agenttesla | fe681686e68278cbd393354a7f3a7a044e25cf99d8e093e0ed9342ca21423f6e

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00457.7z
Size

94.2MB
MD5

0c9b6bbe2d9d8bccd81434f178293a02
SHA1

4e76101a350d50677b5c3eff1f2cdc06b8a059f6
SHA256

fe681686e68278cbd393354a7f3a7a044e25cf99d8e093e0ed9342ca21423f6e
SHA512

01cbf237680737c1b44c56390cc9ae40ec2d5f14815dc9fea2d5cd793c229d3670306102376d37b9e46ec9d19940a4eb5bf3e65c221ebf96d95c74c8d0d2978b
SSDEEP

1572864:0hX+BE1eArX8iIH80O6XBipwQRqaJFTZyB/l5xLE+kLvNqyKF1+B6wONgqCGUzSc:0hX+C3X8iLoRfillyB/DNo6FYB6wOuO+

Malware Config

Extracted

Family

fickerstealer

80.87.192.115:80

Extracted

Path

C:\Users\Admin\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note

Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avos2fuj6olp6x36.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Hurry up, as the price may increase in the following days. If you fail to respond in a swift manner, we will leak your files in our press release/blog website accessible at http://avos53nnmi4u6amh.onion/ Your ID: a897b099bf811da5f3a69ceedd351c4f9afac28b8d72f4544d4d6a521209ad24

URLs

http://avos2fuj6olp6x36.onion

http://avos53nnmi4u6amh.onion/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

gcleaner

gc-prtnrs.top

gcc-prtnrs.top

Extracted

Family

redline

Botnet

@zveryga99872

152.228.150.198:11188

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker

Detect MafiaWare666 ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2884-277-0x0000000000D00000-0x0000000000D3E000-memory.dmp	family_mafiaware666
behavioral1/files/0x0008000000023c49-275.dat	family_mafiaware666

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/9976-2528-0x0000000000400000-0x000000000367B000-memory.dmp	family_glupteba

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1940-2728-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1940-2728-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/9736-2113-0x0000000000400000-0x0000000000428000-memory.dmp	family_stormkitty

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/10744-3934-0x0000000005320000-0x0000000005372000-memory.dmp	family_agenttesla

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/10744-3934-0x0000000005320000-0x0000000005372000-memory.dmp	Core1

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/9912-2625-0x0000000000400000-0x000000000326C000-memory.dmp	family_onlylogger
behavioral1/memory/9788-2723-0x0000000000400000-0x000000000325A000-memory.dmp	family_onlylogger

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
5416	netsh.exe

Executes dropped EXE 6 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-0fc0a4fc582e02f63aa2546db0d60b5ede5e7ec409a95bb29ad16670a93800ab.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-b15a3e8f72f0ac3e883056c31f40b6bfc946d4b6b47df5c7db8d78e0c5040027.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-bb77d832bc2e5b52bd03b37bb5091db86e3f9f3e93b434a833afa8db3b3bc9bf.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-e7a1a784d5391c3405a735fe5e8a885d6b4f6e23eb0ec6ac6894b7ef3b144e51.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-e7c08fbb860cc0b1ba79a1fd66af2b41201cee22ac93802906dd4fc1fc517f05.exe

pid	Process
5104	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0fc0a4fc582e02f63aa2546db0d60b5ede5e7ec409a95bb29ad16670a93800ab.exe
772	HEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exe
4752	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b15a3e8f72f0ac3e883056c31f40b6bfc946d4b6b47df5c7db8d78e0c5040027.exe
2816	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bb77d832bc2e5b52bd03b37bb5091db86e3f9f3e93b434a833afa8db3b3bc9bf.exe
1744	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7a1a784d5391c3405a735fe5e8a885d6b4f6e23eb0ec6ac6894b7ef3b144e51.exe
372	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7c08fbb860cc0b1ba79a1fd66af2b41201cee22ac93802906dd4fc1fc517f05.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
11152	icacls.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/64-506-0x000002B2A2280000-0x000002B2A2310000-memory.dmp	agile_net
behavioral1/memory/772-433-0x00000000069C0000-0x00000000069E8000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
49	raw.githubusercontent.com
146	discord.com
147	discord.com
153	discord.com
159	discord.com
164	discord.com
198	iplogger.org
46	raw.githubusercontent.com
281	iplogger.org
200	iplogger.org
275	iplogger.org
386	discord.com
197	iplogger.org

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
79	icanhazip.com
130	api.ipify.org
140	api.ipify.org
199	api.2ip.ua
201	api.2ip.ua
362	api.2ip.ua

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Processes:

cmd.exe

pid	Process
5688	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023c57-986.dat	upx
behavioral1/memory/2224-989-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x000200000002276a-1081.dat	upx
behavioral1/memory/2224-1450-0x0000000000400000-0x00000000005BB000-memory.dmp	upx

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
4480	sc.exe
5136	sc.exe
3104	sc.exe
5984	sc.exe
2424	sc.exe
5864	sc.exe
5460	sc.exe
10072	sc.exe
10060	sc.exe

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
10708	9788	WerFault.exe	235
10760	9912	WerFault.exe	213
10012	9788	WerFault.exe	235
10832	9912	WerFault.exe	213
5376	9912	WerFault.exe	213
10264	9788	WerFault.exe	235
5852	9788	WerFault.exe	235
2632	9912	WerFault.exe	213
10724	9788	WerFault.exe	235
10640	9912	WerFault.exe	213
10076	11116	WerFault.exe	336
5852	9788	WerFault.exe	235
10468	9912	WerFault.exe	213
9872	9912	WerFault.exe	213
10412	9912	WerFault.exe	213
2000	9788	WerFault.exe	235
1948	9788	WerFault.exe	235

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0fc0a4fc582e02f63aa2546db0d60b5ede5e7ec409a95bb29ad16670a93800ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b15a3e8f72f0ac3e883056c31f40b6bfc946d4b6b47df5c7db8d78e0c5040027.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7a1a784d5391c3405a735fe5e8a885d6b4f6e23eb0ec6ac6894b7ef3b144e51.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exe

pid	Process
4656	cmd.exe
6040	netsh.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023c55-837.dat	nsis_installer_1
behavioral1/files/0x0007000000023c55-837.dat	nsis_installer_2
behavioral1/files/0x0002000000022750-1108.dat	nsis_installer_1
behavioral1/files/0x0002000000022750-1108.dat	nsis_installer_2
behavioral1/files/0x0007000000023da0-2559.dat	nsis_installer_1
behavioral1/files/0x0007000000023da0-2559.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
5884	vssadmin.exe

Kills process with taskkill 49 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
9916	taskkill.exe
10396	taskkill.exe
5044	taskkill.exe
6112	taskkill.exe
4040	taskkill.exe
10836	taskkill.exe
10676	taskkill.exe
10776	taskkill.exe
9792	taskkill.exe
10788	taskkill.exe
10972	taskkill.exe
10308	taskkill.exe
10436	taskkill.exe
5824	taskkill.exe
2508	taskkill.exe
5612	taskkill.exe
6344	taskkill.exe
280	taskkill.exe
11084	taskkill.exe
10400	taskkill.exe
10012	taskkill.exe
10588	taskkill.exe
10180	taskkill.exe
9728	taskkill.exe
10204	taskkill.exe
11144	taskkill.exe
10676	taskkill.exe
6024	taskkill.exe
10076	taskkill.exe
5932	taskkill.exe
10412	taskkill.exe
10956	taskkill.exe
10076	taskkill.exe
10076	taskkill.exe
6116	taskkill.exe
5740	taskkill.exe
2360	taskkill.exe
6112	taskkill.exe
4656	taskkill.exe
1268	taskkill.exe
2772	taskkill.exe
10148	taskkill.exe
6660	taskkill.exe
5704	taskkill.exe
10120	taskkill.exe
11056	taskkill.exe
10764	taskkill.exe
5628	taskkill.exe
10164	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
5280	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
10364	schtasks.exe
10844	schtasks.exe
13960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetaskmgr.exetaskmgr.exe

pid	Process
4804	powershell.exe
4804	powershell.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
4780	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

7zFM.exepowershell.exetaskmgr.exetaskmgr.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-bb77d832bc2e5b52bd03b37bb5091db86e3f9f3e93b434a833afa8db3b3bc9bf.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exe

description	pid	Process
Token: SeRestorePrivilege	4520	7zFM.exe
Token: 35	4520	7zFM.exe
Token: SeSecurityPrivilege	4520	7zFM.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	1000	taskmgr.exe
Token: SeSystemProfilePrivilege	1000	taskmgr.exe
Token: SeCreateGlobalPrivilege	1000	taskmgr.exe
Token: SeDebugPrivilege	4780	taskmgr.exe
Token: SeSystemProfilePrivilege	4780	taskmgr.exe
Token: SeCreateGlobalPrivilege	4780	taskmgr.exe
Token: 33	1000	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1000	taskmgr.exe
Token: SeDebugPrivilege	2816	HEUR-Trojan-Ransom.MSIL.Blocker.gen-bb77d832bc2e5b52bd03b37bb5091db86e3f9f3e93b434a833afa8db3b3bc9bf.exe
Token: SeDebugPrivilege	772	HEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	Process
4520	7zFM.exe
4520	7zFM.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	Process
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
1000	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe
4780	taskmgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

taskmgr.exepowershell.execmd.exe

description	pid	Process	procid_target
PID 1000 wrote to memory of 4780	1000	taskmgr.exe	91
PID 1000 wrote to memory of 4780	1000	taskmgr.exe	91
PID 4804 wrote to memory of 2920	4804	powershell.exe	96
PID 4804 wrote to memory of 2920	4804	powershell.exe	96
PID 2920 wrote to memory of 5104	2920	cmd.exe	97
PID 2920 wrote to memory of 5104	2920	cmd.exe	97
PID 2920 wrote to memory of 5104	2920	cmd.exe	97
PID 2920 wrote to memory of 772	2920	cmd.exe	98
PID 2920 wrote to memory of 772	2920	cmd.exe	98
PID 2920 wrote to memory of 772	2920	cmd.exe	98
PID 2920 wrote to memory of 4752	2920	cmd.exe	99
PID 2920 wrote to memory of 4752	2920	cmd.exe	99
PID 2920 wrote to memory of 4752	2920	cmd.exe	99
PID 2920 wrote to memory of 2816	2920	cmd.exe	100
PID 2920 wrote to memory of 2816	2920	cmd.exe	100
PID 2920 wrote to memory of 1744	2920	cmd.exe	101
PID 2920 wrote to memory of 1744	2920	cmd.exe	101
PID 2920 wrote to memory of 1744	2920	cmd.exe	101
PID 2920 wrote to memory of 372	2920	cmd.exe	102
PID 2920 wrote to memory of 372	2920	cmd.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
10724	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00457.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0fc0a4fc582e02f63aa2546db0d60b5ede5e7ec409a95bb29ad16670a93800ab.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-0fc0a4fc582e02f63aa2546db0d60b5ede5e7ec409a95bb29ad16670a93800ab.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:3548
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:772
  - - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exe
      "C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exe"
      4⤵
      PID:1940
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b15a3e8f72f0ac3e883056c31f40b6bfc946d4b6b47df5c7db8d78e0c5040027.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-b15a3e8f72f0ac3e883056c31f40b6bfc946d4b6b47df5c7db8d78e0c5040027.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:2036
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bb77d832bc2e5b52bd03b37bb5091db86e3f9f3e93b434a833afa8db3b3bc9bf.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-bb77d832bc2e5b52bd03b37bb5091db86e3f9f3e93b434a833afa8db3b3bc9bf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7a1a784d5391c3405a735fe5e8a885d6b4f6e23eb0ec6ac6894b7ef3b144e51.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7a1a784d5391c3405a735fe5e8a885d6b4f6e23eb0ec6ac6894b7ef3b144e51.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:3324
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7c08fbb860cc0b1ba79a1fd66af2b41201cee22ac93802906dd4fc1fc517f05.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7c08fbb860cc0b1ba79a1fd66af2b41201cee22ac93802906dd4fc1fc517f05.exe
    3⤵
    - Executes dropped EXE
    PID:372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      4⤵
      PID:1784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:10352
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Encoder.gen-9a916febed4382b4a866f016305fc60955650c1b0b1765f89baa733ce14b6121.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-9a916febed4382b4a866f016305fc60955650c1b0b1765f89baa733ce14b6121.exe
    3⤵
    PID:1560
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Foreign.gen-31fb2562fb02909b66a419aecf13a91e67e1182e50d175ac567c6e96b8d481f0.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-31fb2562fb02909b66a419aecf13a91e67e1182e50d175ac567c6e96b8d481f0.exe
    3⤵
    PID:2328
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Gen.gen-a3bc02793e389eca1d2d3eab3ad4925b50ad90d64d66e418789b62144a5f8f74.exe
    HEUR-Trojan-Ransom.MSIL.Gen.gen-a3bc02793e389eca1d2d3eab3ad4925b50ad90d64d66e418789b62144a5f8f74.exe
    3⤵
    PID:2884
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Gen.gen-ae3009c41ce889c28f9b229cb15277a86175c13fea39846db32e8f979ed2eb82.exe
    HEUR-Trojan-Ransom.MSIL.Gen.gen-ae3009c41ce889c28f9b229cb15277a86175c13fea39846db32e8f979ed2eb82.exe
    3⤵
    PID:64
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
    HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      4⤵
      Kills process with taskkill
      PID:5628
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      4⤵
      PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe *32
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\reg.exe
      "reg" delete HKCU\Software\Raccine /F
      4⤵
      Modifies registry key
      PID:5280
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 conhost.exe
      4⤵
      PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net.exe
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /DELETE /TN "Raccine Rules Updater" /F
      4⤵
      PID:6012
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net1.exe
      4⤵
      PID:6048
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 ARP.EXE
      4⤵
      PID:5816
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config Dnscache start= auto
      4⤵
      Launches sc.exe
      PID:5864
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config FDResPub start= auto
      4⤵
      Launches sc.exe
      PID:3104
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SSDPSRV start= auto
      4⤵
      Launches sc.exe
      PID:5136
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
      4⤵
      PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 icacls.exe
      4⤵
      PID:5408
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config upnphost start= auto
      4⤵
      Launches sc.exe
      PID:5984
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      4⤵
      Launches sc.exe
      PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 cmd.exe
      4⤵
      PID:5332
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      4⤵
      Launches sc.exe
      PID:2424
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SQLWriter start= disabled
      4⤵
      Launches sc.exe
      PID:10060
  - - C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SstpSvc start= disabled
      4⤵
      Launches sc.exe
      PID:10072
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
      4⤵
      PID:5760
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe *32
      4⤵
      PID:9960
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      4⤵
      Kills process with taskkill
      PID:10164
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:10180
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      4⤵
      Kills process with taskkill
      PID:5612
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      4⤵
      Kills process with taskkill
      PID:9916
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 conhost.exe
      4⤵
      PID:10008
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net.exe
      4⤵
      PID:9932
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      4⤵
      Kills process with taskkill
      PID:10148
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net1.exe
      4⤵
      PID:9908
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      4⤵
      Kills process with taskkill
      PID:10076
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:9792
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      4⤵
      Kills process with taskkill
      PID:9728
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      4⤵
      Kills process with taskkill
      PID:6344
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 ARP.EXE
      4⤵
      PID:8748
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      4⤵
      Kills process with taskkill
      PID:280
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 icacls.exe
      4⤵
      PID:9908
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 cmd.exe
      4⤵
      PID:9172
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      4⤵
      Kills process with taskkill
      PID:6660
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      4⤵
      Kills process with taskkill
      PID:6024
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      4⤵
      Kills process with taskkill
      PID:5932
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      4⤵
      Kills process with taskkill
      PID:6116
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      4⤵
      Kills process with taskkill
      PID:10396
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
      4⤵
      PID:10416
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      4⤵
      Kills process with taskkill
      PID:11056
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe *32
      4⤵
      PID:11084
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      4⤵
      Kills process with taskkill
      PID:10076
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 conhost.exe
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      4⤵
      Kills process with taskkill
      PID:5740
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:10204
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net.exe
      4⤵
      PID:10576
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      4⤵
      Kills process with taskkill
      PID:10788
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net1.exe
      4⤵
      PID:512
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      4⤵
      Kills process with taskkill
      PID:10764
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 ARP.EXE
      4⤵
      PID:11184
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 icacls.exe
      4⤵
      PID:10440
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      4⤵
      Kills process with taskkill
      PID:6112
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      4⤵
      Kills process with taskkill
      PID:10412
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      4⤵
      Kills process with taskkill
      PID:5044
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      4⤵
      Kills process with taskkill
      PID:11084
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      4⤵
      Kills process with taskkill
      PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 cmd.exe
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      4⤵
      Kills process with taskkill
      PID:11144
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
      4⤵
      PID:10788
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      4⤵
      Kills process with taskkill
      PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe *32
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      4⤵
      Kills process with taskkill
      PID:10836
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      4⤵
      Kills process with taskkill
      PID:6112
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM ocautoupds.exe /F
      4⤵
      Kills process with taskkill
      PID:10956
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:10400
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 conhost.exe
      4⤵
      PID:10012
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqlservr.exe /F
      4⤵
      Kills process with taskkill
      PID:10308
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net.exe
      4⤵
      PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net1.exe
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      4⤵
      Kills process with taskkill
      PID:10012
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      4⤵
      Kills process with taskkill
      PID:10436
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 ARP.EXE
      4⤵
      PID:4808
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM ocssd.exe /F
      4⤵
      Kills process with taskkill
      PID:10076
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM synctime.exe /F
      4⤵
      Kills process with taskkill
      PID:10676
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      4⤵
      Kills process with taskkill
      PID:5824
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 icacls.exe
      4⤵
      PID:9916
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 cmd.exe
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      4⤵
      Kills process with taskkill
      PID:2508
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM oracle.exe /F
      4⤵
      Kills process with taskkill
      PID:10776
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mysqld-nt.exe /F
      4⤵
      Kills process with taskkill
      PID:10588
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
      4⤵
      PID:10340
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe *32
      4⤵
      PID:10888
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 conhost.exe
      4⤵
      PID:5948
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      4⤵
      Kills process with taskkill
      PID:10676
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqlagent.exe /F
      4⤵
      Kills process with taskkill
      PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net.exe
      4⤵
      PID:452
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM wordpad.exe /F
      4⤵
      Kills process with taskkill
      PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net1.exe
      4⤵
      PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 ARP.EXE
      4⤵
      PID:10832
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      4⤵
      Kills process with taskkill
      PID:2772
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM sqlbrowser.exe /F
      4⤵
      Kills process with taskkill
      PID:5704
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mysqld-opt.exe /F
      4⤵
      Kills process with taskkill
      PID:10120
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 icacls.exe
      4⤵
      PID:5560
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 cmd.exe
      4⤵
      PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
      4⤵
      PID:720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
      4⤵
      PID:5928
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe *32
      4⤵
      PID:5304
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 conhost.exe
      4⤵
      PID:10900
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net.exe
      4⤵
      PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net1.exe
      4⤵
      PID:812
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 ARP.EXE
      4⤵
      PID:3632
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 icacls.exe
      4⤵
      PID:10916
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 cmd.exe
      4⤵
      PID:5720
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
      4⤵
      PID:6032
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe *32
      4⤵
      PID:11276
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 conhost.exe
      4⤵
      PID:11564
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net.exe
      4⤵
      PID:11888
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net1.exe
      4⤵
      PID:12104
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 ARP.EXE
      4⤵
      PID:824
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 icacls.exe
      4⤵
      PID:11348
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 cmd.exe
      4⤵
      PID:11836
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe
      4⤵
      PID:11820
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe *32
      4⤵
      PID:12044
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 conhost.exe
      4⤵
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net.exe
      4⤵
      PID:13844
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 net1.exe
      4⤵
      PID:13952
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 ARP.EXE
      4⤵
      PID:14000
  - - C:\Users\Admin\AppData\Local\Temp\oof2aump.exe
      "C:\Users\Admin\AppData\Local\Temp\oof2aump.exe" 4780 icacls.exe
      4⤵
      PID:14524
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Trumper.gen-181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5.exe
    HEUR-Trojan-Ransom.MSIL.Trumper.gen-181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5.exe
    3⤵
    PID:4400
  - - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Trumper.gen-181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5.exe
      C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Trumper.gen-181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5.exe
      4⤵
      PID:9736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4656
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4396
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6040
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:3960
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:10512
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:2360
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Agent.gen-659a1a605a6aece70fd1906c5b4856475aa292c37f0dfd6299d1d1cb38849faf.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-659a1a605a6aece70fd1906c5b4856475aa292c37f0dfd6299d1d1cb38849faf.exe
    3⤵
    PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\Rar.exe
      "C:\Users\Admin\AppData\Local\Temp\\Rar.exe" e -y -p[gk09834LKF] setup.rar
      4⤵
      PID:5872
  - - C:\Users\Admin\AppData\Local\Temp\_setup.exe
      C:\Users\Admin\AppData\Local\Temp\\_setup.exe
      4⤵
      PID:1396
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Agent.gen-c9e55d0d04f850fccf1b71904ca20bbfbe11e606bc5fdd8fbaf61fcfc810e1c2.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-c9e55d0d04f850fccf1b71904ca20bbfbe11e606bc5fdd8fbaf61fcfc810e1c2.exe
    3⤵
    PID:1380
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c0254a54fe0f73249d0447e4deb60459ea3c7f39bcf5305593977fe13bc0bb9.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c0254a54fe0f73249d0447e4deb60459ea3c7f39bcf5305593977fe13bc0bb9.exe
    3⤵
    PID:2224
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Cryptor.gen-01792043e07a0db52664c5878b253531b293754dc6fd6a8426899c1a66ddd61f.exe
    HEUR-Trojan-Ransom.Win32.Cryptor.gen-01792043e07a0db52664c5878b253531b293754dc6fd6a8426899c1a66ddd61f.exe
    3⤵
    PID:5708
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Generic-30ccdb8b209993e704303f2771d22d9d7812d8a6c71dc9cb6abdaf46180ddb8d.exe
    HEUR-Trojan-Ransom.Win32.Generic-30ccdb8b209993e704303f2771d22d9d7812d8a6c71dc9cb6abdaf46180ddb8d.exe
    3⤵
    PID:5880
  - - C:\windows\system32\sc.exe
      "C:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Generic-30ccdb8b209993e704303f2771d22d9d7812d8a6c71dc9cb6abdaf46180ddb8d.exe" start= auto
      4⤵
      Launches sc.exe
      PID:4480
  - - \??\c:\windows\system32\cmd.exe
      "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
      4⤵
      PID:5692
  - - \??\c:\Windows\system32\vssadmin.exe
      "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:5884
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Generic-5f54b2a37a8012cf3d023b9ec9f08081239eadebb0615f6de365595b8d429437.exe
    HEUR-Trojan-Ransom.Win32.Generic-5f54b2a37a8012cf3d023b9ec9f08081239eadebb0615f6de365595b8d429437.exe
    3⤵
    PID:5096
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Generic-79288ff9ff7fd26aabc9b9220c98be69fc50d5962e99f313219c4b2512796d6a.exe
    HEUR-Trojan-Ransom.Win32.Generic-79288ff9ff7fd26aabc9b9220c98be69fc50d5962e99f313219c4b2512796d6a.exe
    3⤵
    PID:5636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp 437
      4⤵
      PID:3000
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 437
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /F
      4⤵
      PID:284
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
      4⤵
      PID:10744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /F
      4⤵
      PID:2360
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:5688
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
        5⤵
        Views/modifies file attributes
        
        PID:10724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
        5⤵
        
        PID:5504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
      4⤵
      PID:3068
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
        5⤵
        
        PID:812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
        5⤵
        
        PID:11932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
      4⤵
      PID:2360
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
        5⤵
        
        PID:11344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix11 /TR "HEUR-Trojan-Ransom.Win32.Generic-79288ff9ff7fd26aabc9b9220c98be69fc50d5962e99f313219c4b2512796d6a.exe" /RU SYSTEM /RL HIGHEST /F
      4⤵
      PID:11948
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /TN fonix11 /TR "HEUR-Trojan-Ransom.Win32.Generic-79288ff9ff7fd26aabc9b9220c98be69fc50d5962e99f313219c4b2512796d6a.exe" /RU SYSTEM /RL HIGHEST /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:13960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix10 /TR "HEUR-Trojan-Ransom.Win32.Generic-79288ff9ff7fd26aabc9b9220c98be69fc50d5962e99f313219c4b2512796d6a.exe" /F
      4⤵
      PID:14532
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Generic-fa2c56fde9e9006a859c409ed90594d4422bebf9eccc64fd70ac296eea2e47ac.exe
    HEUR-Trojan-Ransom.Win32.Generic-fa2c56fde9e9006a859c409ed90594d4422bebf9eccc64fd70ac296eea2e47ac.exe
    3⤵
    PID:5992
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      4⤵
      PID:5368
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5448
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-0482b585b08be2da8287964cb8a966b34d138c956ce908aee0ae73fe2cd6797f.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-0482b585b08be2da8287964cb8a966b34d138c956ce908aee0ae73fe2cd6797f.exe
    3⤵
    PID:9976
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-10e1f1c29be80c8dd103f9fcb440ca20524a93c803dd6456218bdc0969942f3a.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-10e1f1c29be80c8dd103f9fcb440ca20524a93c803dd6456218bdc0969942f3a.exe
    3⤵
    PID:10044
  - - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-10e1f1c29be80c8dd103f9fcb440ca20524a93c803dd6456218bdc0969942f3a.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-10e1f1c29be80c8dd103f9fcb440ca20524a93c803dd6456218bdc0969942f3a.exe
      4⤵
      PID:10096
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-2a77ae43cff20befca76b49de3665a059eadb01dd0a15cadd69eab65c2a7f491.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-2a77ae43cff20befca76b49de3665a059eadb01dd0a15cadd69eab65c2a7f491.exe
    3⤵
    PID:9912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 464
      4⤵
      Program crash
      PID:10760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 928
      4⤵
      Program crash
      PID:10832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 976
      4⤵
      Program crash
      PID:5376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 984
      4⤵
      Program crash
      PID:2632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 940
      4⤵
      Program crash
      PID:10640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 1004
      4⤵
      Program crash
      PID:10468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 1056
      4⤵
      Program crash
      PID:9872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "HEUR-Trojan-Ransom.Win32.Stop.gen-2a77ae43cff20befca76b49de3665a059eadb01dd0a15cadd69eab65c2a7f491.exe" /f & erase "C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-2a77ae43cff20befca76b49de3665a059eadb01dd0a15cadd69eab65c2a7f491.exe" & exit
      4⤵
      PID:10896
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "HEUR-Trojan-Ransom.Win32.Stop.gen-2a77ae43cff20befca76b49de3665a059eadb01dd0a15cadd69eab65c2a7f491.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:10972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 940
      4⤵
      Program crash
      PID:10412
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-672c5539ebdcd49b7ca3e045b534b125f9b5ab6365fd04b10cf27c702147e121.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-672c5539ebdcd49b7ca3e045b534b125f9b5ab6365fd04b10cf27c702147e121.exe
    3⤵
    PID:9788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9788 -s 572
      4⤵
      Program crash
      PID:10708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9788 -s 688
      4⤵
      Program crash
      PID:10012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9788 -s 668
      4⤵
      Program crash
      PID:10264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9788 -s 804
      4⤵
      Program crash
      PID:5852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9788 -s 888
      4⤵
      Program crash
      PID:10724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9788 -s 828
      4⤵
      Program crash
      PID:5852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9788 -s 1240
      4⤵
      Program crash
      PID:2000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9788 -s 1248
      4⤵
      Program crash
      PID:1948
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-7d72adf083ee907da1cabdf9334e2c6df4886f4bf960ca29ea770f94aed7a01d.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-7d72adf083ee907da1cabdf9334e2c6df4886f4bf960ca29ea770f94aed7a01d.exe
    3⤵
    PID:10316
  - - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-7d72adf083ee907da1cabdf9334e2c6df4886f4bf960ca29ea770f94aed7a01d.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-7d72adf083ee907da1cabdf9334e2c6df4886f4bf960ca29ea770f94aed7a01d.exe
      4⤵
      PID:10892
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\ca01d7fc-1a80-4a6a-865f-c1f817344673" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        5⤵
        Modifies file permissions
        
        PID:11152
    - - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-7d72adf083ee907da1cabdf9334e2c6df4886f4bf960ca29ea770f94aed7a01d.exe
        
        "C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-7d72adf083ee907da1cabdf9334e2c6df4886f4bf960ca29ea770f94aed7a01d.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:9916
      - C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-7d72adf083ee907da1cabdf9334e2c6df4886f4bf960ca29ea770f94aed7a01d.exe
        
        "C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-7d72adf083ee907da1cabdf9334e2c6df4886f4bf960ca29ea770f94aed7a01d.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        
        PID:2828
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan.MSIL.Crypt.gen-002847149ecf732c063cc9a14e74d815679fe61f6520bf31a162b727431bd611.exe
    HEUR-Trojan.MSIL.Crypt.gen-002847149ecf732c063cc9a14e74d815679fe61f6520bf31a162b727431bd611.exe
    3⤵
    PID:5960
  - - C:\Users\Admin\AppData\Roaming\updates.exe
      "C:\Users\Admin\AppData\Roaming\updates.exe"
      4⤵
      PID:10592
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\updates.exe" "updates.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:5416
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan.MSIL.Crypt.gen-049b243300bafe044d5b8374110e2bd7dd94f4786898ce02b9333df7b4408b7e.exe
    HEUR-Trojan.MSIL.Crypt.gen-049b243300bafe044d5b8374110e2bd7dd94f4786898ce02b9333df7b4408b7e.exe
    3⤵
    PID:2900
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan.MSIL.Crypt.gen-0e706781e9fedb804fbf72dbebc5d1d0116f6cb4b52541620b222506a5c2c232.exe
    HEUR-Trojan.MSIL.Crypt.gen-0e706781e9fedb804fbf72dbebc5d1d0116f6cb4b52541620b222506a5c2c232.exe
    3⤵
    PID:10984
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan.MSIL.Crypt.gen-3472f0575ba3f9df08504eff3c75593a9ed6c666cc6177a8008242173d23eb88.exe
    HEUR-Trojan.MSIL.Crypt.gen-3472f0575ba3f9df08504eff3c75593a9ed6c666cc6177a8008242173d23eb88.exe
    3⤵
    PID:10368
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:10752
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan.MSIL.Crypt.gen-3522e65715d27dc3e8c2fbe46d8e6f910129be94e5155859ab547120acc9943a.exe
    HEUR-Trojan.MSIL.Crypt.gen-3522e65715d27dc3e8c2fbe46d8e6f910129be94e5155859ab547120acc9943a.exe
    3⤵
    PID:11116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11116 -s 852
      4⤵
      Program crash
      PID:10076
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan.MSIL.Crypt.gen-45930aced8c185ad02fafc0f7299d48a44d14331fdc2cdf599bd3aa92faf82f1.exe
    HEUR-Trojan.MSIL.Crypt.gen-45930aced8c185ad02fafc0f7299d48a44d14331fdc2cdf599bd3aa92faf82f1.exe
    3⤵
    PID:10204
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan.MSIL.Crypt.gen-6289d07102323f809a2988505603ed77c813fe0a71d1c18ecd02588c7ef13327.exe
    HEUR-Trojan.MSIL.Crypt.gen-6289d07102323f809a2988505603ed77c813fe0a71d1c18ecd02588c7ef13327.exe
    3⤵
    PID:10316
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan.MSIL.Crypt.gen-67e781f57e130e15b5740d03a5de55ccf3e80d082ec82e2b114bde1c99f06097.exe
    HEUR-Trojan.MSIL.Crypt.gen-67e781f57e130e15b5740d03a5de55ccf3e80d082ec82e2b114bde1c99f06097.exe
    3⤵
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      4⤵
      PID:10248
- - C:\Users\Admin\Desktop\00457\HEUR-Trojan.MSIL.Crypt.gen-6ee75254ed2f0c49a5243efef84b72309b17ed4ad2c3bda74cb6a30029c1cd35.exe
    HEUR-Trojan.MSIL.Crypt.gen-6ee75254ed2f0c49a5243efef84b72309b17ed4ad2c3bda74cb6a30029c1cd35.exe
    3⤵
    PID:10744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4780

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:10020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 9788 -ip 9788
1⤵
PID:10348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 9912 -ip 9912
1⤵
PID:10616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 9788 -ip 9788
1⤵
PID:9236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 9912 -ip 9912
1⤵
PID:10648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 9788 -ip 9788
1⤵
PID:10404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 9912 -ip 9912
1⤵
PID:10432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 9788 -ip 9788
1⤵
PID:4976

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\562cd69d64e646ffaaa7dcee2bdf96fd /t 3960 /p 2884
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9912 -ip 9912
1⤵
PID:9924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 9788 -ip 9788
1⤵
PID:11152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 9912 -ip 9912
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 11116 -ip 11116
1⤵
PID:9908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 9788 -ip 9788
1⤵
PID:11184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9912 -ip 9912
1⤵
PID:9680

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\38a1dc6487ed433596a98d4aa3660bfb /t 4052 /p 64
1⤵
PID:10960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 9912 -ip 9912
1⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 9912 -ip 9912
1⤵
PID:11180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 9788 -ip 9788
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 9788 -ip 9788
1⤵
PID:824

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\398226976c7f48b4bf4e9e5596006657 /t 4052 /p 64
1⤵
PID:11636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Codec\codec.exe

Filesize
184KB

MD5
0c7ba98fddfd75d7a658d868d87559cd

SHA1
c8aafa1364e828a1c9108d06f56c26a540359cc5

SHA256
9888760008b570dc0a619913e5b73e35254a148465450458453702b1c9146795

SHA512
9e7c36a91701ef97843a355e6098ad5682b38199f55eb76127f2e51f3ace29076bd55d4db51d49bd040257a610fafa0de2539c54c47032723b2a99123258cca8

Download Submit
C:\Program Files (x86)\Codec\uninstall.exe

Filesize
53KB

MD5
dbcd815004c3c2e45050793eb326d1d9

SHA1
996ccbaaf825315c5016954d1fd030f69e4d4f2a

SHA256
bb6bc3274e427f1925a3462c17ed99b94962ad4dbaec289372ec3194347d2590

SHA512
c4ec3936d0689d965ef8c3cb274c6346770218074c3433da3325211d4c9df68559f981b6e6be0f7ede91a20b60d2f3494eff13c346798a07a84f2f316744dc20

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe

Filesize
1.8MB

MD5
873997840ef06a836303582178e496bd

SHA1
e8d70be0743c7d0a80715efe4c08fb9038f5b142

SHA256
6410e87f2056c458dbf3048eb478a58e21befd05b56f753b61eb0fb7af10fe10

SHA512
455b950ebfe7f6df5ddf43161d5ee7a19e026395b5e88cad4a43c5e7d6e2ef89bcae17c39efc64544f8a5b41183b99ffd8b76045c1fb64ba4645b1d8628d6196

Download Submit
C:\ProgramData\kaosdma.txt

Filesize
13B

MD5
17bcf11dc5f1fa6c48a1a856a72f1119

SHA1
873ec0cbd312762df3510b8cccf260dc0a23d709

SHA256
a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9

SHA512
9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

Download Submit
C:\Users\Admin\AppData\Local\306e674c71741eb920815210ecde76f6\Admin@KBKWGEBK_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\306e674c71741eb920815210ecde76f6\Admin@KBKWGEBK_en-US\System\Process.txt

Filesize
4KB

MD5
c808aaf81e753199e2d068f3542c23da

SHA1
0ec793b2ddfa22df80e888d750364b2c5c5e6373

SHA256
eef8fd42fbf75c17714388c1fcde502fb6f8195a03e021f341286f959182709a

SHA512
d9bc371a39047e26b753d505970c9e47e8e0ed98d3c960e593a7ef7400e5afe8ce0e5294921a583fb6d13490e02ef7081d1816b2760fb468bc87da23dd6813cc

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData-journalopcodes

Filesize
16B

MD5
c287ed4a5dab1a3df89a79931832c84e

SHA1
37edd3c0cb33f8032d3310643e8549b80df2288e

SHA256
7b43c99de4853d8a87b95fbc47d55996759a83f8ae7329bbc1a0d0521aa5a0a8

SHA512
8e961914cc6af7b337646b6d3a3fd32c67bd489525bfa68920540c658b6035362eec11151989c8a89327127d01b32b8066cc361f076e1fe7f1237a7711af15b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENTopcodes

Filesize
32B

MD5
b3c29b213084406fb838d221e59ca5e3

SHA1
5dfb5b07a6f6af3d671447036b43d194313761d8

SHA256
f7b22c071f035dad917e85e607e03242f3bc9ee4e11d51b99a9461a4224c0c2a

SHA512
05cd9e11305d4b0113b4b3a61163792f53c4cef0447b975eb2affbae267f21a45c182642b1db92ecd2b61ea3c923cb98f978b984c300a3908735d392785c5b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001opcodes

Filesize
48B

MD5
29e46468e5eef51eca470bdf75c0955f

SHA1
1157d5a86a004fc5208e11f89c213f75e4310c50

SHA256
2f5ce5400231aed4e4152f5ce3ae78838a93d5912928b60bfdda698902e6d15b

SHA512
e18d535d80459aa1a8e99f61beda23f8641a5169d8d68fc8af3d798a618aacbec8a842c58d1a731d1c3900018512e72610efb114da535e2ae23632cebc7c190a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\indexopcodes

Filesize
32B

MD5
801a5b408006807c13eab6ef37466393

SHA1
62fecbfce9367cc0a37bc12c43a0f7040d0b8182

SHA256
1cee876be2677ac601f90d5a6f7e8839b25c722c161018154946098f51f12379

SHA512
4e459abecb6868455c56770c8070fd0327e076e163dfde427c4542d3212659e06991e4b5628b2c27e94e4b8018be5fcfd5d1a86cd252b8a4b925fc65715da508

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0opcodes

Filesize
8KB

MD5
cd12e821ada9d6cac6d4e2798a5c146f

SHA1
cd260dbae274d9395686d29708d70e0e91b148f1

SHA256
e5da6db5395a0cefee376a9815626f8740c02f47ce2f879c204b3cd4ef20c016

SHA512
3fb2542703c7a922f0a02a25f0a2f9498ddce6c0c1740fa060017f80f0370f92a2f749281ecb17ac5e10adafc5ccf9abb68574699d14fd01e4c861c5b9ad6e79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1opcodes

Filesize
264KB

MD5
40cd40d8962ac6a170d1a64d7f167236

SHA1
e4ea6a0fc80bc85291791795035c41678812aa18

SHA256
eb08e9e5ff431a9dab37c71c51cd50da16da51293de5f3164b1e3f11009bb065

SHA512
331a1a3b277516f769a0eff00b1b5ac3be73cdcddbd239aee61440ed474b163a675420e7ee88c80f93cb7a42e5ce4188e140c61471ea7b77f7202e09c823aac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2opcodes

Filesize
8KB

MD5
0cefdf0dfc9c383b48677b6b30e81b81

SHA1
98f10a88e456ccd254a83f22402785a72dea2985

SHA256
7681991db277801a90aad5805309ed9a93baeb764807f303f3d3b7ae16bc28d2

SHA512
3cefd57da5af7cafd09cf6faabdd85216077f52e200dc5e71e4b3a99edb54fbb7d65de8f5cb14b013d4726b5f3a13f9ee6e9217eea5c389f1e18ae06db73c2a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3opcodes

Filesize
8KB

MD5
e54c59ac08a426af0846975a36ff4aae

SHA1
a015aec1dbff630807809191892881bd081937e5

SHA256
aee5984116c719d823f432f64a276d296fe5cafce65173270960d974d9be0e8d

SHA512
68af93c21f739ec525e4a9f4ac89752b50d289184b8d9b2cc67982bcb6afa00481acf95e881eacbee84dda937d96ca8e352b473d0e43ce704bb67eba20bdfa85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\851652CC-B423-4CFC-8191-3081B61FCB35opcodes

Filesize
172KB

MD5
42825ae1ee0a9945167c09c31fe78a84

SHA1
f0a09ea383051c189ec0be8d96b36c5df306f9f9

SHA256
ccbe3eeab2fcbb755ea72bf9be77e548a8dc9e4682220a0260de97ef40434f64

SHA512
d5503d0f1ddf508e36f542b95bc41a1844816ed07fc4675a70a1da976391198c1a0e310a500c3086400004b17d0ad4ca38e0cde71ffd6581c9e17e46ec680249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\92C5EBFF-0826-4432-AEB2-8D3596A4169Fopcodes

Filesize
172KB

MD5
fb5aab80d3a2412fb37da023d40af936

SHA1
c38fe275c722d5e7e0839a13524160b8d151e25b

SHA256
a807d488282d2ba2dd679a06fda4fb40a980b29ceb5edfed6d8426ccb6f94869

SHA512
30921dbffa9aa54bad42bef4db0b457433cb61a3f266f767c71e38826646d895ebb51910021be3824e52edecc88d19cf04e3058e93edfd8566c122f83cbc1dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrsopcodes

Filesize
512KB

MD5
c43d10169c20ba4d9e3cd81f614396e2

SHA1
f0d30d62326ba39c93f56fc0451ebd679261e694

SHA256
544d64d5827810d841738d58ee35e7003ae5373f3bac489fbf53088f2fc65f72

SHA512
391cc5d2c71b6f40b45b5df21b0516f213d0248cea3a784784a9af8051193a24b9dc5f9b7f00f1d696815ec3ba2c58e71d0964542e050c6caec4181a090000d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.datopcodes

Filesize
8KB

MD5
5ccde2d3a82eacb36d9ecc6ef0b2c491

SHA1
e4ea91c60c87067da961aa9e04158f137e91e3bf

SHA256
e0a39b3e380dc28ba819ffa7bbf0d7cc74137b0e916ae26b4f2ba9d145c98c0d

SHA512
acd119d61482a9b2f27a015299115dbf1f27167d7292a63cad49b22738bff0b97431bc6270e2638deb055a7e3b86d1373726f03977bfcdb7cdf9345c4db4b258

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}opcodes

Filesize
36KB

MD5
b1ff73dacf69c14ccf0865c1aa47a934

SHA1
c688f7080617fe23a9de4af3a6047dc09806129f

SHA256
d42fffe11586a56ca9dfc9abd3608b9c7cc8f9e5b5b369d25ff608c291b5ef37

SHA512
650c35db641af28d4d1bb71ea80bdb3710b566723760b9654f38e83e162431fb107501c417b0a3b778fc1ca0e11606e57dd26dac4b8dfb90ef75b8960a5a5c57

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_mscopcodes

Filesize
36KB

MD5
563dd8d33f9635b7a613113fc4c39f24

SHA1
9b925afbbf31a32c2e59e7df9a40b142cb526aab

SHA256
44a0071305792c971306fe515935b3b2ebbc8a3dcbce5d1848ae930f4ed74119

SHA512
527380794edc57a3acfda35dc052ebc8643ce889d5683546eb26dc581c588e59169c435a0a0f20ca83700c38f78b24bc6ea6d050f1e440658e419d2d841402a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662832033209.txtopcodes

Filesize
77KB

MD5
c4304c72a663be643a646894200cfea6

SHA1
9826df5b6857b04b269200afa41c53d02b7c651f

SHA256
e18ad5c66e61d607947b1736eeb76c43495c3233fdd4575c07cd6d195e1f9160

SHA512
ec061445266a3e1032ad126e84099c39953bc689d1f5c718f747c3c58902b1cd98ff5307ae8d80ead8cd865f516f7d30a10f2ce1ad25851dceac2cd7f2f46632

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665100703612.txtopcodes

Filesize
47KB

MD5
f3169f6aca0975191214d2b2e7374e42

SHA1
d8f47d1de95a2ea42e34933c975751030fd1f98b

SHA256
2c0ab72612ebd67af3d373a9cee1a438b855c25906124d4f94f3e8d260409276

SHA512
d9376c84fb14455fbbb23d4c1d83410a821dca057735ca444642718ed7874bfe5cdb88c36de58768e2e9c3b71e327889610ef3bec4911e6a8664f22eb426fdd8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671148703052.txtopcodes

Filesize
65KB

MD5
9b1a52dc0ce3d6e62c34d882d2a1dbd0

SHA1
479ccdee0c17c266024ec90c7e9ca26f9dee3f23

SHA256
5dcd976bbab0388a0635e6c11d77cef3f1cb2253df64f945e632f3bd30d9683c

SHA512
46b845fc7a0898d3c6c9b3e85bbb07c93e74be4bd97b84f6ba0ae5030345516e6d6ce22973d2068def00be2a966c9e3cb94b2a22aab031c307d48965dd5cd6e0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727695133490697.txtopcodes

Filesize
74KB

MD5
4ace06581ef93f1c7527eb6498b258cd

SHA1
88b8980144a7fc753521b23aac0992b8d092cb22

SHA256
532633469994c37e49f57a11de742eae99f3f136d128e4e609eb4c660998a66e

SHA512
af0a70a8d965f1e15e26aa8584bcbc0bd8e4b1bf507dfb0216a3fcbe160ee217fc698a3c0e474896f387dfb8595be4d1f83f5e88eff1a3635708d90bcb48016a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
64KB

MD5
17271095b8917c2aedb61cb5ba6374bd

SHA1
a6d36d848abb9a8578ef5a633a6457f178ee9717

SHA256
6e0c5531a993d2eb711005b1236399ae7fb94be3cdba248fd60f66b805bbde7f

SHA512
a3c02790089796cb81ac77e9374c676e4db8d4737208cf8661986513fce4ad267a3fcc3420632cc1af42c2346542745316b5ef431e66b0731123de6cb5bb8c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k14ow0nb.pk3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_setup.exe

Filesize
322KB

MD5
d17923cd38af7889ee41b58b229b0829

SHA1
0df469b1887395e186d93a27ec31b9ecf2e93471

SHA256
343d8e39ab2ac748426282ecf480779e3c71ef44d9d32d87e5faaa090a780681

SHA512
d253f96a85719cfcab830d732d01f050408608f73444ac8fa4f189d9f607c6083342f35e6cbf67b6869e32826df6ed67cfb0b1cd0156066b70404cc437f6044e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3D01.tmp\LangDLL.dll

Filesize
5KB

MD5
a401e590877ef6c928d2a97c66157094

SHA1
75e24799cf67e789fadcc8b7fddefc72fdc4cd61

SHA256
2a7f33ef64d666a42827c4dc377806ad97bc233819197adf9696aed5be5efac0

SHA512
6093415cd090e69cdcb52b5d381d0a8b3e9e5479dac96be641e0071f1add26403b27a453febd8ccfd16393dc1caa03404a369c768a580781aba3068415ee993f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3D01.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3D01.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3D01.tmp\downloads\packages\codec_x3.zip

Filesize
140KB

MD5
04d866de5fc84252e307ef42cc08fd8e

SHA1
8f24f7edda7979fe69c89f7fd90f41f309dabdd1

SHA256
a4d9ecab2496d5ccf721b996432a4aadc6406e2de49e179d349246e07c8ec15c

SHA512
2c5638de044fa96de9c81936f77af6444bac4884540ead83d5bac83c30ca891d6752b273bbe8423717326d78318eb991f7c8c1921545fdc3fc7a33f9b38510b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3D01.tmp\inetc.dll

Filesize
20KB

MD5
8d8fdad7e153d6b82913f6fdc407d12c

SHA1
aabbeed33cd5221e4cb22aab6e48310df94facfd

SHA256
e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b

SHA512
42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3D01.tmp\nsDialogs.dll

Filesize
9KB

MD5
ab73c0c2a23f913eabdc4cb24b75cbad

SHA1
6569d2863d54c88dcf57c843fc310f6d9571a41e

SHA256
3d0060c5c9400a487dbefe4ac132dd96b07d3a4ba3badab46a7410a667c93457

SHA512
99d287b5152944f64edc7ce8f3ebcd294699e54a5b42ac7a88e27dff8a68278a5429f4d299802ee7ddbe290f1e3b6a372a5f3bb4ecb1a3c32e384bca3ccdb2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oof2aump.exe

Filesize
111KB

MD5
17a2564bda8ec94004266e90ae620937

SHA1
84910b1d8c306f4b4b2eacbd74c3e13d37768130

SHA256
f9788ca182b0754299da35e1619675df74b431814b67241854f8b30fc563d0fa

SHA512
d1be86d15424dbc2963509a9b0d812d026336d15333840697dce782427bfd4fae2a73b24940532786cf603c1df96faa95d14dd5ec34bc1558f591e0c5ff38ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.rar

Filesize
302KB

MD5
d65dcf49ca61fb226d2fca92827f5a2a

SHA1
36c02c056c21209a38e85bd5615f4f5c21802008

SHA256
799e3e1d0e757790b89267749832b7c85a1e801e812eda1248b6f053f1c68407

SHA512
4c3a208bdee5be7fccb905eab4685c7f0d68edd437841051e8c5e6791cc2df92d41774c1b77add96b7589aa4eca55cb2eddcbffd08ea08005f8a65ae4116f132

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctDB6.tmpopcodes

Filesize
63KB

MD5
92b810865c88c7395ba4de95b4d0fa16

SHA1
8ef18ec53c1094c5ef7e672b6f293a20e5b2a7ac

SHA256
c6f0c4cb4282dbd8fe0bf707ca396aabfb639f2f9686558cd5e7cedc92a8b646

SHA512
e8d5287cf8fcd7fbd18e3a15b10626743cea0f0fb03674d79cddb661cfb1f1aa9f6401f85415144f00db4ebe8ad5e25267d61546e49d5bc4a01b098bdddb5819

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmopcodes

Filesize
32KB

MD5
94e1bd8f84a611771eda22cad1785ad4

SHA1
d4783f01e16cbdc6e01f6277e724c1bcc4dff572

SHA256
0191374a26b3618525db04766a40b1188e9ac7ef1477da3b4b6604e2480516ac

SHA512
30fca1c6ea7aa5b2bf62ebe63dac2a07d0880964d9c8b278a299975471c970d08b59dae2912f1dbbdf0fdf6d9654dcf24cfa76759e2aa923efa81976d38f2448

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqliteopcodes

Filesize
48KB

MD5
a01ab7db12a323f663886e8221df6a8b

SHA1
a4e48e2b0615c7cd16855642c87a564c73de2506

SHA256
2672149dff557cc04fb5cbfbb888257b1b00e3ddc7216ac9f7d5152be3da4238

SHA512
a345cb37f5bc7ffd07c2a54287f641049368c04f717c3ca0c8ac57e73910643ea3fd210449b34c5a94119e75b42d1c8d88c9ff5838022aac2382029ec9f67e1e

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

Filesize
63KB

MD5
9565fc830645dd077f6791303bb4bf9a

SHA1
ddc52365e1ef13b39ff4aa0b29d51d6f8efe4234

SHA256
3472f0575ba3f9df08504eff3c75593a9ed6c666cc6177a8008242173d23eb88

SHA512
b69021afb8a37bb386d41f23785a28d93815a4e0bc07037f1136dca0d88bae9f1069c7be46c0ee02760cf47879741837fc0fbd27cfea32afa1b5e1327deb4d61

Download Submit
C:\Users\Admin\AppData\Roaming\updates.exe

Filesize
755KB

MD5
b870a5c7da7455325ab3e8341a040694

SHA1
1f3a5fea70cd4797f3500c472fb24419522f99fe

SHA256
002847149ecf732c063cc9a14e74d815679fe61f6520bf31a162b727431bd611

SHA512
e814f85276fb1f83dbc2d6a0e0caed9ccca7b9f400b1048c59b0fce5d659e39ed93c2eff1cbb2b97689321149ea39a0b199cc4c1d8139b7c015b6360bef7312b

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0fc0a4fc582e02f63aa2546db0d60b5ede5e7ec409a95bb29ad16670a93800ab.exe

Filesize
736KB

MD5
e22dcc01c6037301a0b437468f2bbedd

SHA1
97f02cf5ec84e6737118d344f11b5a07955439c3

SHA256
0fc0a4fc582e02f63aa2546db0d60b5ede5e7ec409a95bb29ad16670a93800ab

SHA512
0a692fcfa1a1d4290dc9a44896cb1c1d15cc13805895117179064495c52e0a7a0b1dfde65428f9ae7936104a2d3ad6061de678268f389084d52d42e21a0a1145

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc.exe

Filesize
408KB

MD5
d99cf83377a02c7d478a12a51acd80a5

SHA1
4900e8a1bbe64983b1cfc5bf849809a36b82348e

SHA256
315294b4de371ff482b57daa0dca953de9b650433c454a06fb2c95c52448b0dc

SHA512
2296f9c912876788e8344bd994b5bee92d750978874a8189f5f562deb49e0590eb0e3425a590a19f87eaee123bfb0c11c04e534f6649f32059d835d712630b82

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b15a3e8f72f0ac3e883056c31f40b6bfc946d4b6b47df5c7db8d78e0c5040027.exe

Filesize
443KB

MD5
2eeb6bf9ce9af702e165d9de21120cfe

SHA1
995eea0c1e10851a7224c367ea42e1d97e30691f

SHA256
b15a3e8f72f0ac3e883056c31f40b6bfc946d4b6b47df5c7db8d78e0c5040027

SHA512
19677ff12a4e41d0119e6965dee63b98185c97fc62eac16728c790a76dd676addc8d171849432b1c75a4a3bc4f8c90ec8f0467d076b071b42d0bcf5f7bbc0b2d

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bb77d832bc2e5b52bd03b37bb5091db86e3f9f3e93b434a833afa8db3b3bc9bf.exe

Filesize
2.0MB

MD5
0dbb9386e714d61d09d35e9d801f9931

SHA1
77e756208010fae1f4fd0109a0fa0e75f784e5e2

SHA256
bb77d832bc2e5b52bd03b37bb5091db86e3f9f3e93b434a833afa8db3b3bc9bf

SHA512
af4240cc9b7e905ffea5c234be498194c41316e08d2f1bb3c8edea188a5da5c9a1e7a3887000ed9fdfd131ab6b7623d3236d2905440364fde17d239f9ef0d7dd

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7a1a784d5391c3405a735fe5e8a885d6b4f6e23eb0ec6ac6894b7ef3b144e51.exe

Filesize
439KB

MD5
0c06128556d7825f35faa448e5613641

SHA1
22d3ddcc2daabf44d0a134563fffefa3ab63a83c

SHA256
e7a1a784d5391c3405a735fe5e8a885d6b4f6e23eb0ec6ac6894b7ef3b144e51

SHA512
cd44ceca5d33351806ab2b519508ccd1e384085f1ab527430fecaa8ffaf3a321934061279475541ae113dff059763b9dfa2ee80c4e93779a9108f9b8f78b8952

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7c08fbb860cc0b1ba79a1fd66af2b41201cee22ac93802906dd4fc1fc517f05.exe

Filesize
14.4MB

MD5
38390f5375d63b75040c1b4c2614e6b5

SHA1
3be152da61961e43e57618d09d502b51c98abfc1

SHA256
e7c08fbb860cc0b1ba79a1fd66af2b41201cee22ac93802906dd4fc1fc517f05

SHA512
5c76698714544cb7cc3c1ffd87e9a40b02fb7f1933d3539a14f2413471e25f72bbbc225d43a1fc4ba604eabbdbdb1dbb5fafe26d595e7ec9f40be37f93481645

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Encoder.gen-9a916febed4382b4a866f016305fc60955650c1b0b1765f89baa733ce14b6121.exe

Filesize
322KB

MD5
3a2b979c96edd0bb2eb6bf712fc4dd78

SHA1
3bf883dbff8867c4f48948ba5724c50ab4c66ca5

SHA256
9a916febed4382b4a866f016305fc60955650c1b0b1765f89baa733ce14b6121

SHA512
0d065fade10c564b41b1c555fb695eaca0b97c1beb495dcaaeb59943016f71653d7dda3580ce969a64e08b531ffa3b9e88bcab23e5908710d1ccc63de040764c

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Foreign.gen-31fb2562fb02909b66a419aecf13a91e67e1182e50d175ac567c6e96b8d481f0.exe

Filesize
55KB

MD5
999e0a951badc2eeae0ee7d87cf86a75

SHA1
ae7c3aa10368464daf6702f02da9fb2ac791af29

SHA256
31fb2562fb02909b66a419aecf13a91e67e1182e50d175ac567c6e96b8d481f0

SHA512
ed20a5476646057b8c3f88bbc9c6d1926b1bf7beea00787f485cd9bc433678fb7d246bd7e0a8d021c49842790b6bcf906212bea35617dc87e884a061432f2053

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Gen.gen-a3bc02793e389eca1d2d3eab3ad4925b50ad90d64d66e418789b62144a5f8f74.exe

Filesize
228KB

MD5
8c1344abfab3ca04edc09823d638791c

SHA1
b45968fef318759b3f82ae7759d0e284099e5617

SHA256
a3bc02793e389eca1d2d3eab3ad4925b50ad90d64d66e418789b62144a5f8f74

SHA512
9ded3851cb4ee2649639f19b2c2e882c4fecab4fa98114241dacc082d52d268c793ff082463395b8e57af8ccc69da46e016757b676d025c50e74b71da960622c

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Gen.gen-ae3009c41ce889c28f9b229cb15277a86175c13fea39846db32e8f979ed2eb82.exe

Filesize
12.9MB

MD5
9a663d078c5d96e2ca15af0880cbe111

SHA1
f9ef0425289c39390b5f5919da8bd31acb0e5d22

SHA256
ae3009c41ce889c28f9b229cb15277a86175c13fea39846db32e8f979ed2eb82

SHA512
c33c6c1be2c9c099ff254b84f50125bb470eb4a4666582c7e2e8e9e7cce76a6c0cbb38f1ed80bdb20c7852bd41bac652d8af4dff0b57c8557a2c1d07958d4b20

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Thanos.gen-66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2.exe

Filesize
108KB

MD5
731797d30d8ff6eaf901e788bd4e6048

SHA1
9d38ce8e4c3ca5fbdfdfbed3ec452151041189c0

SHA256
66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2

SHA512
ecb89742be1e524d0abf25fcc4d0a5a4df5e3fa357b2179289efe1569da32dd7372226bba955837c84900ec389568db76d70787a141456a3885b71b1e6e8243b

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.MSIL.Trumper.gen-181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5.exe

Filesize
197KB

MD5
f7bbc60071623219f622b4e17e1f9cdc

SHA1
cb11c5dc4a18271b5c1317d5117e6da8346975fc

SHA256
181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5

SHA512
3e0839d7c273da6283689769cab4ac1e0def92fbfbbc428dddbdc6cb7615c4232e9b59fe5e22a8d501cd66db9cc1ff8bbad55a5d46e76f8aabe203b16ed1bd75

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Agent.gen-c9e55d0d04f850fccf1b71904ca20bbfbe11e606bc5fdd8fbaf61fcfc810e1c2.exe

Filesize
2.0MB

MD5
98109943300b9c3aeec65c912be7ebdf

SHA1
81e32e1883d7c26622b16dbdc2932438d839e0e3

SHA256
c9e55d0d04f850fccf1b71904ca20bbfbe11e606bc5fdd8fbaf61fcfc810e1c2

SHA512
877f3bb395275c85f92ec1bbbbdb3bf5231086f66678b6bd493d4ee2563f80c8c1e534d6b8e37d7a40e1eaba2ed2f614cdb67e1a8a7f5691ca177485717798ed

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-9c0254a54fe0f73249d0447e4deb60459ea3c7f39bcf5305593977fe13bc0bb9.exe

Filesize
1.8MB

MD5
51b1c0f58429cf613ed2eda056c6f15d

SHA1
99128acdf65a8952dbb7a36ec21c0f19d16a8466

SHA256
9c0254a54fe0f73249d0447e4deb60459ea3c7f39bcf5305593977fe13bc0bb9

SHA512
1a4cac57435efbd933d178ed53ac771330fcf491ad4c8ea690699db49743a541a227f18434960e19130aa9e7012c4962df462461257abd1c0bf4a80babe5fd7a

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Cryptor.gen-01792043e07a0db52664c5878b253531b293754dc6fd6a8426899c1a66ddd61f.exe

Filesize
402KB

MD5
de6152b2b3a181509c5d71a332a75043

SHA1
d62c0ad2ec132065c5807c0fe7a4cabcba34cf29

SHA256
01792043e07a0db52664c5878b253531b293754dc6fd6a8426899c1a66ddd61f

SHA512
99df08f8c0d966c1ca866cc414939ee9ff23a044496497edd5c64fb83a7011718183272f9001dec97111a8e8387218632c7ef6a9f00644e01363540002f5b0d4

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Generic-30ccdb8b209993e704303f2771d22d9d7812d8a6c71dc9cb6abdaf46180ddb8d.exe

Filesize
1.0MB

MD5
dba618b1860f4c2d03fcbddf9f65d760

SHA1
424092dad83f789c8daa00374f77f2bde5bbde86

SHA256
30ccdb8b209993e704303f2771d22d9d7812d8a6c71dc9cb6abdaf46180ddb8d

SHA512
7553ba57e3987eeed2e09f5e8ec4db54f503b44e1352402d3f5a5be8468bac9000946a48e9a4ccb8e9bef7fcb630636a038fdad16103239a1b16478229b1f88a

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Generic-5f54b2a37a8012cf3d023b9ec9f08081239eadebb0615f6de365595b8d429437.exe

Filesize
1.5MB

MD5
5e61c83c0d07cf1d33f36bf59521a321

SHA1
20872c47d53a607290b32e1af19dfe9906cf661a

SHA256
5f54b2a37a8012cf3d023b9ec9f08081239eadebb0615f6de365595b8d429437

SHA512
fbf13b4be173c7c6b682ffa3e1e8ba9c4e56fb289d62aabb916e69341cc8a40838fac90e2ca82c5655e06603a2a48d636a42834bfc0cae0b8a90cb087f1102d2

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Generic-79288ff9ff7fd26aabc9b9220c98be69fc50d5962e99f313219c4b2512796d6a.exe

Filesize
937KB

MD5
008aae84c66a89c54d78acbdf0938fd8

SHA1
9f085813214bf536d55dc143f5b3b99dbbc1350b

SHA256
79288ff9ff7fd26aabc9b9220c98be69fc50d5962e99f313219c4b2512796d6a

SHA512
5b12b2988c8cc147dd3d7a535a11689dd63b5643687e9f7656832b0f6af686199b661eb7df7e8a781c20009bd7cb06677eb0cbd46aaaf48dabe0e5e7ca5c7630

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Generic-fa2c56fde9e9006a859c409ed90594d4422bebf9eccc64fd70ac296eea2e47ac.exe

Filesize
61KB

MD5
8910b2027972c981e85da40f9869b5c2

SHA1
db400e592c40874f66a12b19d8e5a04ec3edf424

SHA256
fa2c56fde9e9006a859c409ed90594d4422bebf9eccc64fd70ac296eea2e47ac

SHA512
9895ce3f1456cd2825a81046ce8d9072e1db2df7d5d5f44ee3452e3de4be60961b1d0150ea1236dd17fd9886638666a0a7550121c940dd3b8285c605e29a0f2a

Download Submit
C:\Users\Admin\Desktop\00457\HEUR-Trojan-Ransom.Win32.Stop.gen-0482b585b08be2da8287964cb8a966b34d138c956ce908aee0ae73fe2cd6797f.exe

Filesize
4.5MB

MD5
9c009e205a1830fa973ba2a1102d6c9a

SHA1
fe6286c459b935ac088b58f2c0a78b93f1ee13fc

SHA256
0482b585b08be2da8287964cb8a966b34d138c956ce908aee0ae73fe2cd6797f

SHA512
7ae79769c8bc9e81ac63eb45d90964a142baa23a4ad7a3be70c49b82036e077fd8498d5eed9b96b398c08d13315919dc8a79450abe8ad9763c8552ee2fd35c8d

Download Submit
C:\Users\Admin\GET_YOUR_FILES_BACK.txt

Filesize
913B

MD5
0237b63f764204e00d7242cc4d908271

SHA1
9d88e59463e2a963bea95d6a2cc5383e922f2f27

SHA256
7bee0aff7241590f5bd35727a1a544a492b7533f1acba685611dd269078d1857

SHA512
0daec31046c2704b30760f7aecc944f9591cdf22511e5e9276f3dbc376cc60b04853c3e25abca2e754aeaaaac49c264c7d89d418c832c8275fb5484d51a99b3e

Download Submit
\??\c:\users\admin\desktop\00457\heur-trojan-ransom.win32.agent.gen-659a1a605a6aece70fd1906c5b4856475aa292c37f0dfd6299d1d1cb38849faf.exe

Filesize
538KB

MD5
eebf3896e987f502ce73d20bc180b544

SHA1
20f4813b39c650ca9c2eb88578a0154b05d1e6a3

SHA256
659a1a605a6aece70fd1906c5b4856475aa292c37f0dfd6299d1d1cb38849faf

SHA512
121dfae8770d686e0a4a53f39301a097793841240dfa5976bd284f17fb6ee6b9ee35f0f3be6ac943b85580ff42ffc87a0fd06e268d06dc4fe372e5c6e8500997

Download Submit
memory/64-409-0x000002B2A0A80000-0x000002B2A1206000-memory.dmp

Filesize
7.5MB

Download
memory/64-486-0x000002B2A20F0000-0x000002B2A21AC000-memory.dmp

Filesize
752KB

Download
memory/64-506-0x000002B2A2280000-0x000002B2A2310000-memory.dmp

Filesize
576KB

Download
memory/64-500-0x000002B2A2230000-0x000002B2A227A000-memory.dmp

Filesize
296KB

Download
memory/64-496-0x000002B2A0A40000-0x000002B2A0A58000-memory.dmp

Filesize
96KB

Download
memory/64-300-0x000002B285870000-0x000002B286568000-memory.dmp

Filesize
13.0MB

Download
memory/64-499-0x000002B2A21B0000-0x000002B2A2230000-memory.dmp

Filesize
512KB

Download
memory/64-410-0x000002B2A0990000-0x000002B2A0A06000-memory.dmp

Filesize
472KB

Download
memory/372-262-0x0000000000CB0000-0x0000000001B1A000-memory.dmp

Filesize
14.4MB

Download
memory/512-2725-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/772-433-0x00000000069C0000-0x00000000069E8000-memory.dmp

Filesize
160KB

Download
memory/772-2615-0x0000000007430000-0x0000000007444000-memory.dmp

Filesize
80KB

Download
memory/772-250-0x0000000000910000-0x000000000097C000-memory.dmp

Filesize
432KB

Download
memory/772-257-0x00000000054C0000-0x000000000555C000-memory.dmp

Filesize
624KB

Download
memory/772-1074-0x0000000006990000-0x00000000069B2000-memory.dmp

Filesize
136KB

Download
memory/772-2621-0x0000000007590000-0x0000000007596000-memory.dmp

Filesize
24KB

Download
memory/772-434-0x0000000006B80000-0x0000000006D10000-memory.dmp

Filesize
1.6MB

Download
memory/772-436-0x0000000006A90000-0x0000000006B02000-memory.dmp

Filesize
456KB

Download
memory/1000-206-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1000-201-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1000-211-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1000-210-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1000-200-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1000-199-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1000-209-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1000-208-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1000-207-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1000-205-0x000001F43B140000-0x000001F43B141000-memory.dmp

Filesize
4KB

Download
memory/1380-1410-0x0000000000890000-0x0000000000A52000-memory.dmp

Filesize
1.8MB

Download
memory/1380-1313-0x0000000000890000-0x0000000000A52000-memory.dmp

Filesize
1.8MB

Download
memory/1396-2543-0x0000000003320000-0x000000000334D000-memory.dmp

Filesize
180KB

Download
memory/1416-840-0x00007FFF0C9D0000-0x00007FFF0C9E0000-memory.dmp

Filesize
64KB

Download
memory/1416-693-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1416-797-0x00007FFF0C9D0000-0x00007FFF0C9E0000-memory.dmp

Filesize
64KB

Download
memory/1416-627-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1416-626-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1416-628-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1416-637-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

Filesize
64KB

Download
memory/1560-267-0x0000000000310000-0x0000000000368000-memory.dmp

Filesize
352KB

Download
memory/1744-255-0x0000000004990000-0x0000000004A22000-memory.dmp

Filesize
584KB

Download
memory/1744-253-0x0000000000010000-0x0000000000082000-memory.dmp

Filesize
456KB

Download
memory/1940-2731-0x0000000005440000-0x000000000547C000-memory.dmp

Filesize
240KB

Download
memory/1940-2767-0x0000000005820000-0x000000000592A000-memory.dmp

Filesize
1.0MB

Download
memory/1940-2728-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1940-2729-0x0000000005A20000-0x0000000006038000-memory.dmp

Filesize
6.1MB

Download
memory/1940-2730-0x0000000003080000-0x0000000003092000-memory.dmp

Filesize
72KB

Download
memory/2124-2622-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2200-293-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/2200-325-0x0000000005CF0000-0x0000000005D12000-memory.dmp

Filesize
136KB

Download
memory/2200-333-0x0000000005FE0000-0x0000000006334000-memory.dmp

Filesize
3.3MB

Download
memory/2200-330-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/2200-331-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/2200-292-0x0000000004EB0000-0x0000000004EE6000-memory.dmp

Filesize
216KB

Download
memory/2224-989-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2224-1450-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2328-270-0x0000000000810000-0x0000000000824000-memory.dmp

Filesize
80KB

Download
memory/2328-271-0x00000000074B0000-0x00000000074BA000-memory.dmp

Filesize
40KB

Download
memory/2328-272-0x00000000027E0000-0x00000000027EA000-memory.dmp

Filesize
40KB

Download
memory/2328-276-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/2596-3762-0x00000000002C0000-0x0000000000308000-memory.dmp

Filesize
288KB

Download
memory/2616-1123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2816-246-0x00000000027C0000-0x00000000027C6000-memory.dmp

Filesize
24KB

Download
memory/2816-245-0x0000000000850000-0x000000000086C000-memory.dmp

Filesize
112KB

Download
memory/2884-277-0x0000000000D00000-0x0000000000D3E000-memory.dmp

Filesize
248KB

Download
memory/2900-2687-0x0000000000C70000-0x0000000000C9A000-memory.dmp

Filesize
168KB

Download
memory/2900-2691-0x0000000001440000-0x0000000001460000-memory.dmp

Filesize
128KB

Download
memory/3012-414-0x0000000000DE0000-0x0000000000E02000-memory.dmp

Filesize
136KB

Download
memory/3440-1113-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4400-1946-0x0000000002630000-0x000000000264E000-memory.dmp

Filesize
120KB

Download
memory/4400-2077-0x0000000002660000-0x0000000002674000-memory.dmp

Filesize
80KB

Download
memory/4400-710-0x0000000004B10000-0x0000000004B86000-memory.dmp

Filesize
472KB

Download
memory/4400-687-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/4752-251-0x00000000002F0000-0x0000000000366000-memory.dmp

Filesize
472KB

Download
memory/4776-1090-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

Filesize
104KB

Download
memory/4776-1089-0x0000000006C20000-0x0000000006CB6000-memory.dmp

Filesize
600KB

Download
memory/4776-902-0x00000000066A0000-0x00000000066BE000-memory.dmp

Filesize
120KB

Download
memory/4776-1162-0x0000000008940000-0x0000000008FBA000-memory.dmp

Filesize
6.5MB

Download
memory/4776-937-0x0000000006B00000-0x0000000006B4C000-memory.dmp

Filesize
304KB

Download
memory/4804-230-0x000001E12E3D0000-0x000001E12E3EE000-memory.dmp

Filesize
120KB

Download
memory/4804-226-0x00007FFF30543000-0x00007FFF30545000-memory.dmp

Filesize
8KB

Download
memory/4804-185-0x000001E12DEA0000-0x000001E12DEC2000-memory.dmp

Filesize
136KB

Download
memory/4804-227-0x00007FFF30540000-0x00007FFF31001000-memory.dmp

Filesize
10.8MB

Download
memory/4804-198-0x000001E12E430000-0x000001E12E4A6000-memory.dmp

Filesize
472KB

Download
memory/4804-195-0x00007FFF30540000-0x00007FFF31001000-memory.dmp

Filesize
10.8MB

Download
memory/4804-197-0x000001E12E360000-0x000001E12E3A4000-memory.dmp

Filesize
272KB

Download
memory/4804-196-0x00007FFF30540000-0x00007FFF31001000-memory.dmp

Filesize
10.8MB

Download
memory/4804-184-0x00007FFF30543000-0x00007FFF30545000-memory.dmp

Filesize
8KB

Download
memory/5104-252-0x0000000000470000-0x000000000052E000-memory.dmp

Filesize
760KB

Download
memory/5104-254-0x0000000005500000-0x0000000005AA4000-memory.dmp

Filesize
5.6MB

Download
memory/5104-260-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/5300-1132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5332-1444-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5408-1330-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5444-1148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5636-1164-0x0000000000640000-0x0000000000730000-memory.dmp

Filesize
960KB

Download
memory/5760-1700-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5816-1234-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5992-1228-0x0000000000140000-0x0000000000156000-memory.dmp

Filesize
88KB

Download
memory/6048-1198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/8748-2302-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/9172-2521-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/9736-2113-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/9788-2723-0x0000000000400000-0x000000000325A000-memory.dmp

Filesize
46.4MB

Download
memory/9908-2393-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/9908-2109-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/9912-2625-0x0000000000400000-0x000000000326C000-memory.dmp

Filesize
46.4MB

Download
memory/9932-1954-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/9960-1800-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/9976-2528-0x0000000000400000-0x000000000367B000-memory.dmp

Filesize
50.5MB

Download
memory/10008-1935-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/10096-2055-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/10096-2626-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/10096-2051-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/10204-3521-0x0000000000410000-0x0000000000590000-memory.dmp

Filesize
1.5MB

Download
memory/10248-4056-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/10316-3646-0x0000000002900000-0x0000000002906000-memory.dmp

Filesize
24KB

Download
memory/10316-3636-0x0000000002870000-0x0000000002896000-memory.dmp

Filesize
152KB

Download
memory/10316-3606-0x0000000002860000-0x0000000002866000-memory.dmp

Filesize
24KB

Download
memory/10316-3600-0x00000000007D0000-0x0000000000802000-memory.dmp

Filesize
200KB

Download
memory/10368-2841-0x00000000052D0000-0x00000000052E2000-memory.dmp

Filesize
72KB

Download
memory/10368-2840-0x0000000000BD0000-0x0000000000BE8000-memory.dmp

Filesize
96KB

Download
memory/10416-2595-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/10576-2685-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/10744-3903-0x00000000008A0000-0x00000000008DE000-memory.dmp

Filesize
248KB

Download
memory/10744-3915-0x00000000075A0000-0x000000000760A000-memory.dmp

Filesize
424KB

Download
memory/10744-3934-0x0000000005320000-0x0000000005372000-memory.dmp

Filesize
328KB

Download
memory/10752-3185-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/10984-2775-0x00000000008D0000-0x00000000009A6000-memory.dmp

Filesize
856KB

Download
memory/10984-2832-0x0000000005590000-0x00000000055A6000-memory.dmp

Filesize
88KB

Download
memory/10984-2786-0x00000000055B0000-0x0000000005606000-memory.dmp

Filesize
344KB

Download
memory/11084-2605-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/11116-3251-0x0000000000040000-0x0000000000098000-memory.dmp

Filesize
352KB

Download