Overview

overview

10

Static

static

1

RNSM00441.7z

windows10-2004-x64

10

Resubmissions

24-10-2024 20:28

241024-y8ymjashkr 10

24-10-2024 19:39

241024-ydabfsscpe 1

Analysis

  • max time kernel
    95s
  • max time network
    236s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-10-2024 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00441.7z

  • Size

    53.5MB

  • MD5

    1f07deb824d20334eca9d63413320f1f

  • SHA1

    56067bd17bbe30dfde1b4105924688227931f668

  • SHA256

    adc85b9fc63f672336e015658cfa59663940299f1c7e7cb3c867423606f85c5a

  • SHA512

    2aa3e8aa6df2a4832c22c92b4e8f78725296e201b777ffed0ef6ffccdd53f09eb82ec6e40b0e67cf9dfff869af156e6136832ddf9948d3a090c6bba977fd7bd4

  • SSDEEP

    1572864:PW+3Sr6Ioq3gdUBA1cE6K7HPLmgk3CRlTRCrwb9Zs3:PWSsoqwWAYCvnkyPlCrw9Zs3

Score
10/10
avaddonconticrimsonratgandcrabagilenetbackdoorcredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwareratspywarestealertrojanupx

Malware Config

Extracted

Family

crimsonrat

C2

107.175.1.103

Extracted

Path

C:\Program Files\Common Files\DESIGNER\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://24cduc2htewrcv37.onion/?ZQXPGDPQ 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://24cduc2htewrcv37.onion/?ZQXPGDPQ

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.top/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- FQ6C1V320lsGoEpDS1i4SFkTzLnOQ9vSXpwMwYdsE7CL2myTZeHVHuuqtzHQGOpB ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.top/

Extracted

Path

C:\Users\Admin\3D Objects\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * ARvYCcVKXzdOG1jPY6J2vGLV
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 13WuXpIeNbLTcxrRjcD9bvTWxFG
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Contacts\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * NC7HL15RDD32VNVTP9eHm6c3KPUZAu
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * wYRrLdRs
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * Jg3hgpEg4fuo
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 9IA411XzuHcsKWB
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    ransomwareavaddon
  • Avaddon payload 1 IoCs
  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

    ransomwareconti
  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Disables service(s) 3 TTPs
    evasionexecution
  • GandCrab payload 2 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (3859) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00441.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2768
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2532
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:36940
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe
        HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4460
      • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda.exe
        HEUR-Trojan-Ransom.MSIL.Blocker.gen-aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2568
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "a" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\a.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3560
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "a" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\a.exe"
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:5888
        • C:\Users\Admin\AppData\Roaming\a.exe
          "C:\Users\Admin\AppData\Roaming\a.exe"
          4⤵
            PID:36636
        • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-ea498e3356225b2ab45e3603b51ade4bc69d343491e877fb0ffb1caa792f33cf.exe
          HEUR-Trojan-Ransom.MSIL.Blocker.gen-ea498e3356225b2ab45e3603b51ade4bc69d343491e877fb0ffb1caa792f33cf.exe
          3⤵
          • Executes dropped EXE
          PID:1808
        • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c.exe
          HEUR-Trojan-Ransom.MSIL.Blocker.gen-faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          PID:4452
        • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe
          HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $source = 'C:\Users\Public\Libraries\DATA';$archive = 'C:\Users\Public\Libraries\';$Name = [Environment]::MachineName+'DATA.zip';$destination = 'C:\Users\Public\Libraries\';$ArchiveFile = Join-Path -Path $archive -ChildPath $Name;MD $archive -EA 0 | Out-Null;If(Test-path $ArchiveFile) {Remove-item $ArchiveFile}Add-Type -assembly 'system.io.compression.filesystem';[io.compression.zipfile]::CreateFromDirectory($Source, $ArchiveFile);Copy-Item -Path $ArchiveFile -Destination $destination -Force;
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1256
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            dw20.exe -x -s 1460
            4⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
        • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exe
          HEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4696
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "win" /t REG_SZ /d "C:\Users\Admin\Desktop\win.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4484
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "win" /t REG_SZ /d "C:\Users\Admin\Desktop\win.exe"
              5⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:5788
        • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-f08cae71c4b597696cbc429069d295dda01963a82a8727e4f65e585048cf1fa9.exe
          HEUR-Trojan-Ransom.MSIL.Encoder.gen-f08cae71c4b597696cbc429069d295dda01963a82a8727e4f65e585048cf1fa9.exe
          3⤵
          • Executes dropped EXE
          PID:4288
        • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Foreign.gen-ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077.exe
          HEUR-Trojan-Ransom.MSIL.Foreign.gen-ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4128
        • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Gen.gen-6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f.exe
          HEUR-Trojan-Ransom.MSIL.Gen.gen-6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4180
        • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe
          HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill" /F /IM RaccineSettings.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4004
          • C:\Windows\SysWOW64\reg.exe
            "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2984
          • C:\Windows\SysWOW64\reg.exe
            "reg" delete HKCU\Software\Raccine /F
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:5292
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /DELETE /TN "Raccine Rules Updater" /F
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5752
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config Dnscache start= auto
            4⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2380
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config FDResPub start= auto
            4⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:3888
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SSDPSRV start= auto
            4⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2320
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5144
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config upnphost start= auto
            4⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:5708
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SQLTELEMETRY start= disabled
            4⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:5344
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
            4⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:5308
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SQLWriter start= disabled
            4⤵
            • Launches sc.exe
            PID:7560
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SstpSvc start= disabled
            4⤵
            • Launches sc.exe
            PID:7624
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM mspub.exe /F
            4⤵
            • Kills process with taskkill
            PID:8580
          • C:\Windows\SysWOW64\taskkill.exe
            "taskkill.exe" /IM firefoxconfig.exe /F
            4⤵
            • Kills process with taskkill
            PID:45532
        • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe
          HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2832
          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe
            HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe
            4⤵
              PID:7584
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 820
              4⤵
              • Program crash
              PID:36660
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 820
              4⤵
              • Program crash
              PID:36820
          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
            HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4228
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe" "C:\Users\Admin\Desktop\00441\NWCcBCAt.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2972
            • C:\Users\Admin\Desktop\00441\NWCcBCAt.exe
              "C:\Users\Admin\Desktop\00441\NWCcBCAt.exe" -n
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:5216
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nVz4NKPr.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
              4⤵
                PID:7512
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nVz4NKPr.bmp" /f
                  5⤵
                    PID:27920
                  • C:\Windows\SysWOW64\reg.exe
                    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
                    5⤵
                      PID:13948
                    • C:\Windows\SysWOW64\reg.exe
                      reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
                      5⤵
                        PID:14024
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yUvNt6ON.vbs"
                      4⤵
                        PID:7540
                        • C:\Windows\SysWOW64\wscript.exe
                          wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yUvNt6ON.vbs"
                          5⤵
                            PID:20464
                      • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.CryFile.gen-8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac.exe
                        HEUR-Trojan-Ransom.Win32.CryFile.gen-8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac.exe
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:2540
                      • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c33768e6f45b4cd85028c17c46ba3d32d368960eb9faf46cb14296e604b9657c.exe
                        HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c33768e6f45b4cd85028c17c46ba3d32d368960eb9faf46cb14296e604b9657c.exe
                        3⤵
                        • Executes dropped EXE
                        PID:1732
                      • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Cryptor.gen-8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230.exe
                        HEUR-Trojan-Ransom.Win32.Cryptor.gen-8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230.exe
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1620
                        • C:\Windows\SYSTEM32\cmd.exe
                          cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8DB2BF15-85F5-4819-86C1-35E47A0FFE8E}'" delete
                          4⤵
                            PID:5372
                            • C:\Windows\System32\wbem\WMIC.exe
                              C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8DB2BF15-85F5-4819-86C1-35E47A0FFE8E}'" delete
                              5⤵
                                PID:4396
                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0.exe
                            HEUR-Trojan-Ransom.Win32.GandCrypt.gen-63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0.exe
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1992
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 416
                              4⤵
                              • Program crash
                              PID:4620
                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
                            HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
                            3⤵
                            • Executes dropped EXE
                            • Drops desktop.ini file(s)
                            • Enumerates connected drives
                            • Drops file in Program Files directory
                            • System Location Discovery: System Language Discovery
                            PID:3172
                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
                            HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
                            3⤵
                            • UAC bypass
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Enumerates connected drives
                            • System Location Discovery: System Language Discovery
                            • System policy modification
                            PID:4512
                            • C:\Windows\SysWOW64\Wbem\wmic.exe
                              wmic SHADOWCOPY DELETE /nointeractive
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5480
                            • C:\Windows\SysWOW64\Wbem\wmic.exe
                              wmic SHADOWCOPY DELETE /nointeractive
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:5788
                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-1d457781b4fa198714bb0c9c52b1d67605410ae9faf03aa9360970c34a8e07a0.exe
                            HEUR-Trojan-Ransom.Win32.Generic-1d457781b4fa198714bb0c9c52b1d67605410ae9faf03aa9360970c34a8e07a0.exe
                            3⤵
                            • Executes dropped EXE
                            PID:2632
                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-2278b4445d6c307b1c489a36dc4876b390979c891588f741765d37d93af52f21.exe
                            HEUR-Trojan-Ransom.Win32.Generic-2278b4445d6c307b1c489a36dc4876b390979c891588f741765d37d93af52f21.exe
                            3⤵
                              PID:28180
                            • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-742ffc85a18a899481c67d95d0e2bc7efed10a09a8ee08987ac03368db172e95.exe
                              HEUR-Trojan-Ransom.Win32.Generic-742ffc85a18a899481c67d95d0e2bc7efed10a09a8ee08987ac03368db172e95.exe
                              3⤵
                                PID:12088
                          • C:\Windows\system32\vssvc.exe
                            C:\Windows\system32\vssvc.exe
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3464
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1992 -ip 1992
                            1⤵
                              PID:3176
                            • C:\Windows\system32\wbem\wmic.exe
                              wmic SHADOWCOPY DELETE /nointeractive
                              1⤵
                              • Process spawned unexpected child process
                              PID:5392
                            • C:\Windows\system32\wbem\wmic.exe
                              wmic SHADOWCOPY DELETE /nointeractive
                              1⤵
                              • Process spawned unexpected child process
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5408
                            • C:\Windows\system32\wbem\wmic.exe
                              wmic SHADOWCOPY DELETE /nointeractive
                              1⤵
                              • Process spawned unexpected child process
                              PID:5448
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2832 -ip 2832
                              1⤵
                                PID:8792
                              • C:\Windows\explorer.exe
                                explorer.exe
                                1⤵
                                  PID:29776
                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
                                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
                                  1⤵
                                    PID:26136
                                    • C:\Windows\SysWOW64\Wbem\wmic.exe
                                      wmic SHADOWCOPY DELETE /nointeractive
                                      2⤵
                                        PID:29716
                                      • C:\Windows\SysWOW64\Wbem\wmic.exe
                                        wmic SHADOWCOPY DELETE /nointeractive
                                        2⤵
                                          PID:12356
                                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                                          wmic SHADOWCOPY DELETE /nointeractive
                                          2⤵
                                            PID:9400
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                          1⤵
                                            PID:13988
                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                            1⤵
                                              PID:16968
                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                              1⤵
                                                PID:14360
                                              • C:\Windows\explorer.exe
                                                explorer.exe
                                                1⤵
                                                  PID:16728
                                                • C:\Windows\system32\wbem\wmic.exe
                                                  wmic SHADOWCOPY DELETE /nointeractive
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  PID:6668
                                                • C:\Windows\system32\wbem\wmic.exe
                                                  wmic SHADOWCOPY DELETE /nointeractive
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  PID:9684
                                                • C:\Windows\system32\wbem\wmic.exe
                                                  wmic SHADOWCOPY DELETE /nointeractive
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  PID:16896
                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                  1⤵
                                                    PID:32296
                                                  • C:\Windows\explorer.exe
                                                    explorer.exe
                                                    1⤵
                                                      PID:15444
                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                      1⤵
                                                        PID:9204
                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                        1⤵
                                                          PID:15848
                                                        • C:\Windows\explorer.exe
                                                          explorer.exe
                                                          1⤵
                                                            PID:29556
                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                            1⤵
                                                              PID:18988
                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                              1⤵
                                                                PID:24516
                                                              • C:\Windows\explorer.exe
                                                                explorer.exe
                                                                1⤵
                                                                  PID:10624
                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                  1⤵
                                                                    PID:23888
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                    1⤵
                                                                      PID:11864
                                                                    • C:\Windows\System32\rundll32.exe
                                                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                      1⤵
                                                                        PID:10216
                                                                      • C:\Windows\explorer.exe
                                                                        explorer.exe
                                                                        1⤵
                                                                          PID:6336
                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                          1⤵
                                                                            PID:8392
                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                            1⤵
                                                                              PID:5180
                                                                            • C:\Windows\System32\rundll32.exe
                                                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                              1⤵
                                                                                PID:19244
                                                                              • C:\Windows\explorer.exe
                                                                                explorer.exe
                                                                                1⤵
                                                                                  PID:22028
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                  1⤵
                                                                                    PID:21268
                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                    1⤵
                                                                                      PID:27104
                                                                                    • C:\Windows\explorer.exe
                                                                                      explorer.exe
                                                                                      1⤵
                                                                                        PID:31632
                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                        1⤵
                                                                                          PID:13228
                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                          1⤵
                                                                                            PID:32188
                                                                                          • C:\Windows\explorer.exe
                                                                                            explorer.exe
                                                                                            1⤵
                                                                                              PID:14444
                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                              1⤵
                                                                                                PID:15908
                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                1⤵
                                                                                                  PID:16276
                                                                                                • C:\Windows\explorer.exe
                                                                                                  explorer.exe
                                                                                                  1⤵
                                                                                                    PID:25980
                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                    1⤵
                                                                                                      PID:28588
                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                      1⤵
                                                                                                        PID:25708
                                                                                                      • C:\Windows\explorer.exe
                                                                                                        explorer.exe
                                                                                                        1⤵
                                                                                                          PID:37836
                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                          1⤵
                                                                                                            PID:38032
                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                            1⤵
                                                                                                              PID:38148
                                                                                                            • C:\Windows\explorer.exe
                                                                                                              explorer.exe
                                                                                                              1⤵
                                                                                                                PID:39100
                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                1⤵
                                                                                                                  PID:39280
                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                  1⤵
                                                                                                                    PID:39420
                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                    explorer.exe
                                                                                                                    1⤵
                                                                                                                      PID:40460
                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                      1⤵
                                                                                                                        PID:40752
                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                        1⤵
                                                                                                                          PID:40884
                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                          explorer.exe
                                                                                                                          1⤵
                                                                                                                            PID:41516

                                                                                                                          Network

                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                          Reconnaissance

                                                                                                                          Resource Development

                                                                                                                          Initial Access

                                                                                                                          Execution

                                                                                                                          System Services

                                                                                                                          1
                                                                                                                          T1569

                                                                                                                          Service Execution

                                                                                                                          1
                                                                                                                          T1569.002

                                                                                                                          Windows Management Instrumentation

                                                                                                                          1
                                                                                                                          T1047

                                                                                                                          Persistence

                                                                                                                          Boot or Logon Autostart Execution

                                                                                                                          1
                                                                                                                          T1547

                                                                                                                          Registry Run Keys / Startup Folder

                                                                                                                          1
                                                                                                                          T1547.001

                                                                                                                          Create or Modify System Process

                                                                                                                          1
                                                                                                                          T1543

                                                                                                                          Windows Service

                                                                                                                          1
                                                                                                                          T1543.003

                                                                                                                          Privilege Escalation

                                                                                                                          Abuse Elevation Control Mechanism

                                                                                                                          1
                                                                                                                          T1548

                                                                                                                          Bypass User Account Control

                                                                                                                          1
                                                                                                                          T1548.002

                                                                                                                          Boot or Logon Autostart Execution

                                                                                                                          1
                                                                                                                          T1547

                                                                                                                          Registry Run Keys / Startup Folder

                                                                                                                          1
                                                                                                                          T1547.001

                                                                                                                          Create or Modify System Process

                                                                                                                          1
                                                                                                                          T1543

                                                                                                                          Windows Service

                                                                                                                          1
                                                                                                                          T1543.003

                                                                                                                          Defense Evasion

                                                                                                                          Abuse Elevation Control Mechanism

                                                                                                                          1
                                                                                                                          T1548

                                                                                                                          Bypass User Account Control

                                                                                                                          1
                                                                                                                          T1548.002

                                                                                                                          Impair Defenses

                                                                                                                          1
                                                                                                                          T1562

                                                                                                                          Disable or Modify Tools

                                                                                                                          1
                                                                                                                          T1562.001

                                                                                                                          Indicator Removal

                                                                                                                          1
                                                                                                                          T1070

                                                                                                                          File Deletion

                                                                                                                          1
                                                                                                                          T1070.004

                                                                                                                          Modify Registry

                                                                                                                          4
                                                                                                                          T1112

                                                                                                                          Credential Access

                                                                                                                          Credentials from Password Stores

                                                                                                                          1
                                                                                                                          T1555

                                                                                                                          Credentials from Web Browsers

                                                                                                                          1
                                                                                                                          T1555.003

                                                                                                                          Unsecured Credentials

                                                                                                                          4
                                                                                                                          T1552

                                                                                                                          Credentials In Files

                                                                                                                          4
                                                                                                                          T1552.001

                                                                                                                          Discovery

                                                                                                                          Peripheral Device Discovery

                                                                                                                          2
                                                                                                                          T1120

                                                                                                                          Query Registry

                                                                                                                          6
                                                                                                                          T1012

                                                                                                                          System Information Discovery

                                                                                                                          7
                                                                                                                          T1082

                                                                                                                          System Location Discovery

                                                                                                                          1
                                                                                                                          T1614

                                                                                                                          System Language Discovery

                                                                                                                          1
                                                                                                                          T1614.001

                                                                                                                          Lateral Movement

                                                                                                                          Collection

                                                                                                                          Data from Local System

                                                                                                                          3
                                                                                                                          T1005

                                                                                                                          Command and Control

                                                                                                                          Exfiltration

                                                                                                                          Impact

                                                                                                                          Inhibit System Recovery

                                                                                                                          1
                                                                                                                          T1490

                                                                                                                          Service Stop

                                                                                                                          1
                                                                                                                          T1489

                                                                                                                          Replay Monitor

                                                                                                                          Loading Replay Monitor...

                                                                                                                          Downloads

                                                                                                                          • C:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini
                                                                                                                            Filesize

                                                                                                                            129B

                                                                                                                            MD5

                                                                                                                            a526b9e7c716b3489d8cc062fbce4005

                                                                                                                            SHA1

                                                                                                                            2df502a944ff721241be20a9e449d2acd07e0312

                                                                                                                            SHA256

                                                                                                                            e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                                                                                                            SHA512

                                                                                                                            d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe
                                                                                                                            Filesize

                                                                                                                            209KB

                                                                                                                            MD5

                                                                                                                            b982d99e3ca0b987a77189c01ac57d54

                                                                                                                            SHA1

                                                                                                                            dbdcd2b7ddc8e764fda7a28fa145e983f42ca66e

                                                                                                                            SHA256

                                                                                                                            0e6c18e2f32d6c50a04a0c3b1675d968e83a7250f49629f1307ff8cd83938c30

                                                                                                                            SHA512

                                                                                                                            0b0cb7450a294d57a00442047ede7beb3ade14a14b9e347d93c4587aa7b83d54932862d304793c534503ea356a46eb8cf0f6ff3d4afd4408b68c1d7b6a51db25

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files (x86)\readme.txt
                                                                                                                            Filesize

                                                                                                                            866B

                                                                                                                            MD5

                                                                                                                            78a15c814df271551d3e0d882a7caae6

                                                                                                                            SHA1

                                                                                                                            65a43e6eac21105afaf62f534bc066c8f460122d

                                                                                                                            SHA256

                                                                                                                            c5543d9ed561efd53666d18ce7e6fcc8bc500c8e90ee873aae1ea8615ca0405b

                                                                                                                            SHA512

                                                                                                                            9cca3a336d30b324eeab100d87f812e5ff2459de1177f9b4fab7513b8f1de2d0d01521f01c539b497ee498a095a807c47ff816b775b3d8095f7d7fc673dba269

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7-zip.chm
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            1690518fa34e9db95dd083f72590dbae

                                                                                                                            SHA1

                                                                                                                            955fabc673478aec7db1e5de8145a1eafe94a9bc

                                                                                                                            SHA256

                                                                                                                            314db20b5b5a1692bcff789e8c1785fdb65b7cffc7912b53b17cc1c215076336

                                                                                                                            SHA512

                                                                                                                            071eb1a9404854cf076f673880548ad952549111836e2f0ed3650b6e7807e282b75bd2ca9c74ce3fff7958f4cf64cccb7424a108d9ce47d4f6050f6786cfaea5

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7-zip.chm.exe
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            1e4d134ae88f60d0d0e4252e159ecca1

                                                                                                                            SHA1

                                                                                                                            46fecfadee49e5c7416bbe602a3bc92b774d81c1

                                                                                                                            SHA256

                                                                                                                            b0a962d2d989e47d7513ff68b2ec544b114626c62edcfbbe2e30e4f848f31b1b

                                                                                                                            SHA512

                                                                                                                            047a65710d91d562442b8a94034439e0b3b60bbb8cd4d8debf5f09385d128566d7b069e17f76163a393b2a10b42927054b07420312ea5da36ac3e77cc5a331c1

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7-zip.chm.exe
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            e46a69aeacf106f03f7f4fb6b2d0270a

                                                                                                                            SHA1

                                                                                                                            d41a7ab6436ca07a0b7ba1b5c237a60413900745

                                                                                                                            SHA256

                                                                                                                            9b37aa3552cc0190d67613396c38beb14397a88a69b6d66c2d0b73d8b13aec17

                                                                                                                            SHA512

                                                                                                                            454565c2ebc1c9c8548f91529f77824b504171ec9af441ffbf990d7fad2950c59d5169cd3c78d77ff04ecfc8d82ee24bde276e39c35c48c56796ab3be85d5fcd

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7-zip.dll.exe
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            050df8332d669a244a2aaa65283001b0

                                                                                                                            SHA1

                                                                                                                            136685645a919d9ec4a99fc92fdd41880d35afe5

                                                                                                                            SHA256

                                                                                                                            acd35536058ba1044a6c83453ade422c456e2d4ffe1b043a3d29bb8fcb35e360

                                                                                                                            SHA512

                                                                                                                            2a02d3db7ae2e63be60e2bb594a96567e0e46022dbde48535353aa7d9076b7067ca42cf38bcbf1ce51636387ac68e3ef86e95f24d466cd6d0007bb2fb9e9f789

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7-zip32.dll
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            e4a6f75ab2e7e832297b3badf9188b5a

                                                                                                                            SHA1

                                                                                                                            0b01388fa39c0d74c708f31e221f14befe87c91a

                                                                                                                            SHA256

                                                                                                                            0c2ae8f94feafd341ae93012e61651a7af7441fdf97ec9cd7b5fd5706110ee13

                                                                                                                            SHA512

                                                                                                                            081bb2f7b3fe72480296ea5f9d47ace0a4c7d25a6a8019f4d92b75c578fdb1b84b640884705ae7d0a8de078b10f14afb8fa908c807a6c97c50993fbad5ac7b13

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7-zip32.dll.exe
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            b72e54c7d0daf30ae432ab586b3355ba

                                                                                                                            SHA1

                                                                                                                            9039f97a512fcbf995e96429da6e85d6b7d35d43

                                                                                                                            SHA256

                                                                                                                            6b2eadd934f24fc5be0649b09cbdaf24ec0d3ebd0d58e38ef948d1c5e4bca608

                                                                                                                            SHA512

                                                                                                                            0dee13da7ce81f727aa4e2c90c2de861800a9efe597ed910e6ba658589b8a1553a0172233bfeb0fdf8c7e8dd3e182dc4830b48752000695ff4b6ffe43f13d5ec

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7z.dll
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            2d6885cf032ba8e71b74df07820a9cbf

                                                                                                                            SHA1

                                                                                                                            b418440c37b67ebee4acd414253404adf3b8934b

                                                                                                                            SHA256

                                                                                                                            8f67aa74cfe5a2b613a0a964d895a2587d34f399ae16691d42b1c97b04a64dfa

                                                                                                                            SHA512

                                                                                                                            dfa709c4b41f183074b9aa80b9a988c51e47dee50f27962e3b6bf2a417a382ba187f8ac1990d65cd8171d96c43370bc7673eec78ef09e859de4defb5206f6d16

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7z.dll.exe
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            6553da596cecfca0deeab733aa61b3d2

                                                                                                                            SHA1

                                                                                                                            ce285c56d988befc7042199d720a6915e02061bf

                                                                                                                            SHA256

                                                                                                                            2fda5fb97d2cc51852b905a5ab089d4035fa1505e8dddbcc3f86e2d0c0d469ef

                                                                                                                            SHA512

                                                                                                                            b0a0561a103a0a649c2becc11168248a83e60ac02141b7f30097737ea16ce8b8db3cfdd591fbcfab4c647b06335b41fcb6aa7c389a533682c958cbe55148dfe8

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7z.exe
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            2d7617a9b4f471ea3d6f3f33b0f908ac

                                                                                                                            SHA1

                                                                                                                            efea81c20f02109d2fdb16e65e3be0df5b2488de

                                                                                                                            SHA256

                                                                                                                            d03f0f2fcdc26e0e4cdccfefc83d4118c754f4b4cac1bf55eca40b822846e8e7

                                                                                                                            SHA512

                                                                                                                            90a350cc0791db67e3a672344c32c024d3078f7b02c33a431bc30319d533cf3b0fbc9c0529626410b0db8b991389442a91d2ba6f4befdb7c0da0cc3241e185f2

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\7-Zip\7z.exe.exe
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            f642259e36ad0f4ae382fb0fb0921258

                                                                                                                            SHA1

                                                                                                                            a78dc7f00ae27c1437200b9fb76be1a291303d68

                                                                                                                            SHA256

                                                                                                                            b7fbc0b11920b0091948ed1e77ef3a284dfc4ab8b0ea51b5b4eb37f25f1c7279

                                                                                                                            SHA512

                                                                                                                            dec44b43c4587d15eaa268732cb55ec790ed0f191cd969f3c867fce0c61ba456de7d5830c3314c328945912906a425ef23722e87f597a50aed16107b71786122

                                                                                                                            Download Submit

                                                                                                                          • C:\Program Files\Common Files\DESIGNER\Read_Me.txt
                                                                                                                            Filesize

                                                                                                                            816B

                                                                                                                            MD5

                                                                                                                            31722d5c1bb830a5fc281b72ec1887d6

                                                                                                                            SHA1

                                                                                                                            f595305fbc8832f7cda09045b508f0687d7b3752

                                                                                                                            SHA256

                                                                                                                            dc0ab4e1ac4ec0fa85702c90cf34c80627dada52f553b7294626992f2054c1dd

                                                                                                                            SHA512

                                                                                                                            37fa6597e45c77d7b92ce536d93203b823ec63f0d1cdc57f9e9529983c6d9b14ee1f1aea59817372334fd4f8b003a2a737be2d92dd6dcbb3715a8c0f5aa0244b

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\3D Objects\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            c5e6a78c061e63ea695e12d4d4137ed0

                                                                                                                            SHA1

                                                                                                                            5e027bcb329639aae46a089848a3281e925c797f

                                                                                                                            SHA256

                                                                                                                            db4a4d957350f18e5eb0bea136b485e082a67ec18335b49012510ff6c508ef01

                                                                                                                            SHA512

                                                                                                                            832740bf3ec3e85acf8310c2508f22444343022be5fb94f9d748f74fae0fa8f6e84014f6d48437cb5c2c85df7eaf3ba437a11e3dd3ce3efae6f74905ba6162d0

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                                                                                                                            Filesize

                                                                                                                            64KB

                                                                                                                            MD5

                                                                                                                            d2fb266b97caff2086bf0fa74eddb6b2

                                                                                                                            SHA1

                                                                                                                            2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                                                            SHA256

                                                                                                                            b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                                                            SHA512

                                                                                                                            c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                                                                                                                            Filesize

                                                                                                                            4B

                                                                                                                            MD5

                                                                                                                            f49655f856acb8884cc0ace29216f511

                                                                                                                            SHA1

                                                                                                                            cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                                            SHA256

                                                                                                                            7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                                            SHA512

                                                                                                                            599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                                                                                                                            Filesize

                                                                                                                            944B

                                                                                                                            MD5

                                                                                                                            6bd369f7c74a28194c991ed1404da30f

                                                                                                                            SHA1

                                                                                                                            0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                                                            SHA256

                                                                                                                            878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                                                            SHA512

                                                                                                                            8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                                            Filesize

                                                                                                                            53KB

                                                                                                                            MD5

                                                                                                                            a26df49623eff12a70a93f649776dab7

                                                                                                                            SHA1

                                                                                                                            efb53bd0df3ac34bd119adf8788127ad57e53803

                                                                                                                            SHA256

                                                                                                                            4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

                                                                                                                            SHA512

                                                                                                                            e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P124P4F8\microsoft.windows[1].xml
                                                                                                                            Filesize

                                                                                                                            97B

                                                                                                                            MD5

                                                                                                                            b01077afcc7309996bdc74624ad0b668

                                                                                                                            SHA1

                                                                                                                            39a646c7252af9904880deb549a4b796ad018625

                                                                                                                            SHA256

                                                                                                                            5cc33f0d7c169665e3cbe1e871be2adadb3a11f56a7852f2d3e9ae0b074c0d76

                                                                                                                            SHA512

                                                                                                                            b9c686fa01a921dcb418430e0e552ada9c830c71491e81225b06bac2a1488284b06710475dc8f41773860a3c20dd1e761a119b1e9351e4a797f71bf1ed6485fd

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
                                                                                                                            Filesize

                                                                                                                            9KB

                                                                                                                            MD5

                                                                                                                            4863907481fbee4da66e163e51ba8a06

                                                                                                                            SHA1

                                                                                                                            7db2d5abd0f1a33c354db3d06d82ddc53de2312e

                                                                                                                            SHA256

                                                                                                                            ead1f57948a2eb4d8e752620edadb3f99aa7fd025a2df37ee570d6ae220ba845

                                                                                                                            SHA512

                                                                                                                            0262e50badac0b5b9b2c556b37c36f29c9f56644855022b1ea07be7523fe6ff95d8fdd851caa8500f926cac0aeab208a0d677a1dd33888460aa768f41149b646

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
                                                                                                                            Filesize

                                                                                                                            13KB

                                                                                                                            MD5

                                                                                                                            a5477e2c35780fa02259f147b85197af

                                                                                                                            SHA1

                                                                                                                            8adb077471d1bf812fc923f36b6f4b8335cd235d

                                                                                                                            SHA256

                                                                                                                            8f6bf5aa906f7e7fbfdb4fda63f1a8e96b7dc6974448cfcee274926c0f39d8a0

                                                                                                                            SHA512

                                                                                                                            1f44fadff19a6d5e356e7a0e3fbd351854523b567204cb78bd76de8f75527e67b8b65334cf828caf3dc29ae1008acdf9a37d00c95d3ecf4a4d937f37d7908d72

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2nqqr1js.lrn.ps1
                                                                                                                            Filesize

                                                                                                                            60B

                                                                                                                            MD5

                                                                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                            SHA1

                                                                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                            SHA256

                                                                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                            SHA512

                                                                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\nsxCA23.tmp\System.dll
                                                                                                                            Filesize

                                                                                                                            11KB

                                                                                                                            MD5

                                                                                                                            55a26d7800446f1373056064c64c3ce8

                                                                                                                            SHA1

                                                                                                                            80256857e9a0a9c8897923b717f3435295a76002

                                                                                                                            SHA256

                                                                                                                            904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

                                                                                                                            SHA512

                                                                                                                            04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Contacts\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            99ee3f5b5461a108b708c38c2c1085e5

                                                                                                                            SHA1

                                                                                                                            67cb7b75661de8667652b20a9a8a1d99e765d3be

                                                                                                                            SHA256

                                                                                                                            c677879f232cf49161d0db4a1e9448dbf337fe1fc379148b40870808297d3ce5

                                                                                                                            SHA512

                                                                                                                            a2d12e958f9f17067c9549a058cfe28d1e9d7e4dbe245868893f2a99258fbf54ade31f0ab877222cae046df03f6fdb565c86676c311836761c3c430c5fb52f15

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            4600bcce644a99a68eef5fb61a592471

                                                                                                                            SHA1

                                                                                                                            a705de7066825a4d074ac8d9afdd54c63b263112

                                                                                                                            SHA256

                                                                                                                            0a398f1291a2c4d1f188bf0f024f06bbaeabe82831abda5add1dd9a6b07443d5

                                                                                                                            SHA512

                                                                                                                            11af86cea752c57823b67769c71c01ffae20cd62d2007a28a1d09941b6eab4cbff03ae5b21ac530a86f0cb3dae7482982dfb701397a5fb441c4a0e6d35d1d007

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            14fcbaed4d74479effe6d6a9daf4c8e7

                                                                                                                            SHA1

                                                                                                                            1a0aade5eb089a0d7a4ef096f1b0b79bd9ec3c65

                                                                                                                            SHA256

                                                                                                                            dea3bd1e13d8d851158964c1e27acd90414fb2bd2720b065e3622df90ca51d89

                                                                                                                            SHA512

                                                                                                                            3decf9e268bff1e1c72cabaa4f5164363288986cf4a0bb380da22170bae877b2fcf72bb7b3edb28ec8711c0118fe8a08a2833f33dd0bab4939d416cf661bf066

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            a4f16b4688cb1d4636fafe203d309c18

                                                                                                                            SHA1

                                                                                                                            bb74f3305cb0cf2c9644602b89af1b5b0d520eab

                                                                                                                            SHA256

                                                                                                                            d16dc13412a378490aaa9788b65a5e261b44a7f286b07aac115624cc4d4737e3

                                                                                                                            SHA512

                                                                                                                            33760d4486814c8611be641b22efe8458ba7d43971f30a8a507609c4a3979f5637d5c5dcc90dfc653f2cfc8f20aaa1375211c50ff90eef6b9ca461a72b65fac2

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe
                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                            MD5

                                                                                                                            c92fc0008625d3ae4fa141676a603ea8

                                                                                                                            SHA1

                                                                                                                            744c2ea42461d865ca022c458f21db65fec0e8ab

                                                                                                                            SHA256

                                                                                                                            5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9

                                                                                                                            SHA512

                                                                                                                            2280d7058c2272d1942ce8d7406327460a8fcc2e7dc2819c94f0caa6d85767d1b0d3e5d502abe957391877fa142d24387d27023277cfb088b37f1c58047cd1ab

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda.exe
                                                                                                                            Filesize

                                                                                                                            2.6MB

                                                                                                                            MD5

                                                                                                                            e5f20155b45d9b23b2a50de3a11a2f22

                                                                                                                            SHA1

                                                                                                                            33bb37d7a2649c2ae0cf9e5140f35e31b0792baa

                                                                                                                            SHA256

                                                                                                                            aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda

                                                                                                                            SHA512

                                                                                                                            cd19cb501fb44471b84937f8783cf3dca20087bdf16bfc41aa375808ba14fcb5e2a9690daa273e775d7c40dc7a27e1839294b1942bf4b9518405adedcd5c9b79

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-ea498e3356225b2ab45e3603b51ade4bc69d343491e877fb0ffb1caa792f33cf.exe
                                                                                                                            Filesize

                                                                                                                            219KB

                                                                                                                            MD5

                                                                                                                            31b04ddc50c5dd682537520ab71eb0ca

                                                                                                                            SHA1

                                                                                                                            ceb088dc7c9c4f79e1074a87cec34a010318af9e

                                                                                                                            SHA256

                                                                                                                            ea498e3356225b2ab45e3603b51ade4bc69d343491e877fb0ffb1caa792f33cf

                                                                                                                            SHA512

                                                                                                                            9e16ba91730764d3ee0c6d9aa74a4812c2d442e4673339122fb90ea235bffcad8fcb0e59d1720728b86a125511720ec73ada986a26d1690328045d8292eaa8af

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c.exe
                                                                                                                            Filesize

                                                                                                                            2.0MB

                                                                                                                            MD5

                                                                                                                            1dd4d466023c4066e76e8633926091da

                                                                                                                            SHA1

                                                                                                                            39f7e01e1dcd8bab130ef279a57b86b2ff990bda

                                                                                                                            SHA256

                                                                                                                            faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c

                                                                                                                            SHA512

                                                                                                                            d212c02be8e395029278b0c65a8e72ca34e410b727b1fe3cd05ce38953fcabdc81242946dbf43cb988f6b9946d4773ed0221611d31af7c75eb7424892fe915f9

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe
                                                                                                                            Filesize

                                                                                                                            89KB

                                                                                                                            MD5

                                                                                                                            9ef43dd22fb681fe42507ac0c5a742e3

                                                                                                                            SHA1

                                                                                                                            248ffeda9c1ca94d744f17a448c5fd602b7dc97d

                                                                                                                            SHA256

                                                                                                                            84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d

                                                                                                                            SHA512

                                                                                                                            670adbcf0f8e69cc775cc777d9a9b2002e61f9bef11e5de05c2241fda9409e83e6102e700169f14a1da198ea298347033f2f2c2e06b735517e9008a577a3b258

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exe
                                                                                                                            Filesize

                                                                                                                            1.1MB

                                                                                                                            MD5

                                                                                                                            137b99d5d4617d3b7d95e3ca7253f0ca

                                                                                                                            SHA1

                                                                                                                            bcd46c016d0a439aa40d24196ac9c31fb3e882c4

                                                                                                                            SHA256

                                                                                                                            a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7

                                                                                                                            SHA512

                                                                                                                            1432db38caebb53c2e2a3b2602b3d6d409c7a38153eff8579671483eaa91914bae3bb9a49e0e63c54c3fa67358b49b5628e3dbc7e5528906ea2f6fe156c17f84

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-f08cae71c4b597696cbc429069d295dda01963a82a8727e4f65e585048cf1fa9.exe
                                                                                                                            Filesize

                                                                                                                            186KB

                                                                                                                            MD5

                                                                                                                            077dc2448eaff618f08269f80e5a98f3

                                                                                                                            SHA1

                                                                                                                            cc3d143f9509f4c0d36f56bc3a4a98f1e17c1853

                                                                                                                            SHA256

                                                                                                                            f08cae71c4b597696cbc429069d295dda01963a82a8727e4f65e585048cf1fa9

                                                                                                                            SHA512

                                                                                                                            c35376a37cb3f82c78f9a7350e3a81ae6fea0260f214af92f86ed247973734a72b6003e3cbda243539b78cf424f99a71aceff4fbcdbdd3c1db91fa55aeaca9e3

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Foreign.gen-ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077.exe
                                                                                                                            Filesize

                                                                                                                            9.2MB

                                                                                                                            MD5

                                                                                                                            eae4474c646b0f3feecd690cfad0a46c

                                                                                                                            SHA1

                                                                                                                            3e8f4e99808e0761cc8f31c535492dc7c82661c2

                                                                                                                            SHA256

                                                                                                                            ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077

                                                                                                                            SHA512

                                                                                                                            57ad0c86100e21d404f77d75ecb5d3454f478aaa3bc486779c338f95fb89e89abb3f94f6ed01d588a90f1177cdc593dab653b8a029166d69dca81a90ed674d97

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Gen.gen-6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f.exe
                                                                                                                            Filesize

                                                                                                                            171KB

                                                                                                                            MD5

                                                                                                                            d3d0035a769e6ef98b1433160b2c8333

                                                                                                                            SHA1

                                                                                                                            be1d0aed32308166721d4756e2216dc44c2d0baa

                                                                                                                            SHA256

                                                                                                                            6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f

                                                                                                                            SHA512

                                                                                                                            b86b1ab9ad2c4c851c8712d0e49321cd3f9671815592bd4228664d236093cbb904f091dc7ad60815a56da5f9face2ce11fbd84790afca4d480ae17fa76dcb229

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe
                                                                                                                            Filesize

                                                                                                                            124KB

                                                                                                                            MD5

                                                                                                                            ef8f64e484ef31030ffbf2f03a71ddeb

                                                                                                                            SHA1

                                                                                                                            b3a7ebf8df8cd174c711bc57de25dfa8e096246d

                                                                                                                            SHA256

                                                                                                                            5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19

                                                                                                                            SHA512

                                                                                                                            ccf7d1c6f93d9d139ed4d419fcfe55cdc931fc7236d0a6920c15d638afd095e8a65b7cf720430d81a07a04a0b61e51d9f78b589b28597215656ada1d61b031a3

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe
                                                                                                                            Filesize

                                                                                                                            896KB

                                                                                                                            MD5

                                                                                                                            d68bab79bd15f2bab8cb4b0dc754078e

                                                                                                                            SHA1

                                                                                                                            0f9c22610f734cd2e1f6d697339e992fe2515cbf

                                                                                                                            SHA256

                                                                                                                            0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193

                                                                                                                            SHA512

                                                                                                                            dfbe98700c951a255261384c099dc2417d7f171544ae0fa72a6e35c21d65e00b31eb9f530e1a2f1fa46dbb2b50a5ee70c8d516fce5f6ce875129b9a1f8bebb71

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
                                                                                                                            Filesize

                                                                                                                            1.3MB

                                                                                                                            MD5

                                                                                                                            7bedd0c5e4d5c7a6f5ad69898598b526

                                                                                                                            SHA1

                                                                                                                            c0263f12b942d370260cf23eddcbd34abaf8b08e

                                                                                                                            SHA256

                                                                                                                            5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f

                                                                                                                            SHA512

                                                                                                                            68e4e99155bc17e72b04ce5af4a6b86eab66ef6efae138dcdea420e93b2ccd3a01e5c1dfea278d37a0e6426c656fe5cacd008b983b24740595c647260808fc29

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.CryFile.gen-8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac.exe
                                                                                                                            Filesize

                                                                                                                            400KB

                                                                                                                            MD5

                                                                                                                            724709fe112bfd162e0faece458a393a

                                                                                                                            SHA1

                                                                                                                            b04ef2a413ef4558c1a65e2148b0c5bff97a9052

                                                                                                                            SHA256

                                                                                                                            8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac

                                                                                                                            SHA512

                                                                                                                            6e2d821ff7f46bb87b1e64fbcf87067f1436aeb63814de9245231b183a0678a37392062a2db1e1bab8c6f0802edb01f3a499e5babf57c7788e6cc60cd42a12e8

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c33768e6f45b4cd85028c17c46ba3d32d368960eb9faf46cb14296e604b9657c.exe
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            1e2822fc3ab38f1823be6f44cc4d32ef

                                                                                                                            SHA1

                                                                                                                            9514cbe4c8859e906fa7c700117f21b19c09cc2f

                                                                                                                            SHA256

                                                                                                                            c33768e6f45b4cd85028c17c46ba3d32d368960eb9faf46cb14296e604b9657c

                                                                                                                            SHA512

                                                                                                                            d8b1b22a3463ea5dcbc0126f71a1c845a30be248f804b199df67989ba42001590698f339074cb3f2f444e07713185e04c2c43ed4da5478df56c880b561ab5d98

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Cryptor.gen-8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230.exe
                                                                                                                            Filesize

                                                                                                                            191KB

                                                                                                                            MD5

                                                                                                                            7b729dd2b94eea3331db75581e40f9a8

                                                                                                                            SHA1

                                                                                                                            33b2c1cee2d77323a6689a2ce353ce31b03fe4b9

                                                                                                                            SHA256

                                                                                                                            8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230

                                                                                                                            SHA512

                                                                                                                            d48aa58844767f469ffa56af7b2b8e956956cbe21b5b5c939d462bd27c08900466f083d2c76a1e3c370473f8c43d0b37f42c95c2786abc484444e0393eff41c1

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0.exe
                                                                                                                            Filesize

                                                                                                                            328KB

                                                                                                                            MD5

                                                                                                                            d85643300b7b9e82a4eaec9b27b1d444

                                                                                                                            SHA1

                                                                                                                            263bff7e0f9279314e974f4a0e82ebf0f6fcddbd

                                                                                                                            SHA256

                                                                                                                            63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0

                                                                                                                            SHA512

                                                                                                                            7c221e4bc3926f994129a86466cf3ed11ffd0a6e048e4f2bcb155a10d27e3ce6173e0a7fa070e62603643cc232e0e510bc7287472f68acb71b570edb17efa236

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
                                                                                                                            Filesize

                                                                                                                            105KB

                                                                                                                            MD5

                                                                                                                            1ac059a4890e421a3953484b4694bfb3

                                                                                                                            SHA1

                                                                                                                            a1d7833fe32b5bc55b5296292543a3506f015731

                                                                                                                            SHA256

                                                                                                                            da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb

                                                                                                                            SHA512

                                                                                                                            31eb86b4f49dc025cf4074aefd3426f4d29ab1347ded42cb0bd8eaf08c0d80fc9070ca23bba390b5a93d305174bbd81794be910ee0398dd34a285acb8a97df3e

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
                                                                                                                            Filesize

                                                                                                                            775KB

                                                                                                                            MD5

                                                                                                                            0b486fe0503524cfe4726a4022fa6a68

                                                                                                                            SHA1

                                                                                                                            297dea71d489768ce45d23b0f8a45424b469ab00

                                                                                                                            SHA256

                                                                                                                            1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

                                                                                                                            SHA512

                                                                                                                            f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-192755b8ee32be12341e15433c980e62f83a6af8c0c7003afc0e81a378e7ae97.exe
                                                                                                                            Filesize

                                                                                                                            379KB

                                                                                                                            MD5

                                                                                                                            5cdbfe533a3dec1c10a7df26bbe3526e

                                                                                                                            SHA1

                                                                                                                            9688611c83c5e8d3d80380e144d456fd9cd3b35d

                                                                                                                            SHA256

                                                                                                                            192755b8ee32be12341e15433c980e62f83a6af8c0c7003afc0e81a378e7ae97

                                                                                                                            SHA512

                                                                                                                            2fb24c94545904959ffe953caf0edb6e9301978225c511928452dff9054759f300ef5a8dc911d95c766331680f1ac9a1484c430e2015229159e1b2ba1b19cca3

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-1d457781b4fa198714bb0c9c52b1d67605410ae9faf03aa9360970c34a8e07a0.exe
                                                                                                                            Filesize

                                                                                                                            1.1MB

                                                                                                                            MD5

                                                                                                                            4574e6057b1a245c5c0efd98447e06ad

                                                                                                                            SHA1

                                                                                                                            d348160819be98d0f931216dfd1481ec4d1b4814

                                                                                                                            SHA256

                                                                                                                            1d457781b4fa198714bb0c9c52b1d67605410ae9faf03aa9360970c34a8e07a0

                                                                                                                            SHA512

                                                                                                                            8eb81da534a90afba9ac4a36a5e55f80b25b6e793555bbff14e4f71ee1f5f15e421becde6f7fbf34154800eef2e6b17f5e2cb40e83e03812c1eef509b3cf2b3c

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Desktop\ClearRegister.sql.TaRRaK
                                                                                                                            Filesize

                                                                                                                            675KB

                                                                                                                            MD5

                                                                                                                            ae4f7175954afe71c8ff5cd986a3ae99

                                                                                                                            SHA1

                                                                                                                            7cf5799d185ce5e41e9ee7aec80b985128be2870

                                                                                                                            SHA256

                                                                                                                            c3f8706ea22734a622bb1a2d048231e589c18818234038fd4011f5d9028e8b22

                                                                                                                            SHA512

                                                                                                                            9e2750eb37a940e5f22283ae8cbea974092af4131f296355f11499691b8f60998340e1d6bc078ffba5580c2152e5c097b3260602d6724ce76696987be7e042fc

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Documents\AddSwitch.xlsb.TaRRaK
                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            MD5

                                                                                                                            3be9094c4cd53a399ba45b421a0a5176

                                                                                                                            SHA1

                                                                                                                            5d7c265c043d56de16756d65adf427f8a544f463

                                                                                                                            SHA256

                                                                                                                            57d2b9230eaa6f3f5ba61fce9b10031508d8283f70ace389df13959c2f955191

                                                                                                                            SHA512

                                                                                                                            60316e73cf8aae2fb5e93d9c921c1806963fb6af8b2e6ffbf72aaf15ff134aa8cd7abe7501573c2df8ade0b29d3758bf1d4fcb7e01dcb321541430b036e465df

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Documents\OneNote Notebooks\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            5e4f95337446ea40c9fa47d2e4d4fc59

                                                                                                                            SHA1

                                                                                                                            313d3a583b9c6ba4ac637e5cf2a5d74e17366330

                                                                                                                            SHA256

                                                                                                                            b6aa92b921cb8189deea3f784d4b687abf414ea56ca805db41490d833783f00c

                                                                                                                            SHA512

                                                                                                                            732f1fd08409757eef140b342e8d8dbf7f880ac447b4f12a3d1b2c5f0e4d69bb57d0fbbb25ef6093dcad0cf2fc9de867ec9c46841644f606d4770c93aecf5540

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Downloads\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            6f147c8d652075ce1ed1d2c8c2c8209e

                                                                                                                            SHA1

                                                                                                                            41150340358d56608e1a3c115168f5d617595cde

                                                                                                                            SHA256

                                                                                                                            7ffcbf2ad55e3819b08b693fb717ab05df0f667b01921c8e8d99b0c908db3b1c

                                                                                                                            SHA512

                                                                                                                            a67f9435f94206ddfb47e04fd17543aaac816b4d226586d13e61f36c4f38fb249f8c105eb04ac6f2e85cbe37f70f98cef995d5f9b24693a474f8fdf0a640d7a1

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Links\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            a0e6f4d32911df133341a3e073eb5bf0

                                                                                                                            SHA1

                                                                                                                            0a887717defaabd855e0f5ca3a7533de367dab40

                                                                                                                            SHA256

                                                                                                                            7d5219d5808b9a3f3f245e210a2a6be0c4c43c6a425b499b0256f2fc5efc1c11

                                                                                                                            SHA512

                                                                                                                            5a7deb5b1628ce1b5f355afd44be4ebc198c269868bfe2799c3ef994041dd3a8e37f3133d55a7c6d810172d8885698c9a691af9e3a7ab33576f38b1571e76116

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Links\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            b65fda5bc6504178513b9d9fff6340b5

                                                                                                                            SHA1

                                                                                                                            2f33f5245d2eec14248295c698de424fe3d6d463

                                                                                                                            SHA256

                                                                                                                            a4bc79f36fd5c16b5539cb7fad64cf104e26b02e0bed03364279954dbed77969

                                                                                                                            SHA512

                                                                                                                            7092c6b25ba1f62a750b23e6cc67ac22cf5732b5d96a55b7595705428eb9197c12ab5704f481039c8172624e5b57e5cec406104180a09094c83ac3137fb53b0e

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Admin\Pictures\6iMSN88k_readme_.txt
                                                                                                                            Filesize

                                                                                                                            3KB

                                                                                                                            MD5

                                                                                                                            caa137dc5bed1051b2f808e9778f1437

                                                                                                                            SHA1

                                                                                                                            b12c5954be01bab3152404d457c7576147d90441

                                                                                                                            SHA256

                                                                                                                            4c0afcbc58b3bd8cd98b01cc9542c99f9e4d7a48ed3736582b4cf1bbae4be05b

                                                                                                                            SHA512

                                                                                                                            ce49d96572efb42c90d57897bec09ffa16a57eb5a4a6ebb5b642b50f0dbb04fd47dbff2480f9bc8b9b009d205c1ecddf75ed472d11ad9d8d6f1c6ee22acc479c

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Public\Libraries\DATA\Desktop\DebugUndo.xls
                                                                                                                            Filesize

                                                                                                                            945KB

                                                                                                                            MD5

                                                                                                                            1823ce7b09540b78965be2d95e5daa3f

                                                                                                                            SHA1

                                                                                                                            9dd4a69e5e33d42173c28d9c54cb2bdb4fcc057a

                                                                                                                            SHA256

                                                                                                                            dcd514e4f0f9b2f3180af6b64e23773d1bd10ace2f44b48a47955a3c776ebf8c

                                                                                                                            SHA512

                                                                                                                            9ac859a069d8c566013ce9b1fe21b85211c8ff50e5916fbafcaaddfe71a8b32d26145cb985e2e43a97ce079ffa8791c75f6a87fd9c50785468f859fa2c32a042

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Public\Libraries\DATA\Desktop\PopShow.xlsx
                                                                                                                            Filesize

                                                                                                                            10KB

                                                                                                                            MD5

                                                                                                                            1b12eb93551e76e5a7b5462fd4ab864c

                                                                                                                            SHA1

                                                                                                                            72b48483621c28235827bd2db33470b5d2e84eb4

                                                                                                                            SHA256

                                                                                                                            dc41ac82532281ee64cb203124625b8bec2cf91656cec977d1b06ca4b1c19232

                                                                                                                            SHA512

                                                                                                                            886e8649584f2774e6019f04015f183d97abaf49e663f59eb34df761fe19d1c136301b8f7153e1c007c1c0aa9a150451207562e71ee5044ae22e48a334bfeb49

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Public\Libraries\DATA\Desktop\RepairApprove.docx
                                                                                                                            Filesize

                                                                                                                            15KB

                                                                                                                            MD5

                                                                                                                            85089bffd58868eca802c7bd2a206702

                                                                                                                            SHA1

                                                                                                                            a5d5adf076ae6d2d3ed5f35b870fac49a2102650

                                                                                                                            SHA256

                                                                                                                            5fd57471ca1d27a487491d8b1ba1c7fc9595b3376bc73240d4cb511887bf1045

                                                                                                                            SHA512

                                                                                                                            9fce6259eafc55cf77bfecf60ac100cd72cc29657cdb5bc80fe5286b57081bb8c28a48a4f95fb8bcd7b52be2776c8908d2222e0b61db7d4ac7c97f6fce3be6a0

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Public\Libraries\DATA\Desktop\SetCopy.docx
                                                                                                                            Filesize

                                                                                                                            1.0MB

                                                                                                                            MD5

                                                                                                                            8434cfac04cf2847f375c4311584c2b8

                                                                                                                            SHA1

                                                                                                                            78bd3f551e56bc217057038c636bae049b27f50f

                                                                                                                            SHA256

                                                                                                                            cd41d26d5242976decd58fd811ee406443a2cbf8a411799e95a215ddbeeea66d

                                                                                                                            SHA512

                                                                                                                            df15702180a1dd18094307b4361744eede77edcf20ee46cb13753e9f7a6720783188f35792d3df78389e24a244bffba5bad52d8a8a1ba20a2dbb05712aa7016b

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Public\Libraries\DATA\Desktop\StartAdd.docx
                                                                                                                            Filesize

                                                                                                                            15KB

                                                                                                                            MD5

                                                                                                                            24b108b252cf4dd71a7574b64ac6802f

                                                                                                                            SHA1

                                                                                                                            adfce4f8601c4317aff455d8e366d7fa3b52e23c

                                                                                                                            SHA256

                                                                                                                            cca9e8d66265506e01510b9173badf65c848d9056c0da0fb5f7cbaa2dba0450c

                                                                                                                            SHA512

                                                                                                                            b7e35cbf450c60ba3208c2ee29c479e667e9123a77bc2ece724561dc2fbb37d9cd72bf89b2909d2304cb08f318be422020fc270479a3d8b4a2e779bbe5ed0615

                                                                                                                            Download Submit

                                                                                                                          • C:\Users\Public\Libraries\DATA\Desktop\SwitchConnect.xlsx
                                                                                                                            Filesize

                                                                                                                            14KB

                                                                                                                            MD5

                                                                                                                            4566eddb399dfeab1b4f6872121fea22

                                                                                                                            SHA1

                                                                                                                            1bdcbce942a068dc330f8efedcc98369c1b4977a

                                                                                                                            SHA256

                                                                                                                            03b036c419f969c6f6547e355332f9b677812f98f6cd87fcd2a148734b5093b1

                                                                                                                            SHA512

                                                                                                                            f54a2fd38211e23cd791534525fd1adc599df8d6fb7c754ac32ca2a041f0e178f2551163bab50c106816bf2413f52c0109120ad2d28f4f0368d3951e545800d0

                                                                                                                            Download Submit

                                                                                                                          • memory/1256-391-0x000002077CD10000-0x000002077CD1A000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            40KB

                                                                                                                            Download

                                                                                                                          • memory/1256-392-0x000002077CD40000-0x000002077CD52000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            72KB

                                                                                                                            Download

                                                                                                                          • memory/1732-442-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            Download

                                                                                                                          • memory/1732-352-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            Download

                                                                                                                          • memory/1732-29103-0x0000000000400000-0x00000000005BB000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.7MB

                                                                                                                            Download

                                                                                                                          • memory/1808-223-0x000000001C7E0000-0x000000001CD08000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            5.2MB

                                                                                                                            Download

                                                                                                                          • memory/1808-203-0x0000000000700000-0x000000000073E000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            248KB

                                                                                                                            Download

                                                                                                                          • memory/1808-308-0x0000000002880000-0x0000000002888000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            32KB

                                                                                                                            Download

                                                                                                                          • memory/1992-373-0x0000000000400000-0x0000000000460000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            384KB

                                                                                                                            Download

                                                                                                                          • memory/1992-381-0x0000000000710000-0x0000000000727000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            92KB

                                                                                                                            Download

                                                                                                                          • memory/1992-380-0x0000000000400000-0x0000000000460000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            384KB

                                                                                                                            Download

                                                                                                                          • memory/2452-313-0x0000000000650000-0x0000000000676000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            152KB

                                                                                                                            Download

                                                                                                                          • memory/2532-169-0x000002681E4C0000-0x000002681E4C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/2532-161-0x000002681E4C0000-0x000002681E4C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/2532-172-0x000002681E4C0000-0x000002681E4C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/2532-173-0x000002681E4C0000-0x000002681E4C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/2532-171-0x000002681E4C0000-0x000002681E4C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/2532-170-0x000002681E4C0000-0x000002681E4C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/2532-168-0x000002681E4C0000-0x000002681E4C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/2532-163-0x000002681E4C0000-0x000002681E4C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/2532-162-0x000002681E4C0000-0x000002681E4C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/2540-9036-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            428KB

                                                                                                                            Download

                                                                                                                          • memory/2540-431-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            428KB

                                                                                                                            Download

                                                                                                                          • memory/2568-213-0x0000000004DF0000-0x0000000005144000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            3.3MB

                                                                                                                            Download

                                                                                                                          • memory/2568-209-0x0000000005260000-0x0000000005804000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            5.6MB

                                                                                                                            Download

                                                                                                                          • memory/2568-204-0x0000000000050000-0x00000000002F0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            2.6MB

                                                                                                                            Download

                                                                                                                          • memory/2568-211-0x0000000004D50000-0x0000000004DE2000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            584KB

                                                                                                                            Download

                                                                                                                          • memory/2568-328-0x0000000006810000-0x0000000006838000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            160KB

                                                                                                                            Download

                                                                                                                          • memory/2568-217-0x0000000005810000-0x00000000058AC000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            624KB

                                                                                                                            Download

                                                                                                                          • memory/2632-844-0x000000001BFF0000-0x000000001C4BE000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.8MB

                                                                                                                            Download

                                                                                                                          • memory/2632-845-0x000000001C560000-0x000000001C5FC000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            624KB

                                                                                                                            Download

                                                                                                                          • memory/2832-432-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            276KB

                                                                                                                            Download

                                                                                                                          • memory/2832-344-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            276KB

                                                                                                                            Download

                                                                                                                          • memory/3008-188-0x00000196BAC00000-0x00000196BAC76000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            472KB

                                                                                                                            Download

                                                                                                                          • memory/3008-190-0x00000196BAB80000-0x00000196BAB9E000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            120KB

                                                                                                                            Download

                                                                                                                          • memory/3008-187-0x00000196BAB30000-0x00000196BAB74000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            272KB

                                                                                                                            Download

                                                                                                                          • memory/3008-177-0x00000196A18D0000-0x00000196A18F2000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            136KB

                                                                                                                            Download

                                                                                                                          • memory/3764-159-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3764-148-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3764-154-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3764-155-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3764-149-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3764-160-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3764-156-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3764-158-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3764-157-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3764-150-0x00000280FA9C0000-0x00000280FA9C1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/3988-242-0x0000000000F60000-0x0000000000F6E000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            56KB

                                                                                                                            Download

                                                                                                                          • memory/3988-243-0x000000001B7F0000-0x000000001B896000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            664KB

                                                                                                                            Download

                                                                                                                          • memory/4180-306-0x0000000000C00000-0x0000000000C32000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            200KB

                                                                                                                            Download

                                                                                                                          • memory/4228-9035-0x0000000000400000-0x0000000000558000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.3MB

                                                                                                                            Download

                                                                                                                          • memory/4228-14701-0x0000000000400000-0x0000000000558000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.3MB

                                                                                                                            Download

                                                                                                                          • memory/4228-430-0x0000000000400000-0x0000000000558000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.3MB

                                                                                                                            Download

                                                                                                                          • memory/4452-212-0x0000000000E90000-0x0000000000E96000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            24KB

                                                                                                                            Download

                                                                                                                          • memory/4452-208-0x00000000006C0000-0x00000000006FA000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            232KB

                                                                                                                            Download

                                                                                                                          • memory/4460-339-0x0000000008020000-0x0000000008042000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            136KB

                                                                                                                            Download

                                                                                                                          • memory/4460-210-0x00000000002E0000-0x000000000077C000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.6MB

                                                                                                                            Download

                                                                                                                          • memory/4460-214-0x0000000005010000-0x0000000005076000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            408KB

                                                                                                                            Download

                                                                                                                          • memory/4460-327-0x0000000004910000-0x000000000492A000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            104KB

                                                                                                                            Download

                                                                                                                          • memory/4460-216-0x0000000005080000-0x0000000005092000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            72KB

                                                                                                                            Download

                                                                                                                          • memory/4460-215-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            40KB

                                                                                                                            Download

                                                                                                                          • memory/4460-225-0x0000000005270000-0x00000000052BC000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            304KB

                                                                                                                            Download

                                                                                                                          • memory/4460-224-0x00000000051C0000-0x000000000521E000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            376KB

                                                                                                                            Download

                                                                                                                          • memory/4460-222-0x0000000005110000-0x00000000051C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            704KB

                                                                                                                            Download

                                                                                                                          • memory/4460-324-0x0000000007AE0000-0x0000000007F2A000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4.3MB

                                                                                                                            Download

                                                                                                                          • memory/4696-383-0x0000000006F80000-0x0000000006FA2000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            136KB

                                                                                                                            Download

                                                                                                                          • memory/4696-241-0x00000000009F0000-0x0000000000B10000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.1MB

                                                                                                                            Download

                                                                                                                          • memory/5216-29084-0x0000000000400000-0x0000000000558000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.3MB

                                                                                                                            Download

                                                                                                                          • memory/5216-1562-0x0000000000400000-0x0000000000558000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.3MB

                                                                                                                            Download

                                                                                                                          • memory/5216-14709-0x0000000000400000-0x0000000000558000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.3MB

                                                                                                                            Download

                                                                                                                          • memory/5216-20479-0x0000000000400000-0x0000000000558000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.3MB

                                                                                                                            Download

                                                                                                                          • memory/5216-29159-0x0000000000400000-0x0000000000558000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.3MB

                                                                                                                            Download

                                                                                                                          • memory/15444-30485-0x0000000004930000-0x0000000004931000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/15848-30487-0x0000019399C00000-0x0000019399D00000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                            Download

                                                                                                                          • memory/15848-30488-0x0000019399C00000-0x0000019399D00000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                            Download

                                                                                                                          • memory/15848-30486-0x0000019399C00000-0x0000019399D00000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                            Download

                                                                                                                          • memory/15848-30491-0x000001939AB40000-0x000001939AB60000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                            Download

                                                                                                                          • memory/15848-30499-0x000001939AB00000-0x000001939AB20000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                            Download

                                                                                                                          • memory/15848-30510-0x000001939AF90000-0x000001939AFB0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                            Download

                                                                                                                          • memory/16728-30277-0x00000000047F0000-0x00000000047F1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download

                                                                                                                          • memory/16968-30293-0x000001662F610000-0x000001662F710000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                            Download

                                                                                                                          • memory/16968-30298-0x0000016630680000-0x00000166306A0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                            Download

                                                                                                                          • memory/16968-30321-0x0000016630BD0000-0x0000016630BF0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                            Download

                                                                                                                          • memory/16968-30309-0x0000016630640000-0x0000016630660000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                            Download

                                                                                                                          • memory/24516-30738-0x0000019F74800000-0x0000019F74820000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                            Download

                                                                                                                          • memory/24516-30734-0x0000019F74840000-0x0000019F74860000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            128KB

                                                                                                                            Download

                                                                                                                          • memory/24516-30729-0x0000019F73820000-0x0000019F73920000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                            Download

                                                                                                                          • memory/24516-30730-0x0000019F73820000-0x0000019F73920000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1024KB

                                                                                                                            Download

                                                                                                                          • memory/29556-30728-0x0000000002E80000-0x0000000002E81000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                            Download