Overview

overview

10

Static

static

1

RNSM00485.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    306s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00485.7z

  • Size

    87.6MB

  • MD5

    5b1da65dd7ed7e9e5d312a026df4885b

  • SHA1

    3344a7e253171021810ff7ce811e2af145fc2597

  • SHA256

    f3170231517827449a742bdc83b583fbb5edf9d8e76a34cbd84d272e3ff459ac

  • SHA512

    2b3209e47f1885456ac15445623d28b5813f04b44dda739a245163c27405a0badda80bda15b2bbd5b1a6f7efb3031e97972c2c587ea1b2d5b67d5fc7620080ed

  • SSDEEP

    1572864:b82AMynfhxPbX8X0g0mSwDdhufaECb6zAsHg/8GGZdTiVcoHAdjBNq2emRR+ey:b82+fhxPbYtSwXuX9EygEGoiHAdjDj0

Score
10/10
asyncratdarkcometdjvuphobossnakekeyloggertofseedefaultpipiagilenetaspackv2credential_accessdefense_evasiondiscoveryevasionexecutionimpactkeyloggerpersistenceprivilege_escalationransomwareratspywarestealertrojan

Malware Config

Extracted

Family

djvu

C2

http://rlrz.org/fhsgtsspen6/get.php

http://securebiz.org/fhsgtsspen6/get.php

http://rlrz.org/lancer/get.php
Attributes
  • extension

    .nqsq

  • offline_id

    OGykROpbgxJhrG1qc9yB9PwnsSv1Eo04vOCP0rt1

  • payload_url

    http://znpst.top/dl/build2.exe

    http://rlrz.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-O1iz3esfm2 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0337gSd743d

rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Extracted

Family

darkcomet

Botnet

Pipi

C2

marcdalore.no-ip.org:1604

88.183.228.159:1604
Mutex

DC_MUTEX-0BMFXWE

Attributes
  • gencode

    FeC9DbbRqtxp

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

185.219.176.155:6089

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>D5838490-3216</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendMessage?chat_id=1063661839

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Detected Djvu ransomware 17 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Async RAT payload 1 IoCs
    rat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (549) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 5 IoCs
    evasion
  • Stops running service(s) 4 TTPs
    evasionexecution
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 14 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 21 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Looks up external IP address via web service 14 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 11 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 10 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00485.7z
    1⤵
    • Modifies registry class
    PID:1860
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5028
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1488
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00485.7z"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-50b584cc4677a24af400fb4682919ce3c2e3be14a9820681141acd6c44e7729d.exe
          HEUR-Trojan-Ransom.MSIL.Blocker.gen-50b584cc4677a24af400fb4682919ce3c2e3be14a9820681141acd6c44e7729d.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3100
        • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5610b2906ecd713913b4b7e2975788cecb0d19abf94a16d1f81d3b43e1b9adda.exe
          HEUR-Trojan-Ransom.MSIL.Blocker.gen-5610b2906ecd713913b4b7e2975788cecb0d19abf94a16d1f81d3b43e1b9adda.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4720
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Blocker.gen-5610b2906ecd713913b4b7e2975788cecb0d19abf94a16d1f81d3b43e1b9adda.exe" "C:\Users\Admin\AppData\Local\655.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:304
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\655.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2548
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              5⤵
                PID:6820
          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-72d0b083aa7fe84ab302b5a1efa6351f891f1e3d2cc164627e9a89f989df3cb3.exe
            HEUR-Trojan-Ransom.MSIL.Blocker.gen-72d0b083aa7fe84ab302b5a1efa6351f891f1e3d2cc164627e9a89f989df3cb3.exe
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3704
          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c72106b6cff6e8607dfe9a443c17d8b1ca178323f527f072d4b63c71ada0e811.exe
            HEUR-Trojan-Ransom.MSIL.Blocker.gen-c72106b6cff6e8607dfe9a443c17d8b1ca178323f527f072d4b63c71ada0e811.exe
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3940
            • C:\Users\Admin\AppData\Roaming\Mais Arquivos.exe
              "C:\Users\Admin\AppData\Roaming\Mais Arquivos.exe" C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c72106b6cff6e8607dfe9a443c17d8b1ca178323f527f072d4b63c71ada0e811.exe
              4⤵
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1440
              • C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
                "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1892
                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
                  "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:940
                  • C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
                    "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:452
                    • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
                      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
                      8⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1964
                    • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
                      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
                      8⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4668
          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e5986334029c7e764b566c306e942190f39231cfae586bf674f453e9b5d867bc.exe
            HEUR-Trojan-Ransom.MSIL.Blocker.gen-e5986334029c7e764b566c306e942190f39231cfae586bf674f453e9b5d867bc.exe
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:4744
            • C:\Users\Admin\AppData\Roaming\Winlogon\winlogon.exe
              "C:\Users\Admin\AppData\Roaming\Winlogon\winlogon.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • Modifies registry class
              PID:4888
              • C:\Users\Admin\AppData\Roaming\Winlogon\winlogon.exe
                "C:\Users\Admin\AppData\Roaming\Winlogon\winlogon.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:6176
              • C:\Users\Admin\AppData\Roaming\Winlogon\csrss.exe
                "C:\Users\Admin\AppData\Roaming\Winlogon\csrss.exe" -keyhide -prochide 6176 -reg C:\Users\Admin\AppData\Roaming\Winlogon\winlogon.exe -proc 6176 C:\Users\Admin\AppData\Roaming\Winlogon\winlogon.exe
                5⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:5456
          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Gen.gen-53810db15c47cf14cdf4f2b205594ce54a69bad4b15ec57800f2bd4f391d34d3.exe
            HEUR-Trojan-Ransom.MSIL.Gen.gen-53810db15c47cf14cdf4f2b205594ce54a69bad4b15ec57800f2bd4f391d34d3.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2852
          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Blocker.pef-04cd6162181c33c5e5198b88439debb7a2b0cf4f7ffe270781122a895484c1f6.exe
            HEUR-Trojan-Ransom.Win32.Blocker.pef-04cd6162181c33c5e5198b88439debb7a2b0cf4f7ffe270781122a895484c1f6.exe
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1948
            • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
              "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
              4⤵
              • Executes dropped EXE
              PID:1056
          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Blocker.vho-2e6fdc260e37c79e2fae1227cfece13f1945763f34aafb60983bb32aa93a5dc6.exe
            HEUR-Trojan-Ransom.Win32.Blocker.vho-2e6fdc260e37c79e2fae1227cfece13f1945763f34aafb60983bb32aa93a5dc6.exe
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1068
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
              4⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:5780
            • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
              "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:6764
              • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
                "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:5412
            • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
              "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
              4⤵
              • Executes dropped EXE
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:7056
          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Blocker.vho-997c83357b09436a7ef6ffff93cd2042fdf111e10ec5b787447fb44222dd2815.exe
            HEUR-Trojan-Ransom.Win32.Blocker.vho-997c83357b09436a7ef6ffff93cd2042fdf111e10ec5b787447fb44222dd2815.exe
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3444
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
              4⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:5940
            • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
              "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:5932
          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Generic-a9c07957e93c0a33f107248d19a5c78ba005a338716bbf0aacfd40b695850319.exe
            HEUR-Trojan-Ransom.Win32.Generic-a9c07957e93c0a33f107248d19a5c78ba005a338716bbf0aacfd40b695850319.exe
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4176
            • C:\Users\Admin\AppData\Roaming\importações.exe
              "C:\Users\Admin\AppData\Roaming\importações.exe" C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Generic-a9c07957e93c0a33f107248d19a5c78ba005a338716bbf0aacfd40b695850319.exe
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3944
              • C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
                "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
                5⤵
                • Executes dropped EXE
                PID:1644
                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
                  "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
                  6⤵
                  • Executes dropped EXE
                  PID:4592
                  • C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
                    "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:912
                    • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
                      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
                      8⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2032
                    • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
                      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      PID:1988
                      • C:\Windows\SysWOW64\reg.exe
                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                        9⤵
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:5052
                      • C:\Windows\SysWOW64\reg.exe
                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                        9⤵
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:5752
                      • C:\Windows\SysWOW64\reg.exe
                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                        9⤵
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:5544
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          10⤵
                            PID:5872
                        • C:\Windows\SysWOW64\reg.exe
                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                          9⤵
                          • Adds Run key to start application
                          • System Location Discovery: System Language Discovery
                          PID:5808
                          • C:\Windows\System32\Conhost.exe
                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            10⤵
                              PID:5544
                          • C:\Windows\SysWOW64\reg.exe
                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                            9⤵
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            PID:5524
                          • C:\Windows\SysWOW64\reg.exe
                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                            9⤵
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            PID:2612
                          • C:\Windows\SysWOW64\reg.exe
                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                            9⤵
                            • Adds Run key to start application
                            PID:7032
                          • C:\Windows\SysWOW64\reg.exe
                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                            9⤵
                            • Adds Run key to start application
                            PID:3116
                          • C:\Windows\SysWOW64\reg.exe
                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                            9⤵
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            PID:7408
                          • C:\Windows\SysWOW64\reg.exe
                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                            9⤵
                            • Adds Run key to start application
                            PID:5700
                          • C:\Windows\SysWOW64\reg.exe
                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                            9⤵
                              PID:7196
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                              9⤵
                                PID:7784
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                9⤵
                                  PID:4284
                                  • C:\Windows\System32\Conhost.exe
                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    10⤵
                                      PID:5780
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                    9⤵
                                      PID:6468
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                      9⤵
                                        PID:7736
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                          PID:2020
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                          9⤵
                                            PID:7836
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                            9⤵
                                              PID:7064
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                              9⤵
                                                PID:7740
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                9⤵
                                                  PID:6468
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                  9⤵
                                                    PID:7408
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                    9⤵
                                                      PID:5564
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                      9⤵
                                                        PID:5548
                                                        • C:\Windows\System32\Conhost.exe
                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          10⤵
                                                            PID:7408
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                          9⤵
                                                            PID:7404
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                            9⤵
                                                              PID:1012
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                              9⤵
                                                                PID:3144
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                9⤵
                                                                  PID:7032
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                  9⤵
                                                                    PID:2584
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                    9⤵
                                                                      PID:6316
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                      9⤵
                                                                        PID:7436
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                        9⤵
                                                                          PID:2344
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                          9⤵
                                                                            PID:3904
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                            9⤵
                                                                              PID:8024
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                              9⤵
                                                                                PID:5296
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                9⤵
                                                                                  PID:2476
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                  9⤵
                                                                                    PID:7132
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                    9⤵
                                                                                      PID:2296
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                      9⤵
                                                                                        PID:6592
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                        9⤵
                                                                                          PID:3224
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                          9⤵
                                                                                            PID:5352
                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Generic-fd8b588e1ee4f98e4498e9a39c29ca2fcb974b55680139a12cccb49657da7658.exe
                                                                                HEUR-Trojan-Ransom.Win32.Generic-fd8b588e1ee4f98e4498e9a39c29ca2fcb974b55680139a12cccb49657da7658.exe
                                                                                3⤵
                                                                                • Executes dropped EXE
                                                                                • Adds Run key to start application
                                                                                • Drops desktop.ini file(s)
                                                                                • Sets desktop wallpaper using registry
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2544
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "cmd.exe"
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4068
                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                    wmic csproduct get uuid
                                                                                    5⤵
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1084
                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Phobos.vho-d71748408052ff7047bdf2d6d29ecbca0be93522f8a03d00b405841ba818794d.exe
                                                                                HEUR-Trojan-Ransom.Win32.Phobos.vho-d71748408052ff7047bdf2d6d29ecbca0be93522f8a03d00b405841ba818794d.exe
                                                                                3⤵
                                                                                • Checks computer location settings
                                                                                • Drops startup file
                                                                                • Executes dropped EXE
                                                                                • Adds Run key to start application
                                                                                • Drops desktop.ini file(s)
                                                                                • Drops autorun.inf file
                                                                                • Drops file in Program Files directory
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: RenamesItself
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:4652
                                                                                • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Phobos.vho-d71748408052ff7047bdf2d6d29ecbca0be93522f8a03d00b405841ba818794d.exe
                                                                                  "C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Phobos.vho-d71748408052ff7047bdf2d6d29ecbca0be93522f8a03d00b405841ba818794d.exe"
                                                                                  4⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4920
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  "C:\Windows\system32\cmd.exe"
                                                                                  4⤵
                                                                                    PID:2216
                                                                                    • C:\Windows\system32\vssadmin.exe
                                                                                      vssadmin delete shadows /all /quiet
                                                                                      5⤵
                                                                                      • Interacts with shadow copies
                                                                                      PID:1220
                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                      wmic shadowcopy delete
                                                                                      5⤵
                                                                                        PID:1120
                                                                                      • C:\Windows\system32\bcdedit.exe
                                                                                        bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                                                        5⤵
                                                                                        • Modifies boot configuration data using bcdedit
                                                                                        PID:236
                                                                                      • C:\Windows\system32\bcdedit.exe
                                                                                        bcdedit /set {default} recoveryenabled no
                                                                                        5⤵
                                                                                        • Modifies boot configuration data using bcdedit
                                                                                        PID:4052
                                                                                      • C:\Windows\system32\wbadmin.exe
                                                                                        wbadmin delete catalog -quiet
                                                                                        5⤵
                                                                                        • Deletes backup catalog
                                                                                        PID:3508
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      "C:\Windows\system32\cmd.exe"
                                                                                      4⤵
                                                                                        PID:2532
                                                                                        • C:\Windows\system32\netsh.exe
                                                                                          netsh advfirewall set currentprofile state off
                                                                                          5⤵
                                                                                          • Modifies Windows Firewall
                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                          PID:5264
                                                                                        • C:\Windows\system32\netsh.exe
                                                                                          netsh firewall set opmode mode=disable
                                                                                          5⤵
                                                                                          • Modifies Windows Firewall
                                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                                          PID:5644
                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                        4⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:6012
                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                        4⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:7488
                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                        4⤵
                                                                                          PID:7464
                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                          "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                          4⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:8096
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          "C:\Windows\system32\cmd.exe"
                                                                                          4⤵
                                                                                            PID:280
                                                                                            • C:\Windows\system32\vssadmin.exe
                                                                                              vssadmin delete shadows /all /quiet
                                                                                              5⤵
                                                                                              • Interacts with shadow copies
                                                                                              PID:2520
                                                                                            • C:\Windows\System32\Wbem\WMIC.exe
                                                                                              wmic shadowcopy delete
                                                                                              5⤵
                                                                                                PID:7808
                                                                                              • C:\Windows\system32\bcdedit.exe
                                                                                                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                                                                5⤵
                                                                                                • Modifies boot configuration data using bcdedit
                                                                                                PID:6328
                                                                                              • C:\Windows\system32\bcdedit.exe
                                                                                                bcdedit /set {default} recoveryenabled no
                                                                                                5⤵
                                                                                                • Modifies boot configuration data using bcdedit
                                                                                                PID:7844
                                                                                              • C:\Windows\system32\wbadmin.exe
                                                                                                wbadmin delete catalog -quiet
                                                                                                5⤵
                                                                                                • Deletes backup catalog
                                                                                                PID:4620
                                                                                          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-b3d54d34e2610f35ba15a83b56518ab8f1431c210344198f3356f04b1de403b1.exe
                                                                                            HEUR-Trojan-Ransom.Win32.PolyRansom.gen-b3d54d34e2610f35ba15a83b56518ab8f1431c210344198f3356f04b1de403b1.exe
                                                                                            3⤵
                                                                                            • Modifies WinLogon for persistence
                                                                                            • Drops startup file
                                                                                            • Executes dropped EXE
                                                                                            • Enumerates connected drives
                                                                                            • Drops autorun.inf file
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:5032
                                                                                          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0.exe
                                                                                            HEUR-Trojan-Ransom.Win32.Stop.gen-11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0.exe
                                                                                            3⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:2196
                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0.exe
                                                                                              HEUR-Trojan-Ransom.Win32.Stop.gen-11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0.exe
                                                                                              4⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Adds Run key to start application
                                                                                              PID:3692
                                                                                              • C:\Windows\SysWOW64\icacls.exe
                                                                                                icacls "C:\Users\Admin\AppData\Local\8364c4df-e63d-4aea-a177-476ee4997aca" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                5⤵
                                                                                                • Modifies file permissions
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:2796
                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0.exe
                                                                                                "C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                5⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                PID:5292
                                                                                                • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0.exe
                                                                                                  "C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                  6⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:7096
                                                                                          • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-2b448eb1fc9450030d7f785848b4569e3aebbda92eae96d0f60a9dcdae60ce2c.exe
                                                                                            HEUR-Trojan-Ransom.Win32.Stop.gen-2b448eb1fc9450030d7f785848b4569e3aebbda92eae96d0f60a9dcdae60ce2c.exe
                                                                                            3⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Adds Run key to start application
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:828
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ngfkahih\
                                                                                              4⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:6064
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fwecmhoc.exe" C:\Windows\SysWOW64\ngfkahih\
                                                                                              4⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:5780
                                                                                            • C:\Windows\SysWOW64\sc.exe
                                                                                              "C:\Windows\System32\sc.exe" create ngfkahih binPath= "C:\Windows\SysWOW64\ngfkahih\fwecmhoc.exe /d\"C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-2b448eb1fc9450030d7f785848b4569e3aebbda92eae96d0f60a9dcdae60ce2c.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                              4⤵
                                                                                              • Launches sc.exe
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1796
                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                5⤵
                                                                                                  PID:452
                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                "C:\Windows\System32\sc.exe" description ngfkahih "wifi internet conection"
                                                                                                4⤵
                                                                                                • Launches sc.exe
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:5872
                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                "C:\Windows\System32\sc.exe" start ngfkahih
                                                                                                4⤵
                                                                                                • Launches sc.exe
                                                                                                PID:2740
                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                4⤵
                                                                                                • Modifies Windows Firewall
                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:5916
                                                                                              • C:\Users\Admin\pxmqdbkk.exe
                                                                                                "C:\Users\Admin\pxmqdbkk.exe" /d"C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-2b448eb1fc9450030d7f785848b4569e3aebbda92eae96d0f60a9dcdae60ce2c.exe"
                                                                                                4⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:5828
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vrjjgvui.exe" C:\Windows\SysWOW64\ngfkahih\
                                                                                                  5⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:1384
                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    6⤵
                                                                                                      PID:5724
                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                    "C:\Windows\System32\sc.exe" config ngfkahih binPath= "C:\Windows\SysWOW64\ngfkahih\vrjjgvui.exe /d\"C:\Users\Admin\pxmqdbkk.exe\""
                                                                                                    5⤵
                                                                                                    • Launches sc.exe
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:3968
                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                    "C:\Windows\System32\sc.exe" start ngfkahih
                                                                                                    5⤵
                                                                                                    • Launches sc.exe
                                                                                                    PID:5248
                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                    5⤵
                                                                                                    • Modifies Windows Firewall
                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:2040
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0761.bat" "
                                                                                                    5⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:6356
                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 1040
                                                                                                    5⤵
                                                                                                    • Program crash
                                                                                                    PID:5252
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 816
                                                                                                  4⤵
                                                                                                  • Program crash
                                                                                                  PID:2416
                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2.exe
                                                                                                HEUR-Trojan-Ransom.Win32.Stop.gen-4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2.exe
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                PID:4004
                                                                                                • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2.exe
                                                                                                  HEUR-Trojan-Ransom.Win32.Stop.gen-4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2.exe
                                                                                                  4⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:316
                                                                                                  • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2.exe
                                                                                                    "C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                    5⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:5980
                                                                                                    • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2.exe
                                                                                                      "C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                      6⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1332
                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba.exe
                                                                                                HEUR-Trojan-Ransom.Win32.Stop.gen-9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba.exe
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                PID:5080
                                                                                                • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba.exe
                                                                                                  HEUR-Trojan-Ransom.Win32.Stop.gen-9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba.exe
                                                                                                  4⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:1952
                                                                                                  • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba.exe
                                                                                                    "C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                    5⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    PID:756
                                                                                                    • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba.exe
                                                                                                      "C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                      6⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:3552
                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-bfc23474bd0294407c55aa23133438d67617be22d65a6c4e2df0a598d797a90e.exe
                                                                                                HEUR-Trojan-Ransom.Win32.Stop.gen-bfc23474bd0294407c55aa23133438d67617be22d65a6c4e2df0a598d797a90e.exe
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:2780
                                                                                                • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-bfc23474bd0294407c55aa23133438d67617be22d65a6c4e2df0a598d797a90e.exe
                                                                                                  HEUR-Trojan-Ransom.Win32.Stop.gen-bfc23474bd0294407c55aa23133438d67617be22d65a6c4e2df0a598d797a90e.exe
                                                                                                  4⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:5972
                                                                                                  • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-bfc23474bd0294407c55aa23133438d67617be22d65a6c4e2df0a598d797a90e.exe
                                                                                                    "C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-bfc23474bd0294407c55aa23133438d67617be22d65a6c4e2df0a598d797a90e.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                    5⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:1964
                                                                                                    • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-bfc23474bd0294407c55aa23133438d67617be22d65a6c4e2df0a598d797a90e.exe
                                                                                                      "C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-bfc23474bd0294407c55aa23133438d67617be22d65a6c4e2df0a598d797a90e.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                      6⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1952
                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-1bcb5256d3c0ac49ce2b13c2638d2a795f6cdf77591d29cb01d0b3731615470b.exe
                                                                                                HEUR-Trojan.MSIL.Crypt.gen-1bcb5256d3c0ac49ce2b13c2638d2a795f6cdf77591d29cb01d0b3731615470b.exe
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4732
                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-2871a208b4188dc2186b70c4a91241c7169a3148c9efbb417f2988014974c298.exe
                                                                                                HEUR-Trojan.MSIL.Crypt.gen-2871a208b4188dc2186b70c4a91241c7169a3148c9efbb417f2988014974c298.exe
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4424
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1576
                                                                                                  4⤵
                                                                                                  • Program crash
                                                                                                  PID:1516
                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-28961276caaabb50b21d63dc68bfe3acfa2ed2912198b3fe8cd2473384795d2b.exe
                                                                                                HEUR-Trojan.MSIL.Crypt.gen-28961276caaabb50b21d63dc68bfe3acfa2ed2912198b3fe8cd2473384795d2b.exe
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:5724
                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-36b7c16a7a1490ec208bf0c6bc8d32f02f6e57528cf31fbfdcea08c1b82a00a8.exe
                                                                                                HEUR-Trojan.MSIL.Crypt.gen-36b7c16a7a1490ec208bf0c6bc8d32f02f6e57528cf31fbfdcea08c1b82a00a8.exe
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:6108
                                                                                                • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-36b7c16a7a1490ec208bf0c6bc8d32f02f6e57528cf31fbfdcea08c1b82a00a8.exe
                                                                                                  "C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-36b7c16a7a1490ec208bf0c6bc8d32f02f6e57528cf31fbfdcea08c1b82a00a8.exe"
                                                                                                  4⤵
                                                                                                    PID:2040
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1112
                                                                                                      5⤵
                                                                                                      • Program crash
                                                                                                      PID:5176
                                                                                                • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-3c34c23aef8934651937c31be7420d2fc8a22ca260f5afdda0f08f4d3730ae59.exe
                                                                                                  HEUR-Trojan.MSIL.Crypt.gen-3c34c23aef8934651937c31be7420d2fc8a22ca260f5afdda0f08f4d3730ae59.exe
                                                                                                  3⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:6120
                                                                                                • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-3db9de8b202f6b0643516cf6f89e1c70acc7b2f17d8341fd830e96843cbcc44e.exe
                                                                                                  HEUR-Trojan.MSIL.Crypt.gen-3db9de8b202f6b0643516cf6f89e1c70acc7b2f17d8341fd830e96843cbcc44e.exe
                                                                                                  3⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:5116
                                                                                                  • C:\Users\Admin\AppData\Roaming\model\print.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\model\print.exe"
                                                                                                    4⤵
                                                                                                      PID:4964
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                        5⤵
                                                                                                          PID:6360
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                          5⤵
                                                                                                            PID:276
                                                                                                      • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-437d686b1aeadeaf68ede093afe4c391091c5afaacc79d006f3c2d5e0dc5317c.exe
                                                                                                        HEUR-Trojan.MSIL.Crypt.gen-437d686b1aeadeaf68ede093afe4c391091c5afaacc79d006f3c2d5e0dc5317c.exe
                                                                                                        3⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:6920
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 1240
                                                                                                          4⤵
                                                                                                          • Program crash
                                                                                                          PID:6172
                                                                                                      • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-46406f0615c1f330788c4271a32c244859e5bc4ef2d83fc1cf4484fd10454422.exe
                                                                                                        HEUR-Trojan.MSIL.Crypt.gen-46406f0615c1f330788c4271a32c244859e5bc4ef2d83fc1cf4484fd10454422.exe
                                                                                                        3⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:1796
                                                                                                      • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-4cf07665a381ee6673a88a0afe2c3b65b97ac42954e2db434d7634aeac7bf550.exe
                                                                                                        HEUR-Trojan.MSIL.Crypt.gen-4cf07665a381ee6673a88a0afe2c3b65b97ac42954e2db434d7634aeac7bf550.exe
                                                                                                        3⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:6812
                                                                                                      • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-5d5c077abcdc9f8be9e37508c2f0d9056c629adcb5f7b890bf04dfcf1fe8acea.exe
                                                                                                        HEUR-Trojan.MSIL.Crypt.gen-5d5c077abcdc9f8be9e37508c2f0d9056c629adcb5f7b890bf04dfcf1fe8acea.exe
                                                                                                        3⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:2940
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
                                                                                                          4⤵
                                                                                                            PID:2420
                                                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                                                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
                                                                                                              5⤵
                                                                                                              • Modifies Windows Firewall
                                                                                                              PID:8168
                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                6⤵
                                                                                                                  PID:5916
                                                                                                          • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-60bd8bb9ba6573b1e02039851841dc42eb70dd59b1f033d18c39aeb572fbbd8c.exe
                                                                                                            HEUR-Trojan.MSIL.Crypt.gen-60bd8bb9ba6573b1e02039851841dc42eb70dd59b1f033d18c39aeb572fbbd8c.exe
                                                                                                            3⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:6820
                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 1572
                                                                                                              4⤵
                                                                                                              • Program crash
                                                                                                              PID:5412
                                                                                                          • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-71f0524220c02e27c282f118bd1da387695c2d805934cb4bf1362f8f1f5b0c5c.exe
                                                                                                            HEUR-Trojan.MSIL.Crypt.gen-71f0524220c02e27c282f118bd1da387695c2d805934cb4bf1362f8f1f5b0c5c.exe
                                                                                                            3⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:4488
                                                                                                          • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5.exe
                                                                                                            HEUR-Trojan.MSIL.Crypt.gen-91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5.exe
                                                                                                            3⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:6204
                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5.exe
                                                                                                              "C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5.exe"
                                                                                                              4⤵
                                                                                                                PID:828
                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-998fde7facc565b91618ecbff1a0c3e06cce2fcf8441371b4fc4eebc9988d3d4.exe
                                                                                                              HEUR-Trojan.MSIL.Crypt.gen-998fde7facc565b91618ecbff1a0c3e06cce2fcf8441371b4fc4eebc9988d3d4.exe
                                                                                                              3⤵
                                                                                                              • Checks computer location settings
                                                                                                              PID:5812
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\343fa3d8-e53e-42bd-920c-91e3d1c84a8b.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\343fa3d8-e53e-42bd-920c-91e3d1c84a8b.exe"
                                                                                                                4⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:7940
                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-a966e362af7fac45819e17b8464a7d6ff5741e5717c90b8a22e253762bcb5a70.exe
                                                                                                              HEUR-Trojan.MSIL.Crypt.gen-a966e362af7fac45819e17b8464a7d6ff5741e5717c90b8a22e253762bcb5a70.exe
                                                                                                              3⤵
                                                                                                                PID:6320
                                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-ab98c7d6e2b3beba9fa4771132f3b8bcba387ccf1e24d9323ce7e56c0d532b26.exe
                                                                                                                HEUR-Trojan.MSIL.Crypt.gen-ab98c7d6e2b3beba9fa4771132f3b8bcba387ccf1e24d9323ce7e56c0d532b26.exe
                                                                                                                3⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:7180
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                                                  dw20.exe -x -s 868
                                                                                                                  4⤵
                                                                                                                  • Checks processor information in registry
                                                                                                                  • Enumerates system info in registry
                                                                                                                  PID:6496
                                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-abeb6a5732318dc90dda6d05548903746dedc7bb8b453201e8088a609689ddb4.exe
                                                                                                                HEUR-Trojan.MSIL.Crypt.gen-abeb6a5732318dc90dda6d05548903746dedc7bb8b453201e8088a609689ddb4.exe
                                                                                                                3⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:7700
                                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-b4c2a47860316121bcdbff33895b0015f81d59f42ca18fcdc3adf30a4a718bf8.exe
                                                                                                                HEUR-Trojan.MSIL.Crypt.gen-b4c2a47860316121bcdbff33895b0015f81d59f42ca18fcdc3adf30a4a718bf8.exe
                                                                                                                3⤵
                                                                                                                • Drops startup file
                                                                                                                PID:792
                                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-bc5aec803186c219d6a530934a8e63bb6273100c8e324b84279f8251f11a4b51.exe
                                                                                                                HEUR-Trojan.MSIL.Crypt.gen-bc5aec803186c219d6a530934a8e63bb6273100c8e324b84279f8251f11a4b51.exe
                                                                                                                3⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:3012
                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1240
                                                                                                                  4⤵
                                                                                                                  • Program crash
                                                                                                                  PID:3684
                                                                                                              • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-cbba68b38ac9d1694b79a6c58863dcc556d593978da1c5d122b8ac1e0e8ef5cd.exe
                                                                                                                HEUR-Trojan.MSIL.Crypt.gen-cbba68b38ac9d1694b79a6c58863dcc556d593978da1c5d122b8ac1e0e8ef5cd.exe
                                                                                                                3⤵
                                                                                                                  PID:6808
                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 1564
                                                                                                                    4⤵
                                                                                                                    • Program crash
                                                                                                                    PID:5896
                                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                                              1⤵
                                                                                                              • Checks SCSI registry key(s)
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                              PID:2196
                                                                                                              • C:\Windows\system32\taskmgr.exe
                                                                                                                "C:\Windows\system32\taskmgr.exe" /1
                                                                                                                2⤵
                                                                                                                • Drops startup file
                                                                                                                • Checks SCSI registry key(s)
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                                PID:5096
                                                                                                            • C:\Windows\system32\vssvc.exe
                                                                                                              C:\Windows\system32\vssvc.exe
                                                                                                              1⤵
                                                                                                                PID:5468
                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                1⤵
                                                                                                                  PID:1892
                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 828 -ip 828
                                                                                                                    2⤵
                                                                                                                      PID:6104
                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4424 -ip 4424
                                                                                                                      2⤵
                                                                                                                        PID:2148
                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5828 -ip 5828
                                                                                                                        2⤵
                                                                                                                          PID:460
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6820 -ip 6820
                                                                                                                          2⤵
                                                                                                                            PID:4180
                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6808 -ip 6808
                                                                                                                            2⤵
                                                                                                                              PID:8084
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2040 -ip 2040
                                                                                                                              2⤵
                                                                                                                                PID:5264
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6920 -ip 6920
                                                                                                                                2⤵
                                                                                                                                  PID:6328
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3012 -ip 3012
                                                                                                                                  2⤵
                                                                                                                                    PID:7844
                                                                                                                                  • C:\Windows\system32\werfault.exe
                                                                                                                                    werfault.exe /h /shared Global\433e21d553314b89998c8e7eb62afe3d /t 4992 /p 2852
                                                                                                                                    2⤵
                                                                                                                                      PID:6248
                                                                                                                                    • C:\Windows\SysWOW64\werfault.exe
                                                                                                                                      werfault.exe /h /shared Global\8b24a227b286486c9ff5cc13c4b20dbf /t 7948 /p 8096
                                                                                                                                      2⤵
                                                                                                                                        PID:960
                                                                                                                                      • C:\Windows\SysWOW64\werfault.exe
                                                                                                                                        werfault.exe /h /shared Global\f2ce1dcf0e82402bba63bdf15ce677cd /t 7208 /p 7488
                                                                                                                                        2⤵
                                                                                                                                          PID:4372
                                                                                                                                      • C:\Windows\system32\wbengine.exe
                                                                                                                                        "C:\Windows\system32\wbengine.exe"
                                                                                                                                        1⤵
                                                                                                                                          PID:6904
                                                                                                                                        • C:\Windows\System32\vdsldr.exe
                                                                                                                                          C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                                                          1⤵
                                                                                                                                            PID:7376
                                                                                                                                          • C:\Windows\System32\vds.exe
                                                                                                                                            C:\Windows\System32\vds.exe
                                                                                                                                            1⤵
                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                            PID:7228
                                                                                                                                          • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                            C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                            1⤵
                                                                                                                                              PID:7740
                                                                                                                                            • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\info.txt
                                                                                                                                              1⤵
                                                                                                                                              • Opens file in notepad (likely ransom note)
                                                                                                                                              PID:4740

                                                                                                                                            Network

                                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                                            Reconnaissance

                                                                                                                                            Resource Development

                                                                                                                                            Initial Access

                                                                                                                                            Replication Through Removable Media

                                                                                                                                            1
                                                                                                                                            T1091

                                                                                                                                            Execution

                                                                                                                                            Command and Scripting Interpreter

                                                                                                                                            1
                                                                                                                                            T1059

                                                                                                                                            System Services

                                                                                                                                            2
                                                                                                                                            T1569

                                                                                                                                            Service Execution

                                                                                                                                            2
                                                                                                                                            T1569.002

                                                                                                                                            Windows Management Instrumentation

                                                                                                                                            1
                                                                                                                                            T1047

                                                                                                                                            Persistence

                                                                                                                                            Boot or Logon Autostart Execution

                                                                                                                                            2
                                                                                                                                            T1547

                                                                                                                                            Registry Run Keys / Startup Folder

                                                                                                                                            1
                                                                                                                                            T1547.001

                                                                                                                                            Winlogon Helper DLL

                                                                                                                                            1
                                                                                                                                            T1547.004

                                                                                                                                            Create or Modify System Process

                                                                                                                                            3
                                                                                                                                            T1543

                                                                                                                                            Windows Service

                                                                                                                                            3
                                                                                                                                            T1543.003

                                                                                                                                            Event Triggered Execution

                                                                                                                                            1
                                                                                                                                            T1546

                                                                                                                                            Netsh Helper DLL

                                                                                                                                            1
                                                                                                                                            T1546.007

                                                                                                                                            Privilege Escalation

                                                                                                                                            Boot or Logon Autostart Execution

                                                                                                                                            2
                                                                                                                                            T1547

                                                                                                                                            Registry Run Keys / Startup Folder

                                                                                                                                            1
                                                                                                                                            T1547.001

                                                                                                                                            Winlogon Helper DLL

                                                                                                                                            1
                                                                                                                                            T1547.004

                                                                                                                                            Create or Modify System Process

                                                                                                                                            3
                                                                                                                                            T1543

                                                                                                                                            Windows Service

                                                                                                                                            3
                                                                                                                                            T1543.003

                                                                                                                                            Event Triggered Execution

                                                                                                                                            1
                                                                                                                                            T1546

                                                                                                                                            Netsh Helper DLL

                                                                                                                                            1
                                                                                                                                            T1546.007

                                                                                                                                            Defense Evasion

                                                                                                                                            Direct Volume Access

                                                                                                                                            1
                                                                                                                                            T1006

                                                                                                                                            File and Directory Permissions Modification

                                                                                                                                            1
                                                                                                                                            T1222

                                                                                                                                            Impair Defenses

                                                                                                                                            2
                                                                                                                                            T1562

                                                                                                                                            Disable or Modify System Firewall

                                                                                                                                            1
                                                                                                                                            T1562.004

                                                                                                                                            Indicator Removal

                                                                                                                                            3
                                                                                                                                            T1070

                                                                                                                                            File Deletion

                                                                                                                                            3
                                                                                                                                            T1070.004

                                                                                                                                            Modify Registry

                                                                                                                                            5
                                                                                                                                            T1112

                                                                                                                                            Credential Access

                                                                                                                                            Credentials from Password Stores

                                                                                                                                            2
                                                                                                                                            T1555

                                                                                                                                            Credentials from Web Browsers

                                                                                                                                            1
                                                                                                                                            T1555.003

                                                                                                                                            Windows Credential Manager

                                                                                                                                            1
                                                                                                                                            T1555.004

                                                                                                                                            Unsecured Credentials

                                                                                                                                            2
                                                                                                                                            T1552

                                                                                                                                            Credentials In Files

                                                                                                                                            2
                                                                                                                                            T1552.001

                                                                                                                                            Discovery

                                                                                                                                            Browser Information Discovery

                                                                                                                                            1
                                                                                                                                            T1217

                                                                                                                                            Peripheral Device Discovery

                                                                                                                                            2
                                                                                                                                            T1120

                                                                                                                                            Query Registry

                                                                                                                                            7
                                                                                                                                            T1012

                                                                                                                                            System Information Discovery

                                                                                                                                            6
                                                                                                                                            T1082

                                                                                                                                            System Location Discovery

                                                                                                                                            1
                                                                                                                                            T1614

                                                                                                                                            System Language Discovery

                                                                                                                                            1
                                                                                                                                            T1614.001

                                                                                                                                            Lateral Movement

                                                                                                                                            Replication Through Removable Media

                                                                                                                                            1
                                                                                                                                            T1091

                                                                                                                                            Collection

                                                                                                                                            Data from Local System

                                                                                                                                            2
                                                                                                                                            T1005

                                                                                                                                            Command and Control

                                                                                                                                            Web Service

                                                                                                                                            1
                                                                                                                                            T1102

                                                                                                                                            Exfiltration

                                                                                                                                            Impact

                                                                                                                                            Defacement

                                                                                                                                            1
                                                                                                                                            T1491

                                                                                                                                            Inhibit System Recovery

                                                                                                                                            4
                                                                                                                                            T1490

                                                                                                                                            Service Stop

                                                                                                                                            1
                                                                                                                                            T1489

                                                                                                                                            Replay Monitor

                                                                                                                                            Loading Replay Monitor...

                                                                                                                                            Downloads

                                                                                                                                            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                                                                                                                                              Filesize

                                                                                                                                              64KB

                                                                                                                                              MD5

                                                                                                                                              d2fb266b97caff2086bf0fa74eddb6b2

                                                                                                                                              SHA1

                                                                                                                                              2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                                                                              SHA256

                                                                                                                                              b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                                                                              SHA512

                                                                                                                                              c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                                                                                                                                              Filesize

                                                                                                                                              4B

                                                                                                                                              MD5

                                                                                                                                              f49655f856acb8884cc0ace29216f511

                                                                                                                                              SHA1

                                                                                                                                              cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                                                              SHA256

                                                                                                                                              7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                                                              SHA512

                                                                                                                                              599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                                                                                                                                              Filesize

                                                                                                                                              944B

                                                                                                                                              MD5

                                                                                                                                              6bd369f7c74a28194c991ed1404da30f

                                                                                                                                              SHA1

                                                                                                                                              0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                                                                              SHA256

                                                                                                                                              878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                                                                              SHA512

                                                                                                                                              8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\343fa3d8-e53e-42bd-920c-91e3d1c84a8b.exe
                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              MD5

                                                                                                                                              f80fa38d37eb2d1d1d3aec66003b5780

                                                                                                                                              SHA1

                                                                                                                                              fd5e87fe12df96def7ec3823744c063ecbcf653d

                                                                                                                                              SHA256

                                                                                                                                              eec418db69eab627d827a3d1b416ab5960af88ccde836a139f9c9c11d5556f55

                                                                                                                                              SHA512

                                                                                                                                              3c1b9cf19759e80427cd81c53558f031ec0f404fdedf984f7a6635fadb64451a7a59ae4de16a41e4f508541c15e2a7dffcd65eb09cbc3eec442783e5d5a955d9

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zECEA3F208\00485\Trojan-Ransom.Win32.Blocker.objk-3c9075ccd61cbc6ec824ea7f4027b599e003b61fe58dc85d0aa88d31ec15d9c7.exe
                                                                                                                                              Filesize

                                                                                                                                              11.7MB

                                                                                                                                              MD5

                                                                                                                                              0d5ba61b2f65559e4a0540290a0b32c2

                                                                                                                                              SHA1

                                                                                                                                              186ffbd701f572cea09e35794f01b3fed2583c93

                                                                                                                                              SHA256

                                                                                                                                              3c9075ccd61cbc6ec824ea7f4027b599e003b61fe58dc85d0aa88d31ec15d9c7

                                                                                                                                              SHA512

                                                                                                                                              005780ece41670c26e3ce27236b3b5f15b8f11749c19b2138ca7f775f4a8d1d13a392494b65e3c6f6af632ac2234b4dff9967665d1b7140ea721ce72527984c0

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zECEA3F208\00485\Trojan.Win32.Kryptik.bnm-873e791ee50cbb57172066fbefbdc9879335a9723e78f05f0db6ac0273388e8a.exe
                                                                                                                                              Filesize

                                                                                                                                              1.3MB

                                                                                                                                              MD5

                                                                                                                                              650dac7401a7d05d739111b3c99d15ca

                                                                                                                                              SHA1

                                                                                                                                              3537f8162c125c40e5b581021741d3be770bb3a5

                                                                                                                                              SHA256

                                                                                                                                              873e791ee50cbb57172066fbefbdc9879335a9723e78f05f0db6ac0273388e8a

                                                                                                                                              SHA512

                                                                                                                                              366920e624ebec187f1bedfaf9e1b64144a66fa9f3912a40872aa9f41adb4880982a8bb11725ba8cb5e1b6d193de98dbc5581a4c6b66856b5738f07783bcaafe

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
                                                                                                                                              Filesize

                                                                                                                                              132KB

                                                                                                                                              MD5

                                                                                                                                              c970682de70be4bc7d1e178ebe7e5331

                                                                                                                                              SHA1

                                                                                                                                              3e6a7d7191b67303c0103d28decf786c4e243504

                                                                                                                                              SHA256

                                                                                                                                              5d5c077abcdc9f8be9e37508c2f0d9056c629adcb5f7b890bf04dfcf1fe8acea

                                                                                                                                              SHA512

                                                                                                                                              c31f52fbd80325894fbcccdda5a1d9fd2c81ab52d5433d3cd8e5459ecd6cae64f252ed0142891a682cde1acfdcd9569c780af00b00d356f2658a63d59d097a5b

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Trojan.exe.tmp
                                                                                                                                              Filesize

                                                                                                                                              175B

                                                                                                                                              MD5

                                                                                                                                              006105453114febe220aa8292aea3d49

                                                                                                                                              SHA1

                                                                                                                                              90f89aebdbbede889ff332b160fc251ed49ef029

                                                                                                                                              SHA256

                                                                                                                                              90e47c7e191ea4152454b6590a617c618e17b49c91aca9389d5fab4f54266b76

                                                                                                                                              SHA512

                                                                                                                                              18e6d4a0afccbaf920f950e1f75fcdf13b36610babf82ef0f9bfcfd5083b5498b614e6e1a1cc34876561f71356110cf08e87295640e767abb76054a78b1ea573

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ss3ivjyi.spy.ps1
                                                                                                                                              Filesize

                                                                                                                                              60B

                                                                                                                                              MD5

                                                                                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                              SHA1

                                                                                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                              SHA256

                                                                                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                              SHA512

                                                                                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp967C.tmp
                                                                                                                                              Filesize

                                                                                                                                              112KB

                                                                                                                                              MD5

                                                                                                                                              2cd4a14c590e54f86b57c7ee67bc8778

                                                                                                                                              SHA1

                                                                                                                                              e4b7361df844942460d20074891007ab469fad87

                                                                                                                                              SHA256

                                                                                                                                              130d4225cab930803d7ead361b2d5111474f7bdc5543829a613543396b1b3714

                                                                                                                                              SHA512

                                                                                                                                              8b18366116965796d5d0f9dd97826432c17e495f40f726b54a933ae79cb3a0c7f31365e4f00980d68ba67d4f59bda0816da4f111c3bf9588be9d0477f94be1e8

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp
                                                                                                                                              Filesize

                                                                                                                                              40KB

                                                                                                                                              MD5

                                                                                                                                              a182561a527f929489bf4b8f74f65cd7

                                                                                                                                              SHA1

                                                                                                                                              8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                                                                                              SHA256

                                                                                                                                              42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                                                                                              SHA512

                                                                                                                                              9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp96A4.tmp
                                                                                                                                              Filesize

                                                                                                                                              114KB

                                                                                                                                              MD5

                                                                                                                                              f0dcd0735cfcef0c15ceda75deb5cb3e

                                                                                                                                              SHA1

                                                                                                                                              af257a650681983a6c9e087615165269a6d0ceab

                                                                                                                                              SHA256

                                                                                                                                              d3ca053889263104532ef68de1a1200f5e1b1177cfeea702e882c5c4075c35ee

                                                                                                                                              SHA512

                                                                                                                                              cc2a123eea72756ce0914ec7c2e077b9f14c6def40a3131fdc02d5f981c5c79bba7859d02296cb1a15e4ff2491818e91c3790706cf46fffdf9a7b7fcb5a33ec4

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp9865.tmp
                                                                                                                                              Filesize

                                                                                                                                              8KB

                                                                                                                                              MD5

                                                                                                                                              b1bc68029880fca99004dc66d5cb66f0

                                                                                                                                              SHA1

                                                                                                                                              7da5246e09b0ceb947d14301037e2656fb585988

                                                                                                                                              SHA256

                                                                                                                                              1d53dabf975929e2874aad7e60561a431f4f8272e41f1018759c7ce1db582cfe

                                                                                                                                              SHA512

                                                                                                                                              94186ce100e6c5d8659027570738f14f43d9bc7ffc6b4ae63ec850aa96ed4c01811f196e2c3a40b133072e4095d123d4034f6065f86c4d47bb1833e9e2fadde8

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp9868.tmp
                                                                                                                                              Filesize

                                                                                                                                              48KB

                                                                                                                                              MD5

                                                                                                                                              349e6eb110e34a08924d92f6b334801d

                                                                                                                                              SHA1

                                                                                                                                              bdfb289daff51890cc71697b6322aa4b35ec9169

                                                                                                                                              SHA256

                                                                                                                                              c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                                                                                                                                              SHA512

                                                                                                                                              2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp987D.tmp
                                                                                                                                              Filesize

                                                                                                                                              20KB

                                                                                                                                              MD5

                                                                                                                                              49693267e0adbcd119f9f5e02adf3a80

                                                                                                                                              SHA1

                                                                                                                                              3ba3d7f89b8ad195ca82c92737e960e1f2b349df

                                                                                                                                              SHA256

                                                                                                                                              d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

                                                                                                                                              SHA512

                                                                                                                                              b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp9883.tmp
                                                                                                                                              Filesize

                                                                                                                                              116KB

                                                                                                                                              MD5

                                                                                                                                              f70aa3fa04f0536280f872ad17973c3d

                                                                                                                                              SHA1

                                                                                                                                              50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                                                                                              SHA256

                                                                                                                                              8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                                                                                              SHA512

                                                                                                                                              30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
                                                                                                                                              Filesize

                                                                                                                                              50KB

                                                                                                                                              MD5

                                                                                                                                              b564a942ce2bf9b09dcfbbbb024af559

                                                                                                                                              SHA1

                                                                                                                                              c36413cfa26912e20ee7e067473e867adde72501

                                                                                                                                              SHA256

                                                                                                                                              d4f768fda9dedea79c45395db4057ffb70249b91ee6298e8d1b0c4974e888f01

                                                                                                                                              SHA512

                                                                                                                                              d6aa2308243a7018b37c24f8f1dba2885dfed91f67b3d2c3650f8653bf50d996fddcd54f4811ea3826dbe3e8c97fba228632d860abccb5c94f599e04100b74b2

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Imminent\Logs\12-09-2024
                                                                                                                                              Filesize

                                                                                                                                              8KB

                                                                                                                                              MD5

                                                                                                                                              fad17fd76a4cddd68eb074f969ade63b

                                                                                                                                              SHA1

                                                                                                                                              5f79075737a8411c0c54640cd66486495b4ade5b

                                                                                                                                              SHA256

                                                                                                                                              44b4927c45714382d83b067df05cb573fce524c3bf0d7695d4e8e3d499bdb2ae

                                                                                                                                              SHA512

                                                                                                                                              19cf7d95eee69798902c6f42ea2f1dcc24a2c0a61059f76378ee7ee4f82e2caccf979c9570aabb479858e6dd7e5ccf0279bb329ad374d33dfd411f6c430f4cf4

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mais Arquivos.exe
                                                                                                                                              Filesize

                                                                                                                                              259KB

                                                                                                                                              MD5

                                                                                                                                              a0412771fbc748a42ab9b9e8340bedbf

                                                                                                                                              SHA1

                                                                                                                                              a203666a3f60327cd48cb1c71052bc31a0be5d94

                                                                                                                                              SHA256

                                                                                                                                              77452beef9ca2df47b2de0939f12160dca92f1d6c4007c2538b7cabc4d245f14

                                                                                                                                              SHA512

                                                                                                                                              5054a7334d79593cba781ee8f0a356a80609681a9ff4727806ec153e62652c9169bf54fbbd7423fae1186edc11552caf1e0f708cb0284d78b85607a071e03bb2

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
                                                                                                                                              Filesize

                                                                                                                                              1.0MB

                                                                                                                                              MD5

                                                                                                                                              a2f259ceb892d3b0d1d121997c8927e3

                                                                                                                                              SHA1

                                                                                                                                              6e0a7239822b8d365d690a314f231286355f6cc6

                                                                                                                                              SHA256

                                                                                                                                              ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

                                                                                                                                              SHA512

                                                                                                                                              5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              MD5

                                                                                                                                              012d49503bb16562386ba84e27cdfa2e

                                                                                                                                              SHA1

                                                                                                                                              b2cf1307b9fd6953c34c287b877ddce8b34f31ba

                                                                                                                                              SHA256

                                                                                                                                              1a7edd7f07fe46baff2d5ee48af9ce5e5cf6ee0ebc8811bebfa8f568481c730c

                                                                                                                                              SHA512

                                                                                                                                              83c49f8dc3e9879330e68dbf5f12f01cfac3a93c20b76114dae6a0d8c617d257e097137499123c2d170f9e47057600b575a05bb374a924384a285c58202768f7

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
                                                                                                                                              Filesize

                                                                                                                                              259KB

                                                                                                                                              MD5

                                                                                                                                              b2757bcc1094d9ea8a57890ea11fa6b9

                                                                                                                                              SHA1

                                                                                                                                              ab31c97cedf656e571f1294190180fa691c39446

                                                                                                                                              SHA256

                                                                                                                                              659c4f520a07238a4781a78dc27c0bbfffacffbc12fe03b4747f86663e253408

                                                                                                                                              SHA512

                                                                                                                                              9e19bed7ef41685fb2cb73355f9a16ac99ced97e2216a3f593d6e147b6da9f02d9edfe9ed76cccc9f503f3f9a8be8c7d8003eb5bf8e79320549aa36fe8898a0f

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              MD5

                                                                                                                                              9994fce4a097a0e81f3990585fe4c00b

                                                                                                                                              SHA1

                                                                                                                                              b6f57c87afc5baef95df2eeb4836060dfd04555a

                                                                                                                                              SHA256

                                                                                                                                              359e068b989a1fed243146338d024f2f26a1f9c5ae1584eadd3062f14719053f

                                                                                                                                              SHA512

                                                                                                                                              1b966cddfb16f5f3c2aae10bdaf8f256a91d055926ecafc01af216e037af8ef0ca71fbc362fadae40b17b995866ca5638ec8fac69c64f0bd231d3c30f9158bf6

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
                                                                                                                                              Filesize

                                                                                                                                              259KB

                                                                                                                                              MD5

                                                                                                                                              e28eaad7b33fce1dd270bfcbe27043b8

                                                                                                                                              SHA1

                                                                                                                                              fd934116ddee9d0ee2df44c45036cd8d013c2121

                                                                                                                                              SHA256

                                                                                                                                              333073320c0a25882e3828e4d6f5bb65d11239f20e6be8bf4f4f7cbc78650887

                                                                                                                                              SHA512

                                                                                                                                              c384f2bae2337f3cef5b6a6e9fa3e8d747070d86286c28fc05824072158dde2d6dcce8f1cd4c6b70e04dedea0919740ab000c928a6e30fc596618c9eb600eb05

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
                                                                                                                                              Filesize

                                                                                                                                              259KB

                                                                                                                                              MD5

                                                                                                                                              735429bdf12ac67fe0927390f1518353

                                                                                                                                              SHA1

                                                                                                                                              32dea8f7c0c953f0c194b93ea43848617ae3966c

                                                                                                                                              SHA256

                                                                                                                                              889dbbcc313f870bab67d90c266101656b9cb5de68e8f877b03ea774e8fc5ab9

                                                                                                                                              SHA512

                                                                                                                                              1f89758f9c0885b6987057f2602ab8372f8ea8909cee9dad9f43ff18b87c9f705d1340aa99332aa57a17a987eaf0213dcc103536fc39b7c1b383f71f04ce5d40

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              MD5

                                                                                                                                              22ab23f9f9825acd1b26e981b63b6702

                                                                                                                                              SHA1

                                                                                                                                              ff196a787ea095cd223151fa924a49dc8364cce6

                                                                                                                                              SHA256

                                                                                                                                              a50eb755c8d5dd3676e14a6411600ff4993987b4363d0e7facd191c30e999b8d

                                                                                                                                              SHA512

                                                                                                                                              dfe12c05e0ce3ce223dbb17e6884a953e8739900021ef82c7b0ffc1f12d6ee338fea7d8aa785d34e0bc49a465364330b6e44658861c62192fac75b3687139586

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\dclogs\2024-09-12-5.dc
                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              MD5

                                                                                                                                              52476ffbbc7d384d95e750eb76d6b4cc

                                                                                                                                              SHA1

                                                                                                                                              1f3d8829eba6a46a86f24783ded36c4c2a09ddbc

                                                                                                                                              SHA256

                                                                                                                                              5c94c0e04a64da945eea96c6e75770a93bef15068d4ceb30cc55055d25b501ea

                                                                                                                                              SHA512

                                                                                                                                              6cd2ba08c7d1aa1f802f6324299bbc92b3dfd0cb4d4d8c731e4c1b34bf7143fa8475b4c5ce0448bbd279efa2ff841652f43a5cb41388a79ee3fba6874bb20c1e

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\importações.exe
                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              MD5

                                                                                                                                              5620ce37cd07b6f596709091001a4bea

                                                                                                                                              SHA1

                                                                                                                                              f07a68d1d152add18fa8989a7036987467f018b7

                                                                                                                                              SHA256

                                                                                                                                              5f65321017a5af9216dd4db4545400660c5cc4b0d1221a1d6353af06b4d1c15a

                                                                                                                                              SHA512

                                                                                                                                              d0fd0d15a01c6a396f1b977214b54dc251d03fcff43a8b3e89d89d4ab46407d7efc0045c6d15884668961a5909b1787ebe0d0e8cf00e87a91291beeae6f5bb84

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\lgfiles\SystemLog_9122024.lgg
                                                                                                                                              Filesize

                                                                                                                                              78KB

                                                                                                                                              MD5

                                                                                                                                              175b364c1b2922b284e3289b6ebc20b6

                                                                                                                                              SHA1

                                                                                                                                              0b04e230544e0114bfce6a351aa4485cfeb9234d

                                                                                                                                              SHA256

                                                                                                                                              376f1b7a1d3a38c3eca2f869dffb4a27e1118b5e5bee2bcbca5a146c066918a3

                                                                                                                                              SHA512

                                                                                                                                              c719eabbc765964589ba1ca38225fbf6da29b8c10648d49e0ab8916bbfda59c373b8ac1e28fe25ab3da78638e896e3cb414a60dadaa16a8df444c5ef2b8806ad

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-50b584cc4677a24af400fb4682919ce3c2e3be14a9820681141acd6c44e7729d.exe
                                                                                                                                              Filesize

                                                                                                                                              2.7MB

                                                                                                                                              MD5

                                                                                                                                              961020fc5ab430a0471066e88aa8c4c6

                                                                                                                                              SHA1

                                                                                                                                              532414c8b31fa7303c67ad8a0a87337bc6113bf0

                                                                                                                                              SHA256

                                                                                                                                              50b584cc4677a24af400fb4682919ce3c2e3be14a9820681141acd6c44e7729d

                                                                                                                                              SHA512

                                                                                                                                              37a3e6a1952d8071109436098f86f1278bee4f69cc7eebb2b44759d22d2cafdfe66d585e26a949cb2a35c04bc57c5537319bb8716c9ef760aacdeb56843b4085

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5610b2906ecd713913b4b7e2975788cecb0d19abf94a16d1f81d3b43e1b9adda.exe
                                                                                                                                              Filesize

                                                                                                                                              857KB

                                                                                                                                              MD5

                                                                                                                                              7d0aa3ac75755d1f7b67f12d0a362356

                                                                                                                                              SHA1

                                                                                                                                              2c7308e44a5a72ba8c70ac7d846b8b3c1878461a

                                                                                                                                              SHA256

                                                                                                                                              5610b2906ecd713913b4b7e2975788cecb0d19abf94a16d1f81d3b43e1b9adda

                                                                                                                                              SHA512

                                                                                                                                              4b419222720e3ac88c4f166da8f2675bf772703728d7763dd471e4b0f180d2d71c2fe1ac6dd8f1d6747780c0ad24ef7556b198047853d2d9da389085b15810e1

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-72d0b083aa7fe84ab302b5a1efa6351f891f1e3d2cc164627e9a89f989df3cb3.exe
                                                                                                                                              Filesize

                                                                                                                                              3.0MB

                                                                                                                                              MD5

                                                                                                                                              2820ea0329208ef6950e350ba112f19c

                                                                                                                                              SHA1

                                                                                                                                              3935913ff07cfd847958a9416aefe195c640dc47

                                                                                                                                              SHA256

                                                                                                                                              72d0b083aa7fe84ab302b5a1efa6351f891f1e3d2cc164627e9a89f989df3cb3

                                                                                                                                              SHA512

                                                                                                                                              03cfc629ab5ee2b4a6ccf97030bc865ee5d79478f382d0d45bf7be9afb676f0aa2577b55a744ac7fcacebc5fa4c227620dc6a091360a4b7c5d01193336473239

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c72106b6cff6e8607dfe9a443c17d8b1ca178323f527f072d4b63c71ada0e811.exe
                                                                                                                                              Filesize

                                                                                                                                              259KB

                                                                                                                                              MD5

                                                                                                                                              24911eb866f79e707e508d44bc1b5765

                                                                                                                                              SHA1

                                                                                                                                              608fa9bb94fb8e4209b4aa4599402a5bfcd5fe48

                                                                                                                                              SHA256

                                                                                                                                              c72106b6cff6e8607dfe9a443c17d8b1ca178323f527f072d4b63c71ada0e811

                                                                                                                                              SHA512

                                                                                                                                              dcb22487a2985162b4a66cecaccb41cf934c48045e3265fa1366e4c993bce631b316acfeb1ba411a4601c4326a2fa0fb75c7a1be8a2645a709a54ba554e84555

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e5986334029c7e764b566c306e942190f39231cfae586bf674f453e9b5d867bc.exe
                                                                                                                                              Filesize

                                                                                                                                              448KB

                                                                                                                                              MD5

                                                                                                                                              836a2232c085d2bd7266ff66e243a0ba

                                                                                                                                              SHA1

                                                                                                                                              904bb86906c4e32cc543ab57d67b26cf180074e4

                                                                                                                                              SHA256

                                                                                                                                              e5986334029c7e764b566c306e942190f39231cfae586bf674f453e9b5d867bc

                                                                                                                                              SHA512

                                                                                                                                              5fd1974cf23a8f9fd19638b50cea08b7cd2c46a49e92c488324118cb13e0c9419d0bf66ea858890a7733802a6a29e827624e37af4938a11f1c522e291700823e

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.MSIL.Gen.gen-53810db15c47cf14cdf4f2b205594ce54a69bad4b15ec57800f2bd4f391d34d3.exe
                                                                                                                                              Filesize

                                                                                                                                              12.9MB

                                                                                                                                              MD5

                                                                                                                                              2ec61d5f703251299b046d60accbcec6

                                                                                                                                              SHA1

                                                                                                                                              7ea4b02526174d55650187223b413c1f1c266437

                                                                                                                                              SHA256

                                                                                                                                              53810db15c47cf14cdf4f2b205594ce54a69bad4b15ec57800f2bd4f391d34d3

                                                                                                                                              SHA512

                                                                                                                                              11ba357853b054200d45c439dd2b303fd9be9d6e09fa78e719a4e3fcdefd1e8a98492f1aa314ac577f37eacbea67df4ee92b9d2b615ec86b9021ec57a8f8951b

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Blocker.pef-04cd6162181c33c5e5198b88439debb7a2b0cf4f7ffe270781122a895484c1f6.exe
                                                                                                                                              Filesize

                                                                                                                                              50KB

                                                                                                                                              MD5

                                                                                                                                              958d5373e07f61f420c8e1bf25765d20

                                                                                                                                              SHA1

                                                                                                                                              1de009efa960ef1f82080799f062ae57456e958d

                                                                                                                                              SHA256

                                                                                                                                              04cd6162181c33c5e5198b88439debb7a2b0cf4f7ffe270781122a895484c1f6

                                                                                                                                              SHA512

                                                                                                                                              c6529120838aa38133ef2a9244115cb9adeea0a5bb9545045c7d9e9f5b8bb90c787839b4f24ae246ccf1ae86ba75e404b48b63751071918cf53970a52a1474e3

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Blocker.vho-2e6fdc260e37c79e2fae1227cfece13f1945763f34aafb60983bb32aa93a5dc6.exe
                                                                                                                                              Filesize

                                                                                                                                              7.7MB

                                                                                                                                              MD5

                                                                                                                                              329f50e2b47d74c3bf7e6e44ff577899

                                                                                                                                              SHA1

                                                                                                                                              9932371935bd5095ddb7d48b07182a2c634de189

                                                                                                                                              SHA256

                                                                                                                                              2e6fdc260e37c79e2fae1227cfece13f1945763f34aafb60983bb32aa93a5dc6

                                                                                                                                              SHA512

                                                                                                                                              30e0831772f6a1c4e691be4a4bd684fdbacd6f84d9e90a80e77de7b6e7402f10405894792cbc11ead15464b623d77b2c7489b6b7221a5c46b8ccd51248b9b083

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Blocker.vho-997c83357b09436a7ef6ffff93cd2042fdf111e10ec5b787447fb44222dd2815.exe
                                                                                                                                              Filesize

                                                                                                                                              5.4MB

                                                                                                                                              MD5

                                                                                                                                              0c6d9b8b4daa38c4c1fb297acb213e41

                                                                                                                                              SHA1

                                                                                                                                              5c24728b9089b706e2fada3a90d498ba83eeca3f

                                                                                                                                              SHA256

                                                                                                                                              997c83357b09436a7ef6ffff93cd2042fdf111e10ec5b787447fb44222dd2815

                                                                                                                                              SHA512

                                                                                                                                              5772f785ef5ea1f97e579e155341b0fe3e92ceb7733e29ef3bbe48fc6dd3e95da39611ff0de35e8be07725266f1097e75c43d33453b8328e0fbdffade631a5d6

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Generic-a9c07957e93c0a33f107248d19a5c78ba005a338716bbf0aacfd40b695850319.exe
                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              MD5

                                                                                                                                              a1f7765d85a085e3fc89fdeb18f640f4

                                                                                                                                              SHA1

                                                                                                                                              c9210d30737f1caa6a9b01e564432a67a9c1b004

                                                                                                                                              SHA256

                                                                                                                                              a9c07957e93c0a33f107248d19a5c78ba005a338716bbf0aacfd40b695850319

                                                                                                                                              SHA512

                                                                                                                                              653aa97222b1e893b846bcc8ba97b7899b255c7f4815615d9fc3d0a13d6282a68b6da454f92b0ec120fe5306382a1dae928d3f36752374c7bdfb7b79fdfa9b1f

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Generic-fd8b588e1ee4f98e4498e9a39c29ca2fcb974b55680139a12cccb49657da7658.exe
                                                                                                                                              Filesize

                                                                                                                                              62KB

                                                                                                                                              MD5

                                                                                                                                              984ed804482b455638e29cfa56d91e86

                                                                                                                                              SHA1

                                                                                                                                              608e262d942f5d464a68b9ffee0c83f99b99c901

                                                                                                                                              SHA256

                                                                                                                                              fd8b588e1ee4f98e4498e9a39c29ca2fcb974b55680139a12cccb49657da7658

                                                                                                                                              SHA512

                                                                                                                                              999915dea839739bf03814154ae2b96e4f433166af37d4e7a234ecbce2669ee0fae11bf82b2169820d436e9d2d8b3f2a5041f84068f85b9516f3031671841690

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Phobos.vho-d71748408052ff7047bdf2d6d29ecbca0be93522f8a03d00b405841ba818794d.exe
                                                                                                                                              Filesize

                                                                                                                                              55KB

                                                                                                                                              MD5

                                                                                                                                              0b5a3e9cf2e6b51213f36685d43d1600

                                                                                                                                              SHA1

                                                                                                                                              be83c8c6515e72d82fd5e0e3802a9b216e6685ef

                                                                                                                                              SHA256

                                                                                                                                              d71748408052ff7047bdf2d6d29ecbca0be93522f8a03d00b405841ba818794d

                                                                                                                                              SHA512

                                                                                                                                              498ad74dfa67a9a9fdf56275723a47fc93bb00e35bee10e516b2d880709ff3eadd4b76b36f16d0037d43c23456c2ffaf6788bdc9a9e120c0237cdbe22bf6d8fd

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-b3d54d34e2610f35ba15a83b56518ab8f1431c210344198f3356f04b1de403b1.exe
                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              MD5

                                                                                                                                              64228b8bd37fd469685b12feb44b22f1

                                                                                                                                              SHA1

                                                                                                                                              1539e9cf06b34c384ae1d10e98ba6723067dce60

                                                                                                                                              SHA256

                                                                                                                                              b3d54d34e2610f35ba15a83b56518ab8f1431c210344198f3356f04b1de403b1

                                                                                                                                              SHA512

                                                                                                                                              c50125ee6ae3f9c5615a7f7334261205d16ad091528d955d53ac9e81c1ff7b9a4fa4b832c7d8c97f8c37e8ecbf5871f7e3290eb65362b9a8c62530d26f835c69

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0.exe
                                                                                                                                              Filesize

                                                                                                                                              830KB

                                                                                                                                              MD5

                                                                                                                                              8fa538666a1e99ff4e77dbae8690c488

                                                                                                                                              SHA1

                                                                                                                                              17674dea310e121f6a4bd05ac310670dc9c4fc5a

                                                                                                                                              SHA256

                                                                                                                                              11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0

                                                                                                                                              SHA512

                                                                                                                                              ccb5f23a1c3c6a3d78ac48387bde590e922ea3a25d59ea749c5a2344d50acd2b638a133f16ee83e13c4955c8fa08b8045c37f8829926c0789c76cd02263d5f4d

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-2b448eb1fc9450030d7f785848b4569e3aebbda92eae96d0f60a9dcdae60ce2c.exe
                                                                                                                                              Filesize

                                                                                                                                              12.4MB

                                                                                                                                              MD5

                                                                                                                                              53cdd911eebe425888996fab53d1c260

                                                                                                                                              SHA1

                                                                                                                                              10ac8003f029fe670195d2cc5d4cb605b415b829

                                                                                                                                              SHA256

                                                                                                                                              2b448eb1fc9450030d7f785848b4569e3aebbda92eae96d0f60a9dcdae60ce2c

                                                                                                                                              SHA512

                                                                                                                                              c718dd86ad2522e3c5af4dc9956c00f0a3cdf1201d9704f54b496dc4b8ddf14e885edbe9e5d40c993022dc8a6941d4da0d696f1a49c591c607a0e80347aaa444

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan-Ransom.Win32.Stop.gen-4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2.exe
                                                                                                                                              Filesize

                                                                                                                                              808KB

                                                                                                                                              MD5

                                                                                                                                              b2a7ab12fd91fab7767d41fa9cf06369

                                                                                                                                              SHA1

                                                                                                                                              0af43e5510d68f712dc2e05bdab07a86cbdac895

                                                                                                                                              SHA256

                                                                                                                                              4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2

                                                                                                                                              SHA512

                                                                                                                                              e601c95ffadb3035ad231246ba60bf2ff71d0cc21fa02903e04a28e476b748a2d7ba8b3eaa029352e94b07fe163b9e5a0801861b556622d6dd0c98ec85e183ae

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Desktop\00485\HEUR-Trojan.MSIL.Crypt.gen-3db9de8b202f6b0643516cf6f89e1c70acc7b2f17d8341fd830e96843cbcc44e.exe
                                                                                                                                              Filesize

                                                                                                                                              908KB

                                                                                                                                              MD5

                                                                                                                                              15ff5326b957a8b747b95c47d6a65741

                                                                                                                                              SHA1

                                                                                                                                              0d9c5be1f1c3c71e4a7971743624932f834a3499

                                                                                                                                              SHA256

                                                                                                                                              3db9de8b202f6b0643516cf6f89e1c70acc7b2f17d8341fd830e96843cbcc44e

                                                                                                                                              SHA512

                                                                                                                                              ebe3f5a5294c82c0b92ba55770902b932ca2d708879d3a15f8940fe5602ca95434bfb1282cc93d7966ed23e1a28f1402ae3203cf0e12537820651a55d8717a59

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Public\o
                                                                                                                                              Filesize

                                                                                                                                              1B

                                                                                                                                              MD5

                                                                                                                                              00594fd4f42ba43fc1ca0427a0576295

                                                                                                                                              SHA1

                                                                                                                                              85e53271e14006f0265921d02d4d736cdc580b0b

                                                                                                                                              SHA256

                                                                                                                                              a8100ae6aa1940d0b663bb31cd466142ebbdbd5187131b92d93818987832eb89

                                                                                                                                              SHA512

                                                                                                                                              6700df6600b118ab0432715a7e8a68b0bf37cdf4adaf0fb9e2b3ebe04ad19c7032cbad55e932792af360bafaa09962e2e690652bc075b2dad0c30688ba2f31a3

                                                                                                                                              Download Submit

                                                                                                                                            • C:\info.hta
                                                                                                                                              Filesize

                                                                                                                                              5KB

                                                                                                                                              MD5

                                                                                                                                              0608e8355c6945be7a822886f3201dbe

                                                                                                                                              SHA1

                                                                                                                                              e77fb64e84e9b3d012da2d2bde04ca9c73d7ca22

                                                                                                                                              SHA256

                                                                                                                                              245cf30c22092e35bbd3e2a7cbdf03c8e258c079a01b3e874ba3a5172f9a8dd0

                                                                                                                                              SHA512

                                                                                                                                              6be559ea7749cae621e43a4646794c327a54e4770c64b8bb4399ac3182a27dc36bad313f8acf47ffcc762a69e712a98fc8ccd87cbcc2cf449c9aed908d0cd3f9

                                                                                                                                              Download Submit

                                                                                                                                            • F:\AUTORUN.INF
                                                                                                                                              Filesize

                                                                                                                                              145B

                                                                                                                                              MD5

                                                                                                                                              ca13857b2fd3895a39f09d9dde3cca97

                                                                                                                                              SHA1

                                                                                                                                              8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

                                                                                                                                              SHA256

                                                                                                                                              cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

                                                                                                                                              SHA512

                                                                                                                                              55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

                                                                                                                                              Download Submit

                                                                                                                                            • F:\AutoRun.exe.exe.id[D5838490-3216].[[email protected]].eking
                                                                                                                                              Filesize

                                                                                                                                              2.8MB

                                                                                                                                              MD5

                                                                                                                                              887a505005d0692a9d5051135f4d48d1

                                                                                                                                              SHA1

                                                                                                                                              21180a8220612a67022e55691d44b4511c5b6e92

                                                                                                                                              SHA256

                                                                                                                                              fd8e1392e810a19a526bdbf8548dcb70830ea14e8e3cbd79870fc31633229032

                                                                                                                                              SHA512

                                                                                                                                              d4bfb85f1a3f3d8fd9c10a8020a9c1392801145e60706ec6a28378b4e5d7f806051f2f8869e45593045386f2d26f4eef0a1dd05d5ac00e0c310925bca5a04a07

                                                                                                                                              Download Submit

                                                                                                                                            • memory/276-16535-0x0000000006C90000-0x0000000006CA6000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              88KB

                                                                                                                                              Download

                                                                                                                                            • memory/276-16431-0x0000000000400000-0x0000000000456000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              344KB

                                                                                                                                              Download

                                                                                                                                            • memory/276-16438-0x0000000005610000-0x00000000056BE000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              696KB

                                                                                                                                              Download

                                                                                                                                            • memory/276-16432-0x0000000002C10000-0x0000000002C20000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              64KB

                                                                                                                                              Download

                                                                                                                                            • memory/276-16439-0x0000000008A40000-0x0000000008A68000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              160KB

                                                                                                                                              Download

                                                                                                                                            • memory/276-16467-0x0000000006B30000-0x0000000006B48000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              96KB

                                                                                                                                              Download

                                                                                                                                            • memory/316-2091-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/316-992-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/316-990-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/792-11591-0x00000000007E0000-0x00000000008BE000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              888KB

                                                                                                                                              Download

                                                                                                                                            • memory/792-11711-0x0000000002F00000-0x0000000002F12000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              72KB

                                                                                                                                              Download

                                                                                                                                            • memory/828-1509-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              340KB

                                                                                                                                              Download

                                                                                                                                            • memory/828-3202-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              340KB

                                                                                                                                              Download

                                                                                                                                            • memory/1056-476-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              36KB

                                                                                                                                              Download

                                                                                                                                            • memory/1056-1088-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              36KB

                                                                                                                                              Download

                                                                                                                                            • memory/1068-3137-0x0000000000400000-0x0000000000601000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              2.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1068-1084-0x0000000000400000-0x0000000000601000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              2.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1796-5991-0x0000000000B30000-0x0000000000B7C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              304KB

                                                                                                                                              Download

                                                                                                                                            • memory/1796-6151-0x0000000004D20000-0x0000000004D72000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              328KB

                                                                                                                                              Download

                                                                                                                                            • memory/1796-6241-0x0000000004D80000-0x0000000004D86000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              24KB

                                                                                                                                              Download

                                                                                                                                            • memory/1796-6051-0x0000000002BF0000-0x0000000002BF6000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              24KB

                                                                                                                                              Download

                                                                                                                                            • memory/1948-440-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              36KB

                                                                                                                                              Download

                                                                                                                                            • memory/1948-478-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              36KB

                                                                                                                                              Download

                                                                                                                                            • memory/1952-1295-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/1952-562-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/1952-563-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/2040-14294-0x0000000000400000-0x0000000000426000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              152KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-386-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-376-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-374-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-375-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-380-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-382-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-385-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-384-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-381-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2196-383-0x000001B44DBA0000-0x000001B44DBA1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2544-499-0x0000000000860000-0x0000000000876000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              88KB

                                                                                                                                              Download

                                                                                                                                            • memory/2852-491-0x0000025E36430000-0x0000025E3647A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              296KB

                                                                                                                                              Download

                                                                                                                                            • memory/2852-487-0x0000025E356A0000-0x0000025E356DA000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              232KB

                                                                                                                                              Download

                                                                                                                                            • memory/2852-457-0x0000025E34DB0000-0x0000025E35536000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              7.5MB

                                                                                                                                              Download

                                                                                                                                            • memory/2852-486-0x0000025E35680000-0x0000025E35698000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              96KB

                                                                                                                                              Download

                                                                                                                                            • memory/2852-432-0x0000025E19BD0000-0x0000025E1A8C0000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              12.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2852-458-0x0000025E34D10000-0x0000025E34D86000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              472KB

                                                                                                                                              Download

                                                                                                                                            • memory/2852-488-0x0000025E361B0000-0x0000025E36230000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              512KB

                                                                                                                                              Download

                                                                                                                                            • memory/2852-485-0x0000025E360F0000-0x0000025E361AC000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              752KB

                                                                                                                                              Download

                                                                                                                                            • memory/2852-493-0x0000025E36480000-0x0000025E36510000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              576KB

                                                                                                                                              Download

                                                                                                                                            • memory/3012-12429-0x0000000000520000-0x0000000000592000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              456KB

                                                                                                                                              Download

                                                                                                                                            • memory/3100-425-0x0000000005930000-0x00000000059CC000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              624KB

                                                                                                                                              Download

                                                                                                                                            • memory/3100-417-0x0000000000C90000-0x0000000000F50000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              2.8MB

                                                                                                                                              Download

                                                                                                                                            • memory/3444-3414-0x0000000000400000-0x0000000000601000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              2.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/3444-1086-0x0000000000400000-0x0000000000601000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              2.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/3552-3182-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/3552-3183-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/3552-2341-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/3552-2343-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/3692-544-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/3692-4154-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/3692-2246-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/3692-548-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/3704-420-0x0000000004CA0000-0x0000000004D32000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              584KB

                                                                                                                                              Download

                                                                                                                                            • memory/3704-419-0x0000000005150000-0x00000000056F4000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              5.6MB

                                                                                                                                              Download

                                                                                                                                            • memory/3704-427-0x0000000004D40000-0x0000000005094000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              3.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/3704-416-0x00000000000F0000-0x00000000003F0000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              3.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/4424-1977-0x00000000008F0000-0x0000000000908000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              96KB

                                                                                                                                              Download

                                                                                                                                            • memory/4488-7907-0x0000000000530000-0x000000000061C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              944KB

                                                                                                                                              Download

                                                                                                                                            • memory/4720-2258-0x00000000052F0000-0x00000000052FE000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              56KB

                                                                                                                                              Download

                                                                                                                                            • memory/4720-418-0x0000000000540000-0x000000000061C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              880KB

                                                                                                                                              Download

                                                                                                                                            • memory/4720-2256-0x00000000052D0000-0x00000000052D8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/4720-480-0x0000000005200000-0x0000000005230000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              192KB

                                                                                                                                              Download

                                                                                                                                            • memory/4732-1087-0x00000000000A0000-0x0000000000188000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              928KB

                                                                                                                                              Download

                                                                                                                                            • memory/4732-1131-0x0000000004930000-0x000000000493A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              40KB

                                                                                                                                              Download

                                                                                                                                            • memory/4760-371-0x0000029B79F60000-0x0000029B79FD6000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              472KB

                                                                                                                                              Download

                                                                                                                                            • memory/4760-370-0x0000029B79E90000-0x0000029B79ED4000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              272KB

                                                                                                                                              Download

                                                                                                                                            • memory/4760-366-0x0000029B77940000-0x0000029B77962000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              136KB

                                                                                                                                              Download

                                                                                                                                            • memory/4964-16422-0x00000000059A0000-0x00000000059F8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              352KB

                                                                                                                                              Download

                                                                                                                                            • memory/5116-5122-0x00000000054D0000-0x00000000054D8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/5116-5039-0x0000000000960000-0x0000000000A3E000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              888KB

                                                                                                                                              Download

                                                                                                                                            • memory/5724-3135-0x0000000000D90000-0x0000000000D96000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              24KB

                                                                                                                                              Download

                                                                                                                                            • memory/5724-2965-0x0000000000D60000-0x0000000000D66000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              24KB

                                                                                                                                              Download

                                                                                                                                            • memory/5724-3075-0x0000000000D70000-0x0000000000D92000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              136KB

                                                                                                                                              Download

                                                                                                                                            • memory/5724-2848-0x0000000000590000-0x00000000005BE000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              184KB

                                                                                                                                              Download

                                                                                                                                            • memory/5812-10184-0x00000000003D0000-0x00000000003DC000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              48KB

                                                                                                                                              Download

                                                                                                                                            • memory/5972-4199-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/5972-2509-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/5972-2510-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/6108-3412-0x0000000000EB0000-0x0000000000F0C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              368KB

                                                                                                                                              Download

                                                                                                                                            • memory/6108-14291-0x000000000A9E0000-0x000000000AA2A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              296KB

                                                                                                                                              Download

                                                                                                                                            • memory/6108-5040-0x0000000006450000-0x000000000645E000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              56KB

                                                                                                                                              Download

                                                                                                                                            • memory/6120-4445-0x0000000000CE0000-0x0000000000D7E000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              632KB

                                                                                                                                              Download

                                                                                                                                            • memory/6120-4664-0x0000000005BB0000-0x0000000005D72000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.8MB

                                                                                                                                              Download

                                                                                                                                            • memory/6120-5667-0x0000000006FE0000-0x000000000750C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              5.2MB

                                                                                                                                              Download

                                                                                                                                            • memory/6120-5144-0x0000000005F80000-0x0000000005FE6000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              408KB

                                                                                                                                              Download

                                                                                                                                            • memory/6176-4350-0x0000000000400000-0x00000000004B2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/6176-4344-0x0000000000400000-0x00000000004B2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/6176-4355-0x0000000000400000-0x00000000004B2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/6176-4352-0x0000000000400000-0x00000000004B2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/6176-4349-0x0000000000400000-0x00000000004B2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/6176-4348-0x0000000000400000-0x00000000004B2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/6176-4346-0x0000000000400000-0x00000000004B2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/6176-4343-0x0000000000400000-0x00000000004B2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/6176-4342-0x0000000000400000-0x00000000004B2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/6204-15298-0x00000000066E0000-0x0000000006732000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              328KB

                                                                                                                                              Download

                                                                                                                                            • memory/6204-8832-0x00000000004D0000-0x000000000054A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              488KB

                                                                                                                                              Download

                                                                                                                                            • memory/6204-8845-0x0000000004F50000-0x00000000050D6000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.5MB

                                                                                                                                              Download

                                                                                                                                            • memory/6204-9848-0x0000000005350000-0x000000000535A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              40KB

                                                                                                                                              Download

                                                                                                                                            • memory/6320-10904-0x0000000000250000-0x0000000000266000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              88KB

                                                                                                                                              Download

                                                                                                                                            • memory/6320-10912-0x0000000000A10000-0x0000000000A16000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              24KB

                                                                                                                                              Download

                                                                                                                                            • memory/6808-13440-0x0000000000CF0000-0x0000000000D14000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              144KB

                                                                                                                                              Download

                                                                                                                                            • memory/6812-6733-0x0000000000740000-0x000000000082C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              944KB

                                                                                                                                              Download

                                                                                                                                            • memory/6820-7498-0x00000000050C0000-0x0000000005136000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              472KB

                                                                                                                                              Download

                                                                                                                                            • memory/6820-7413-0x0000000000810000-0x0000000000854000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              272KB

                                                                                                                                              Download

                                                                                                                                            • memory/6920-5457-0x0000000000690000-0x00000000006F8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              416KB

                                                                                                                                              Download

                                                                                                                                            • memory/7700-11601-0x0000000002C60000-0x0000000002C66000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              24KB

                                                                                                                                              Download

                                                                                                                                            • memory/7700-11599-0x0000000002C10000-0x0000000002C5E000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              312KB

                                                                                                                                              Download

                                                                                                                                            • memory/7700-11564-0x0000000000B70000-0x0000000000BBA000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              296KB

                                                                                                                                              Download

                                                                                                                                            • memory/7700-11585-0x0000000001440000-0x0000000001446000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              24KB

                                                                                                                                              Download

                                                                                                                                            • memory/7940-10905-0x0000000000540000-0x0000000000548000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download