b406a4d47fc34404fb1e499a7 SHA256: ee226683a82df92be34889d78bd9c909bab7e45f9975e8853bdc947db382185c
2868 ment.exe C:\Users\admin\Desktop\decembercopyright.rtf –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Desktop\categoriesmarket.jpg.hd6968 binary MD5: 7fbb4256f5d8c552d55dfe0fa207294d SHA256: c05ba1b23d1c29570d1a3f682c6c430298a12a1245605bf9405e41fcc3f0c816
2868 ment.exe C:\Users\admin\Desktop\categoriesmarket.jpg –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\Contacts\admin.contact.hd6968 binary MD5: dbcaf73659ebbe369169f48378173840 SHA256: 0ca1afac39957eac13eae429286a7c0d5766cd6a3c17c953fadb7f64bae90c98
2868 ment.exe C:\Users\admin\Contacts\admin.contact –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.hd6968 binary MD5: 8b046af5e606ba16d77ca56a0fd99180 SHA256: 2f91326a17ecb19e525cfd9be1b1bbabf50e6173ef706e490293791a6363e542
2868 ment.exe C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp –– MD5: –– SHA256: ––
2868 ment.exe C:\Users\Public\Videos\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\Public\Recorded TV\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\Public\Pictures\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\Public\Music\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\Public\Libraries\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\Public\Favorites\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\Public\Downloads\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\Public\Documents\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Videos\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Pictures\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Searches\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Saved Games\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Music\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Links\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Downloads\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Favorites\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Desktop\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Documents\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\Contacts\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\.oracle_jre_usage\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\Public\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908
2868 ment.exe C:\Users\admin\hd6968-HOW-TO-DECRYPT.txt binary MD5: ed624c763c43cd3916d86a007cbef564 SHA256: 54645afc6a72e1ae4aab02bde119b3fe1075990d66aef4edc626c795fe802908

Find more information on the static content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
50
DNS requests
33
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
2868 ment.exe 31.217.192.232:443 Equinix (Finland) Oy FI unknown
2868 ment.exe 104.31.149.10:443 Cloudflare Inc US unknown
2868 ment.exe 31.217.192.177:443 Equinix (Finland) Oy FI unknown
2868 ment.exe 188.246.227.29:443 Kassir, Ltd. RU unknown
2868 ment.exe 104.31.88.124:443 Cloudflare Inc US unknown
2868 ment.exe 45.76.45.105:443 Choopa, LLC FR unknown
2868 ment.exe 198.46.81.196:443 InMotion Hosting, Inc. US malicious
2868 ment.exe 185.197.130.219:443 SoftLayer Technologies Inc. IT unknown
2868 ment.exe 162.242.255.84:443 Rackspace Ltd. US unknown
2868 ment.exe 68.66.245.103:443 A2 Hosting, Inc. US unknown
2868 ment.exe 88.99.61.233:443 Hetzner Online GmbH DE unknown
2868 ment.exe 178.128.155.196:443 Forthnet GR unknown
2868 ment.exe 195.201.175.85:443 Awanti Ltd. RU unknown
2868 ment.exe 77.104.183.21:443 US unknown
2868 ment.exe 185.181.124.65:443 iomart Cloud Services Limited. GB unknown
2868 ment.exe 212.71.236.110:443 Linode, LLC GB unknown
2868 ment.exe 146.66.65.192:443 US unknown
2868 ment.exe 173.254.0.57:443 Unified Layer US unknown
2868 ment.exe 23.236.62.147:443 Google Inc. US whitelisted
2868 ment.exe 145.239.95.118:443 OVH SAS PL unknown
2868 ment.exe 104.18.40.31:443 Cloudflare Inc US unknown
2868 ment.exe 37.97.209.126:443 Transip B.V. NL unknown
2868 ment.exe 67.225.188.83:443 Liquid Web, L.L.C US unknown
2868 ment.exe 185.27.141.176:443 LeaseWeb Netherlands B.V. NL unknown
2868 ment.exe 104.28.31.249:443 Cloudflare Inc US unknown
2868 ment.exe 166.62.106.104:443 GoDaddy.com, LLC US unknown
2868 ment.exe 198.199.78.20:443 Digital Ocean, Inc. US unknown
2868 ment.exe 192.0.78.245:443 Automattic, Inc US unknown
2868 ment.exe 91.184.0.30:443 Hostnet B.V. NL unknown
2868 ment.exe 94.231.103.138:443 Zitcom A/S DK unknown
2868 ment.exe 185.232.187.133:443 –– unknown
2868 ment.exe 185.197.62.81:443 UKfastnet Ltd GB unknown
2868 ment.exe 141.138.169.208:443 Antagonist B.V. NL malicious

DNS requests

Domain IP Reputation
deduktia.fi 31.217.192.232 unknown
otpusk.zp.ua 104.31.149.10, 104.31.148.10 unknown
smartworkplaza.com 31.217.192.177 unknown
abulanov.com 188.246.227.29 unknown
reputation-medical.online 104.31.88.124, 104.31.89.124 unknown
triplettagaite.fr 45.76.45.105 unknown
motocrosshideout.com 198.46.81.196 malicious
gosouldeep.com 185.197.130.219 unknown
kausette.com 162.242.255.84 unknown
furland.ru 68.66.245.103 unknown
katherinealy.com 88.99.61.233 unknown
floweringsun.org 178.128.155.196 unknown
professionetata.com 195.201.175.85 unknown
grancanariaregional.com 77.104.183.21 unknown
hawthornsretirement.co.uk 185.181.124.65 unknown
leadforensics.com 212.71.236.110 whitelisted
web865.com 146.66.65.192 unknown
mariamalmahdi.com 173.254.0.57 unknown
mslp.org 23.236.62.147 malicious
zaczytana.com 145.239.95.118 unknown
finsahome.co.uk 104.18.40.31, 104.18.41.31 unknown
kosten-vochtbestrijding.be 37.97.209.126 unknown
lassocrm.com 67.225.188.83 unknown
verbouwingsdouche.nl 185.27.141.176 unknown
bumbipdeco.site 104.28.31.249, 104.28.30.249 suspicious
lashandbrowenvy.com 166.62.106.104 unknown
sharonalbrightdds.com 198.199.78.20 unknown
onesynergyinternational.com 192.0.78.245, 192.0.78.151 unknown
jax-interim-and-projectmanagement.com 91.184.0.30 unknown
kristianboennelykke.dk 94.231.103.138 unknown
ncn.nl 185.232.187.133 unknown
hospitalitytrainingsolutions.co.uk 185.197.62.81 unknown
sytzedevries.com 141.138.169.208 unknown

Threats

No threats detected.

Debug output strings

No debug info.