Overview

overview

10

Static

static

1

RNSM00477.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    234s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00477.7z

  • Size

    22.4MB

  • MD5

    e74213e7f48bbb4fc4fba13f0bfaad96

  • SHA1

    ed97322c26c9f7a028b3c587b5d1aaf656b0f22f

  • SHA256

    f1495ff599ccc310bb271cdb147f212dc55a6964e46fe037268638e32d591988

  • SHA512

    c520dac8d25ef5c0864f81e2573dd049fdf5887cbd601488f633549713696a2ac0dd8b4166531c9a40a40010d01381d13f12e7266a7d3b633422618e3bd6d0e0

  • SSDEEP

    393216:uvQVZl/lgu206A8Vdj0RlYl2g9jQ/kWwjTd4hoSGt/D3rrKAqUpW1Zb3CDDoX25P:KQV/lg506/djICP9jQ/FwtivGJ3r7jpF

Score
10/10
darkcometdharmadjvunanocorenullmixerurelasvidarvjw0rm933aspackv2defense_evasiondiscoverydropperevasionexecutionimpactkeyloggerpersistenceprivilege_escalationransomwareratspywarestealertrojanupxworm

Malware Config

Extracted

Family

djvu

C2

http://tbpws.top/fhsgtsspen6/get.php

http://securebiz.org/fhsgtsspen6/get.php

http://wrrst.top/fhsgtsspen6/get.php
Attributes
  • extension

    .wiot

  • offline_id

    sZ9rF572Y03XTlUZsBUVlV9YksFOEsyIfGx58yt1

  • payload_url

    http://securebiz.org/dl/build2.exe

    http://tbpws.top/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CtDpAM1g5f Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0333gSd743d

rsa_pubkey.plain
rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

nullmixer

C2

http://watira.xyz/

Extracted

Family

vidar

Version

39.7

Botnet

933

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Detected Djvu ransomware 9 IoCs
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (329) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Vidar Stealer 1 IoCs
    stealer
  • Blocklisted process makes network request 2 IoCs
  • Contacts a large (1134) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 8 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 10 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 11 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 11 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    1⤵
    • Drops file in System32 directory
    PID:1164
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    1⤵
      PID:1260
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
      1⤵
        PID:1444
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
        1⤵
          PID:1528
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
          1⤵
            PID:1668
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
            1⤵
              PID:1960
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2296
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
              1⤵
              • Suspicious use of SetThreadContext
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              PID:2436
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k SystemNetworkService
                2⤵
                • Modifies registry class
                PID:388
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
              1⤵
                PID:2796
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                1⤵
                  PID:2860
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                  1⤵
                    PID:2904
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                    1⤵
                      PID:3364
                    • C:\Windows\system32\cmd.exe
                      cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00477.7z
                      1⤵
                      • Modifies registry class
                      PID:3332
                    • C:\Windows\system32\OpenWith.exe
                      C:\Windows\system32\OpenWith.exe -Embedding
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:3200
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                      1⤵
                        PID:4124
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\system32\cmd.exe"
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4556
                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Agent.pef-fa2e6e4b541571337e4be83bcb1792f7ce2216c237729aa4cc26d75a7bc49699.exe
                          HEUR-Trojan-Ransom.Win32.Agent.pef-fa2e6e4b541571337e4be83bcb1792f7ce2216c237729aa4cc26d75a7bc49699.exe
                          2⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:3472
                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Blocker.pef-49d6ebf3d6a5b8e69aeeca1f702b2ef9763698bb506add7b7519b8a669902c47.exe
                          HEUR-Trojan-Ransom.Win32.Blocker.pef-49d6ebf3d6a5b8e69aeeca1f702b2ef9763698bb506add7b7519b8a669902c47.exe
                          2⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:2680
                          • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
                            "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4164
                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-94e6d0a399c250e270cd6eb88098bef9b840b7efc267f66868e8168401a81e7b.exe
                          HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-94e6d0a399c250e270cd6eb88098bef9b840b7efc267f66868e8168401a81e7b.exe
                          2⤵
                          • Executes dropped EXE
                          • Drops file in Program Files directory
                          PID:2216
                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-c65cb7133cca12e633e6a5af15db31486fb584878c798f13899b9843eb70588a.exe
                          HEUR-Trojan-Ransom.Win32.Cryptoff.vho-c65cb7133cca12e633e6a5af15db31486fb584878c798f13899b9843eb70588a.exe
                          2⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          PID:4268
                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Generic-2e0a4f31be75bbd732ff6871f13c7afb260811f960cd3a071cdf3f2d826f0c66.exe
                          HEUR-Trojan-Ransom.Win32.Generic-2e0a4f31be75bbd732ff6871f13c7afb260811f960cd3a071cdf3f2d826f0c66.exe
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          PID:660
                          • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Generic-2e0a4f31be75bbd732ff6871f13c7afb260811f960cd3a071cdf3f2d826f0c66.exe
                            "C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Generic-2e0a4f31be75bbd732ff6871f13c7afb260811f960cd3a071cdf3f2d826f0c66.exe"
                            3⤵
                            • Checks computer location settings
                            • System Location Discovery: System Language Discovery
                            PID:3576
                            • C:\Users\Admin\AppData\Local\Temp\FB_F41A.tmp.exe
                              "C:\Users\Admin\AppData\Local\Temp\FB_F41A.tmp.exe"
                              4⤵
                              • Drops startup file
                              • Adds Run key to start application
                              • Drops desktop.ini file(s)
                              • Drops autorun.inf file
                              • Drops file in System32 directory
                              • Drops file in Program Files directory
                              • System Location Discovery: System Language Discovery
                              PID:6372
                              • C:\Windows\system32\cmd.exe
                                "C:\Windows\system32\cmd.exe"
                                5⤵
                                  PID:6148
                                  • C:\Windows\system32\mode.com
                                    mode con cp select=1251
                                    6⤵
                                      PID:7800
                                    • C:\Windows\system32\vssadmin.exe
                                      vssadmin delete shadows /all /quiet
                                      6⤵
                                      • Interacts with shadow copies
                                      PID:7468
                                  • C:\Windows\system32\cmd.exe
                                    "C:\Windows\system32\cmd.exe"
                                    5⤵
                                      PID:8748
                                      • C:\Windows\system32\mode.com
                                        mode con cp select=1251
                                        6⤵
                                          PID:9396
                                        • C:\Windows\system32\vssadmin.exe
                                          vssadmin delete shadows /all /quiet
                                          6⤵
                                          • Interacts with shadow copies
                                          PID:8656
                                      • C:\Windows\System32\mshta.exe
                                        "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                        5⤵
                                          PID:8252
                                        • C:\Windows\System32\mshta.exe
                                          "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                          5⤵
                                            PID:7876
                                        • C:\Users\Admin\AppData\Local\Temp\FB_F554.tmp.exe
                                          "C:\Users\Admin\AppData\Local\Temp\FB_F554.tmp.exe"
                                          4⤵
                                            PID:6328
                                      • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-4195b6011bd6ee6c3fc55e631ac6ebcade7f421a62b88f74a5a7a82f381028d6.exe
                                        HEUR-Trojan-Ransom.Win32.PolyRansom.gen-4195b6011bd6ee6c3fc55e631ac6ebcade7f421a62b88f74a5a7a82f381028d6.exe
                                        2⤵
                                        • Modifies WinLogon for persistence
                                        • Drops startup file
                                        • Executes dropped EXE
                                        • Enumerates connected drives
                                        • Drops autorun.inf file
                                        • Drops file in System32 directory
                                        PID:1428
                                      • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c.exe
                                        HEUR-Trojan-Ransom.Win32.Stop.gen-2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c.exe
                                        2⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        PID:1056
                                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c.exe
                                          HEUR-Trojan-Ransom.Win32.Stop.gen-2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c.exe
                                          3⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:5824
                                          • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c.exe
                                            "C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c.exe" --Admin IsNotAutoStart IsNotTask
                                            4⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            PID:5252
                                            • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c.exe
                                              "C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c.exe" --Admin IsNotAutoStart IsNotTask
                                              5⤵
                                                PID:6264
                                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa.exe
                                          HEUR-Trojan-Ransom.Win32.Stop.gen-8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa.exe
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:4412
                                          • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa.exe
                                            HEUR-Trojan-Ransom.Win32.Stop.gen-8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa.exe
                                            3⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • System Location Discovery: System Language Discovery
                                            PID:2428
                                            • C:\Windows\SysWOW64\icacls.exe
                                              icacls "C:\Users\Admin\AppData\Local\ae4dbb20-ee5e-42ae-8213-b86a701ae1b9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                              4⤵
                                              • Modifies file permissions
                                              • System Location Discovery: System Language Discovery
                                              PID:2696
                                            • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa.exe
                                              "C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa.exe" --Admin IsNotAutoStart IsNotTask
                                              4⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              PID:6864
                                              • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa.exe
                                                "C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa.exe" --Admin IsNotAutoStart IsNotTask
                                                5⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:7024
                                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4.exe
                                          HEUR-Trojan-Ransom.Win32.Stop.gen-9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4.exe
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:1140
                                          • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4.exe
                                            HEUR-Trojan-Ransom.Win32.Stop.gen-9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4.exe
                                            3⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:5000
                                            • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4.exe
                                              "C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4.exe" --Admin IsNotAutoStart IsNotTask
                                              4⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              • System Location Discovery: System Language Discovery
                                              PID:2624
                                              • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4.exe
                                                "C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4.exe" --Admin IsNotAutoStart IsNotTask
                                                5⤵
                                                • Executes dropped EXE
                                                PID:6552
                                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-25a22627a27b62e7220ad0c9dcd143075e65a0b87e167e2f4a16038395dd13ed.exe
                                          HEUR-Trojan.MSIL.Crypt.gen-25a22627a27b62e7220ad0c9dcd143075e65a0b87e167e2f4a16038395dd13ed.exe
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4084
                                          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                            dw20.exe -x -s 1440
                                            3⤵
                                            • Checks processor information in registry
                                            • Enumerates system info in registry
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:384
                                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-48ac0f448063f3ec6329833ef2743a948ec05310cfd956d8fcf97ca66557d757.exe
                                          HEUR-Trojan.MSIL.Crypt.gen-48ac0f448063f3ec6329833ef2743a948ec05310cfd956d8fcf97ca66557d757.exe
                                          2⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:5076
                                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-669453e2b4c1729cc640ff8e24d6d95c75e6dc92d7420d72bfba6f508f25f056.exe
                                          HEUR-Trojan.MSIL.Crypt.gen-669453e2b4c1729cc640ff8e24d6d95c75e6dc92d7420d72bfba6f508f25f056.exe
                                          2⤵
                                          • Executes dropped EXE
                                          PID:2872
                                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-7a2597a652c9dd24f5a14179415f95b405282e10087edd625975ba9423b0c317.exe
                                          HEUR-Trojan.MSIL.Crypt.gen-7a2597a652c9dd24f5a14179415f95b405282e10087edd625975ba9423b0c317.exe
                                          2⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:3720
                                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-98a6263e9dc89e5fd77dafcd22d6114cb9b7a7110515e4865619173f69cb5f44.exe
                                          HEUR-Trojan.MSIL.Crypt.gen-98a6263e9dc89e5fd77dafcd22d6114cb9b7a7110515e4865619173f69cb5f44.exe
                                          2⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:3896
                                        • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-a173ec08c1a0d6ddf9cbb7d209d0f87ca9ec1f9d51da162d8483f87b780d54e4.exe
                                          HEUR-Trojan.MSIL.Crypt.gen-a173ec08c1a0d6ddf9cbb7d209d0f87ca9ec1f9d51da162d8483f87b780d54e4.exe
                                          2⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:1484
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=HEUR-Trojan.MSIL.Crypt.gen-a173ec08c1a0d6ddf9cbb7d209d0f87ca9ec1f9d51da162d8483f87b780d54e4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
                                            3⤵
                                            • Enumerates system info in registry
                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                            PID:5128
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc390b46f8,0x7ffc390b4708,0x7ffc390b4718
                                              4⤵
                                                PID:5152
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
                                                4⤵
                                                  PID:6092
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
                                                  4⤵
                                                    PID:6100
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
                                                    4⤵
                                                      PID:452
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
                                                      4⤵
                                                        PID:5164
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
                                                        4⤵
                                                          PID:5180
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
                                                          4⤵
                                                            PID:6984
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
                                                            4⤵
                                                              PID:6464
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
                                                              4⤵
                                                                PID:6564
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
                                                                4⤵
                                                                  PID:6848
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
                                                                  4⤵
                                                                    PID:5060
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
                                                                    4⤵
                                                                      PID:6732
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2502447403936820123,3755192192449892673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
                                                                      4⤵
                                                                        PID:6628
                                                                  • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-a28e0b9b0f32e3d2204a2fd1fbbebce766da226dd7ee3b68603640219e530357.exe
                                                                    HEUR-Trojan.MSIL.Crypt.gen-a28e0b9b0f32e3d2204a2fd1fbbebce766da226dd7ee3b68603640219e530357.exe
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:1832
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1204
                                                                      3⤵
                                                                      • Program crash
                                                                      PID:3720
                                                                  • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-e8183344ad6aece1d63dbdac78a0fd85afa85c15f9d88c8fe51a260a3752e7ba.exe
                                                                    HEUR-Trojan.MSIL.Crypt.gen-e8183344ad6aece1d63dbdac78a0fd85afa85c15f9d88c8fe51a260a3752e7ba.exe
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2128
                                                                  • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Cryptos.gen-9dc47b37bd726b80b4998010e6d41288a2947b5f37b454239ea31b75ab4b1f62.exe
                                                                    HEUR-Trojan.MSIL.Cryptos.gen-9dc47b37bd726b80b4998010e6d41288a2947b5f37b454239ea31b75ab4b1f62.exe
                                                                    2⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3776
                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
                                                                      3⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2376
                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
                                                                      3⤵
                                                                        PID:7920
                                                                    • C:\Users\Admin\Desktop\00477\HEUR-Trojan.Win32.Cryprar.gen-7899613f148045977450d49ebf25c0532de81f304d2b84f504396e97fb6bc4f3.exe
                                                                      HEUR-Trojan.Win32.Cryprar.gen-7899613f148045977450d49ebf25c0532de81f304d2b84f504396e97fb6bc4f3.exe
                                                                      2⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      PID:4136
                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                        "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Desktop\00477\HEUR-Trojan.Win32.Cryprar.gen-7899613f148045977450d49ebf25c0532de81f304d2b84f504396e97fb6bc4f3.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Desktop\00477\HEUR-Trojan.Win32.Cryprar.gen-7899613f148045977450d49ebf25c0532de81f304d2b84f504396e97fb6bc4f3.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2456
                                                                    • C:\Users\Admin\Desktop\00477\HEUR-Trojan.Win32.Crypt.gen-c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d.exe
                                                                      HEUR-Trojan.Win32.Crypt.gen-c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d.exe
                                                                      2⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4148
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\setup_install.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\setup_install.exe"
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4476
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c sonia_1.exe
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1972
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\sonia_1.exe
                                                                            sonia_1.exe
                                                                            5⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            PID:2220
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\sonia_1.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\sonia_1.exe" -a
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:5860
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c sonia_2.exe
                                                                          4⤵
                                                                            PID:2880
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\sonia_2.exe
                                                                              sonia_2.exe
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Checks SCSI registry key(s)
                                                                              PID:3164
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 380
                                                                                6⤵
                                                                                • Program crash
                                                                                PID:5892
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c sonia_3.exe
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1868
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\sonia_3.exe
                                                                              sonia_3.exe
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              PID:4948
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1028
                                                                                6⤵
                                                                                • Program crash
                                                                                PID:7152
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c sonia_4.exe
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4384
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\sonia_4.exe
                                                                              sonia_4.exe
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:3200
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c sonia_5.exe
                                                                            4⤵
                                                                              PID:2504
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\sonia_5.exe
                                                                                sonia_5.exe
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:732
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sonia_6.exe
                                                                              4⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:908
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\sonia_6.exe
                                                                                sonia_6.exe
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:1480
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sonia_7.exe
                                                                              4⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3320
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\sonia_7.exe
                                                                                sonia_7.exe
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                PID:4600
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 540
                                                                              4⤵
                                                                              • Program crash
                                                                              PID:3228
                                                                        • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Blocker.mgn-7421e35db6c47a53669f59d92e776c488e2cf93848fcc1fda7ce9c30edd39be6.exe
                                                                          Trojan-Ransom.Win32.Blocker.mgn-7421e35db6c47a53669f59d92e776c488e2cf93848fcc1fda7ce9c30edd39be6.exe
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:828
                                                                          • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
                                                                            \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
                                                                            3⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:4284
                                                                            • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
                                                                              \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
                                                                              4⤵
                                                                              • Executes dropped EXE
                                                                              PID:7080
                                                                          • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
                                                                            \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
                                                                            3⤵
                                                                            • Checks computer location settings
                                                                            • Drops startup file
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5272
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"
                                                                              4⤵
                                                                              • Adds Run key to start application
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry key
                                                                              PID:4720
                                                                            • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
                                                                              \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
                                                                              4⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:6968
                                                                          • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
                                                                            \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
                                                                            3⤵
                                                                              PID:10772
                                                                            • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
                                                                              \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
                                                                              3⤵
                                                                                PID:9780
                                                                              • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
                                                                                \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
                                                                                3⤵
                                                                                  PID:9112
                                                                              • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Blocker.nbjg-f927f7153b2ba69a5ac8f223889470bf0d078c916f678fd442a86345c8e3e1ef.exe
                                                                                Trojan-Ransom.Win32.Blocker.nbjg-f927f7153b2ba69a5ac8f223889470bf0d078c916f678fd442a86345c8e3e1ef.exe
                                                                                2⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                PID:1292
                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
                                                                                  3⤵
                                                                                  • Blocklisted process makes network request
                                                                                  • Checks computer location settings
                                                                                  • Drops startup file
                                                                                  • Adds Run key to start application
                                                                                  PID:2408
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Roaming\info.js
                                                                                    4⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:5728
                                                                                • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                  3⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:4672
                                                                              • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Crypmod.xvd-2676fe4ccf44136f62501deb19de4379009f83823a155cdb8ce774e188e9512c.exe
                                                                                Trojan-Ransom.Win32.Crypmod.xvd-2676fe4ccf44136f62501deb19de4379009f83823a155cdb8ce774e188e9512c.exe
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                PID:3312
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 236
                                                                                  3⤵
                                                                                  • Program crash
                                                                                  PID:1796
                                                                              • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Cryptodef.aoo-4c263cc039eedc14cea2228ca90fc5de1205391685d41f3a45944e22ed87c437.exe
                                                                                Trojan-Ransom.Win32.Cryptodef.aoo-4c263cc039eedc14cea2228ca90fc5de1205391685d41f3a45944e22ed87c437.exe
                                                                                2⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                PID:2724
                                                                                • C:\Users\Admin\AppData\Local\Temp\wujek.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\wujek.exe"
                                                                                  3⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:5260
                                                                              • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Encoder.nxt-686fd942124ca76f7c8996e129a63a3e0070beb90e0357c3c1bcff8f0060b981.exe
                                                                                Trojan-Ransom.Win32.Encoder.nxt-686fd942124ca76f7c8996e129a63a3e0070beb90e0357c3c1bcff8f0060b981.exe
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                PID:5592
                                                                                • C:\Windows\SYSTEM32\cmd.exe
                                                                                  cmd.exe /C Del /f /q "C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Encoder.nxt-686fd942124ca76f7c8996e129a63a3e0070beb90e0357c3c1bcff8f0060b981.exe"
                                                                                  3⤵
                                                                                    PID:6768
                                                                                • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Foreign.nrqa-0b5639b779aa6cbf3f54ae94d3a910ea498c424ba8dd8ab3771d30c6801bd134.exe
                                                                                  Trojan-Ransom.Win32.Foreign.nrqa-0b5639b779aa6cbf3f54ae94d3a910ea498c424ba8dd8ab3771d30c6801bd134.exe
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:5700
                                                                                  • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Foreign.nrqa-0b5639b779aa6cbf3f54ae94d3a910ea498c424ba8dd8ab3771d30c6801bd134.exe
                                                                                    Trojan-Ransom.Win32.Foreign.nrqa-0b5639b779aa6cbf3f54ae94d3a910ea498c424ba8dd8ab3771d30c6801bd134.exe
                                                                                    3⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:5172
                                                                                • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.GandCrypt.jes-bf8c773c471ee25afe88a77afaaff3ac64bbbdc635391030462807420b125cdf.exe
                                                                                  Trojan-Ransom.Win32.GandCrypt.jes-bf8c773c471ee25afe88a77afaaff3ac64bbbdc635391030462807420b125cdf.exe
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Adds Run key to start application
                                                                                  • Enumerates connected drives
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Checks processor information in registry
                                                                                  PID:3564
                                                                                  • C:\Windows\SysWOW64\nslookup.exe
                                                                                    nslookup nomoreransom.bit dns1.soprodns.ru
                                                                                    3⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:6180
                                                                                  • C:\Windows\SysWOW64\nslookup.exe
                                                                                    nslookup emsisoft.bit dns1.soprodns.ru
                                                                                    3⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:5864
                                                                                  • C:\Windows\SysWOW64\nslookup.exe
                                                                                    nslookup gandcrab.bit dns1.soprodns.ru
                                                                                    3⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:10892
                                                                                  • C:\Windows\SysWOW64\nslookup.exe
                                                                                    nslookup nomoreransom.bit dns1.soprodns.ru
                                                                                    3⤵
                                                                                      PID:10296
                                                                                  • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.GenericCryptor.cys-dfe4b6b9916fa54799e9589dd1f03373d93f4c43ee16a548bdb57e2b66dad31a.exe
                                                                                    Trojan-Ransom.Win32.GenericCryptor.cys-dfe4b6b9916fa54799e9589dd1f03373d93f4c43ee16a548bdb57e2b66dad31a.exe
                                                                                    2⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:3856
                                                                                    • C:\Users\Admin\AppData\Local\Temp\ofryu.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\ofryu.exe"
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:6516
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
                                                                                      3⤵
                                                                                        PID:6628
                                                                                    • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.GenericCryptor.czo-07fbb49d2a94f415506b715f67020416ae7fa17451be31a769de00a7042efe85.exe
                                                                                      Trojan-Ransom.Win32.GenericCryptor.czo-07fbb49d2a94f415506b715f67020416ae7fa17451be31a769de00a7042efe85.exe
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:6308
                                                                                      • C:\Users\Admin\AppData\Local\Temp\ofryu.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\ofryu.exe"
                                                                                        3⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:448
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
                                                                                        3⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:6156
                                                                                    • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.GenericCryptor.czx-520e95f25bbc5b09bce059ae431c1e91e093f435f5409c591c1c7b7dd446c2f0.exe
                                                                                      Trojan-Ransom.Win32.GenericCryptor.czx-520e95f25bbc5b09bce059ae431c1e91e093f435f5409c591c1c7b7dd446c2f0.exe
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:6904
                                                                                      • C:\Users\Admin\AppData\Local\Temp\ofryu.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\ofryu.exe"
                                                                                        3⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:1484
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
                                                                                        3⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:6964
                                                                                    • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Zerber.dsbc-918559aaf8b2b59caf3c77690ddfd995ceed3ba6f55030593ef87fdf042ea0a7.exe
                                                                                      Trojan-Ransom.Win32.Zerber.dsbc-918559aaf8b2b59caf3c77690ddfd995ceed3ba6f55030593ef87fdf042ea0a7.exe
                                                                                      2⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1276
                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
                                                                                        3⤵
                                                                                        • Modifies Windows Firewall
                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:5352
                                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                                        C:\Windows\system32\netsh.exe advfirewall reset
                                                                                        3⤵
                                                                                        • Modifies Windows Firewall
                                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:1848
                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_J7QSAWC_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                        3⤵
                                                                                          PID:8188
                                                                                        • C:\Windows\SysWOW64\NOTEPAD.EXE
                                                                                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_0G0SERMV_.txt
                                                                                          3⤵
                                                                                            PID:10268
                                                                                        • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Zerber.eiyc-9f9eb56bec10a38eee6a55a5813046b37603008e056b7df8d2f06d4127517148.exe
                                                                                          Trojan-Ransom.Win32.Zerber.eiyc-9f9eb56bec10a38eee6a55a5813046b37603008e056b7df8d2f06d4127517148.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:6220
                                                                                        • C:\Users\Admin\Desktop\00477\Trojan.MSIL.Crypt.bsxv-3b932615c9745c61257bb899203ee80dff42a8d81b0788ef951a0de8d833e081.exe
                                                                                          Trojan.MSIL.Crypt.bsxv-3b932615c9745c61257bb899203ee80dff42a8d81b0788ef951a0de8d833e081.exe
                                                                                          2⤵
                                                                                          • Drops startup file
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:2068
                                                                                          • C:\Users\Admin\Desktop\00477\Trojan.MSIL.Crypt.bsxv-3b932615c9745c61257bb899203ee80dff42a8d81b0788ef951a0de8d833e081.exe
                                                                                            Trojan.MSIL.Crypt.bsxv-3b932615c9745c61257bb899203ee80dff42a8d81b0788ef951a0de8d833e081.exe
                                                                                            3⤵
                                                                                            • Adds Run key to start application
                                                                                            • Checks whether UAC is enabled
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:6868
                                                                                        • C:\Users\Admin\Desktop\00477\Trojan.MSIL.Crypt.dkcy-3e786282f56388e2284cec8740096edef69eb5ae2ea535f3e2806483acaf0a2c.exe
                                                                                          Trojan.MSIL.Crypt.dkcy-3e786282f56388e2284cec8740096edef69eb5ae2ea535f3e2806483acaf0a2c.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:3856
                                                                                        • C:\Users\Admin\Desktop\00477\Trojan.MSIL.Crypt.ham-e96f1d0e4eac0d5bbc447fecf1aef347d1d572966f00957df3ec78eb64a51a2a.exe
                                                                                          Trojan.MSIL.Crypt.ham-e96f1d0e4eac0d5bbc447fecf1aef347d1d572966f00957df3ec78eb64a51a2a.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:6172
                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                            3⤵
                                                                                            • Modifies WinLogon for persistence
                                                                                            • Adds Run key to start application
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:7124
                                                                                            • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
                                                                                              "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
                                                                                              4⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:6276
                                                                                        • C:\Users\Admin\Desktop\00477\Trojan.Win32.Cryprar.ah-be309533a800c4dc3f2c4e0f27fad033b63da5f55191d8017e2821cbbbd2b45e.exe
                                                                                          Trojan.Win32.Cryprar.ah-be309533a800c4dc3f2c4e0f27fad033b63da5f55191d8017e2821cbbbd2b45e.exe
                                                                                          2⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:6676
                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                            "C:\Windows\System32\mshta.exe" vBSCrIpt:CLose ( cREAteObjecT ("wScrIPT.ShELL" ). RuN ("CMD.ExE /R TYPE ""C:\Users\Admin\Desktop\00477\Trojan.Win32.Cryprar.ah-be309533a800c4dc3f2c4e0f27fad033b63da5f55191d8017e2821cbbbd2b45e.exe"" > S97FKkMft.eXE && StaRt S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK& IF """" == """" for %Q iN ( ""C:\Users\Admin\Desktop\00477\Trojan.Win32.Cryprar.ah-be309533a800c4dc3f2c4e0f27fad033b63da5f55191d8017e2821cbbbd2b45e.exe"" ) do taskkill -iM ""%~NxQ"" /F " , 0 , TRUE ) )
                                                                                            3⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:6252
                                                                                        • C:\Users\Admin\Desktop\00477\Trojan.Win32.Crypt.akzp-90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715.exe
                                                                                          Trojan.Win32.Crypt.akzp-90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:6424
                                                                                          • C:\Users\Admin\Desktop\00477\Trojan.Win32.Crypt.akzp-90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715.exe
                                                                                            Trojan.Win32.Crypt.akzp-90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715.exe
                                                                                            3⤵
                                                                                              PID:3164
                                                                                          • C:\Users\Admin\Desktop\00477\VHO-Trojan-Ransom.Win32.Zerber.gen-f0fc884ccb361e802c08b1fe5addaf31ad105fd686ae9aa7549dd0d087640df8.exe
                                                                                            VHO-Trojan-Ransom.Win32.Zerber.gen-f0fc884ccb361e802c08b1fe5addaf31ad105fd686ae9aa7549dd0d087640df8.exe
                                                                                            2⤵
                                                                                              PID:6756
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                            1⤵
                                                                                              PID:664
                                                                                            • C:\Windows\System32\rundll32.exe
                                                                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                              1⤵
                                                                                                PID:4620
                                                                                              • C:\Program Files\7-Zip\7zFM.exe
                                                                                                "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00477.7z"
                                                                                                1⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                PID:2876
                                                                                              • C:\Windows\system32\taskmgr.exe
                                                                                                "C:\Windows\system32\taskmgr.exe" /4
                                                                                                1⤵
                                                                                                • Checks SCSI registry key(s)
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:4756
                                                                                                • C:\Windows\system32\taskmgr.exe
                                                                                                  "C:\Windows\system32\taskmgr.exe" /1
                                                                                                  2⤵
                                                                                                  • Drops startup file
                                                                                                  • Checks SCSI registry key(s)
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:2844
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3312 -ip 3312
                                                                                                1⤵
                                                                                                  PID:4600
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4476 -ip 4476
                                                                                                  1⤵
                                                                                                    PID:2808
                                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                    1⤵
                                                                                                      PID:5300
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3164 -ip 3164
                                                                                                      1⤵
                                                                                                        PID:1300
                                                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                        1⤵
                                                                                                          PID:5772
                                                                                                        • C:\Windows\system32\rUNdlL32.eXe
                                                                                                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          PID:3800
                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                            2⤵
                                                                                                            • Loads dropped DLL
                                                                                                            • Modifies registry class
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:5292
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4948 -ip 4948
                                                                                                          1⤵
                                                                                                            PID:7060
                                                                                                          • C:\Windows\system32\vssvc.exe
                                                                                                            C:\Windows\system32\vssvc.exe
                                                                                                            1⤵
                                                                                                              PID:12192
                                                                                                            • C:\Windows\system32\AUDIODG.EXE
                                                                                                              C:\Windows\system32\AUDIODG.EXE 0x340 0x3fc
                                                                                                              1⤵
                                                                                                                PID:10516
                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                1⤵
                                                                                                                  PID:9304
                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                  1⤵
                                                                                                                    PID:11036
                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                    1⤵
                                                                                                                      PID:5500
                                                                                                                    • C:\Windows\system32\dwm.exe
                                                                                                                      "dwm.exe"
                                                                                                                      1⤵
                                                                                                                        PID:2872
                                                                                                                      • C:\Windows\system32\dwm.exe
                                                                                                                        "dwm.exe"
                                                                                                                        1⤵
                                                                                                                          PID:4564
                                                                                                                        • C:\Windows\system32\dwm.exe
                                                                                                                          "dwm.exe"
                                                                                                                          1⤵
                                                                                                                            PID:11692
                                                                                                                          • C:\Windows\system32\dwm.exe
                                                                                                                            "dwm.exe"
                                                                                                                            1⤵
                                                                                                                              PID:10416
                                                                                                                            • C:\Windows\system32\dwm.exe
                                                                                                                              "dwm.exe"
                                                                                                                              1⤵
                                                                                                                                PID:9000
                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                1⤵
                                                                                                                                  PID:4788

                                                                                                                                Network

                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                Reconnaissance

                                                                                                                                Resource Development

                                                                                                                                Initial Access

                                                                                                                                Replication Through Removable Media

                                                                                                                                1
                                                                                                                                T1091

                                                                                                                                Execution

                                                                                                                                Command and Scripting Interpreter

                                                                                                                                1
                                                                                                                                T1059

                                                                                                                                JavaScript

                                                                                                                                1
                                                                                                                                T1059.007

                                                                                                                                Scheduled Task/Job

                                                                                                                                1
                                                                                                                                T1053

                                                                                                                                Scheduled Task

                                                                                                                                1
                                                                                                                                T1053.005

                                                                                                                                Scripting

                                                                                                                                1
                                                                                                                                T1064

                                                                                                                                Windows Management Instrumentation

                                                                                                                                1
                                                                                                                                T1047

                                                                                                                                Persistence

                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                2
                                                                                                                                T1547

                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                1
                                                                                                                                T1547.001

                                                                                                                                Winlogon Helper DLL

                                                                                                                                1
                                                                                                                                T1547.004

                                                                                                                                Create or Modify System Process

                                                                                                                                1
                                                                                                                                T1543

                                                                                                                                Windows Service

                                                                                                                                1
                                                                                                                                T1543.003

                                                                                                                                Event Triggered Execution

                                                                                                                                1
                                                                                                                                T1546

                                                                                                                                Netsh Helper DLL

                                                                                                                                1
                                                                                                                                T1546.007

                                                                                                                                Scheduled Task/Job

                                                                                                                                1
                                                                                                                                T1053

                                                                                                                                Scheduled Task

                                                                                                                                1
                                                                                                                                T1053.005

                                                                                                                                Privilege Escalation

                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                2
                                                                                                                                T1547

                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                1
                                                                                                                                T1547.001

                                                                                                                                Winlogon Helper DLL

                                                                                                                                1
                                                                                                                                T1547.004

                                                                                                                                Create or Modify System Process

                                                                                                                                1
                                                                                                                                T1543

                                                                                                                                Windows Service

                                                                                                                                1
                                                                                                                                T1543.003

                                                                                                                                Event Triggered Execution

                                                                                                                                1
                                                                                                                                T1546

                                                                                                                                Netsh Helper DLL

                                                                                                                                1
                                                                                                                                T1546.007

                                                                                                                                Scheduled Task/Job

                                                                                                                                1
                                                                                                                                T1053

                                                                                                                                Scheduled Task

                                                                                                                                1
                                                                                                                                T1053.005

                                                                                                                                Defense Evasion

                                                                                                                                Direct Volume Access

                                                                                                                                1
                                                                                                                                T1006

                                                                                                                                File and Directory Permissions Modification

                                                                                                                                1
                                                                                                                                T1222

                                                                                                                                Impair Defenses

                                                                                                                                1
                                                                                                                                T1562

                                                                                                                                Disable or Modify System Firewall

                                                                                                                                1
                                                                                                                                T1562.004

                                                                                                                                Indicator Removal

                                                                                                                                3
                                                                                                                                T1070

                                                                                                                                File Deletion

                                                                                                                                3
                                                                                                                                T1070.004

                                                                                                                                Modify Registry

                                                                                                                                3
                                                                                                                                T1112

                                                                                                                                Scripting

                                                                                                                                1
                                                                                                                                T1064

                                                                                                                                Credential Access

                                                                                                                                Unsecured Credentials

                                                                                                                                1
                                                                                                                                T1552

                                                                                                                                Credentials In Files

                                                                                                                                1
                                                                                                                                T1552.001

                                                                                                                                Discovery

                                                                                                                                Browser Information Discovery

                                                                                                                                1
                                                                                                                                T1217

                                                                                                                                Network Service Discovery

                                                                                                                                1
                                                                                                                                T1046

                                                                                                                                Peripheral Device Discovery

                                                                                                                                2
                                                                                                                                T1120

                                                                                                                                Query Registry

                                                                                                                                5
                                                                                                                                T1012

                                                                                                                                System Information Discovery

                                                                                                                                7
                                                                                                                                T1082

                                                                                                                                System Location Discovery

                                                                                                                                1
                                                                                                                                T1614

                                                                                                                                System Language Discovery

                                                                                                                                1
                                                                                                                                T1614.001

                                                                                                                                Lateral Movement

                                                                                                                                Replication Through Removable Media

                                                                                                                                1
                                                                                                                                T1091

                                                                                                                                Collection

                                                                                                                                Data from Local System

                                                                                                                                1
                                                                                                                                T1005

                                                                                                                                Command and Control

                                                                                                                                Web Service

                                                                                                                                1
                                                                                                                                T1102

                                                                                                                                Exfiltration

                                                                                                                                Impact

                                                                                                                                Inhibit System Recovery

                                                                                                                                2
                                                                                                                                T1490

                                                                                                                                Replay Monitor

                                                                                                                                Loading Replay Monitor...

                                                                                                                                Downloads

                                                                                                                                • C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.exe
                                                                                                                                  Filesize

                                                                                                                                  12.4MB

                                                                                                                                  MD5

                                                                                                                                  60c2ed9cb922cbc456b3b5763c1cba4e

                                                                                                                                  SHA1

                                                                                                                                  c799138cab52fe61a6249f7b49a6d325940f5b34

                                                                                                                                  SHA256

                                                                                                                                  d99cd8cfb357a75b1e8d2b14b6ac05f5e18fcfec8888b865943415e00e01b6f0

                                                                                                                                  SHA512

                                                                                                                                  77111a0279cce404ab0553372fd0c34aef4123c96bba7a468b34e533ed4d8fb6e2ebac335c5ea7a4135e2ad7d8641523bcbe90b36c9c7293fe56956b342b25ae

                                                                                                                                  Download Submit

                                                                                                                                • C:\Program Files\7-Zip\7-zip.chm.exe
                                                                                                                                  Filesize

                                                                                                                                  1.8MB

                                                                                                                                  MD5

                                                                                                                                  f01d474cce9dee24d952f6905b28f2cc

                                                                                                                                  SHA1

                                                                                                                                  c71365c8455373c8dda3cab569ba63488c903bcd

                                                                                                                                  SHA256

                                                                                                                                  738720c81c02dff8306783227ba109b1f0d2027044a3d2072695db8f91012f5c

                                                                                                                                  SHA512

                                                                                                                                  13700137395f2c04bd9a98cd6b4a70aee347f44bcd086b8b91e6c8bb2224730188b39b43157932c5be4c5f743b5c40dc1d773dba2ecc84fb3a7b68ed05264ca0

                                                                                                                                  Download Submit

                                                                                                                                • C:\Program Files\7-Zip\Lang\af.txt.id-615AD47B.[[email protected]].arrow
                                                                                                                                  Filesize

                                                                                                                                  2.6MB

                                                                                                                                  MD5

                                                                                                                                  ec115828fce04cc0e7f51e56a9061672

                                                                                                                                  SHA1

                                                                                                                                  c188f707a82f2aba2363d49000b71a3e74e9a69f

                                                                                                                                  SHA256

                                                                                                                                  33aaaf74e1858978d0f6f8aced29e878b26ddb44a1e20af19150c5a2dcd2ba5e

                                                                                                                                  SHA512

                                                                                                                                  a5aaa4de48ce7477ee5bc7d9f17f5ad0a7b4acbeac3ba3dbe0e890c4adc513d74db9144a26419c6197974bde544012de7d52c7c0df0c6554dd1547e663da0d00

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
                                                                                                                                  Filesize

                                                                                                                                  1KB

                                                                                                                                  MD5

                                                                                                                                  7fb5fa1534dcf77f2125b2403b30a0ee

                                                                                                                                  SHA1

                                                                                                                                  365d96812a69ac0a4611ea4b70a3f306576cc3ea

                                                                                                                                  SHA256

                                                                                                                                  33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

                                                                                                                                  SHA512

                                                                                                                                  a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
                                                                                                                                  Filesize

                                                                                                                                  436B

                                                                                                                                  MD5

                                                                                                                                  971c514f84bba0785f80aa1c23edfd79

                                                                                                                                  SHA1

                                                                                                                                  732acea710a87530c6b08ecdf32a110d254a54c8

                                                                                                                                  SHA256

                                                                                                                                  f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

                                                                                                                                  SHA512

                                                                                                                                  43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
                                                                                                                                  Filesize

                                                                                                                                  174B

                                                                                                                                  MD5

                                                                                                                                  644d4381bd77fee59eddaa92a7d926e7

                                                                                                                                  SHA1

                                                                                                                                  463d8a86d32fd90d9d0127c8d57c00f21a88ce1f

                                                                                                                                  SHA256

                                                                                                                                  5a10b5c31be10bc46e4c5baa7b39856c99bfea4a0ec08c647efb9fba37e94ba8

                                                                                                                                  SHA512

                                                                                                                                  66e4c4a4c1885f719d161240b00cedf68de9d4869c0dbe06cf80a4102c36c32f1379031840f8c92e50bc5707ca43c4776ee5f88c3a76a6b39679f18d79d2a8e8

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
                                                                                                                                  Filesize

                                                                                                                                  170B

                                                                                                                                  MD5

                                                                                                                                  882911f6aed6808b48b2413c44990462

                                                                                                                                  SHA1

                                                                                                                                  765852589d5f7b0935876df803b7203e611ee6de

                                                                                                                                  SHA256

                                                                                                                                  03dc0d0b593a0ce8ba7ab5f33572782b7574a70d1f14980b4412baabc0a08963

                                                                                                                                  SHA512

                                                                                                                                  7415dfb2b09ed58c49a98fe72d15026469d11b89a51678edbf8deb2685d6989ad2e60aea14e78e986cca808d3dbf3c44fb1e435b372b37867fdd1de3ab559352

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  MD5

                                                                                                                                  d2fb266b97caff2086bf0fa74eddb6b2

                                                                                                                                  SHA1

                                                                                                                                  2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                                                                  SHA256

                                                                                                                                  b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                                                                  SHA512

                                                                                                                                  c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                                                                                                                                  Filesize

                                                                                                                                  4B

                                                                                                                                  MD5

                                                                                                                                  f49655f856acb8884cc0ace29216f511

                                                                                                                                  SHA1

                                                                                                                                  cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                                                  SHA256

                                                                                                                                  7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                                                  SHA512

                                                                                                                                  599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                                                                                                                                  Filesize

                                                                                                                                  944B

                                                                                                                                  MD5

                                                                                                                                  6bd369f7c74a28194c991ed1404da30f

                                                                                                                                  SHA1

                                                                                                                                  0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                                                                  SHA256

                                                                                                                                  878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                                                                  SHA512

                                                                                                                                  8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                  Filesize

                                                                                                                                  152B

                                                                                                                                  MD5

                                                                                                                                  e765f3d75e6b0e4a7119c8b14d47d8da

                                                                                                                                  SHA1

                                                                                                                                  cc9f7c7826c2e1a129e7d98884926076c3714fc0

                                                                                                                                  SHA256

                                                                                                                                  986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

                                                                                                                                  SHA512

                                                                                                                                  a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                  Filesize

                                                                                                                                  152B

                                                                                                                                  MD5

                                                                                                                                  53bc70ecb115bdbabe67620c416fe9b3

                                                                                                                                  SHA1

                                                                                                                                  af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

                                                                                                                                  SHA256

                                                                                                                                  b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

                                                                                                                                  SHA512

                                                                                                                                  cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                  Filesize

                                                                                                                                  6KB

                                                                                                                                  MD5

                                                                                                                                  83ff250653576c0c1e4d0221ef94f533

                                                                                                                                  SHA1

                                                                                                                                  aae9d9817d9077fb9d1dea34d4f92e09c3e1752c

                                                                                                                                  SHA256

                                                                                                                                  e24f71c4713af56f3ce8a56f6c3daa8bf3590ede52d995a68dc00e74f401e616

                                                                                                                                  SHA512

                                                                                                                                  a3866ab93b83b9d94b4ba15fb17f9edc4072ca118045e97cca89a01709b16d038e1d4f4d5b1652c12d17a2ffa0d0d5ccd677395c449ec340b327773cdd55fb7b

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                  Filesize

                                                                                                                                  6KB

                                                                                                                                  MD5

                                                                                                                                  e3f39defb273407177496b2b425dfc5a

                                                                                                                                  SHA1

                                                                                                                                  b6c3244e85ac7f48380d108b8ee5f3ea55b26dc9

                                                                                                                                  SHA256

                                                                                                                                  39b22fe3eb0e078bc9f40568357249bc124a4e23589f6a3bf9b52f98c3a344f3

                                                                                                                                  SHA512

                                                                                                                                  2aeb4e5627917eb3dbcbd59bb1a171faff97ee4f6d541812b3863f8262cc3c453a541cc7f4539179bf08c76ae4099be73080092c9cc19ff301f953c611628adc

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                  Filesize

                                                                                                                                  5KB

                                                                                                                                  MD5

                                                                                                                                  e38f4813c977eebc76d0637e0a7bb120

                                                                                                                                  SHA1

                                                                                                                                  8993297f57518e644def157c5f13a1062c5bcbf8

                                                                                                                                  SHA256

                                                                                                                                  9aa97a40bc4b8d368ec0c4f434571cccf3968685cdd73f875af1c09a0b500b88

                                                                                                                                  SHA512

                                                                                                                                  e4a096bd68ee6a7eb74c046dd5c4d68d7043f1cb4b044825c39f9f82bc98aa3de88ecc5f8bcad8f7de67d2d2ba9bed9dff7be8a11c20023064f633097fd50587

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                  Filesize

                                                                                                                                  203B

                                                                                                                                  MD5

                                                                                                                                  2ddb3b74166118a6c97a96c1a23463df

                                                                                                                                  SHA1

                                                                                                                                  d6215b2c453e43d46e98b63448946bdc424df564

                                                                                                                                  SHA256

                                                                                                                                  5b0d72e5455177535c782798e69685085fe1a0acf843fb28a281b44fa9dde16f

                                                                                                                                  SHA512

                                                                                                                                  3d85c3c0df71e9e62b93a2ffe68fb6a081802ae12b70b153b67144698542f081d40cbdfe64c430fe8d46e2f8403dd6089f0e64d0c0e080dac99f3454bedd22b8

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                  Filesize

                                                                                                                                  203B

                                                                                                                                  MD5

                                                                                                                                  ad5bc0d8b488c9eabbd1a5e33af62221

                                                                                                                                  SHA1

                                                                                                                                  54ada7f655d3c125a64fb7f324c82bb755978cad

                                                                                                                                  SHA256

                                                                                                                                  686277bb49661fad8b99edfb15cb93ca37457a9872544bad17be21814f35cf66

                                                                                                                                  SHA512

                                                                                                                                  7acc32646f9657532acb81ee873030873a26d05694504505751a2a0e51d26d30d63fe3abc5d0448c1b158b0c5c433852992e07ce36fbc3f571ebb655cdf8b09a

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a0570.TMP
                                                                                                                                  Filesize

                                                                                                                                  203B

                                                                                                                                  MD5

                                                                                                                                  cf4abeb74c3e7c346e39a335050d3f1f

                                                                                                                                  SHA1

                                                                                                                                  7aeeb85d517ecd1f10447781603f5f3e49edc011

                                                                                                                                  SHA256

                                                                                                                                  0d865a14513d916181d47be631a9b5cd682c4fc8f6da8158d558c1d4fac3b078

                                                                                                                                  SHA512

                                                                                                                                  969400fb5881b65dfdaedbda51f4a908d7236c0ed2163d832f360b6518fafb4ef13297870142e7e7027ac4113082555bc3a0ec8b884ee325d2c9f95afb58d2b9

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                  Filesize

                                                                                                                                  16B

                                                                                                                                  MD5

                                                                                                                                  6752a1d65b201c13b62ea44016eb221f

                                                                                                                                  SHA1

                                                                                                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                                  SHA256

                                                                                                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                                  SHA512

                                                                                                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                  Filesize

                                                                                                                                  10KB

                                                                                                                                  MD5

                                                                                                                                  df3e7a0982a85455c9e5fa6378f25568

                                                                                                                                  SHA1

                                                                                                                                  0bea9c86dfea49fc2aa5acf02693112a8495b623

                                                                                                                                  SHA256

                                                                                                                                  5aba195be09d4b01fc19e91ed0a86560ab54d0b025fc251dae683cd6c0da9fd0

                                                                                                                                  SHA512

                                                                                                                                  075097c17c8b0db6f06e4fbb49556040c2eb968ec790f3ef2f69fce4214d8693b271845229edf0bd49593c83e85001ad7028a1df785b433ac205567934ac6945

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                  Filesize

                                                                                                                                  10KB

                                                                                                                                  MD5

                                                                                                                                  534aadf687b3146d9dfe0cae415dd864

                                                                                                                                  SHA1

                                                                                                                                  5b69a3c02dad6bfa1708957363813aa2c6c1f117

                                                                                                                                  SHA256

                                                                                                                                  a1c9e3f6670aef3673600f32971abe2334bf3183e547a496cb5eaa323c5d0aee

                                                                                                                                  SHA512

                                                                                                                                  baed16002f1eed9b303c4c356a757716166c4db20cb04515d7621f01bb17e324322cd9c776d8a27b44cc640376ca804f5c8808bcad3f926962da55b44bfd7a0d

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS4306EA29\setup_install.exe
                                                                                                                                  Filesize

                                                                                                                                  290KB

                                                                                                                                  MD5

                                                                                                                                  7cc9cbab6325f4b10a89a3c24e1caf9c

                                                                                                                                  SHA1

                                                                                                                                  d75a849f474adb91089a006527a99ba4eeed61a5

                                                                                                                                  SHA256

                                                                                                                                  5eedc8b1329f005772ef5e477e5c43ee06aa8f827214a41002f17b2a1d526675

                                                                                                                                  SHA512

                                                                                                                                  46ccafc1bb25478aa4f001c5905562fa27a5301bb1414298c5be71672ac52b9e396593b56494826fcaaa85628c4e8c95ce5f95e292504d82716a9f8234c03bba

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\FB_F41A.tmp.exe
                                                                                                                                  Filesize

                                                                                                                                  92KB

                                                                                                                                  MD5

                                                                                                                                  11cebf8d2bf9d8280a7f39b7082d32ac

                                                                                                                                  SHA1

                                                                                                                                  f6522b104d57fe049a2138ff33565a63f10c1596

                                                                                                                                  SHA256

                                                                                                                                  d93297586a62aadc48592f2af677b908d7480f2f5b45cb96bd936bb821dd2f36

                                                                                                                                  SHA512

                                                                                                                                  101477879804873da5e011291f2c6c43863bd97b8bd02d34b643b22f39075db07618129a85d87dbb75eb4a326d89f82cf7fdc47a619145cf7b713c0ceb7a3558

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\FB_F554.tmp.exe
                                                                                                                                  Filesize

                                                                                                                                  69KB

                                                                                                                                  MD5

                                                                                                                                  317cd1ce327b6520bf4ee007bcd39e61

                                                                                                                                  SHA1

                                                                                                                                  2f1113395ca0491080d1092c3636cda6cf711998

                                                                                                                                  SHA256

                                                                                                                                  111f84e27210508af75d586f6e107f5465ddff68cb8545e9327ad1ae69337ed1

                                                                                                                                  SHA512

                                                                                                                                  813833ba59a624d1f0851141202ac72e2c846254e46f9fe0e210614f97388ee2765b9d6c9e15b9aa7ea1ecffb9465092bf23df399ea1a6307a0a4481f0cde6e8

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hwg5iu3c.ekd.ps1
                                                                                                                                  Filesize

                                                                                                                                  60B

                                                                                                                                  MD5

                                                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                  SHA1

                                                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                  SHA256

                                                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                  SHA512

                                                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\info.js
                                                                                                                                  Filesize

                                                                                                                                  45KB

                                                                                                                                  MD5

                                                                                                                                  93b5edb9e6adaefdf05b30d32640e3ca

                                                                                                                                  SHA1

                                                                                                                                  3bcaff18eaab66c7b998bacbd7433b5962b96be4

                                                                                                                                  SHA256

                                                                                                                                  840e4184458f4d9e41db774bbbee80b2b4cba8708c60e7de22932aaeb0b19bcd

                                                                                                                                  SHA512

                                                                                                                                  67134af16ccfa8e1ea0446d7381318bb4a25d2278502df1ae5df6a4a8e608be426be19fff741c1d379b991d6e525f42bb5af46b5c0bd17686afd7269c3337bd2

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\nsaC347.tmp\sapoqnmyo.dll
                                                                                                                                  Filesize

                                                                                                                                  20KB

                                                                                                                                  MD5

                                                                                                                                  877d8bff6420ad9e9a3c2f8b443e78bc

                                                                                                                                  SHA1

                                                                                                                                  2b30780849a48aeb353d02eaa3e2a53492c5035f

                                                                                                                                  SHA256

                                                                                                                                  5c6ed2bf2593fe951107cb6eb64eb8064b768194c3ff32ef02a76c43810ae5e8

                                                                                                                                  SHA512

                                                                                                                                  35091c2b43094df03c33e3b6eb87f2817dffab50dd0aa0259b722509ec54e7bc3c9c60379082e880c32d199c3fc6afe142684845479c18483c4ac2e12a9de0ee

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\ofryu.exe
                                                                                                                                  Filesize

                                                                                                                                  542KB

                                                                                                                                  MD5

                                                                                                                                  237a7bdf9c8d33056cda3fd7582386ac

                                                                                                                                  SHA1

                                                                                                                                  60d8f9b47d470c0346db3d974b7920a515c5dca0

                                                                                                                                  SHA256

                                                                                                                                  f7b80275260f939b3f5d6b9244da213c61b7be68aa36ad8b94af3bc26baee34f

                                                                                                                                  SHA512

                                                                                                                                  a3fa8b3b4320122c730e42ae9acb29dd9d4fe930745f933ea6e41561ca2ddbf2b2ff94019573de8c5d8185572517b8cc289bf8652b1d4f084f6c19f31b176be4

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                  Filesize

                                                                                                                                  80KB

                                                                                                                                  MD5

                                                                                                                                  491f2d2b56298d11b3de1683d3289e34

                                                                                                                                  SHA1

                                                                                                                                  fcb9911b381ddcb4fe39ac3fb2f573cedb09f3f6

                                                                                                                                  SHA256

                                                                                                                                  f767201ad99b3604f098de015eb2de4c5d0aa14735331740c5fd9b42b75f980b

                                                                                                                                  SHA512

                                                                                                                                  58a60ad1451f451396177fbe59465cf19018f7fcba33a9442db8f3af8d83eb19023bb8d88c9030afb61abbf82cc5fcd2546356c68fb3b916118c285df127eb3c

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\tmpCFE9.tmp
                                                                                                                                  Filesize

                                                                                                                                  1.6MB

                                                                                                                                  MD5

                                                                                                                                  4f3387277ccbd6d1f21ac5c07fe4ca68

                                                                                                                                  SHA1

                                                                                                                                  e16506f662dc92023bf82def1d621497c8ab5890

                                                                                                                                  SHA256

                                                                                                                                  767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

                                                                                                                                  SHA512

                                                                                                                                  9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\wujek.exe
                                                                                                                                  Filesize

                                                                                                                                  72KB

                                                                                                                                  MD5

                                                                                                                                  38273b7e7a3bcce8288397a2abea0a69

                                                                                                                                  SHA1

                                                                                                                                  8ba5a92278a4ed0e42866540cd0dd6bdde47157a

                                                                                                                                  SHA256

                                                                                                                                  0c1e718f9a6233f0268bf7c3e38d22e59a5bc1f7a7ae93e1edcc5f378699d8f9

                                                                                                                                  SHA512

                                                                                                                                  4ed47f9274ac568b8f637fbd5034c93481a5556dc78a409d8a129e971b532ffa8102ec641074926597d9d09c8a2f62d2c7d42c2618c0c4d1bac72bcc0acf5136

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
                                                                                                                                  Filesize

                                                                                                                                  52KB

                                                                                                                                  MD5

                                                                                                                                  056485671c5a4a15c5e3c96f201c2c71

                                                                                                                                  SHA1

                                                                                                                                  27e280084b9431543356ff7fba903e2c6eef6ac1

                                                                                                                                  SHA256

                                                                                                                                  98578251a853ac45fe550b816bb75bf91906cd8be80d630a2ae761fdeb0ffc36

                                                                                                                                  SHA512

                                                                                                                                  44f101bf8ba2bf550dfbf6dab8820bdbbdb66874ae868268a4653964d7c37708915019c82a06cc10e9d21273832c138d4b2ec0e9115599e6961b872b08424344

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
                                                                                                                                  Filesize

                                                                                                                                  1KB

                                                                                                                                  MD5

                                                                                                                                  7b54738ebd5170448a7eac293aa91956

                                                                                                                                  SHA1

                                                                                                                                  768eb2c07b25a4a304f251b9c26aea6681cad816

                                                                                                                                  SHA256

                                                                                                                                  ee33a43b98be7b111cf61dd241a89d98918d87981583baff6cdf3a953464bf06

                                                                                                                                  SHA512

                                                                                                                                  6b6dfa5a61bd1b69850a95266bb387bd30a76d086794fd68c6059d0d170a14449f2f2a99f011be5beb8aaa1300f7ad8a164338ec1dc1a67e5d13137cd2d8f9c9

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Agent.pef-fa2e6e4b541571337e4be83bcb1792f7ce2216c237729aa4cc26d75a7bc49699.exe
                                                                                                                                  Filesize

                                                                                                                                  101KB

                                                                                                                                  MD5

                                                                                                                                  aa2510bc5da7eb2f002db67ed121fc0a

                                                                                                                                  SHA1

                                                                                                                                  4951649b006a60fd8642ea3127d6a9b253df89a8

                                                                                                                                  SHA256

                                                                                                                                  fa2e6e4b541571337e4be83bcb1792f7ce2216c237729aa4cc26d75a7bc49699

                                                                                                                                  SHA512

                                                                                                                                  45c1954b659638036d974cccb1bfd8548013534d4a67b02a92e223568f46470f927cb4cde528d3e9d180cf8b3a795ca08245cb0ae053b91fbccc551a374d516b

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Blocker.pef-49d6ebf3d6a5b8e69aeeca1f702b2ef9763698bb506add7b7519b8a669902c47.exe
                                                                                                                                  Filesize

                                                                                                                                  52KB

                                                                                                                                  MD5

                                                                                                                                  562b7d81a7db424e98c0a669815732f8

                                                                                                                                  SHA1

                                                                                                                                  b2b02ecd2eb5d1ddab8fdca6f0e21d37e5d90c55

                                                                                                                                  SHA256

                                                                                                                                  49d6ebf3d6a5b8e69aeeca1f702b2ef9763698bb506add7b7519b8a669902c47

                                                                                                                                  SHA512

                                                                                                                                  6cc6511fe7977e5db673c8ee1861d27406fbc48ebf6f00400caff103d3e31873b7adb489a49bcaf87d139614c49cb818b067a411f81f6021e408fc702f0d51de

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-94e6d0a399c250e270cd6eb88098bef9b840b7efc267f66868e8168401a81e7b.exe
                                                                                                                                  Filesize

                                                                                                                                  1.8MB

                                                                                                                                  MD5

                                                                                                                                  8fd8152c8b44ba4c1b4895e75f1ccbd0

                                                                                                                                  SHA1

                                                                                                                                  8233224356fb166086f1f01652a3f07e8c6f3e66

                                                                                                                                  SHA256

                                                                                                                                  94e6d0a399c250e270cd6eb88098bef9b840b7efc267f66868e8168401a81e7b

                                                                                                                                  SHA512

                                                                                                                                  64e21ad96d7f6f0ce49ba166b6f969ddb2cada7a717d276c88f2f0f606768a2cd47acb6c84ed75437c31b6d82c408aae22580c6b4afccd2d8cf7b57053ca9570

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-c65cb7133cca12e633e6a5af15db31486fb584878c798f13899b9843eb70588a.exe
                                                                                                                                  Filesize

                                                                                                                                  130KB

                                                                                                                                  MD5

                                                                                                                                  a7713f6ea7d1517a38be9e0f12ead27c

                                                                                                                                  SHA1

                                                                                                                                  3c7f8fa6d6420535e3ab91cf05474793381c40b7

                                                                                                                                  SHA256

                                                                                                                                  c65cb7133cca12e633e6a5af15db31486fb584878c798f13899b9843eb70588a

                                                                                                                                  SHA512

                                                                                                                                  bc7191f5249a60e2386691f1c5bd7aa99d64937946ce112a32bdd3ba52f74ab6a9fae8b256d7f95f4ff2e3218761aecd806c86e8b7ee401dacda41268973d59e

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-4195b6011bd6ee6c3fc55e631ac6ebcade7f421a62b88f74a5a7a82f381028d6.exe
                                                                                                                                  Filesize

                                                                                                                                  12.4MB

                                                                                                                                  MD5

                                                                                                                                  bf649b31aceca048fcd71e2db82dd0e0

                                                                                                                                  SHA1

                                                                                                                                  e6b9c9192e702f8a4e5551430439862c54de3727

                                                                                                                                  SHA256

                                                                                                                                  4195b6011bd6ee6c3fc55e631ac6ebcade7f421a62b88f74a5a7a82f381028d6

                                                                                                                                  SHA512

                                                                                                                                  333bb7890bd54a51157be7f0a5a2de357a9f1303416ed9076054b2e86f6d5782e215ee43f5028b62624534502d44eaa36744633a2fb179edf77c72beffb9d77f

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c.exe
                                                                                                                                  Filesize

                                                                                                                                  665KB

                                                                                                                                  MD5

                                                                                                                                  7e63e528999696128449c6a757d98239

                                                                                                                                  SHA1

                                                                                                                                  f8b77ef9687e2305dd3e896f395cc7ea880cbe4f

                                                                                                                                  SHA256

                                                                                                                                  2da6b8701261713c68a89d8ace48809627a80eaece6a3af179242a66a11dec3c

                                                                                                                                  SHA512

                                                                                                                                  1a5c6171d2ef7de8f64b96824aca313ae62f350bf9baa303f0751e4b4fbea4da81f5c66c0f53ebf405e64162bbb4eb34fcde32ad9ab6b4674ea72d837f761356

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa.exe
                                                                                                                                  Filesize

                                                                                                                                  762KB

                                                                                                                                  MD5

                                                                                                                                  a445bb9e7a5b793b3092b3e3d7f9b48f

                                                                                                                                  SHA1

                                                                                                                                  04202bc59cd7357fe2776ca23951699eadbdace1

                                                                                                                                  SHA256

                                                                                                                                  8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa

                                                                                                                                  SHA512

                                                                                                                                  4ea76d9eb4511c011e941659b66b30858725e73a734a5f05cf4451038b819f61e5f0ca2a9b3496d2123e7ff734bfce833dd516944850afca911cffdec11c39de

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan-Ransom.Win32.Stop.gen-9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4.exe
                                                                                                                                  Filesize

                                                                                                                                  676KB

                                                                                                                                  MD5

                                                                                                                                  8469c4c346926ba7b918b52e13a08cb6

                                                                                                                                  SHA1

                                                                                                                                  dbc6667901b3fe41fceb964616c51abe805ef38a

                                                                                                                                  SHA256

                                                                                                                                  9810a2d9e5bf1ac509a0e41f7b463134edaee62a60aa0391ad6f699d063cdba4

                                                                                                                                  SHA512

                                                                                                                                  70e61410bcf0b586e788b1eefc902ae8c75f0a4eccd177c215d52c697ff8619bf7ad940ced4dd910165bac90041e6ff99b052fcf59fb20939388039f19e61845

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-25a22627a27b62e7220ad0c9dcd143075e65a0b87e167e2f4a16038395dd13ed.exe
                                                                                                                                  Filesize

                                                                                                                                  301KB

                                                                                                                                  MD5

                                                                                                                                  84e5c5a110c3c83ce6a4e9e203e47341

                                                                                                                                  SHA1

                                                                                                                                  26713db13e854151a65bf98fa231c34cdf4596ce

                                                                                                                                  SHA256

                                                                                                                                  25a22627a27b62e7220ad0c9dcd143075e65a0b87e167e2f4a16038395dd13ed

                                                                                                                                  SHA512

                                                                                                                                  c9171453dbd726ee8d28f964bb2c6272650dc1febc598e8bd0c320b402685d52ca9e30c76b7000a23c40f1c7f3f23596344aed2d02903cbde66ecd046eca0a85

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-48ac0f448063f3ec6329833ef2743a948ec05310cfd956d8fcf97ca66557d757.exe
                                                                                                                                  Filesize

                                                                                                                                  59KB

                                                                                                                                  MD5

                                                                                                                                  b48d535fc531c52d2331250c84809219

                                                                                                                                  SHA1

                                                                                                                                  480818b907b823c5edd8fa552ef6d9ab5e8a21db

                                                                                                                                  SHA256

                                                                                                                                  48ac0f448063f3ec6329833ef2743a948ec05310cfd956d8fcf97ca66557d757

                                                                                                                                  SHA512

                                                                                                                                  bdff617bc1eed6af178a58d346c2d77f6e63a7209426e26437a958b9fbec6d6c04b99ef51dd0bfd15024ba32fd4039892e38c8c64f8fc5e775d29de3d8447776

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-669453e2b4c1729cc640ff8e24d6d95c75e6dc92d7420d72bfba6f508f25f056.exe
                                                                                                                                  Filesize

                                                                                                                                  72KB

                                                                                                                                  MD5

                                                                                                                                  354a18688062282c766a965e44ff9247

                                                                                                                                  SHA1

                                                                                                                                  913989d8eba686a17a71de69e8d85bb77c721493

                                                                                                                                  SHA256

                                                                                                                                  669453e2b4c1729cc640ff8e24d6d95c75e6dc92d7420d72bfba6f508f25f056

                                                                                                                                  SHA512

                                                                                                                                  909305c7e6731a44c997fc57ff1771bfe21ef628c67d9045ce86ac027ddec44d93f609ccfedbc1e4de0e9196aaf4d2da8a96e7d3b1f34542f1c9fcae2a5401aa

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-98a6263e9dc89e5fd77dafcd22d6114cb9b7a7110515e4865619173f69cb5f44.exe
                                                                                                                                  Filesize

                                                                                                                                  1.0MB

                                                                                                                                  MD5

                                                                                                                                  785cbbe2b1b2d6638a54a738b2fbf582

                                                                                                                                  SHA1

                                                                                                                                  ab327642cc8527d5290aaee06275fc0d59b9cb67

                                                                                                                                  SHA256

                                                                                                                                  98a6263e9dc89e5fd77dafcd22d6114cb9b7a7110515e4865619173f69cb5f44

                                                                                                                                  SHA512

                                                                                                                                  73d65f3930d0bb3a7025535c75a771927763c2017ef49ce02fd46ad4129beaf4353fd75e51fba97e05409a392af9ae7a731b4b6a2eaabdf6ae9272f60933e4b7

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-a173ec08c1a0d6ddf9cbb7d209d0f87ca9ec1f9d51da162d8483f87b780d54e4.exe
                                                                                                                                  Filesize

                                                                                                                                  89KB

                                                                                                                                  MD5

                                                                                                                                  34582288dcd615cdd894859d6891bee6

                                                                                                                                  SHA1

                                                                                                                                  b64d83f49fb5d865c7c3d19cee6eaa2b86325ecc

                                                                                                                                  SHA256

                                                                                                                                  a173ec08c1a0d6ddf9cbb7d209d0f87ca9ec1f9d51da162d8483f87b780d54e4

                                                                                                                                  SHA512

                                                                                                                                  f7ae0aacc7b231b8f8d7d0df5164682c450d2718401e74cf27f2d4d715947c0ed0d67442139caaa6e34677ef425c7ff6ae3dc661e16d4388f15bd5a488238620

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-a28e0b9b0f32e3d2204a2fd1fbbebce766da226dd7ee3b68603640219e530357.exe
                                                                                                                                  Filesize

                                                                                                                                  577KB

                                                                                                                                  MD5

                                                                                                                                  eaa106716ebf7170cfd141e12835ce19

                                                                                                                                  SHA1

                                                                                                                                  e0fe9d60494f9f8313cbc0362c439c7cc329f333

                                                                                                                                  SHA256

                                                                                                                                  a28e0b9b0f32e3d2204a2fd1fbbebce766da226dd7ee3b68603640219e530357

                                                                                                                                  SHA512

                                                                                                                                  1037b5f5115c680b2f44836fd0d9611e6fab227c78bc8404ec55f71eda0dc13cfaaa248d81d2914a6f840f283136814b09dc124f2944e63a9dbb566a38d31f86

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Crypt.gen-e8183344ad6aece1d63dbdac78a0fd85afa85c15f9d88c8fe51a260a3752e7ba.exe
                                                                                                                                  Filesize

                                                                                                                                  108KB

                                                                                                                                  MD5

                                                                                                                                  8d071e7f634fb06e5dc86e0c133f7d50

                                                                                                                                  SHA1

                                                                                                                                  a31208fb6c2aaad013b034d0e1fd548b655dd78e

                                                                                                                                  SHA256

                                                                                                                                  e8183344ad6aece1d63dbdac78a0fd85afa85c15f9d88c8fe51a260a3752e7ba

                                                                                                                                  SHA512

                                                                                                                                  6c5393df5fd0ecdcd802b18f4e5e7bbde5146293f1e7f8d6022f24feb6cf43c73caa5e3ecdde3407a4a2d74bf096987b7126b71d9430395d842ccec4b65bbfb3

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.MSIL.Cryptos.gen-9dc47b37bd726b80b4998010e6d41288a2947b5f37b454239ea31b75ab4b1f62.exe
                                                                                                                                  Filesize

                                                                                                                                  573KB

                                                                                                                                  MD5

                                                                                                                                  e2715ae1e79f91d4986c160ec8758748

                                                                                                                                  SHA1

                                                                                                                                  74880975a558801e947a26c1a880ab7709e1a40e

                                                                                                                                  SHA256

                                                                                                                                  9dc47b37bd726b80b4998010e6d41288a2947b5f37b454239ea31b75ab4b1f62

                                                                                                                                  SHA512

                                                                                                                                  1078090d2d00cc0d07ec4a2ec8214fec5404505d42aeab1e206b9a7ee7769d25a6cec1d4bd3ac79689c6e2bbb55d1d12e3490628c5700a1f22adee68c8e49231

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.Win32.Cryprar.gen-7899613f148045977450d49ebf25c0532de81f304d2b84f504396e97fb6bc4f3.exe
                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  MD5

                                                                                                                                  63d38ab0fe5f27a5d4e3d04fd746f9d4

                                                                                                                                  SHA1

                                                                                                                                  eff646def1ffd6efd929eb4332ed6fdd37d4513b

                                                                                                                                  SHA256

                                                                                                                                  7899613f148045977450d49ebf25c0532de81f304d2b84f504396e97fb6bc4f3

                                                                                                                                  SHA512

                                                                                                                                  4313fa2268a6283a8088b6135226f8f4dcfe120a71f9249423ac30e911167050f700d7643876e6e36e82047a8e63d0993a64b17ed714316e3600d8d8faa1f766

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\HEUR-Trojan.Win32.Crypt.gen-c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d.exe
                                                                                                                                  Filesize

                                                                                                                                  2.6MB

                                                                                                                                  MD5

                                                                                                                                  a1a2a0b423349f463d23969864a111c0

                                                                                                                                  SHA1

                                                                                                                                  37d83a34da50b959759cbb18b01654bbd17bbb3f

                                                                                                                                  SHA256

                                                                                                                                  c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d

                                                                                                                                  SHA512

                                                                                                                                  3100ef7b7cb3c5887bbf6a8eededee660da6f0744e09943bc1276b9db09baaed7dab299a09ace9ba64c09a17d5a47126b8edd9e21be96d78b2bcd9a434940d2d

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Blocker.mgn-7421e35db6c47a53669f59d92e776c488e2cf93848fcc1fda7ce9c30edd39be6.exe
                                                                                                                                  Filesize

                                                                                                                                  104KB

                                                                                                                                  MD5

                                                                                                                                  900de89b8b893997dca9f009394f51a2

                                                                                                                                  SHA1

                                                                                                                                  7915dfcd0b53d2485c248773846cff8f871aa719

                                                                                                                                  SHA256

                                                                                                                                  7421e35db6c47a53669f59d92e776c488e2cf93848fcc1fda7ce9c30edd39be6

                                                                                                                                  SHA512

                                                                                                                                  9f34934a9f6c7c59cd9e5f2cfad318c20714daf66c8debda4d9ef173a1d74cb51a03ef03974f5ed1b4e5016237bf09f597cdf590fa7c58402309dadc82d76899

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Blocker.nbjg-f927f7153b2ba69a5ac8f223889470bf0d078c916f678fd442a86345c8e3e1ef.exe
                                                                                                                                  Filesize

                                                                                                                                  355KB

                                                                                                                                  MD5

                                                                                                                                  23fe4e56e66ece317fe7b1f01d00c428

                                                                                                                                  SHA1

                                                                                                                                  b9192af60469577547043823f70dda6ae279b131

                                                                                                                                  SHA256

                                                                                                                                  f927f7153b2ba69a5ac8f223889470bf0d078c916f678fd442a86345c8e3e1ef

                                                                                                                                  SHA512

                                                                                                                                  2a90c49688633c94c1571aa40fb8e1404a38375370afc9813bbd4657b6c0b09c7259ac697145dd0b1688b9487bb5503efa80496927ddd581e07ffad868e526b1

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Desktop\00477\Trojan-Ransom.Win32.Crypmod.xvd-2676fe4ccf44136f62501deb19de4379009f83823a155cdb8ce774e188e9512c.exe
                                                                                                                                  Filesize

                                                                                                                                  83KB

                                                                                                                                  MD5

                                                                                                                                  7527a2a4651f049c3ea59e6fb2d812d4

                                                                                                                                  SHA1

                                                                                                                                  0624af5078b6ad71f7d67a2e8ebb69cc1f8f5321

                                                                                                                                  SHA256

                                                                                                                                  2676fe4ccf44136f62501deb19de4379009f83823a155cdb8ce774e188e9512c

                                                                                                                                  SHA512

                                                                                                                                  aba0e00c70964c1857ebe3aa3c0cda5e06473337fe7acebf2dd5cd0370e78a1b411791eae96bae05c84b7cf5680dc29066bc74b5de832201fdc35b819fcb2517

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\Documents\_READ_ME.txt
                                                                                                                                  Filesize

                                                                                                                                  622B

                                                                                                                                  MD5

                                                                                                                                  aa3edc06b3b93143ff604ae0b91f8d10

                                                                                                                                  SHA1

                                                                                                                                  ab31aac4a38923059a567fa93c895a1bd11ad325

                                                                                                                                  SHA256

                                                                                                                                  3c4e6d74aba110139e4a8f51504a3f1cb07d69e6e45301663dfb795f23e7a27a

                                                                                                                                  SHA512

                                                                                                                                  0a342a262d0289034b560ef23a539f9800f04794ce9136733cf5c8f1c3e40ae8ff1a269076b2c46ea985fdf1860015a46800286853081e652d92a18f4710d21d

                                                                                                                                  Download Submit

                                                                                                                                • F:\AUTORUN.INF
                                                                                                                                  Filesize

                                                                                                                                  145B

                                                                                                                                  MD5

                                                                                                                                  ca13857b2fd3895a39f09d9dde3cca97

                                                                                                                                  SHA1

                                                                                                                                  8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

                                                                                                                                  SHA256

                                                                                                                                  cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

                                                                                                                                  SHA512

                                                                                                                                  55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

                                                                                                                                  Download Submit

                                                                                                                                • \??\c:\users\admin\desktop\00477\heur-trojan-ransom.win32.generic-2e0a4f31be75bbd732ff6871f13c7afb260811f960cd3a071cdf3f2d826f0c66.exe
                                                                                                                                  Filesize

                                                                                                                                  248KB

                                                                                                                                  MD5

                                                                                                                                  81b62a10b4c7b8628c97368644cf2dbf

                                                                                                                                  SHA1

                                                                                                                                  fc0c2d3988a66f14af152e7d1a3aec2e1e5659d7

                                                                                                                                  SHA256

                                                                                                                                  2e0a4f31be75bbd732ff6871f13c7afb260811f960cd3a071cdf3f2d826f0c66

                                                                                                                                  SHA512

                                                                                                                                  255791b53cad6fa8f64d855ba37dd1a786d039cbd62d8aa3e5e9d611a9f601c7d23b590aca667bb868ed8433b3f9d4a32e28ad43ec559d3b84a2c07c1f724df2

                                                                                                                                  Download Submit

                                                                                                                                • \??\c:\users\admin\desktop\00477\heur-trojan.msil.crypt.gen-7a2597a652c9dd24f5a14179415f95b405282e10087edd625975ba9423b0c317.exe
                                                                                                                                  Filesize

                                                                                                                                  424KB

                                                                                                                                  MD5

                                                                                                                                  72634ada02610ec7fb5674df3acdada7

                                                                                                                                  SHA1

                                                                                                                                  839693965c71fa8ad883ea612e12dabdba428300

                                                                                                                                  SHA256

                                                                                                                                  7a2597a652c9dd24f5a14179415f95b405282e10087edd625975ba9423b0c317

                                                                                                                                  SHA512

                                                                                                                                  956519aafeb2113d1a15b2ada20f8b2fb38ffec857c04dc40e9c6a11d4f2bc3cb0ec63e63c90775dec3f3865f55f7a9d001db449c80d94ea65436b0876183891

                                                                                                                                  Download Submit

                                                                                                                                • memory/448-860-0x0000000000400000-0x0000000000487000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  540KB

                                                                                                                                  Download

                                                                                                                                • memory/448-785-0x0000000000400000-0x0000000000487000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  540KB

                                                                                                                                  Download

                                                                                                                                • memory/732-439-0x0000000002B80000-0x0000000002B9E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  120KB

                                                                                                                                  Download

                                                                                                                                • memory/732-434-0x00000000009E0000-0x0000000000A06000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  152KB

                                                                                                                                  Download

                                                                                                                                • memory/828-532-0x0000000000400000-0x0000000000549000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.3MB

                                                                                                                                  Download

                                                                                                                                • memory/1484-1099-0x0000000000400000-0x0000000000487000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  540KB

                                                                                                                                  Download

                                                                                                                                • memory/1484-863-0x0000000000400000-0x0000000000487000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  540KB

                                                                                                                                  Download

                                                                                                                                • memory/1832-226-0x0000000005860000-0x00000000058FC000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  624KB

                                                                                                                                  Download

                                                                                                                                • memory/1832-225-0x0000000000F20000-0x0000000000FB6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  600KB

                                                                                                                                  Download

                                                                                                                                • memory/1832-228-0x00000000059A0000-0x0000000005A32000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  584KB

                                                                                                                                  Download

                                                                                                                                • memory/1832-227-0x0000000005EB0000-0x0000000006454000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  5.6MB

                                                                                                                                  Download

                                                                                                                                • memory/1832-231-0x0000000005900000-0x000000000590A000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  40KB

                                                                                                                                  Download

                                                                                                                                • memory/1832-20514-0x0000000001450000-0x0000000001464000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  80KB

                                                                                                                                  Download

                                                                                                                                • memory/1832-232-0x0000000005A40000-0x0000000005A96000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  344KB

                                                                                                                                  Download

                                                                                                                                • memory/2128-289-0x0000000000FF0000-0x0000000001010000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  128KB

                                                                                                                                  Download

                                                                                                                                • memory/2128-294-0x00000000017A0000-0x00000000017BA000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  104KB

                                                                                                                                  Download

                                                                                                                                • memory/2216-113-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.7MB

                                                                                                                                  Download

                                                                                                                                • memory/2216-401-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.7MB

                                                                                                                                  Download

                                                                                                                                • memory/2376-538-0x00000000062F0000-0x000000000633C000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  304KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-483-0x00000000059F0000-0x0000000005D44000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  3.3MB

                                                                                                                                  Download

                                                                                                                                • memory/2376-748-0x0000000007260000-0x0000000007271000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  68KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-731-0x0000000007300000-0x0000000007396000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  600KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-716-0x0000000005D60000-0x0000000005D6A000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  40KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-668-0x0000000007680000-0x0000000007CFA000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  6.5MB

                                                                                                                                  Download

                                                                                                                                • memory/2376-669-0x0000000007040000-0x000000000705A000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  104KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-636-0x0000000071F40000-0x0000000071F8C000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  304KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-652-0x0000000006EF0000-0x0000000006F93000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  652KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-436-0x0000000002420000-0x0000000002456000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  216KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-646-0x0000000006280000-0x000000000629E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  120KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-437-0x0000000004EE0000-0x0000000005508000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  6.2MB

                                                                                                                                  Download

                                                                                                                                • memory/2376-633-0x00000000062A0000-0x00000000062D2000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  200KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-536-0x00000000058E0000-0x00000000058FE000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  120KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-471-0x0000000005780000-0x00000000057E6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  408KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-466-0x00000000055C0000-0x00000000055E2000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  136KB

                                                                                                                                  Download

                                                                                                                                • memory/2376-472-0x0000000005980000-0x00000000059E6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  408KB

                                                                                                                                  Download

                                                                                                                                • memory/2428-450-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  Download

                                                                                                                                • memory/2428-176-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  Download

                                                                                                                                • memory/2428-174-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  Download

                                                                                                                                • memory/2436-562-0x0000013C1C460000-0x0000013C1C4AC000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  304KB

                                                                                                                                  Download

                                                                                                                                • memory/2680-107-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  36KB

                                                                                                                                  Download

                                                                                                                                • memory/2680-146-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  36KB

                                                                                                                                  Download

                                                                                                                                • memory/2872-222-0x0000000000F40000-0x0000000000F58000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  96KB

                                                                                                                                  Download

                                                                                                                                • memory/3164-549-0x0000000000400000-0x000000000089E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4.6MB

                                                                                                                                  Download

                                                                                                                                • memory/3200-424-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  32KB

                                                                                                                                  Download

                                                                                                                                • memory/3312-377-0x0000000000400000-0x0000000000415000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  84KB

                                                                                                                                  Download

                                                                                                                                • memory/3472-426-0x0000000000400000-0x000000000041CF08-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  115KB

                                                                                                                                  Download

                                                                                                                                • memory/3776-350-0x0000000000990000-0x0000000000A24000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  592KB

                                                                                                                                  Download

                                                                                                                                • memory/3776-27069-0x00000000010A0000-0x00000000010EE000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  312KB

                                                                                                                                  Download

                                                                                                                                • memory/3856-719-0x0000000000400000-0x0000000000487000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  540KB

                                                                                                                                  Download

                                                                                                                                • memory/3856-682-0x0000000000400000-0x0000000000487000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  540KB

                                                                                                                                  Download

                                                                                                                                • memory/3856-916-0x0000000000340000-0x0000000000358000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  96KB

                                                                                                                                  Download

                                                                                                                                • memory/4084-214-0x000000001BBC0000-0x000000001BC66000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  664KB

                                                                                                                                  Download

                                                                                                                                • memory/4084-216-0x00000000009C0000-0x00000000009C8000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  32KB

                                                                                                                                  Download

                                                                                                                                • memory/4084-210-0x000000001B6F0000-0x000000001BBBE000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4.8MB

                                                                                                                                  Download

                                                                                                                                • memory/4084-211-0x000000001B0C0000-0x000000001B15C000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  624KB

                                                                                                                                  Download

                                                                                                                                • memory/4164-405-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  36KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-415-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.1MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-480-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  152KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-398-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  572KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-389-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.1MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-397-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  572KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-416-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.1MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-399-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  572KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-411-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  152KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-404-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.5MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-407-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.5MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-482-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.5MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-410-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  152KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-403-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  572KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-481-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  572KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-402-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  152KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-417-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.1MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-414-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.1MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-413-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.1MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-406-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.5MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-408-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.5MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-409-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.5MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-477-0x000000006EB40000-0x000000006EB63000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  140KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-476-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  100KB

                                                                                                                                  Download

                                                                                                                                • memory/4476-479-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.1MB

                                                                                                                                  Download

                                                                                                                                • memory/4476-412-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.1MB

                                                                                                                                  Download

                                                                                                                                • memory/4756-83-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4756-76-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4756-85-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4756-88-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4756-78-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4756-86-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4756-87-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4756-82-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4756-84-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4756-77-0x00000214FF860000-0x00000214FF861000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                  Download

                                                                                                                                • memory/4948-561-0x0000000000400000-0x00000000008FA000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  5.0MB

                                                                                                                                  Download

                                                                                                                                • memory/5000-291-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  Download

                                                                                                                                • memory/5000-533-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  Download

                                                                                                                                • memory/5000-531-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  Download

                                                                                                                                • memory/5000-293-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  Download

                                                                                                                                • memory/5592-496-0x00007FF7221A0000-0x00007FF722D5B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  11.7MB

                                                                                                                                  Download

                                                                                                                                • memory/5592-1129-0x00007FF7221A0000-0x00007FF722D5B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  11.7MB

                                                                                                                                  Download

                                                                                                                                • memory/5592-765-0x00007FF7221A0000-0x00007FF722D5B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  11.7MB

                                                                                                                                  Download

                                                                                                                                • memory/5592-500-0x00007FF7221A0000-0x00007FF722D5B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  11.7MB

                                                                                                                                  Download

                                                                                                                                • memory/5592-497-0x00007FF7221A0000-0x00007FF722D5B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  11.7MB

                                                                                                                                  Download

                                                                                                                                • memory/5592-499-0x00007FF7221A0000-0x00007FF722D5B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  11.7MB

                                                                                                                                  Download

                                                                                                                                • memory/5592-484-0x00007FF7221A0000-0x00007FF722D5B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  11.7MB

                                                                                                                                  Download

                                                                                                                                • memory/5824-543-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  Download

                                                                                                                                • memory/5824-542-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.2MB

                                                                                                                                  Download

                                                                                                                                • memory/6308-786-0x00000000002C0000-0x00000000002F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  196KB

                                                                                                                                  Download

                                                                                                                                • memory/6308-686-0x00000000002C0000-0x00000000002F1000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  196KB

                                                                                                                                  Download

                                                                                                                                • memory/6516-806-0x0000000000400000-0x0000000000487000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  540KB

                                                                                                                                  Download

                                                                                                                                • memory/6516-707-0x0000000000400000-0x0000000000487000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  540KB

                                                                                                                                  Download