Overview

overview

10

Static

static

1

RNSM00463.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    218s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-10-2024 19:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00463.7z

  • Size

    75.1MB

  • MD5

    70762512ab2bcdfe3ba5528929042036

  • SHA1

    3a44bc767c9fb58afee903dd2792518a2b5db9c6

  • SHA256

    28a519359d43eabd0bd2e8b1411e2136f4b77f8c1f46bc5041f65f7d17d0d866

  • SHA512

    86efc123c02ed3988814c3c153f6ca5d0965b3cadf33a85ccc1faae173aae5d5b8067eeb2fa2ec31238bba1673cb10d2a264d06f162c28e34813161eabbdf2ce

  • SSDEEP

    1572864:kIbTKYr+1n5414c9QdeMTNHz7gZ9npl2Hemr3SR8rAqzPNSmkX:RKf4DQd1pTsZDMHJriSrAqzO

Score
10/10
demonwareraccoonagilenetaspackv2defense_evasiondiscoverypersistencepyinstallerransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\README.txt

Family

demonware

Ransom Note
Tango Down! Seems like you got hit by DemonWare ransomware! Don't Panic, you get have your files back! DemonWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO. You'll need a decryption key in order to unlock your files. Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key C'mon, be glad I don't ask for payment like other ransomware. Please visit: https://keys.zeznzo.nl and search for your IP/hostname to get your key. Kind regards, Zeznzo
URLs

https://keys.zeznzo.nl

Signatures

  • DemonWare

    Ransomware first seen in mid-2020.

    ransomwaredemonware
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
  • Renames multiple (83) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Downloads MZ/PE file
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 7 IoCs
  • Executes dropped EXE 45 IoCs
  • Loads dropped DLL 43 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 11 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00463.7z
    1⤵
    • Modifies registry class
    PID:2736
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2640
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4220
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00463.7z"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4992
        • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-039edbbd634d43da4a757d24ba6b1f4def3abb4dd063e2747219819334067bed.exe
          HEUR-Trojan-Ransom.MSIL.Blocker.gen-039edbbd634d43da4a757d24ba6b1f4def3abb4dd063e2747219819334067bed.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
            4⤵
              PID:5780
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
              4⤵
                PID:8240
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                4⤵
                  PID:9472
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                  4⤵
                    PID:9256
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                    4⤵
                      PID:9224
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                      4⤵
                        PID:11688
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                        4⤵
                          PID:9640
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                          4⤵
                            PID:12000
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                            4⤵
                              PID:5228
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                              4⤵
                                PID:8800
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                4⤵
                                  PID:11288
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                  4⤵
                                    PID:6996
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                    4⤵
                                      PID:7844
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                      4⤵
                                        PID:10784
                                    • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-095342b7049bb0b46e83bad53ea90bea7be0b0a0639485193d0c273d0eb80e39.exe
                                      HEUR-Trojan-Ransom.MSIL.Blocker.gen-095342b7049bb0b46e83bad53ea90bea7be0b0a0639485193d0c273d0eb80e39.exe
                                      3⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3668
                                    • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8.exe
                                      HEUR-Trojan-Ransom.MSIL.Blocker.gen-697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8.exe
                                      3⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:4384
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8.exe" -Force
                                        4⤵
                                          PID:11904
                                        • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8.exe
                                          C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8.exe
                                          4⤵
                                            PID:6884
                                          • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8.exe
                                            C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8.exe
                                            4⤵
                                              PID:10152
                                          • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9668bbd926bf73dd307e8eb9acb69e68ddee127c940a67bf0d6c0c9d889a6bf2.exe
                                            HEUR-Trojan-Ransom.MSIL.Blocker.gen-9668bbd926bf73dd307e8eb9acb69e68ddee127c940a67bf0d6c0c9d889a6bf2.exe
                                            3⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:1660
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4288
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:1236
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:8384
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:8032
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:11856
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                              4⤵
                                                PID:10932
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                4⤵
                                                  PID:8176
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                  4⤵
                                                    PID:11888
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                    4⤵
                                                      PID:2080
                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                      4⤵
                                                        PID:11196
                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                        4⤵
                                                          PID:11540
                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                          4⤵
                                                            PID:12216
                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                            4⤵
                                                              PID:4908
                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                              4⤵
                                                                PID:10340
                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                4⤵
                                                                  PID:9336
                                                              • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a9fb5eb534dc6bd3b5ba5d57349efd9c55c9d8020f63b2d6d21835f36d635aff.exe
                                                                HEUR-Trojan-Ransom.MSIL.Blocker.gen-a9fb5eb534dc6bd3b5ba5d57349efd9c55c9d8020f63b2d6d21835f36d635aff.exe
                                                                3⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:3856
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                  4⤵
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:5096
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                  4⤵
                                                                    PID:3584
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                    4⤵
                                                                      PID:5912
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                      4⤵
                                                                        PID:7752
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                        4⤵
                                                                          PID:9300
                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                          4⤵
                                                                            PID:9680
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                            4⤵
                                                                              PID:4400
                                                                              • C:\Windows\System32\Conhost.exe
                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                5⤵
                                                                                  PID:5972
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                4⤵
                                                                                  PID:9108
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                  4⤵
                                                                                    PID:2592
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                    4⤵
                                                                                      PID:2164
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                      4⤵
                                                                                        PID:7392
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                        4⤵
                                                                                          PID:10440
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                          4⤵
                                                                                            PID:6480
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                            4⤵
                                                                                              PID:2736
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                              4⤵
                                                                                                PID:6772
                                                                                            • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2890c754ab95d16d9d1d93f680a850db565a61c68bbaf0337696bfbb485e8fa.exe
                                                                                              HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2890c754ab95d16d9d1d93f680a850db565a61c68bbaf0337696bfbb485e8fa.exe
                                                                                              3⤵
                                                                                              • Executes dropped EXE
                                                                                              • Adds Run key to start application
                                                                                              • Suspicious use of SetThreadContext
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1436
                                                                                              • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2890c754ab95d16d9d1d93f680a850db565a61c68bbaf0337696bfbb485e8fa.exe
                                                                                                C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2890c754ab95d16d9d1d93f680a850db565a61c68bbaf0337696bfbb485e8fa.exe
                                                                                                4⤵
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:5628
                                                                                            • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d7ec622cd33aa5ae0a66337357f724a2a013b9d3ff91c51694e28065c5ea59d7.exe
                                                                                              HEUR-Trojan-Ransom.MSIL.Blocker.gen-d7ec622cd33aa5ae0a66337357f724a2a013b9d3ff91c51694e28065c5ea59d7.exe
                                                                                              3⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:4292
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                4⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4160
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                4⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:6112
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                4⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:2496
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                4⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:8832
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                4⤵
                                                                                                  PID:9228
                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                  4⤵
                                                                                                    PID:11292
                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                    4⤵
                                                                                                      PID:9628
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                      4⤵
                                                                                                        PID:11664
                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                        4⤵
                                                                                                          PID:5748
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                          4⤵
                                                                                                            PID:11072
                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                            4⤵
                                                                                                              PID:10384
                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                              4⤵
                                                                                                                PID:10776
                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                                4⤵
                                                                                                                  PID:9652
                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                                  4⤵
                                                                                                                    PID:6136
                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
                                                                                                                    4⤵
                                                                                                                      PID:6556
                                                                                                                  • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f82ddb5a7484a583727029b8474105a7fa4af2f61f2bd0a71c4794e5aad39453.exe
                                                                                                                    HEUR-Trojan-Ransom.MSIL.Blocker.gen-f82ddb5a7484a583727029b8474105a7fa4af2f61f2bd0a71c4794e5aad39453.exe
                                                                                                                    3⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:2896
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
                                                                                                                      4⤵
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:1932
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
                                                                                                                        5⤵
                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:5656
                                                                                                                    • C:\Users\Admin\AppData\Roaming\MAINPROC.exe
                                                                                                                      "C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
                                                                                                                      4⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:10128
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
                                                                                                                        5⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:8368
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 8368 -s 496
                                                                                                                          6⤵
                                                                                                                          • Program crash
                                                                                                                          PID:7464
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
                                                                                                                        5⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:10300
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 10300 -s 496
                                                                                                                          6⤵
                                                                                                                          • Program crash
                                                                                                                          PID:11236
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SMSS.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SMSS.exe"
                                                                                                                        5⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:10304
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SMSS.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SMSS.exe"
                                                                                                                          6⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:10432
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "Explorer.exe HelpMe.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
                                                                                                                        5⤵
                                                                                                                          PID:6488
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "Explorer.exe HelpMe.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
                                                                                                                            6⤵
                                                                                                                              PID:6644
                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Python.Agent.gen-01846406554cd4b29e1d9bd0f35396fcb437b8f264edf4f86431bda7a530edbb.exe
                                                                                                                        HEUR-Trojan-Ransom.Python.Agent.gen-01846406554cd4b29e1d9bd0f35396fcb437b8f264edf4f86431bda7a530edbb.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                        PID:4820
                                                                                                                        • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Python.Agent.gen-01846406554cd4b29e1d9bd0f35396fcb437b8f264edf4f86431bda7a530edbb.exe
                                                                                                                          HEUR-Trojan-Ransom.Python.Agent.gen-01846406554cd4b29e1d9bd0f35396fcb437b8f264edf4f86431bda7a530edbb.exe
                                                                                                                          4⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Loads dropped DLL
                                                                                                                          PID:3792
                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Blocker.gen-18e9bcf34eddc90a695dbbc6e9979b163affc9288e7ea7f2e7dbb4a2f693cf18.exe
                                                                                                                        HEUR-Trojan-Ransom.Win32.Blocker.gen-18e9bcf34eddc90a695dbbc6e9979b163affc9288e7ea7f2e7dbb4a2f693cf18.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2884
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 772
                                                                                                                          4⤵
                                                                                                                          • Program crash
                                                                                                                          PID:3932
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 792
                                                                                                                          4⤵
                                                                                                                          • Program crash
                                                                                                                          PID:5348
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 924
                                                                                                                          4⤵
                                                                                                                          • Program crash
                                                                                                                          PID:5624
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 792
                                                                                                                          4⤵
                                                                                                                          • Program crash
                                                                                                                          PID:5764
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1228
                                                                                                                          4⤵
                                                                                                                          • Program crash
                                                                                                                          PID:6108
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1292
                                                                                                                          4⤵
                                                                                                                          • Program crash
                                                                                                                          PID:4536
                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Blocker.pef-fa83fcf1d8e11178d12f7b7cb9a064d7125e1c7b0ea412f82bee14d37316d2a3.exe
                                                                                                                        HEUR-Trojan-Ransom.Win32.Blocker.pef-fa83fcf1d8e11178d12f7b7cb9a064d7125e1c7b0ea412f82bee14d37316d2a3.exe
                                                                                                                        3⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                        PID:1236
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
                                                                                                                          4⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:3668
                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Convagent.gen-ab97531316f9accb0212142ba0d64acf4596f13da35ffe9c9ceda718784b2e02.exe
                                                                                                                        HEUR-Trojan-Ransom.Win32.Convagent.gen-ab97531316f9accb0212142ba0d64acf4596f13da35ffe9c9ceda718784b2e02.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Suspicious use of UnmapMainImage
                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                        PID:3788
                                                                                                                        • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Convagent.gen-ab97531316f9accb0212142ba0d64acf4596f13da35ffe9c9ceda718784b2e02.exe
                                                                                                                          C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Convagent.gen-ab97531316f9accb0212142ba0d64acf4596f13da35ffe9c9ceda718784b2e02.exe
                                                                                                                          4⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Suspicious use of UnmapMainImage
                                                                                                                          PID:1596
                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f41d2bb776d1af7c88f91c03951197a8d41ff02bcaa8e5d1dc9099cf16827de2.exe
                                                                                                                        HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f41d2bb776d1af7c88f91c03951197a8d41ff02bcaa8e5d1dc9099cf16827de2.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in Program Files directory
                                                                                                                        PID:1492
                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Encoder.gen-c4a98a97c1d41eca96c3e4f21cdc4b1da50d42f31c8f6f4f2d0d7cc9065813e2.exe
                                                                                                                        HEUR-Trojan-Ransom.Win32.Encoder.gen-c4a98a97c1d41eca96c3e4f21cdc4b1da50d42f31c8f6f4f2d0d7cc9065813e2.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Loads dropped DLL
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:5256
                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Encoder.vho-090180aef36119bdef55a60525962f6a17c6edd37b6a73538c88d0a49fdde3c5.exe
                                                                                                                        HEUR-Trojan-Ransom.Win32.Encoder.vho-090180aef36119bdef55a60525962f6a17c6edd37b6a73538c88d0a49fdde3c5.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                        PID:5208
                                                                                                                        • C:\Users\Admin\Desktop\00463\payload.etl
                                                                                                                          "payload.etl"
                                                                                                                          4⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                          PID:6072
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Decode.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Decode.exe"
                                                                                                                            5⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Adds Run key to start application
                                                                                                                            PID:3620
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\LTE.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\LTE.exe"
                                                                                                                            5⤵
                                                                                                                            • Drops startup file
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in Program Files directory
                                                                                                                            PID:2676
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "payload.etl"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "payload.etl"
                                                                                                                            5⤵
                                                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                            PID:624
                                                                                                                            • C:\Windows\system32\PING.EXE
                                                                                                                              ping 1.1.1.1 -n 1 -w 100
                                                                                                                              6⤵
                                                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                              • Runs ping.exe
                                                                                                                              PID:5568
                                                                                                                            • C:\Windows\system32\PING.EXE
                                                                                                                              ping 1.1.1.1 -n 1 -w 900
                                                                                                                              6⤵
                                                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                              • Runs ping.exe
                                                                                                                              PID:5972
                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Generic-9ed4eef354ebf341f7c1e80face8ca83a494671bed731ac8fae0bc48c90adebc.exe
                                                                                                                        HEUR-Trojan-Ransom.Win32.Generic-9ed4eef354ebf341f7c1e80face8ca83a494671bed731ac8fae0bc48c90adebc.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:3748
                                                                                                                        • C:\Users\Admin\AppData\Roaming\Meus Dados.exe
                                                                                                                          "C:\Users\Admin\AppData\Roaming\Meus Dados.exe" C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Generic-9ed4eef354ebf341f7c1e80face8ca83a494671bed731ac8fae0bc48c90adebc.exe
                                                                                                                          4⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:5844
                                                                                                                          • C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
                                                                                                                            "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
                                                                                                                            5⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:5820
                                                                                                                            • C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
                                                                                                                              "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
                                                                                                                              6⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5156
                                                                                                                              • C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
                                                                                                                                "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
                                                                                                                                7⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:5676
                                                                                                                                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
                                                                                                                                  8⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:2624
                                                                                                                                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
                                                                                                                                  8⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:5480
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                    9⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4228
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                    9⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4296
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                    9⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:7020
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                    9⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:7576
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                    9⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4228
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                    9⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:3948
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                    9⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:7792
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                    9⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:11504
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                    9⤵
                                                                                                                                      PID:10108
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                      9⤵
                                                                                                                                        PID:11580
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                        9⤵
                                                                                                                                          PID:9044
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                          9⤵
                                                                                                                                            PID:5992
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                            9⤵
                                                                                                                                              PID:2016
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                              9⤵
                                                                                                                                                PID:11188
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                9⤵
                                                                                                                                                  PID:6988
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                  9⤵
                                                                                                                                                    PID:10952
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                    9⤵
                                                                                                                                                      PID:3576
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                      9⤵
                                                                                                                                                        PID:6844
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                        9⤵
                                                                                                                                                          PID:6588
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                          9⤵
                                                                                                                                                            PID:1716
                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                            9⤵
                                                                                                                                                              PID:5828
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                              9⤵
                                                                                                                                                                PID:4640
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                                9⤵
                                                                                                                                                                  PID:9060
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                                                                                                  9⤵
                                                                                                                                                                    PID:2996
                                                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-1fc9d8075c177847560b3efe00f9b61ee27dfb4073693ed13ccf431f2b5ece73.exe
                                                                                                                                                        HEUR-Trojan-Ransom.Win32.PolyRansom.gen-1fc9d8075c177847560b3efe00f9b61ee27dfb4073693ed13ccf431f2b5ece73.exe
                                                                                                                                                        3⤵
                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                        • Drops startup file
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Enumerates connected drives
                                                                                                                                                        • Drops autorun.inf file
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:4800
                                                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-321d59b076665e69fccc8f73c109e7d24c4c7199a0546d319638a65e60a83e9f.exe
                                                                                                                                                        HEUR-Trojan-Ransom.Win32.Stop.gen-321d59b076665e69fccc8f73c109e7d24c4c7199a0546d319638a65e60a83e9f.exe
                                                                                                                                                        3⤵
                                                                                                                                                        • Drops startup file
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5352
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                                                                                                          4⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                          PID:4144
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1028
                                                                                                                                                          4⤵
                                                                                                                                                          • Program crash
                                                                                                                                                          PID:5652
                                                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-379b6b6f6ee3e1a65c652f453b5df28de6be02bb9b086a7e0c48570945614d87.exe
                                                                                                                                                        HEUR-Trojan-Ransom.Win32.Stop.gen-379b6b6f6ee3e1a65c652f453b5df28de6be02bb9b086a7e0c48570945614d87.exe
                                                                                                                                                        3⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5884
                                                                                                                                                        • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-379b6b6f6ee3e1a65c652f453b5df28de6be02bb9b086a7e0c48570945614d87.exe
                                                                                                                                                          HEUR-Trojan-Ransom.Win32.Stop.gen-379b6b6f6ee3e1a65c652f453b5df28de6be02bb9b086a7e0c48570945614d87.exe
                                                                                                                                                          4⤵
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:8668
                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                            icacls "C:\Users\Admin\AppData\Local\adae6ab9-48ac-4e39-b764-44d6d4fba29c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                            5⤵
                                                                                                                                                            • Modifies file permissions
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:9084
                                                                                                                                                          • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-379b6b6f6ee3e1a65c652f453b5df28de6be02bb9b086a7e0c48570945614d87.exe
                                                                                                                                                            "C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-379b6b6f6ee3e1a65c652f453b5df28de6be02bb9b086a7e0c48570945614d87.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                            5⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:12020
                                                                                                                                                            • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-379b6b6f6ee3e1a65c652f453b5df28de6be02bb9b086a7e0c48570945614d87.exe
                                                                                                                                                              "C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-379b6b6f6ee3e1a65c652f453b5df28de6be02bb9b086a7e0c48570945614d87.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                              6⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:6240
                                                                                                                                                      • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-f64101c39b8344473763277c715167216eba418e86f4f2cf22ee7724182b930a.exe
                                                                                                                                                        HEUR-Trojan-Ransom.Win32.Stop.gen-f64101c39b8344473763277c715167216eba418e86f4f2cf22ee7724182b930a.exe
                                                                                                                                                        3⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5528
                                                                                                                                                        • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-f64101c39b8344473763277c715167216eba418e86f4f2cf22ee7724182b930a.exe
                                                                                                                                                          HEUR-Trojan-Ransom.Win32.Stop.gen-f64101c39b8344473763277c715167216eba418e86f4f2cf22ee7724182b930a.exe
                                                                                                                                                          4⤵
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:9552
                                                                                                                                                          • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-f64101c39b8344473763277c715167216eba418e86f4f2cf22ee7724182b930a.exe
                                                                                                                                                            "C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-f64101c39b8344473763277c715167216eba418e86f4f2cf22ee7724182b930a.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                            5⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:7568
                                                                                                                                                            • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-f64101c39b8344473763277c715167216eba418e86f4f2cf22ee7724182b930a.exe
                                                                                                                                                              "C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Stop.gen-f64101c39b8344473763277c715167216eba418e86f4f2cf22ee7724182b930a.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                              6⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:7796
                                                                                                                                                  • C:\Windows\system32\taskmgr.exe
                                                                                                                                                    "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                    1⤵
                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                    • Suspicious use of SendNotifyMessage
                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                    PID:3340
                                                                                                                                                    • C:\Windows\system32\taskmgr.exe
                                                                                                                                                      "C:\Windows\system32\taskmgr.exe" /1
                                                                                                                                                      2⤵
                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                      • Drops startup file
                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                                      PID:5060
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2884 -ip 2884
                                                                                                                                                    1⤵
                                                                                                                                                      PID:2332
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2884 -ip 2884
                                                                                                                                                      1⤵
                                                                                                                                                        PID:5296
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2884 -ip 2884
                                                                                                                                                        1⤵
                                                                                                                                                          PID:5692
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2884 -ip 2884
                                                                                                                                                          1⤵
                                                                                                                                                            PID:6036
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2884 -ip 2884
                                                                                                                                                            1⤵
                                                                                                                                                              PID:6008
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2884 -ip 2884
                                                                                                                                                              1⤵
                                                                                                                                                                PID:5440
                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5352 -ip 5352
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:6076
                                                                                                                                                                • C:\Windows\system32\werfault.exe
                                                                                                                                                                  werfault.exe /h /shared Global\a7d28c34ebc348cdac66cb84fdbe0d33 /t 184 /p 1492
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:5948
                                                                                                                                                                  • C:\Windows\system32\werfault.exe
                                                                                                                                                                    werfault.exe /h /shared Global\50ef472fc7d74c40b16f0fe61dfed757 /t 440 /p 3620
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:4392
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 8368 -ip 8368
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:8632
                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 10300 -ip 10300
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:11216
                                                                                                                                                                        • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                          C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:2648
                                                                                                                                                                            • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read-me!!! 0 .txt.DEMON
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:7820
                                                                                                                                                                            • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00463\README.txt
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Opens file in notepad (likely ransom note)
                                                                                                                                                                              PID:10912
                                                                                                                                                                            • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                              C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:7360
                                                                                                                                                                              • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                                C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:7288

                                                                                                                                                                                Network

                                                                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                                                                Reconnaissance

                                                                                                                                                                                Resource Development

                                                                                                                                                                                Initial Access

                                                                                                                                                                                Replication Through Removable Media

                                                                                                                                                                                1
                                                                                                                                                                                T1091

                                                                                                                                                                                Execution

                                                                                                                                                                                Persistence

                                                                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                                                                2
                                                                                                                                                                                T1547

                                                                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                                                                1
                                                                                                                                                                                T1547.001

                                                                                                                                                                                Winlogon Helper DLL

                                                                                                                                                                                1
                                                                                                                                                                                T1547.004

                                                                                                                                                                                Privilege Escalation

                                                                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                                                                2
                                                                                                                                                                                T1547

                                                                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                                                                1
                                                                                                                                                                                T1547.001

                                                                                                                                                                                Winlogon Helper DLL

                                                                                                                                                                                1
                                                                                                                                                                                T1547.004

                                                                                                                                                                                Defense Evasion

                                                                                                                                                                                File and Directory Permissions Modification

                                                                                                                                                                                1
                                                                                                                                                                                T1222

                                                                                                                                                                                Indicator Removal

                                                                                                                                                                                1
                                                                                                                                                                                T1070

                                                                                                                                                                                File Deletion

                                                                                                                                                                                1
                                                                                                                                                                                T1070.004

                                                                                                                                                                                Modify Registry

                                                                                                                                                                                2
                                                                                                                                                                                T1112

                                                                                                                                                                                Credential Access

                                                                                                                                                                                Credentials from Password Stores

                                                                                                                                                                                1
                                                                                                                                                                                T1555

                                                                                                                                                                                Credentials from Web Browsers

                                                                                                                                                                                1
                                                                                                                                                                                T1555.003

                                                                                                                                                                                Unsecured Credentials

                                                                                                                                                                                1
                                                                                                                                                                                T1552

                                                                                                                                                                                Credentials In Files

                                                                                                                                                                                1
                                                                                                                                                                                T1552.001

                                                                                                                                                                                Discovery

                                                                                                                                                                                Peripheral Device Discovery

                                                                                                                                                                                2
                                                                                                                                                                                T1120

                                                                                                                                                                                Query Registry

                                                                                                                                                                                3
                                                                                                                                                                                T1012

                                                                                                                                                                                Remote System Discovery

                                                                                                                                                                                1
                                                                                                                                                                                T1018

                                                                                                                                                                                System Information Discovery

                                                                                                                                                                                4
                                                                                                                                                                                T1082

                                                                                                                                                                                System Location Discovery

                                                                                                                                                                                1
                                                                                                                                                                                T1614

                                                                                                                                                                                System Language Discovery

                                                                                                                                                                                1
                                                                                                                                                                                T1614.001

                                                                                                                                                                                System Network Configuration Discovery

                                                                                                                                                                                1
                                                                                                                                                                                T1016

                                                                                                                                                                                Internet Connection Discovery

                                                                                                                                                                                1
                                                                                                                                                                                T1016.001

                                                                                                                                                                                Lateral Movement

                                                                                                                                                                                Replication Through Removable Media

                                                                                                                                                                                1
                                                                                                                                                                                T1091

                                                                                                                                                                                Collection

                                                                                                                                                                                Data from Local System

                                                                                                                                                                                1
                                                                                                                                                                                T1005

                                                                                                                                                                                Command and Control

                                                                                                                                                                                Web Service

                                                                                                                                                                                1
                                                                                                                                                                                T1102

                                                                                                                                                                                Exfiltration

                                                                                                                                                                                Impact

                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                Downloads

                                                                                                                                                                                • C:\Program Files\7-Zip\7-zip.chm.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.8MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  90bc7104a2d0b4acf29631eb63a7721f

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  29a33cb82f4e21da62844cff8800322cd5ed0bca

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  d029e702e49df3ad2436f935f2824f67d38f37693a0024740286b8564edb6886

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  104a97a956d9b742114d68ff58d329b7d486f6b4936d0cf4cdcc05bf95a4126cae8266ebdc64bad5f9d5d38aa3329967370aaff93b6cc041fc3eea0b130c31cb

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  64KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  d2fb266b97caff2086bf0fa74eddb6b2

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4B

                                                                                                                                                                                  MD5

                                                                                                                                                                                  f49655f856acb8884cc0ace29216f511

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  944B

                                                                                                                                                                                  MD5

                                                                                                                                                                                  6bd369f7c74a28194c991ed1404da30f

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  53KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  a26df49623eff12a70a93f649776dab7

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  efb53bd0df3ac34bd119adf8788127ad57e53803

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  b12c1106c8abd5a3afc2ce78c48eb9d8

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  71729df3f95e9680a268c9fa50fc33eb9af18d66

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  fbee9d20ff949a1c1d73b52caa72707461a0dfc4d1420cb6e24b08ce1b15b2df

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  5b707f2e33db6adb676844c6359ab605d62abfced85c07208bd467fe9ca17ec95cff7e81caa4d1697b21f53b9260ffb413762a308109627908c79ef93e230fbf

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Decode.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  59KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  a7bc46e76db85d33fd3219d8ba4a185d

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  a55f93af48a92d9e609152edd098df9372d36b93

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  24ac0f78875081601a36e7e118b6cbf47ce76504241baf3dbe7fc98939844292

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  e102e7fd7b5f879fe58eb2b01a9ec9f262853b236579277643ab9044505528e8042049b5aabe83193aa728196a2cac3cdda84e720513f981cb28ef9f02c14aaf

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\LTE.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  18KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  cfdd482f35c82355ed94e9b2f620c856

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  3008d6e227615b638e1a9d5232eae21ac00a9e0a

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  d2e6ae19c57ba2fec342463637471628dcdc2a8053cad001668bde01127b8fa8

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  96f566ee21f866cdf22fe9eb5b09f59b4acce4584deac1df530e60534f9e38ef9c1d0674f2195574b4a3a63d95b724413bc932775631a22c627dfbbb1a16dd46

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SMSS.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  76KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  0e362e7005823d0bec3719b902ed6d62

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  590d860b909804349e0cdc2f1662b37bd62f7463

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\MSVCP140.dll
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  613KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  c1b066f9e3e2f3a6785161a8c7e0346a

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  8b3b943e79c40bc81fdac1e038a276d034bbe812

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\PIL\_imaging.cp39-win_amd64.pyd
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  3.0MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  7bdda60c9136dfcef785132a0c77b193

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  f6bcd152d638cf54767203edb238eef2993b98bd

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  bec23da5408f0fff9fe31c0ba49f6cd305ab6e242c270305c904295e54e88266

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  b2e3df1aefdf271e494c91a9fa19bf0dbf8696fe30e524827659198080467dc5dc5d4a2394f27cefd8bb9923ece8757ccedaae3b5f836d4175690f128032098d

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\VCRUNTIME140.dll
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  94KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  18049f6811fc0f94547189a9e104f5d2

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  38fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\_bz2.pyd
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  84KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  a991152fd5b8f2a0eb6c34582adf7111

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  3589342abea22438e28aa0a0a86e2e96e08421a1

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  7301fc2447e7e6d599472d2c52116fbe318a9ff9259b8a85981c419bfd20e3ef

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  f039ac9473201d27882c0c11e5628a10bdbe5b4c9b78ead246fd53f09d25e74c984e9891fccbc27c63edc8846d5e70f765ca7b77847a45416675d2e7c04964fc

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\_ctypes.pyd
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  124KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  7322f8245b5c8551d67c337c0dc247c9

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  5f4cb918133daa86631211ae7fa65f26c23fcc98

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  4fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  52748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\_hashlib.pyd
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  64KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  88e2bf0a590791891fb5125ffcf5a318

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  39f96abbabf3fdd46844ba5190d2043fb8388696

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  e7aecb61a54dcc77b6d9cafe9a51fd1f8d78b2194cc3baf6304bbd1edfd0aee6

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  7d91d2fa95bb0ffe92730679b9a82e13a3a6b9906b2c7f69bc9065f636a20be65e1d6e7a557bfd6e4b80edd0f00db92eb7fea06345c2c9b98176c65d18c4bdbf

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\_lzma.pyd
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  159KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  cdd13b537dad6a910cb9cbb932770dc9

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  b37706590d5b6f18c042119d616df6ff8ce3ad46

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  638cd8c336f90629a6260e67827833143939497d542838846f4fc94b2475bb3e

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  c375fb6914cda3ae7829d016d3084f3b5b9f78f200a62f076ec1646576f87694eec7fa6f1c99cbe30824f2fe6e2d61ecdeb50061383b12143cd2678004703199

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\_socket.pyd
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  78KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  478abd499eefeba3e50cfc4ff50ec49d

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  fe1aae16b411a9c349b0ac1e490236d4d55b95b2

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  fdb14859efee35e105f21a64f7afdf50c399ffa0fa8b7fcc76dae4b345d946cb

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  475b8d533599991b4b8bfd27464b379d78e51c41f497e81698b4e7e871f82b5f6b2bfec70ec2c0a1a8842611c8c2591133eaef3f7fc4bc7625e18fc4189c914e

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\_tkinter.pyd
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  64KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  df830d3061aa2524eeec14ed02f7ad65

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  daa6eef81006dae88d3ad776764401a566261028

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  1b4d93153d06bcdbff02ce3a68f6a620ccbe4ba163baf78698d5fba3f54d4357

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  0fa007990184e731e8a431572676033de99f25d5bffa627e9aa35e4ab96d5ccb1ecebf383bb29ce28fb46ae24505ead2be21a93ed53750a37be6e9ec7dd22d22

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\base_library.zip
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  763KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  636be3ddb8732c9c52de9c7c86f5b9ee

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  ccb3a2da7846cc8af9da8ec78c679cbf168ca2f8

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  cba1949b47775b76b488bdaf60267248a847773a35df8530d16d6ed25738eda9

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  a2059e915806116d754363554e9489508bbb7ffd765ab0203e94b05ba0874b5d1a1534deb8b4ca2f18699983ecac39139a77fcf01adecd0f91276ecff641e1d3

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\libcrypto-1_1.dll
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  3.2MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  89511df61678befa2f62f5025c8c8448

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  df3961f833b4964f70fcf1c002d9fd7309f53ef8

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\libffi-7.dll
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  32KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  eef7981412be8ea459064d3090f4b3aa

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  c60da4830ce27afc234b3c3014c583f7f0a5a925

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\python39.dll
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4.3MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  1d5e4c20a20740f38f061bdf48aaca4f

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI48202\select.pyd
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  28KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  fed3dae56f7c9ea35d2e896fede29581

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  ae5b2ef114138c4d8a6479d6441967c170c5aa23

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  d56542143775d02c70ad713ac36f295d473329ef3ad7a2999811d12151512931

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  3128c57724b0609cfcaca430568d79b0e6abd13e5bba25295493191532dba24af062d4e0340d0ed68a885c24fbbf36b7a3d650add2f47f7c2364eab6a0b5faff

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cawqzpot.zcr.ps1
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  60B

                                                                                                                                                                                  MD5

                                                                                                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\nsyF2A9.tmp\INetC.dll
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  24KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  640bff73a5f8e37b202d911e4749b2e9

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  9588dd7561ab7de3bca392b084bec91f3521c879

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  50KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  efbf0dc8e8fc515bc585418c844a88e6

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  ab4a864b3a1e4e2d89023af826bab4a8c83a8425

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  2e3ae23377a360a8ed96cfd5a1cbc08861d1831be6976b482ef960911095fe27

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  d303960e47ec3833af2771aaf272e22e82c65055d3db50130f707ed86101157027b52a95e4be9112a5d0e70e0dfc473affc118c37ed851de29a3af69a03dc84d

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  296KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  86918a6fe5f85b4fd8eb3c4585a7f528

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  479ff9d153bfed3685012b1b37403a28a414f71a

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  321d59b076665e69fccc8f73c109e7d24c4c7199a0546d319638a65e60a83e9f

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  a3c9afe611932ecf068488157cc5ee6f6250bfdb99169a91955ea99aa0b1d00d7acf4d04695ffc59ef2913ad460a017bdef8f76df3f7a756d868f001d7b96bef

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  262KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  facf8e6698f585c63768c81392617951

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  24fd71cb8b8275bc226afbcc4e34b91febfaa892

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  0f15bf8c4b5e9605bf4d67b8ce0cf5d56ea66992bc2b547998a5a7fda7371542

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  77a2f55bf4cdca1bda6e922b21ae4cf0d76ecb486c0a7fe089ab7b3991a4a8de7db92ce73901b31085d0a10b74a14d8cdba377ce42e82e10798de024b5dab724

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-039edbbd634d43da4a757d24ba6b1f4def3abb4dd063e2747219819334067bed.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  6.4MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  867eb03324e1d467f2f919ef54d6e3ea

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  58c2f054f73771397a2e58cc4e7e48de2ba1ef09

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  039edbbd634d43da4a757d24ba6b1f4def3abb4dd063e2747219819334067bed

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  ef8647f3b05ea37256f5db147ec389b58e10956c3c2c1f95bf425378b3491792988c0ba22203e18ad837594099075f9ad04fa38046dd37282834109fcd247a93

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-095342b7049bb0b46e83bad53ea90bea7be0b0a0639485193d0c273d0eb80e39.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  2.0MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  23f3c38836736401d0737b1427350d42

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  d4fa2b83c3f396c33a5bb2c59b5da8f2aaf53f20

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  095342b7049bb0b46e83bad53ea90bea7be0b0a0639485193d0c273d0eb80e39

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  90bf821640cc2dd4b8f8e0e46a960f6dae9d15140876e7e4edf83e988c6f23905e9a12f2038ab214d962c0573b7edf7839f8c6706ea7ad970d099ce57ad3d4c6

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  2.2MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  1d9afc3b06154312da8b0b9395e8fe7f

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  20e0e67522ee702e9f5f32d44af685cfc8b56009

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  deee37c33efc3250990517bb633805cd7564bc9c5d20383576fdc76cbadb3486d916fcbf790738713e2bb0b6aee450ee84bfc2e8140704e8c72725ccab77d39e

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9668bbd926bf73dd307e8eb9acb69e68ddee127c940a67bf0d6c0c9d889a6bf2.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  423KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  0c5a14574c87776a012e01ba2db01f9d

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  45cb22f676665db7b1b0655615a5f1b2776f65c4

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  9668bbd926bf73dd307e8eb9acb69e68ddee127c940a67bf0d6c0c9d889a6bf2

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  838931705b2a58da60b1ba726ac45834a0d0593f4c5cede437724bcd6e5f7df9a45e43b960d76358a9efbd24702d7fee956fff9e97780ca11ecf0dda872f1f12

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a9fb5eb534dc6bd3b5ba5d57349efd9c55c9d8020f63b2d6d21835f36d635aff.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  6.5MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  33300ce155ce544a9be453c5d2372a34

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  f119b62b49a1ce99883285f4f69a711a5c2d5393

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  a9fb5eb534dc6bd3b5ba5d57349efd9c55c9d8020f63b2d6d21835f36d635aff

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  1a8578008e6216e00fd8cb268c03dea186bd6eed4bb41c976fc892bdacfed2a09510df6777996a77f7444f585faf904dee86bb90c32c760d4211a64d53f8f51b

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d2890c754ab95d16d9d1d93f680a850db565a61c68bbaf0337696bfbb485e8fa.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  309KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  0f8f3c508e4bcda6108dc61714e94d07

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  fd262760bc91d1d7762f3f1e453634a2c0af6c0f

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  d2890c754ab95d16d9d1d93f680a850db565a61c68bbaf0337696bfbb485e8fa

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  18eb1ffed8d56a09a8829d61e04f0266333317e6fac858c886443a5551c094b77663c272fb0cf50455e42ac0445c68dc69e88de8c2791c87ae6abbfe5375b562

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d7ec622cd33aa5ae0a66337357f724a2a013b9d3ff91c51694e28065c5ea59d7.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  2.1MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  5193bfdb36d398a7f71c1145c969060a

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  42eaaf362ff6ce327c391d8a9ad2b7795f1f1d42

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  d7ec622cd33aa5ae0a66337357f724a2a013b9d3ff91c51694e28065c5ea59d7

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  35b3470bb11d4015eea20c8d430cde206589ae7c6ca735c9744e0259ec2701a45214757619129fab7f8732e383dee22c037480a99176a8c8a269ed5bfde0f7d8

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f82ddb5a7484a583727029b8474105a7fa4af2f61f2bd0a71c4794e5aad39453.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.6MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  d33d2cc2bb1c1021b6342d926cf11116

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  0e7d157df42bfce3629a890255f4863f49fa1d6e

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  f82ddb5a7484a583727029b8474105a7fa4af2f61f2bd0a71c4794e5aad39453

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  f6231a770781c96485573f1c9d06a36214d8755556d1c68a0da2cca4d6de04a62b3a3f3d251056da5f3d6b980ad057bc356b8698f4d21f6f389a1d329b1062d1

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Python.Agent.gen-01846406554cd4b29e1d9bd0f35396fcb437b8f264edf4f86431bda7a530edbb.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  23.5MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  cede0a34e9d113730c70ff5bf98a26ba

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  6afb850b76ca0bff6ed1aaadd4b5232351807611

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  01846406554cd4b29e1d9bd0f35396fcb437b8f264edf4f86431bda7a530edbb

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  6da7515ba7b9bf1678e52d3fa1437a375b627376a84635a8b0c494daab5b2de49baba1b50ddb72eed8b33600a14259eceaf3aa13ec7f268751fd9cdcc2d65c24

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Blocker.gen-18e9bcf34eddc90a695dbbc6e9979b163affc9288e7ea7f2e7dbb4a2f693cf18.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  461KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  c8f3719f09fa3745d000e418825cb947

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  a92d5a33dd958c47e2d4d2632298b4100f4905b5

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  18e9bcf34eddc90a695dbbc6e9979b163affc9288e7ea7f2e7dbb4a2f693cf18

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  9c6596e719a4e49e22301bd80a92c94173b138aaa51e6cd7f12117724acf8f3c52996cb53c08cfbd78f039e1d14f580751b21849feaf0e0333229174c02ac246

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Blocker.pef-fa83fcf1d8e11178d12f7b7cb9a064d7125e1c7b0ea412f82bee14d37316d2a3.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  50KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  b71397649522d063e1c619a7cdbc177a

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  ea5a2156544d0c64d675da978144feed41bbd7b2

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  fa83fcf1d8e11178d12f7b7cb9a064d7125e1c7b0ea412f82bee14d37316d2a3

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  7b1c475ee0659a8a364a8ca066a1ddf14316dc727c1e739e6a7f3a1abdf904972868d50abd874273d41fa2fdac13e42ae01b1b29c47273267252e8cde8e0dbb3

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Convagent.gen-ab97531316f9accb0212142ba0d64acf4596f13da35ffe9c9ceda718784b2e02.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  385KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  403562b9b515c98ddd563cd73fc08b13

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  d5464be8f8093f3acca7e15b0c9b4611ef9ee31b

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  ab97531316f9accb0212142ba0d64acf4596f13da35ffe9c9ceda718784b2e02

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  847b0faf9d6726e338dd469072be221efec625aa1e89a40427b33a551bbbd68e79c071979ba670a7daf2808c459b15f6df1069f240b29d8020573487d786f96e

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Convagent.gen-ab97531316f9accb0212142ba0d64acf4596f13da35ffe9c9ceda718784b2e02.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  385KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  9ae3a9b77f71c15afd7b64db9f9804ef

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  395e4e6e3d26d9ad9ef5db6c4a65bd8fb789a818

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  e8ace770b68937b02d4c17465981d49b82aef2568001a86ed82b026310bbc377

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  5705c0852a709e11944e56a41e803ee3f57575df4cbfa34a7bf7a985308dfdb9d1f13b8707114653f42d6c3ffefa87d95394077d7b8461f8fa39ca180fa99046

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f41d2bb776d1af7c88f91c03951197a8d41ff02bcaa8e5d1dc9099cf16827de2.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.8MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  3efd6f02c8000aaf8cd95a6f670b81ba

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  3a285486f6893184aac18f9d5391415e0b7f913c

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  f41d2bb776d1af7c88f91c03951197a8d41ff02bcaa8e5d1dc9099cf16827de2

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  aafc06666446be7575bbcde3de248aff7f41d7994de58b17d7dda47ec17855053619433753acb4acb777cf49ccc595fd05b22840ab9ffcd4adc6f4c029691058

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\00463\HEUR-Trojan-Ransom.Win32.Encoder.gen-c4a98a97c1d41eca96c3e4f21cdc4b1da50d42f31c8f6f4f2d0d7cc9065813e2.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  96KB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  486e7f80b803f8074ee51ca382ffc6e4

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  ac9d7c92fdec13d475954346d6a3c6f32e041836

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  c4a98a97c1d41eca96c3e4f21cdc4b1da50d42f31c8f6f4f2d0d7cc9065813e2

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  632b915a069ea72122ccca80c2b3961a0c3486a148f7301e59799a919c5b54fc233bc923e21ab9960ca686c7b49c4d064ad74fc9abf7434e13fa329559036199

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Desktop\Read-me!!! 4 .txt
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  737B

                                                                                                                                                                                  MD5

                                                                                                                                                                                  3f6a14606b7e88b4d8efdf08554617a7

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  7ab21eb1fbd4c148b1753d9fe9af6c5a8eb56547

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  166a9482d6b60e7fd49e7463efc04e62f3edf57b11f0b5b77b8d138a736aa801

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  666be8da3f2d737dd9f26fa38818efb412bf6b01b675647797a3b748c4330a5ae7051ea810a4c1c9047d262382886e9c7fc9a2bd49642e94a5ecc2b93291434f

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Users\Admin\Pictures\README.txt
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  575B

                                                                                                                                                                                  MD5

                                                                                                                                                                                  efd54055b28e173ea64831fc59a0aca8

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  cdf18b0692a53cbeed66ee14fa0f54666cf04013

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  e3cf65e96fcf774320e0ae4a42d6544f1aef476cd67184432465b2c595180a99

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  5ecf69dbdf824a6e0221e7f953ed58889bbd76ee563e9fc7e5d95b68245d0f4af0e0ec5f13f002975b65bacf0cd29027964b9f8c4174134ed08358e41b58f4d5

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • C:\Windows\SysWOW64\HelpMe.exe
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.2MB

                                                                                                                                                                                  MD5

                                                                                                                                                                                  cedb9852248ba1aa431006bcfbcd2e76

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  82f4d844967b57128f89a634c4da5f1cbff74804

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  1fc9d8075c177847560b3efe00f9b61ee27dfb4073693ed13ccf431f2b5ece73

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  1888a7257d92939a48a08277a6eeb6125c5da1981ae8f49daabf4e371074902a96dd5c1555bd1ecf5a5de1b9dd907212636f81b9757ec016482162fefa756ef8

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • F:\AUTORUN.INF
                                                                                                                                                                                  Filesize

                                                                                                                                                                                  145B

                                                                                                                                                                                  MD5

                                                                                                                                                                                  ca13857b2fd3895a39f09d9dde3cca97

                                                                                                                                                                                  SHA1

                                                                                                                                                                                  8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

                                                                                                                                                                                  SHA256

                                                                                                                                                                                  cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

                                                                                                                                                                                  SHA512

                                                                                                                                                                                  55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

                                                                                                                                                                                  Download Submit

                                                                                                                                                                                • memory/892-132-0x00000274DC580000-0x00000274DC5C4000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  272KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/892-135-0x00000274DC5F0000-0x00000274DC60E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  120KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/892-133-0x00000274DC650000-0x00000274DC6C6000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  472KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/892-131-0x00000274DA010000-0x00000274DA032000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  136KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1236-338-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  36KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1236-769-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  36KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1236-7417-0x0000000006140000-0x000000000618C000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  304KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1436-3534-0x0000000007290000-0x00000000072FA000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  424KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1436-3156-0x0000000007050000-0x000000000709A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  296KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1436-195-0x0000000000E70000-0x0000000000EC4000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  336KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1492-1955-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.7MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1492-1744-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.7MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1492-883-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.7MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1596-1365-0x0000000000400000-0x000000000040E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  56KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1596-947-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  408KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1596-1363-0x0000000000400000-0x000000000040E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  56KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1596-1075-0x0000000000400000-0x000000000043C000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  240KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1660-14794-0x0000000000CF0000-0x0000000000D68000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  480KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1660-194-0x0000000004F20000-0x0000000004F2A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  40KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1660-190-0x0000000004E50000-0x0000000004EE2000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  584KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1660-188-0x0000000000410000-0x000000000047E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  440KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1660-189-0x00000000054C0000-0x0000000005A64000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  5.6MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/1660-14793-0x0000000000B40000-0x0000000000BAE000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  440KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2636-8689-0x000000001F2A0000-0x000000001F900000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  6.4MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2636-8691-0x0000000001780000-0x00000000017E0000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  384KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2636-174-0x0000000000230000-0x0000000000890000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  6.4MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2676-1490-0x000001BD16490000-0x000001BD1649A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  40KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2884-1713-0x0000000000400000-0x0000000002D01000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  41.0MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2896-203-0x00000000007B0000-0x0000000000946000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.6MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2896-1395-0x0000000007300000-0x0000000007328000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  160KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2896-204-0x0000000005310000-0x0000000005664000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  3.3MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2896-205-0x0000000006380000-0x00000000068AC000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  5.2MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/2896-206-0x0000000005D30000-0x0000000005DCC000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  624KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-140-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-141-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-148-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-149-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-150-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-146-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-151-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-145-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-147-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3340-139-0x0000020112830000-0x0000020112831000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  4KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3620-1488-0x000001A9BCB90000-0x000001A9BCBA6000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  88KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3668-173-0x0000000000470000-0x00000000004BE000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  312KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3668-1728-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  36KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3668-175-0x0000000000C60000-0x0000000000C66000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  24KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3668-749-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  36KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3788-840-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  380KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3788-717-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  408KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3788-894-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  380KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3856-10465-0x00000000019C0000-0x0000000001A2A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  424KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3856-10464-0x000000001F970000-0x000000001FFD6000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  6.4MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/3856-187-0x0000000000820000-0x0000000000EB0000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  6.6MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-1377-0x00000000068E0000-0x00000000068FA000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  104KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-1400-0x00000000087D0000-0x0000000008E4A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  6.5MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-303-0x0000000005E00000-0x0000000005E66000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  408KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-304-0x0000000005EE0000-0x0000000005F46000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  408KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-268-0x0000000004E20000-0x0000000004E56000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  216KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-283-0x00000000054F0000-0x0000000005B18000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  6.2MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-295-0x0000000005C60000-0x0000000005C82000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  136KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-1176-0x0000000006470000-0x00000000064BC000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  304KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-1376-0x0000000006950000-0x00000000069E6000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  600KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-1378-0x00000000075C0000-0x00000000075E2000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  136KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4288-1174-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  120KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4292-12591-0x0000000006860000-0x0000000006A6E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  2.1MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4292-12594-0x00000000066C0000-0x000000000672E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  440KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4292-199-0x00000000003E0000-0x000000000060C000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  2.2MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2190-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2189-0x00000000064C0000-0x000000000652E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  440KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2205-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2203-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2201-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2199-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2198-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2193-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2191-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2209-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2195-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2212-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2213-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2178-0x0000000006900000-0x0000000006B0E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  2.1MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-6417-0x0000000000E70000-0x0000000000E8E000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  120KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2215-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2179-0x0000000006440000-0x00000000064B6000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  472KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-2207-0x00000000064C0000-0x0000000006529000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  420KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4384-186-0x0000000000430000-0x0000000000668000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  2.2MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/4800-2148-0x0000000000400000-0x0000000000478000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  480KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/5060-1906-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.7MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/5060-4815-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  1.7MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/5256-1506-0x0000000000400000-0x000000000045A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  360KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/5352-2010-0x0000000000400000-0x00000000023B4000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  31.7MB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/5748-8110-0x0000000006700000-0x000000000674C000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  304KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/6072-1437-0x0000000001220000-0x0000000001226000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  24KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/6072-1432-0x0000000000A50000-0x0000000000A78000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  160KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/10128-7526-0x000000000AAA0000-0x000000000AAA6000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  24KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/10128-7560-0x0000000005370000-0x0000000005384000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  80KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/10128-7525-0x0000000007BC0000-0x0000000007BD4000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  80KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/10152-8385-0x000000006E810000-0x000000006E849000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  228KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/10152-7816-0x0000000069F10000-0x0000000069F49000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  228KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/10152-7806-0x000000006E4B0000-0x000000006E4E9000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  228KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/10152-14770-0x0000000069F10000-0x0000000069F49000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  228KB

                                                                                                                                                                                  Download

                                                                                                                                                                                • memory/10304-7593-0x0000000000830000-0x000000000084A000-memory.dmp

                                                                                                                                                                                  Filesize

                                                                                                                                                                                  104KB

                                                                                                                                                                                  Download