Overview

overview

10

Static

static

1

RNSM00430.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    404s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2024 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00430.7z

  • Size

    25.3MB

  • MD5

    f64fdcf697c25f9db959e055e05a440b

  • SHA1

    afcee1ea932aafbf2dac520fcea835cc3548ee4b

  • SHA256

    4c659f57dcbdbcffb9c0d0d06b2d02a74ee2d306c52300a3892e4418c0d1c863

  • SHA512

    c1b3d40bd0255833ddded8ade13739cce94d69387b7c6949d65d489c2fd949848fe38f2992808d6fdd4eeb50a0a0a7ff825dfbc9dc287a4dfe3c2bfd6141a88e

  • SSDEEP

    786432:bLPIJ4PoBXVOi8Zh+OBOjX/GRBduIekAbl7jR:bLPIMoBlOFT+4Ojk/uIrAbv

Score
10/10
clopconticrimsonratfickerstealergandcrabjormungandmodiloaderbackdoordefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceransomwarerattrojanupx

Malware Config

Extracted

Family

crimsonrat

C2

185.136.169.155

122.216.201.108

Extracted

Family

fickerstealer

C2

lukkeze.best:80

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- SveULrMg1EtF3ckFRyPzvr0v78M7RL64mRMCe9qPWWCeJwYAuNWV8R6NGPs5PFBS ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Extracted

Path

C:\Users\ReadMe.hta

Ransom Note
<html><head><meta charset='UTF-8'><title>recovery tool</title><HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'>window.moveTo(50,50);window.resizeTo(screen.width-100,screen.height-100);</script><script>function countdown(dateEnd){var timer,days,hours,minutes,seconds;dateEnd=new Date(dateEnd);dateEnd=dateEnd.getTime();if(isNaN(dateEnd)){return;}timer=setInterval(calculate,1000);function calculate(){var dateStart=new Date();var dateStart=new Date(dateStart.getUTCFullYear(),dateStart.getUTCMonth(),dateStart.getUTCDate(),dateStart.getUTCHours(),dateStart.getUTCMinutes(),dateStart.getUTCSeconds());var timeRemaining=parseInt((dateEnd-dateStart.getTime())/1000);if(timeRemaining>=0){days=parseInt(timeRemaining/86400);timeRemaining=(timeRemaining%86400);hours=parseInt(timeRemaining/3600);timeRemaining=(timeRemaining%3600);minutes=parseInt(timeRemaining/60);timeRemaining=(timeRemaining%60);seconds=parseInt(timeRemaining);document.getElementById("days").innerHTML=parseInt(days,10);document.getElementById("hours").innerHTML=("0" + hours).slice(-2);document.getElementById("minutes").innerHTML=("0"+minutes).slice(-2);document.getElementById("seconds").innerHTML=("0"+seconds).slice(-2);}else{return;}}function display(days,hours,minutes,seconds){}}countdown('10/31/2024');</script><script language="VBScript">Sub RunUTOX( ) set sh = CreateObject("Wscript.shell") sh.Run "%windir%\utox.exe",1 End Sub</script> <style type='text/css'>body {font:15px Tahoma;margin:10px;line-height:25px;background:#000000;color:#FFF} .bold {font-weight:bold;} .mark {color:#ffd731;padding:2px 5px;} img {display:block;margin:auto;} .header {text-align:center;font-size:30px;line-height:50px;font-weight:bold;margin-bottom:20px;} .info {background:#000000;border-left:10px solid #000000;} .alert {background:#FF0000;border-left:10px solid #FF0000;} .private {border:1px dashed #000;background:#FFFFEF;} .note {height:auto;padding-bottom:1px;margin:15px 0;} .note .title {font-weight:bold;text-indent:10px;height:30px;line-height:30px;padding-top:10px;} .note .mark {background:#A2A2B5;} .note ul {margin-top:0;} .note pre {margin-left:15px;line-height:13px;font-size:13px;}.countdown{width:100%;float:left;margin:20px auto}.timer{font:72px Courier;color:#fff;text-align:center}</style></head><body><img src='data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEASABIAAD/4QBmRXhpZgAATU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAAZKGAAIAAAAxAAAALAAAAABQcm9jZXNzZWQgQnkgZUJheSB3aXRoIEltYWdlTWFnaWNrLCB6MS4xLjAuIHx8QjIAAP/bAEMAAgEBAgEBAgICAgICAgIDBQMDAwMDBgQEAwUHBgcHBwYHBwgJCwkICAoIBwcKDQoKCwwMDAwHCQ4PDQwOCwwMDP/bAEMBAgICAwMDBgMDBgwIBwgMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDP/AABEIAFAATAMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/AP5/6KK9Q/ZS/ZO8Tfta/EIaRodtdRaZYmOTV9VSyluodKhYkBikYLPI2GCRjBYqxJVFd0mUlFc0thxi27I850XRbzxHq1tp+n2l1f315IsNvbW0TSzTuxwqoiglmJ4AAya+tPgT/wAEa/iJ8SJdOuvFuq6H4D0jUrtLa3eSUapeXivI0IlhS3JgCeeoj3T3EAZm+UuRiv1F/Zc/4J3fD3/gnRZeF9S8XeBbSb+1pbi50q80nVI9V8aXUuVe1nW4VYIrazmMU3lzoULLFbjyEkkuGfo9X/a81bR/ButaTpOoQ+F/Dup373si6MyQa2yu6yRxf2mRHI8qOgMbYRplJTy0dCp+dxWdSb5cOvn/AF+R6tHL42vUPnL4a/8ABtB4Fn8P/Ztc1L48a5r9vZy38507w3/ZEc0SSon7qGe3mGf3qDBnJbYzAAHavnX7RX/Bvr4V06xt2+HXizxxpcdvf32nalq3jbSZbfS7ee1MaLHvW1if9/JIwRgrDEDY371x9g/EGfxrJY+DPGereKPEXiDxJ4g1LUvDel3lh471OLVIvJg+1zRx7l8iJJvs6lkgnCl4Y/8AWkDbzPhX9pLWP+Fda3pOn+LdTj0HVjNcanpo199esrlppPMklvzciWLEjHLQoC8xZgcbufLhj8Wnz89/np+R2fVaLWyPya/aL/4Jd/Fb9mzULuPVrHSNQtbUSObiy1KH/Vqdqko7K4d23IseDI0iMgUtgH591XSrrQtUubG+trizvbOVoLi3njMcsEikqyOpwVYEEEHkEV/Q9YfHzQfjN8RdLt/HVtd+DbGKO4gN34N0+KwMt7JKqpcajp+9rS6iVBcJNGsa8XLRv9pAlEPy5+25/wAE3/BPxQ+Hmn+ONdg/4RVtQs7+9tfFGlWK21p4qFnbtFLcYYyFZy1sbh7a8khl3OIN0bmW4b1sLnnvcldfM462Xpq9M/Hyiu4/aI/Z28VfsufFK+8I+MNOksdSsyWik2OsN9EHZBNEXVWKFkdSGVXR0eN1SRHReHr6CMlJc0djypRadmXvDXh288X+I9P0nT4lm1DVLmO0to2kWMSSyMEQFmIVcsQMsQB1JAr9wP8Agnl+zBZ/sHfAXQde8TeDNP8AH2j6k+paZbRXd3HJZazrd1FZma4+ySyAXekww28cJ3RRu9yyLjyn+0L+Yv8AwTK+E+peL/ixrniqztNekj8F6YzR3GmIjGG7u2+zRKw3iYkxPcugtklmLxLtik5Wv1j/AGotQ8Oa78UtQ0nwdq+p33gHSlu4dGTVb6Sayt7OBI11BrWKfcILZ7gLHJBGmR5qo0M0Ii2eFnGInzKjDbdnqZfRVvaMlu7TQNU8JNqWtfEjwbZw3+mSXa2uoT3d5ueadY47eaV0kUWpQF5AFdYreFFaGaPy44s/xr4p0nwD4d8cal4M+LVhrWvLoupwaK+lJeQakUgVJZr4hi3kxb12xvLJJK7F5AyGSQScHbeINdstD8W2um+JtV8EeINY0ryrXWLW4uFn065e7tpsedbmSVS8cLxl0Z1mMgKvK28J5n+0f4Z+LPwZ0vwnqHjT4rfEzxfaeMEvprCPV9c1Pa0cMVm7SmK4ncPFNDqEDLvVSyu4ZAOviU8PeSV7eXfqehUrcquexaP8UfE3iP8AZoXxe2peNodY1TwhCup+JLG9uIZr94PEIQxS3KFSZPLj2ncx3R4U8cVbN5qfiL4KfDzxnJrjeJ9Z1Kzj09rG1jm1LWbKe2h8lb6aRt7tJII/LjkDB43bc394eafstfsZ3X7VXgePW9D1m302aR1W/gaW20+CyaTULixiy002WZmgaRjDCxVM5BO0Nxfxm+CN58FNRX+0YY761uJBE91dWKwTDE9xCJ4mVn+0WkklrcolzEwLPA6yRxboDPtGjHmcE9U72M/aNx5mj17wRrVjc69p0zR6fNZx3MG+P7U8Ns8KuVKrKoLoqBXBJUuEViuXW4jb1i71TSPAnxx1TwtraeLpPhsNXkkl0TSPETSyoWj22uo2k9s4SW7hAElvMuTII2WRQ6xrN8+/s6avrnxI+KOk+G5pNQ1y/W+sX+3oYZL2a0eeKJmJmZVmubdjA0RZvMmRREd7w2fl+rfGnU7PxN8ZfFWtadNodzpWqarczfa9NszZ6feK7GT7SIpFIVZUUzSEoyCS2uAd48u3bKWHvOxrGStoeH/ta/sGS/tMeD9V03zNS8Pt4Y02PXvAtq9tDZW2q2+plhY3T+ZdLbBL1bW2gZ1aSWJI4JJ7hxbTI35J1++k3iiHxj8BdY8Ual4ij1jQ/hNfRaLqmiT6Xl5NE1OaNb1A86+fLdQyJcfuXZl+z6tJG8qreSs34+/8FE7Bbv8Aag1bxPbWN1Z6b47hj1+2lu9U/tG61GRi0F5dzyl2bzpb6C8dwQg3sxSNIjGo9vJ68rulLZfh5fO9/vPNzCirKovmfY3/AAbpfC/xxe/FOx8TeCNS8Lrd/wDCTLFJpOs6xf2NrqhtLKW4RZlt4JVKAykq/LI/YEoH+jrnXDrWtf2jfXf2q91i7it76aBCsn9oozSi7QKMq8oucSBT84RAdwxXyr/wQZ8XeCT4pt/D+vjxH4Za88TLBrnjDRrq6sbrTdNu7N4IoI7q3VjDuuEJLSbQPk2nJbH0/wCJvEC61oxn8K3K3usM8Wr2MVjvto7+9vGUQW1s26NoXWCDzC6shg3RMxjwM8GYKX1uWnRdP1/Q6cNJexjYoat4b13xpqEHh3QLfOtanNc2OyGNHlM5nRPMso2R9zTR+aJYNjxMXjzG0ZleHj/2+bTxNo/wE+HOmeK9D0/w/rvhPWdT0WSzg0+a1ZYJtK0GS3klWUeY0ri1lJkZndwqhmbBx0n7J/xLt/EP7R3w3bT/ABAsNreavBthfQ7dVuICg2tFG9uzMkiyxlVEaiMSxbbe2XZCut/wVosLuPQda86LVPI0nxH4UFs17pgsBKLvRtdSXZbfZbUR/NYR5YW6hztIZ8ZGNOo44mFKS8/xsVUi3SlM8u/Zg+PXgX4Y/B6GDX9R1q38cWFzex6M3/CMnWdKe3uLiOVzcIxEc2AjbUbhWO7Dg4C/Gj483XxYt0sYDcSaaotIbi5vLSGyxHamVobW0s4mMGnWoluJpmggwHkkQscRKKq/sD6d4L17wvptr4uuvC+g2V54o1u0m1y78K2WuXUfl6RpUtjaRmaNplV52nI8pgqmSQtjcDX1N4/+DH7Od5ZahoMGseI9c8YXt5a6dodhZ+CTomoPLPeWsKyRzmBXceXdwssLf6PI7Lu3gkJeIqUqeIas/uYUY1J0lseV/sP+J9H8DfHTwa2jatpMMtzrVveeIbzUr6bSp9C0uzSeUCJlZGuI5Z2gmmktpHKC2iVo4497y63jrxPb32ua5Dp8sM732s6lawtazOyssGoSfZJjIGWdVCiWKAF4nIF1IHR4t6fJ/i3X9U+Gl3qV5pWpW8Op+E5J72yv7Fy8CXVqX2TQtkkxM0YYBiQ6MA24E5/QD9nPQ/h78LP2jda0fXdC1PTX8P8AiHVbGCTW7e01XSrSFZZo3t7aAwvNFFB5cMSyTbyXgIfzIrYLBliLU/3t7/8AD/8ABNaEXO0UtTD+BHwR0r4leL7Lw9qum6xLY3ytJKJfClrcI8sY3J/pLXMMMWMDAR0T5SERchB3Hw//AOCXH7Pv7S0esah8QvhW3iLUvDuq3GhWNzZ395o8SWkRDhPLguoxI3myzM0rbyzOwV3jWM133xx8dW63/gHxF4H0u1XxFYtqdtf3egR2di8Ucn2JYjhY0iuEdhdFW2ggFz+73Fa5Lwl/wUG+An7J39paT8dvGTeE/F/iG+fXba31PStS1a5urORVhEzNZ20kUQM8Fwoi3ZURg4AYVxQq1qr5qF7vte/4HVUjCEf3iXz2/E/D7/gnJ8bta+Fnx4h0fRrmOC88YPbWWnNc6nNZWdrqsdzHNYXLhAyOyyqYR5yNEFupPM/dl8/rF+07rur+ML/S/i1daHpmgaL8Slu7+0s7fUJPIsELIt9aTSTx25gkEkSS3HmBWULG0rwxBwfwj03U7jRtRt7yzuJrS8tJFmgnhcxyQupBV1YcqwIBBHIIr9WP2Af2xPDv7QPw18XN460rxJs0nQZLk3+nXrXEfh3V02yT36WMKokcOoMfMuCVkKtal0CpbuH+qzLD6qtFeT72/qx4GEraezb9D0S98L2mofDI6hZR2p8XJ4ms4dPuBO+la1GscUihQCsZmhzKIpoV8qSxcxKot3uXLeL/ALXP7VXhweCPFnwl0/7brPiDwr46nXUPHuoanHDe+LP7Mm1G1sy1snywxItzOIlRgFWXGCeR75430PxH+zJ4T1TwH4q07xh4T8Q6fq9l4gsbdLq0+w2jxxbTIHyEjmjV8i4guDDIFVSI1RnOT8LPjaukfEfTL7xdcaPd+FEvZp9eF54ajvZY7dY2Vokjg+yXMbpMUUrITM0kgQqrK6p5MZKMnUavbVf1b8Dvs5R5b2ufM/7L/wC1zYfs+eGNa0i58I2fimHXJ3u7adrpLWTSJmtzbm4ty9vOv2hFEbpLj5XRSVcAg+heAv2mPEnxRsf7G8EeFfEFxeTRtbyyW8cuta5PFIW3Rr9kt4Y4w/zKZIYI5mUFTIVAA9p+Bvhnxl+zn+2V8ffE0nhrxp4U0GbXdG1Sz1W00+50uxlY+I7GdoYLgpHC6iO4mJiVsFEbjCHEX7Nnwo8bfATSv2k/C+qeGdb0XRPE3jTSbDTLfVdKktbXXbFW8QpJLaCcKksa5siJIw6qZos4WUBlialOSlK3SL37pflcvCwqJqCflt/XY89+C3wWHhfx/p974tj0WH+w5U1GXw9NIl1M/luGjGpRQufstrvCq9tIyXMw3QpEu/zB7l47k8bweC9S8YaJ4d1zWdUa9ih1G+PlTzWVzdOzQrKg2ma7nfcziKNgZ3Lv5SGP7V3Ph680eK/kvpvAnw3svtF9Dqf2bTtNOn6farGhWGNUSRVWMEyMXZt7bCjOQkhPX2sPhLWdG0228Uaj4f8AAmi6ek83mx2IW41m5mlIEYjndUnuNxdUhJUIokHlpGjpXhVsfzytJHtQy+pCN47/AInneufC+0074M6ZYTf2x/wse9kttSvPE2q3cyaPo+k+XdK94qzMbea2mlimjKpExeO3E22P7O8kf4x/t+fF3TfjJ+1N4kv9B1LW9S8MacyaZo51O4SZ4YIlAcR+XJJEI3nM8o8ptjecXAUuRX6Jf8Ffv+CgHiH4ZWdzYXN14Zb4i+JoxB5OnefGfD1osBijuLGVSGjUSmfY++OVykRKmPzI5PyHr6rIMO+T28uux89nFZc3sU7tbhXS/CP4q6p8FvH1j4i0j7LJc2bESW91H5ttexNw8MyZG6N1yCAQR1UqwDDmqK+haTVmeKm07o/WD9gj9v8A8MftK+MNP8H+LvDviDxwtxoyaFpGl3euiPXvDEdqzSRPpt0kSQymVpQ8im3CxLBK4EMcRF16V4V/Z4svHmmfDz/hCfHHg/xZ4v8AGUNvCugadeLpGpWk62rSOsBml/eW6bXj+0RPOsS7FQbnZj+Kteij9qzx1P8ADnT/AAffawuqeF9MkEsGn3ltFIoZRKELSbRK23zW2guQMIBwigeRXyu8uai+Xy6f16W9T0KeO0/eK/mftv8As7/C34qfs5/FqOSP4QeMPGniTwdsllsYrZls9OW4UtGrSrG8lwsipN/y1yCoyeNpk8D/AAH8Ta34P8K69a+G7nS/Dusw6dpelXmoxxW1rBA0KLbnI2xS20giBJYjLbQrDKqfza+Fv/BXvTfh0qyD4c+IrW8lltbm7bQPiFfaLDdSxCTflI4mPlsZNqxszCKOONFOFJat43/4K+Le+B7PRfD/AMN1WC2t4rHyfFXiW48QWsdukVxGwiUJBLHJIJoy7GVlP2WHaikMT49bJsTOd7L10/K7PWoZpRp7P8/8j9bI/DvhvwprOraJrFxrfjDVJo7aLST4Uv0isJJ7rzI97anMnkqYpIlG+PecBGfLRKW+P/22f+Cytj4E8KWlhNfab4z+JNro7WFro+m6Z9j8L+DZGaJJoWgMzOLlXicSAtJv8qNSVT735ufEb9ur4rfE/wAIQ+HdQ8Zapa+Hbe0/s9NL04iyt2tf3mIJfKCtOg82Qfv2kJ3tkkkk+SKCxwOSeAB3rowvDcIvmru/kgxXEU5K1JWfd9PRGr438c6x8SvFV5rniDU77WNY1BxJc3l3MZZpiAFGWPOAoCgdAAAMAAVlUrKUYqwKspwQe1JX06SSsj5pybd2f//Z'><div class='header'><div>YOUR FILES ARE ENCRYPTED</div></div><div class='bold'>Your PC security is at risk</span></div><div class='bold'>All your files were encrypted and important data was copied to our storage</span></div><div class='bold'>If you do not need your files, then the private key will be deleted within 5 days</span></div><div class='bold'>If you want to restore files and return important data,<input type="button" value="start UTOX" onclick="vbscript:RunUTOX ( )"/> application, contact the operator and enter YOUR ID </span><font color=Lime> MUYKSRQK7</font></div><div class='bold'>ID of your personal operator </span><font color=Blue> 204E91D375BADE81DC528EFCC105A5D046DB92FCC4B75F08E151053DCD8D5025DA55D689165D</font></div></div><div class='bold'>If the Operator did not respond within 24 hours or encountered any problem then send an email to our support </span><font color=Blue>[email protected]</font></div><div class='bold'>In the header of the letter, indicate your ID and attach 2-3 infected files for the decryption tool</span></div><div class='bold'>Files should not have important information and should not exceed the size of more than 5 MB</span></div><div class='bold'>As our guarantees, we will return your files restored</span></div><div class='note alert'><div class='title'>Attention!</div><ul><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li><li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</div></li><div class='countdown'><p class='timer'><span id='days'></span>:<span id='hours'></span>:<span id='minutes'></span>:<span id='seconds'></span></p></div></ul></div></body></html>
Emails

color=Blue>[email protected]</font></div><div

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\Readme.README

Ransom Note
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Path

C:\Users\How To Restore Your Files.txt

Ransom Note
############## [ babuk ransomware greetings you ] ############## Introduction ---------------------------------------------- Congratulations! If you see this note, your company've been randomly chosen for security audit and your company haven't passed it. Unfortunately your servers are encrypted, backups are encrtypted too or deleted. Our enctyption algorythms are strong and it's impossible to decrypt your stuff without our help. Only one method to restore all your network and systems is - to buy our universal decryption software. Follow simple steps that discribed down below and your data will be saved. In case you ignore this situation, the consequences could me much serious, than you can imagine. Guarantees ---------------------------------------------- The hack and system encryption wasn't compromised by your competitors or any other 3rd party, this is just and only our initiative and only thing we interested is profit. Accurding the previous sentence We are very much value of our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We guarantee full support and help through the all decryption process. As the proof of our abilities and honesty, we can decrypt few small files for free, check the link provided and ask any questions. Data leakage ---------------------------------------------- We have copied some quantity of data from your servers. Check those proofs and estimate the seriousness of consequences which can occur in case you ignore us: http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/85a561daffd57e8d98486ad0647dcbb578c2a6d0f0269a4c4f9acce1798ade42/ This link is private and only you can see it. Use tor browser to open link. Ignoring the interaction with us brings you the publishing your data in our public blog http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/ Contact ---------------------------------------------- 1) Download tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/546838a4129734c99d8356153e220af78e7863cf49ac908304b07cd97192508f * 6 simple steps do minimize harm from ransomware. ----------------------------------------------------------------------------------------------------------------- Thousands of companies around the world are struggling on ransomware these days, and the most of companies are making the same mistakes again and again. Let’s figure out how to minimize harm and do not be a dumb and pathetic donkey which will make fun for journalists and so on.. 1. If you see small fella malicious .exe file never load it to virustotal.com or any other virus researching website. Otherwise the info about the hack is not a secret anymore. The fact that your company is under ransomware attack is already known by filthy predators data security agents who will post in their pity twitters the fresh known news “OMG ANOTHER RANSOMWARE NOW IT’S “Your company name LLC!!!!! We are all gonna die aaaaaa halp” 2. No any public announcements about the hack or data leakage. And do not applicate to law enforcement. If you commit this actions, more serious consequences can occur and you pay much more than a ransom amount. Law structures like GDPR in this case can oblige you to pay huge fine. 3. As soon as you see your network compromised, follow the link inside any note and follow instructions. 4. Calm your employees. Explain them that this is a drill. And you test your network security systems. 5. If you decide to hire the data recovery company, obligate them to do not inform anyone and any third party about details of the attack. We strongly do not recommend to cooperate with data recovery company, because they do absolutely nothing that you can do by yourself and take money for it. all communications with hackers could be conducted by your it department indipendently without any extra payments. 6. Do not try to decrypt your data via 3rd party software. Most of ransomware use strong encryption algorthm and you can harm your files by using 3rd party decryption software.
URLs

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/85a561daffd57e8d98486ad0647dcbb578c2a6d0f0269a4c4f9acce1798ade42/

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/

http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/546838a4129734c99d8356153e220af78e7863cf49ac908304b07cd97192508f

Extracted

Path

C:\Program Files\READ-ME-NOW.txt

Family

jormungand

Ransom Note
Attention! infortrend!!!!!!! --------------------------------- What happened? We are Jormungand ransomware Your project source code and customer information. Important information has been downloaded. If you do not redeem it as soon as possible, it will be exposed and you will be responsible for the consequences. --------------------------------- How to get my files back? --------------------------------- The only way to recover the file is to contact us to buy the private key. Please contact us with your Unique Identifiler Key --------------------------------- What about guarantees? --------------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer ! --------------------------------- Our email address: [email protected] ----------------- Your Unique Identifiler Key: XE/lY3wguit770mqqppKldgd3myB5kod75sPptGcJhn5FHPqm2+emgolFv5m4Kq7iS1X0nm8jBZVdDHcCPf0HZVQkHrT32xfslh68ISa2/VDXtl+u0Qsi+RGe0CCJIVHIeDuColSjUMG9f8oEGBAkvz/saN4rJZgxYIUo7oh+/g=

Signatures

  • Clop family
    clop
  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

    ransomwareconti
  • Conti family
    conti
  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Crimsonrat family
    crimsonrat
  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • Fickerstealer family
    fickerstealer
  • GandCrab payload 2 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Gandcrab family
    gandcrab
  • Jormungand Ransomware

    Ransomware family first observed in March 2021.

    ransomwarejormungand
  • Jormungand family
    jormungand
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modiloader family
    modiloader
  • clop

    Ransomware discovered in early 2019 which has been actively developed since release.

    ransomwareclop
  • Clears Windows event logs 1 TTPs 64 IoCs
    evasionransomware
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 1 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 41 IoCs
    evasion
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:1432
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\rwjfk.bat" "
        2⤵
          PID:1592
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c wevtutil.exe el
            3⤵
              PID:4768
              • C:\Windows\system32\wevtutil.exe
                wevtutil.exe el
                4⤵
                  PID:5160
              • C:\Windows\system32\wevtutil.exe
                wevtutil.exe cl "AMSI/Debug"
                3⤵
                • Clears Windows event logs
                PID:5564
              • C:\Windows\system32\wevtutil.exe
                wevtutil.exe cl "AirSpaceChannel"
                3⤵
                • Clears Windows event logs
                PID:5740
              • C:\Windows\system32\wevtutil.exe
                wevtutil.exe cl "Analytic"
                3⤵
                • Clears Windows event logs
                PID:5920
              • C:\Windows\system32\wevtutil.exe
                wevtutil.exe cl "Application"
                3⤵
                  PID:6064
                • C:\Windows\system32\wevtutil.exe
                  wevtutil.exe cl "DirectShowFilterGraph"
                  3⤵
                    PID:5264
                  • C:\Windows\system32\wevtutil.exe
                    wevtutil.exe cl "DirectShowPluginControl"
                    3⤵
                      PID:5468
                    • C:\Windows\system32\wevtutil.exe
                      wevtutil.exe cl "Els_Hyphenation/Analytic"
                      3⤵
                      • Clears Windows event logs
                      PID:5516
                    • C:\Windows\system32\wevtutil.exe
                      wevtutil.exe cl "EndpointMapper"
                      3⤵
                      • Clears Windows event logs
                      PID:5844
                    • C:\Windows\system32\wevtutil.exe
                      wevtutil.exe cl "FirstUXPerf-Analytic"
                      3⤵
                      • Clears Windows event logs
                      PID:6480
                    • C:\Windows\system32\wevtutil.exe
                      wevtutil.exe cl "ForwardedEvents"
                      3⤵
                        PID:6548
                      • C:\Windows\system32\wevtutil.exe
                        wevtutil.exe cl "General Logging"
                        3⤵
                          PID:6732
                        • C:\Windows\system32\wevtutil.exe
                          wevtutil.exe cl "HardwareEvents"
                          3⤵
                            PID:6812
                          • C:\Windows\system32\wevtutil.exe
                            wevtutil.exe cl "IHM_DebugChannel"
                            3⤵
                            • Clears Windows event logs
                            PID:6892
                          • C:\Windows\system32\wevtutil.exe
                            wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
                            3⤵
                              PID:6936
                            • C:\Windows\system32\wevtutil.exe
                              wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
                              3⤵
                                PID:6984
                              • C:\Windows\system32\wevtutil.exe
                                wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
                                3⤵
                                • Clears Windows event logs
                                PID:7156
                              • C:\Windows\system32\wevtutil.exe
                                wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
                                3⤵
                                • Clears Windows event logs
                                PID:6484
                              • C:\Windows\system32\wevtutil.exe
                                wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
                                3⤵
                                  PID:6816
                                • C:\Windows\system32\wevtutil.exe
                                  wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
                                  3⤵
                                  • Clears Windows event logs
                                  PID:7128
                                • C:\Windows\system32\wevtutil.exe
                                  wevtutil.exe cl "Internet Explorer"
                                  3⤵
                                  • Clears Windows event logs
                                  PID:6320
                                • C:\Windows\system32\wevtutil.exe
                                  wevtutil.exe cl "Key Management Service"
                                  3⤵
                                  • Clears Windows event logs
                                  PID:6828
                                • C:\Windows\system32\wevtutil.exe
                                  wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
                                  3⤵
                                  • Clears Windows event logs
                                  PID:7120
                                • C:\Windows\system32\wevtutil.exe
                                  wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
                                  3⤵
                                  • Clears Windows event logs
                                  PID:7192
                                • C:\Windows\system32\wevtutil.exe
                                  wevtutil.exe cl "MF_MediaFoundationFrameServer"
                                  3⤵
                                  • Clears Windows event logs
                                  PID:7236
                                • C:\Windows\system32\wevtutil.exe
                                  wevtutil.exe cl "MedaFoundationVideoProc"
                                  3⤵
                                    PID:7288
                                  • C:\Windows\system32\wevtutil.exe
                                    wevtutil.exe cl "MedaFoundationVideoProcD3D"
                                    3⤵
                                    • Clears Windows event logs
                                    PID:7344
                                  • C:\Windows\system32\wevtutil.exe
                                    wevtutil.exe cl "MediaFoundationAsyncWrapper"
                                    3⤵
                                      PID:7400
                                    • C:\Windows\system32\wevtutil.exe
                                      wevtutil.exe cl "MediaFoundationContentProtection"
                                      3⤵
                                      • Clears Windows event logs
                                      PID:7460
                                    • C:\Windows\system32\wevtutil.exe
                                      wevtutil.exe cl "MediaFoundationDS"
                                      3⤵
                                        PID:7548
                                      • C:\Windows\system32\wevtutil.exe
                                        wevtutil.exe cl "MediaFoundationDeviceProxy"
                                        3⤵
                                        • Clears Windows event logs
                                        PID:7636
                                      • C:\Windows\system32\wevtutil.exe
                                        wevtutil.exe cl "MediaFoundationMP4"
                                        3⤵
                                          PID:7744
                                        • C:\Windows\system32\wevtutil.exe
                                          wevtutil.exe cl "MediaFoundationMediaEngine"
                                          3⤵
                                            PID:7844
                                          • C:\Windows\system32\wevtutil.exe
                                            wevtutil.exe cl "MediaFoundationPerformance"
                                            3⤵
                                            • Clears Windows event logs
                                            PID:7920
                                          • C:\Windows\system32\wevtutil.exe
                                            wevtutil.exe cl "MediaFoundationPerformanceCore"
                                            3⤵
                                            • Clears Windows event logs
                                            PID:8020
                                          • C:\Windows\system32\wevtutil.exe
                                            wevtutil.exe cl "MediaFoundationPipeline"
                                            3⤵
                                            • Clears Windows event logs
                                            PID:8120
                                          • C:\Windows\system32\wevtutil.exe
                                            wevtutil.exe cl "MediaFoundationPlatform"
                                            3⤵
                                              PID:7424
                                            • C:\Windows\system32\wevtutil.exe
                                              wevtutil.exe cl "MediaFoundationSrcPrefetch"
                                              3⤵
                                              • Clears Windows event logs
                                              PID:7584
                                            • C:\Windows\system32\wevtutil.exe
                                              wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
                                              3⤵
                                                PID:7668
                                              • C:\Windows\system32\wevtutil.exe
                                                wevtutil.exe cl "Microsoft-AppV-Client/Admin"
                                                3⤵
                                                • Clears Windows event logs
                                                PID:7872
                                              • C:\Windows\system32\wevtutil.exe
                                                wevtutil.exe cl "Microsoft-AppV-Client/Debug"
                                                3⤵
                                                  PID:8164
                                                • C:\Windows\system32\wevtutil.exe
                                                  wevtutil.exe cl "Microsoft-AppV-Client/Operational"
                                                  3⤵
                                                  • Clears Windows event logs
                                                  PID:7192
                                                • C:\Windows\system32\wevtutil.exe
                                                  wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
                                                  3⤵
                                                    PID:7856
                                                  • C:\Windows\system32\wevtutil.exe
                                                    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
                                                    3⤵
                                                    • Clears Windows event logs
                                                    PID:7752
                                                  • C:\Windows\system32\wevtutil.exe
                                                    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
                                                    3⤵
                                                      PID:7236
                                                    • C:\Windows\system32\wevtutil.exe
                                                      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
                                                      3⤵
                                                      • Clears Windows event logs
                                                      PID:8840
                                                    • C:\Windows\system32\wevtutil.exe
                                                      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
                                                      3⤵
                                                        PID:8948
                                                      • C:\Windows\system32\wevtutil.exe
                                                        wevtutil.exe cl "Microsoft-IE/Diagnostic"
                                                        3⤵
                                                          PID:9072
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:9200
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:8080
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:8300
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:8540
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:8708
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:7472
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:8252
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:8340
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:9500
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:9860
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:9932
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:8332
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:9328
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:4892
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
                                                          3⤵
                                                          • Clears Windows event logs
                                                          PID:2940
                                                        • C:\Windows\system32\wevtutil.exe
                                                          wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
                                                          3⤵
                                                            PID:3524
                                                          • C:\Windows\system32\wevtutil.exe
                                                            wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
                                                            3⤵
                                                              PID:5204
                                                            • C:\Windows\system32\wevtutil.exe
                                                              wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
                                                              3⤵
                                                              • Clears Windows event logs
                                                              PID:5288
                                                            • C:\Windows\system32\wevtutil.exe
                                                              wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
                                                              3⤵
                                                              • Clears Windows event logs
                                                              PID:5460
                                                            • C:\Windows\system32\wevtutil.exe
                                                              wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
                                                              3⤵
                                                                PID:5620
                                                              • C:\Windows\system32\wevtutil.exe
                                                                wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
                                                                3⤵
                                                                • Clears Windows event logs
                                                                PID:6296
                                                              • C:\Windows\system32\wevtutil.exe
                                                                wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
                                                                3⤵
                                                                • Clears Windows event logs
                                                                PID:7356
                                                              • C:\Windows\system32\wevtutil.exe
                                                                wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
                                                                3⤵
                                                                • Clears Windows event logs
                                                                PID:9476
                                                              • C:\Windows\system32\wevtutil.exe
                                                                wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
                                                                3⤵
                                                                • Clears Windows event logs
                                                                PID:4892
                                                              • C:\Windows\system32\wevtutil.exe
                                                                wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
                                                                3⤵
                                                                • Clears Windows event logs
                                                                PID:6512
                                                              • C:\Windows\system32\wevtutil.exe
                                                                wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
                                                                3⤵
                                                                • Clears Windows event logs
                                                                PID:8804
                                                              • C:\Windows\system32\wevtutil.exe
                                                                wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
                                                                3⤵
                                                                  PID:10052
                                                                • C:\Windows\system32\wevtutil.exe
                                                                  wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
                                                                  3⤵
                                                                  • Clears Windows event logs
                                                                  PID:5208
                                                                • C:\Windows\system32\wevtutil.exe
                                                                  wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
                                                                  3⤵
                                                                  • Clears Windows event logs
                                                                  PID:7120
                                                                • C:\Windows\system32\wevtutil.exe
                                                                  wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
                                                                  3⤵
                                                                    PID:9896
                                                                  • C:\Windows\system32\wevtutil.exe
                                                                    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
                                                                    3⤵
                                                                    • Clears Windows event logs
                                                                    PID:6528
                                                                  • C:\Windows\system32\wevtutil.exe
                                                                    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
                                                                    3⤵
                                                                    • Clears Windows event logs
                                                                    PID:7676
                                                                  • C:\Windows\system32\wevtutil.exe
                                                                    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
                                                                    3⤵
                                                                    • Clears Windows event logs
                                                                    PID:9656
                                                                  • C:\Windows\system32\wevtutil.exe
                                                                    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
                                                                    3⤵
                                                                    • Clears Windows event logs
                                                                    PID:5740
                                                                  • C:\Windows\system32\wevtutil.exe
                                                                    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
                                                                    3⤵
                                                                      PID:908
                                                                    • C:\Windows\system32\wevtutil.exe
                                                                      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
                                                                      3⤵
                                                                      • Clears Windows event logs
                                                                      PID:9160
                                                                    • C:\Windows\system32\wevtutil.exe
                                                                      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
                                                                      3⤵
                                                                        PID:5912
                                                                      • C:\Windows\system32\wevtutil.exe
                                                                        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
                                                                        3⤵
                                                                          PID:5552
                                                                        • C:\Windows\system32\wevtutil.exe
                                                                          wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
                                                                          3⤵
                                                                          • Clears Windows event logs
                                                                          PID:12804
                                                                        • C:\Windows\system32\wevtutil.exe
                                                                          wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
                                                                          3⤵
                                                                            PID:6052
                                                                          • C:\Windows\system32\wevtutil.exe
                                                                            wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
                                                                            3⤵
                                                                              PID:11448
                                                                            • C:\Windows\system32\wevtutil.exe
                                                                              wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
                                                                              3⤵
                                                                                PID:10476
                                                                              • C:\Windows\system32\wevtutil.exe
                                                                                wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
                                                                                3⤵
                                                                                • Clears Windows event logs
                                                                                PID:6640
                                                                              • C:\Windows\system32\wevtutil.exe
                                                                                wevtutil.exe cl "Microsoft-Windows-AppSruProv"
                                                                                3⤵
                                                                                • Clears Windows event logs
                                                                                PID:4000
                                                                              • C:\Windows\system32\wevtutil.exe
                                                                                wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
                                                                                3⤵
                                                                                • Clears Windows event logs
                                                                                PID:11408
                                                                              • C:\Windows\system32\wevtutil.exe
                                                                                wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
                                                                                3⤵
                                                                                • Clears Windows event logs
                                                                                PID:11292
                                                                              • C:\Windows\system32\wevtutil.exe
                                                                                wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
                                                                                3⤵
                                                                                  PID:11684
                                                                                • C:\Windows\system32\wevtutil.exe
                                                                                  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
                                                                                  3⤵
                                                                                  • Clears Windows event logs
                                                                                  PID:17240
                                                                                • C:\Windows\system32\wevtutil.exe
                                                                                  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
                                                                                  3⤵
                                                                                    PID:6696
                                                                                  • C:\Windows\system32\wevtutil.exe
                                                                                    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
                                                                                    3⤵
                                                                                    • Clears Windows event logs
                                                                                    PID:5400
                                                                                  • C:\Windows\system32\wevtutil.exe
                                                                                    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
                                                                                    3⤵
                                                                                      PID:13436
                                                                                    • C:\Windows\system32\wevtutil.exe
                                                                                      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
                                                                                      3⤵
                                                                                        PID:3652
                                                                                      • C:\Windows\system32\wevtutil.exe
                                                                                        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
                                                                                        3⤵
                                                                                        • Clears Windows event logs
                                                                                        PID:15412
                                                                                    • C:\Windows\system32\OpenWith.exe
                                                                                      C:\Windows\system32\OpenWith.exe -Embedding
                                                                                      2⤵
                                                                                        PID:5580
                                                                                      • C:\Windows\System32\rundll32.exe
                                                                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                        2⤵
                                                                                          PID:3916
                                                                                        • C:\Windows\explorer.exe
                                                                                          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                          2⤵
                                                                                            PID:10176
                                                                                          • C:\Windows\System32\rundll32.exe
                                                                                            C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
                                                                                            2⤵
                                                                                              PID:10836
                                                                                            • C:\Windows\System32\rundll32.exe
                                                                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
                                                                                              2⤵
                                                                                                PID:15760
                                                                                              • C:\Windows\System32\vdsldr.exe
                                                                                                C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                2⤵
                                                                                                  PID:16304
                                                                                                • C:\Windows\System32\rundll32.exe
                                                                                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                  2⤵
                                                                                                    PID:8940
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                  1⤵
                                                                                                    PID:408
                                                                                                  • C:\Program Files\7-Zip\7zFM.exe
                                                                                                    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00430.7z"
                                                                                                    1⤵
                                                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                    PID:3844
                                                                                                  • C:\Windows\system32\taskmgr.exe
                                                                                                    "C:\Windows\system32\taskmgr.exe" /4
                                                                                                    1⤵
                                                                                                    • Checks SCSI registry key(s)
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                    • Suspicious use of SendNotifyMessage
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:4152
                                                                                                    • C:\Windows\system32\taskmgr.exe
                                                                                                      "C:\Windows\system32\taskmgr.exe" /1
                                                                                                      2⤵
                                                                                                      • Checks SCSI registry key(s)
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                      PID:4492
                                                                                                      • C:\Windows\explorer.exe
                                                                                                        "C:\Windows\explorer.exe"
                                                                                                        3⤵
                                                                                                          PID:13824
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                                                                      1⤵
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:2044
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        "C:\Windows\system32\cmd.exe"
                                                                                                        2⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:468
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Agent.gen-4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba.exe
                                                                                                          HEUR-Trojan-Ransom.MSIL.Agent.gen-4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba.exe
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:4444
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f736e177111036ad57bcc6df830b5c4b03b0356623a30006fea1edd6b4a026c1.exe
                                                                                                          HEUR-Trojan-Ransom.MSIL.Blocker.gen-f736e177111036ad57bcc6df830b5c4b03b0356623a30006fea1edd6b4a026c1.exe
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:3260
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Encoder.gen-84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb.exe
                                                                                                          HEUR-Trojan-Ransom.MSIL.Encoder.gen-84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb.exe
                                                                                                          3⤵
                                                                                                          • Modifies WinLogon for persistence
                                                                                                          • Executes dropped EXE
                                                                                                          • Sets desktop wallpaper using registry
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:4744
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Foreign.gen-5dcb736bf556729b30654fe97da034c1ccd7471f7587cb82dc33f4aef2248b9c.exe
                                                                                                          HEUR-Trojan-Ransom.MSIL.Foreign.gen-5dcb736bf556729b30654fe97da034c1ccd7471f7587cb82dc33f4aef2248b9c.exe
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:612
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
                                                                                                          HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Adds Run key to start application
                                                                                                          • Drops file in Windows directory
                                                                                                          • Modifies registry class
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:1592
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
                                                                                                          HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
                                                                                                          3⤵
                                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                          • Checks BIOS information in registry
                                                                                                          • Executes dropped EXE
                                                                                                          • Identifies Wine through registry keys
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:2448
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Conti.gen-f7b83f07f6fec1df0fa73c935c96dc2ec8fbe0de3b17bb56f9963c92c22715c3.exe
                                                                                                          HEUR-Trojan-Ransom.Win32.Conti.gen-f7b83f07f6fec1df0fa73c935c96dc2ec8fbe0de3b17bb56f9963c92c22715c3.exe
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:4056
                                                                                                          • C:\Windows\SYSTEM32\cmd.exe
                                                                                                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete
                                                                                                            4⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:4172
                                                                                                            • C:\Windows\System32\wbem\WMIC.exe
                                                                                                              C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete
                                                                                                              5⤵
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:2228
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe
                                                                                                          HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetThreadContext
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:1892
                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe
                                                                                                            HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe
                                                                                                            4⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:2028
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-ac978f6aaf36d1d90c35e6dc7ae010a19082794d3391ea0111112aed7507f708.exe
                                                                                                          HEUR-Trojan-Ransom.Win32.Encoder.gen-ac978f6aaf36d1d90c35e6dc7ae010a19082794d3391ea0111112aed7507f708.exe
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:1600
                                                                                                        • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exe
                                                                                                          HEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exe
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:2424
                                                                                                          • C:\Windows\SysWOW64\grpconv.exe
                                                                                                            C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exe
                                                                                                            4⤵
                                                                                                              PID:4392
                                                                                                              • C:\Windows\SysWOW64\iexpress.exe
                                                                                                                /cfg "C:\Users\Admin\AppData\Local\Temp\880B.tmp" /crypt "*"
                                                                                                                5⤵
                                                                                                                  PID:5868
                                                                                                            • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exe
                                                                                                              HEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exe
                                                                                                              3⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:1480
                                                                                                            • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-517b9d1b3a1f758db6c45fd6d3b6d508c5e26690e7391f23798151d81db471f6.exe
                                                                                                              HEUR-Trojan-Ransom.Win32.GandCrypt.gen-517b9d1b3a1f758db6c45fd6d3b6d508c5e26690e7391f23798151d81db471f6.exe
                                                                                                              3⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:2444
                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 484
                                                                                                                4⤵
                                                                                                                • Program crash
                                                                                                                PID:4444
                                                                                                            • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Generic-4770a0447ebc83a36e590da8d01ff4a418d58221c1f44d21f433aaf18fad5a99.exe
                                                                                                              HEUR-Trojan-Ransom.Win32.Generic-4770a0447ebc83a36e590da8d01ff4a418d58221c1f44d21f433aaf18fad5a99.exe
                                                                                                              3⤵
                                                                                                                PID:7788
                                                                                                              • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Agent.aztk-430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9.exe
                                                                                                                Trojan-Ransom.Win32.Agent.aztk-430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9.exe
                                                                                                                3⤵
                                                                                                                  PID:1504
                                                                                                                  • C:\Windows\SysWOW64\mode.com
                                                                                                                    mode con cp select=125 vssadmin delete shadows /all
                                                                                                                    4⤵
                                                                                                                      PID:1492
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im msaccess.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:5680
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im sqlagent.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:10852
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im mspub.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:12076
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im ocssd.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:11588
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im tbirdconfig.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:6680
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im sqlbrowser.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:10940
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im mydesktopqos.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:13176
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im dbsnmp.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:11772
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im thebat64.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:12912
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im thunderdird.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:9904
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im sqbcoreservice.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:12380
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im encsvc.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:7600
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im winword.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:628
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im dbeng50.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:11336
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im ocomm.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:9928
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im ocautoupds.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:10124
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im visio.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:11468
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im firefoxconfig.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:9304
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im sqlservr.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:11632
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im infopath.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:12740
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im thebat.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:9540
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im excel.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:8048
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im outlook.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:11076
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im mysqld.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:12236
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im notepad.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:5708
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im sqlserver.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:6416
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im powerpnt.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:11380
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im msftesql.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:6408
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im xfsssvccon.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:7272
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im onenote.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:4152
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im notepad++.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:8828
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im synctime.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:10096
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im agntsvc.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:1304
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im sqlwriter.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:11504
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im mysql-nt.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:852
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im wordpad.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:10848
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im isqlplussvc.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:9424
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im mydesktopservice.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:11464
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im oracle.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:13228
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im steam.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:8624
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill.exe /f /im mysql-opt.exe
                                                                                                                      4⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:3756
                                                                                                                    • C:\Windows\SysWOW64\mode.com
                                                                                                                      mode con cp select=125 vssadmin delete shadows /all
                                                                                                                      4⤵
                                                                                                                        PID:14960
                                                                                                                    • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Babuk.a-f1719415abe4dcba0daef0a1e5c8994d1d3c0c659d3e0a11b34f307370dd8683.exe
                                                                                                                      Trojan-Ransom.Win32.Babuk.a-f1719415abe4dcba0daef0a1e5c8994d1d3c0c659d3e0a11b34f307370dd8683.exe
                                                                                                                      3⤵
                                                                                                                        PID:4036
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
                                                                                                                          4⤵
                                                                                                                            PID:12908
                                                                                                                            • C:\Windows\system32\vssadmin.exe
                                                                                                                              vssadmin.exe delete shadows /all /quiet
                                                                                                                              5⤵
                                                                                                                              • Interacts with shadow copies
                                                                                                                              PID:12348
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
                                                                                                                            4⤵
                                                                                                                              PID:4208
                                                                                                                              • C:\Windows\system32\vssadmin.exe
                                                                                                                                vssadmin.exe delete shadows /all /quiet
                                                                                                                                5⤵
                                                                                                                                • Interacts with shadow copies
                                                                                                                                PID:3676
                                                                                                                          • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.goxb-cb1b3b9b288a43eb267a75615da401aa7aef23624aeab21757707a7aea461728.exe
                                                                                                                            Trojan-Ransom.Win32.Blocker.goxb-cb1b3b9b288a43eb267a75615da401aa7aef23624aeab21757707a7aea461728.exe
                                                                                                                            3⤵
                                                                                                                              PID:11420
                                                                                                                            • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.jzec-6899e9866a8eda5acdde73e19d84777379922c4fcdc63d1d2b800f93f5684b8f.exe
                                                                                                                              Trojan-Ransom.Win32.Blocker.jzec-6899e9866a8eda5acdde73e19d84777379922c4fcdc63d1d2b800f93f5684b8f.exe
                                                                                                                              3⤵
                                                                                                                                PID:7472
                                                                                                                              • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.lckf-6d516f7d8af7bd535416236e60299dbcaad38f490716de3eae65c641f08b941b.exe
                                                                                                                                Trojan-Ransom.Win32.Blocker.lckf-6d516f7d8af7bd535416236e60299dbcaad38f490716de3eae65c641f08b941b.exe
                                                                                                                                3⤵
                                                                                                                                  PID:4176
                                                                                                                                • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.mwcs-97c559034eff5287d2a74db45e5e3d9014d322697729504960b313531727cd5e.exe
                                                                                                                                  Trojan-Ransom.Win32.Blocker.mwcs-97c559034eff5287d2a74db45e5e3d9014d322697729504960b313531727cd5e.exe
                                                                                                                                  3⤵
                                                                                                                                    PID:7128
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      "C:\Windows\system32\cmd.exe"
                                                                                                                                      4⤵
                                                                                                                                        PID:3872
                                                                                                                                        • C:\Windows\system32\vssadmin.exe
                                                                                                                                          vssadmin delete shadows /all /quiet
                                                                                                                                          5⤵
                                                                                                                                          • Interacts with shadow copies
                                                                                                                                          PID:1700
                                                                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                          wmic shadowcopy delete
                                                                                                                                          5⤵
                                                                                                                                            PID:1676
                                                                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                                                                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                                                                                                            5⤵
                                                                                                                                            • Modifies boot configuration data using bcdedit
                                                                                                                                            PID:13892
                                                                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                                                                            bcdedit /set {default} recoveryenabled no
                                                                                                                                            5⤵
                                                                                                                                            • Modifies boot configuration data using bcdedit
                                                                                                                                            PID:1320
                                                                                                                                          • C:\Windows\system32\wbadmin.exe
                                                                                                                                            wbadmin delete catalog -quiet
                                                                                                                                            5⤵
                                                                                                                                            • Deletes backup catalog
                                                                                                                                            PID:11368
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          "C:\Windows\system32\cmd.exe"
                                                                                                                                          4⤵
                                                                                                                                            PID:4764
                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                              netsh advfirewall set currentprofile state off
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                              PID:10708
                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                              netsh firewall set opmode mode=disable
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                              PID:1464
                                                                                                                                        • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.DoppelPaymer.bo-dada1919d1be39ad2a5edaa90e0ae2b45aa9550cd705628e30314d71cb3525d9.exe
                                                                                                                                          Trojan-Ransom.Win32.DoppelPaymer.bo-dada1919d1be39ad2a5edaa90e0ae2b45aa9550cd705628e30314d71cb3525d9.exe
                                                                                                                                          3⤵
                                                                                                                                            PID:4080
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 152
                                                                                                                                              4⤵
                                                                                                                                              • Program crash
                                                                                                                                              PID:8296
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 152
                                                                                                                                              4⤵
                                                                                                                                              • Program crash
                                                                                                                                              PID:10984
                                                                                                                                          • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Encoder.mbm-9e4addf136a3502fabc6a54723f08dc3e3ba50f5116e25a9027aef140788eb92.exe
                                                                                                                                            Trojan-Ransom.Win32.Encoder.mbm-9e4addf136a3502fabc6a54723f08dc3e3ba50f5116e25a9027aef140788eb92.exe
                                                                                                                                            3⤵
                                                                                                                                              PID:1740
                                                                                                                                            • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Encoder.qfn-8f3ce22b16c07fff1a586feb9eea8ccb5aa06e918657a0ae4a3f41b14de83995.exe
                                                                                                                                              Trojan-Ransom.Win32.Encoder.qfn-8f3ce22b16c07fff1a586feb9eea8ccb5aa06e918657a0ae4a3f41b14de83995.exe
                                                                                                                                              3⤵
                                                                                                                                                PID:3444
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                                                                                                  4⤵
                                                                                                                                                    PID:7728
                                                                                                                                            • C:\Windows\system32\vssvc.exe
                                                                                                                                              C:\Windows\system32\vssvc.exe
                                                                                                                                              1⤵
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:3100
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2444 -ip 2444
                                                                                                                                              1⤵
                                                                                                                                                PID:4460
                                                                                                                                              • C:\Windows\SysWOW64\werfault.exe
                                                                                                                                                werfault.exe /h /shared Global\8c7d1a4dee1642599ba3b43bb8d92150 /t 2208 /p 1480
                                                                                                                                                1⤵
                                                                                                                                                  PID:8080
                                                                                                                                                • C:\Windows\system32\vssvc.exe
                                                                                                                                                  C:\Windows\system32\vssvc.exe
                                                                                                                                                  1⤵
                                                                                                                                                    PID:10320
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4080 -ip 4080
                                                                                                                                                    1⤵
                                                                                                                                                      PID:10980
                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                                                                      1⤵
                                                                                                                                                        PID:15692
                                                                                                                                                      • C:\Windows\system32\wbengine.exe
                                                                                                                                                        "C:\Windows\system32\wbengine.exe"
                                                                                                                                                        1⤵
                                                                                                                                                          PID:9684
                                                                                                                                                        • C:\Windows\System32\vds.exe
                                                                                                                                                          C:\Windows\System32\vds.exe
                                                                                                                                                          1⤵
                                                                                                                                                            PID:6140

                                                                                                                                                          Network

                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                          Reconnaissance

                                                                                                                                                          Resource Development

                                                                                                                                                          Initial Access

                                                                                                                                                          Execution

                                                                                                                                                          Command and Scripting Interpreter

                                                                                                                                                          1
                                                                                                                                                          T1059

                                                                                                                                                          Windows Management Instrumentation

                                                                                                                                                          1
                                                                                                                                                          T1047

                                                                                                                                                          Persistence

                                                                                                                                                          Boot or Logon Autostart Execution

                                                                                                                                                          2
                                                                                                                                                          T1547

                                                                                                                                                          Registry Run Keys / Startup Folder

                                                                                                                                                          1
                                                                                                                                                          T1547.001

                                                                                                                                                          Winlogon Helper DLL

                                                                                                                                                          1
                                                                                                                                                          T1547.004

                                                                                                                                                          Create or Modify System Process

                                                                                                                                                          1
                                                                                                                                                          T1543

                                                                                                                                                          Windows Service

                                                                                                                                                          1
                                                                                                                                                          T1543.003

                                                                                                                                                          Privilege Escalation

                                                                                                                                                          Boot or Logon Autostart Execution

                                                                                                                                                          2
                                                                                                                                                          T1547

                                                                                                                                                          Registry Run Keys / Startup Folder

                                                                                                                                                          1
                                                                                                                                                          T1547.001

                                                                                                                                                          Winlogon Helper DLL

                                                                                                                                                          1
                                                                                                                                                          T1547.004

                                                                                                                                                          Create or Modify System Process

                                                                                                                                                          1
                                                                                                                                                          T1543

                                                                                                                                                          Windows Service

                                                                                                                                                          1
                                                                                                                                                          T1543.003

                                                                                                                                                          Defense Evasion

                                                                                                                                                          Direct Volume Access

                                                                                                                                                          1
                                                                                                                                                          T1006

                                                                                                                                                          Impair Defenses

                                                                                                                                                          1
                                                                                                                                                          T1562

                                                                                                                                                          Disable or Modify System Firewall

                                                                                                                                                          1
                                                                                                                                                          T1562.004

                                                                                                                                                          Indicator Removal

                                                                                                                                                          4
                                                                                                                                                          T1070

                                                                                                                                                          Clear Windows Event Logs

                                                                                                                                                          1
                                                                                                                                                          T1070.001

                                                                                                                                                          File Deletion

                                                                                                                                                          3
                                                                                                                                                          T1070.004

                                                                                                                                                          Modify Registry

                                                                                                                                                          3
                                                                                                                                                          T1112

                                                                                                                                                          Virtualization/Sandbox Evasion

                                                                                                                                                          2
                                                                                                                                                          T1497

                                                                                                                                                          Credential Access

                                                                                                                                                          Discovery

                                                                                                                                                          Peripheral Device Discovery

                                                                                                                                                          1
                                                                                                                                                          T1120

                                                                                                                                                          Query Registry

                                                                                                                                                          5
                                                                                                                                                          T1012

                                                                                                                                                          System Information Discovery

                                                                                                                                                          4
                                                                                                                                                          T1082

                                                                                                                                                          System Location Discovery

                                                                                                                                                          1
                                                                                                                                                          T1614

                                                                                                                                                          System Language Discovery

                                                                                                                                                          1
                                                                                                                                                          T1614.001

                                                                                                                                                          Virtualization/Sandbox Evasion

                                                                                                                                                          2
                                                                                                                                                          T1497

                                                                                                                                                          Lateral Movement

                                                                                                                                                          Collection

                                                                                                                                                          Command and Control

                                                                                                                                                          Exfiltration

                                                                                                                                                          Impact

                                                                                                                                                          Defacement

                                                                                                                                                          1
                                                                                                                                                          T1491

                                                                                                                                                          Inhibit System Recovery

                                                                                                                                                          4
                                                                                                                                                          T1490

                                                                                                                                                          Replay Monitor

                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                          Downloads

                                                                                                                                                          • C:\Program Files (x86)\desktop.ini.NSACS
                                                                                                                                                            Filesize

                                                                                                                                                            2KB

                                                                                                                                                            MD5

                                                                                                                                                            a033f65cc101fd273b4ee1d2fb85ea91

                                                                                                                                                            SHA1

                                                                                                                                                            2e775653a05d96bdc98f1f396ae76f3fc1fb3d04

                                                                                                                                                            SHA256

                                                                                                                                                            f7fa9c61717882b40fc0bbec40b23a5014d1670e2dc643bb14a795e4031e87b9

                                                                                                                                                            SHA512

                                                                                                                                                            977d1c84b6f4a33c75a827ef3f7d986b41b20016b8c270f62848cb3d900cbdfe2618895d411aedd18bf86db3d2f64c1e1f79bd1c960ca722341d32f08f0bb6db

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Program Files\CheckpointDebug.jfif.NSACS
                                                                                                                                                            Filesize

                                                                                                                                                            414KB

                                                                                                                                                            MD5

                                                                                                                                                            c0a1c5419506619e4764cb1be97a4ffc

                                                                                                                                                            SHA1

                                                                                                                                                            61307d112b790022bb1defa18e3c34fd4a1dbff3

                                                                                                                                                            SHA256

                                                                                                                                                            60caa59b542f0b6389dca76801c597fabed42892a92ceba3fed42361394fda43

                                                                                                                                                            SHA512

                                                                                                                                                            920a55362f9f0d0ab4fb891f92a2b4663568278ace63d1c565c625d99f8d4121bf578881e3cfc6e4005bfe1cb077d6879af70f0ca071bb9263261ee0d839dc83

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll MUYKSRQK7.waiting.pysa MUYKSRQK7.waiting.id[AF2E6DA0-2822].[[email protected]].eight
                                                                                                                                                            Filesize

                                                                                                                                                            2.7MB

                                                                                                                                                            MD5

                                                                                                                                                            65db2a9e41d0e182344387be7a8daa31

                                                                                                                                                            SHA1

                                                                                                                                                            bb15627d815d80974c2846414c9fa88fcb19cfe0

                                                                                                                                                            SHA256

                                                                                                                                                            888efe60e57f7ef7d6d1868422e819e161b0f97e18c37fbeb0b6e9e7a382488c

                                                                                                                                                            SHA512

                                                                                                                                                            85a7aef73130e9e85e0e0b7c4de605fe12f6510e3ea80b774c17f81931b669de6211643c1caf63d17620e851423b179619e13033dcb66bbc0141cc374e333612

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Program Files\CompleteUnblock.search-ms.NSACS
                                                                                                                                                            Filesize

                                                                                                                                                            271KB

                                                                                                                                                            MD5

                                                                                                                                                            03545770455830124100063b157b6ce8

                                                                                                                                                            SHA1

                                                                                                                                                            9e22484d696e3f7adea8f5776af666eb87d5aa27

                                                                                                                                                            SHA256

                                                                                                                                                            8f0adc41e562326932299aa5881681361115ecee36d534e5a142a76363f7b600

                                                                                                                                                            SHA512

                                                                                                                                                            9440653bd70a1bb0b5716b7fe60f2025c0fd84298f7940337bf66bc2b39644d8296bb1e3e30353584958232efc929751af25af3d7e09aad5ea784f3165684a68

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.NSACS MUYKSRQK7.waiting
                                                                                                                                                            Filesize

                                                                                                                                                            59KB

                                                                                                                                                            MD5

                                                                                                                                                            120deffe491179676c1adee2477fae06

                                                                                                                                                            SHA1

                                                                                                                                                            67b4867c41815cf5eaf7aeb6bf8b0410131f4141

                                                                                                                                                            SHA256

                                                                                                                                                            b3bb9805ee3342e307fd5f385ce9311c250aaa47bfc36bdf0c25e08e06fee0e2

                                                                                                                                                            SHA512

                                                                                                                                                            100d58820d52eb833e1a3f2a18f09618d4738e6500546d7ebe2ed4ecb57cc72a88cf24643d732c953221864676339d3f90ecb715a4be930bce7db70900df6e1c

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Program Files\READ-ME-NOW.txt
                                                                                                                                                            Filesize

                                                                                                                                                            1KB

                                                                                                                                                            MD5

                                                                                                                                                            c55489c93b312a00aafd632fbb9f07ea

                                                                                                                                                            SHA1

                                                                                                                                                            d55b00a1fde3e2db257c9179125a99ca07eaa9b2

                                                                                                                                                            SHA256

                                                                                                                                                            23bf2a149a35162c2caeaebe24a1d9c9fa3b61f215437422528ff4e75a662ee6

                                                                                                                                                            SHA512

                                                                                                                                                            664cf177c915552739a330b21cc34a500ce97d3a578786b6b56cd56638d8a72f26b6c3afd03c9b84efce08462992a2d127436fda664c84a50f399dd8e70778ec

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-3227495264-2217614367-4027411560-1000-MergedResources-0.pri MUYKSRQK7.waiting
                                                                                                                                                            Filesize

                                                                                                                                                            7KB

                                                                                                                                                            MD5

                                                                                                                                                            f68787570eccb3939e761812312dbc7e

                                                                                                                                                            SHA1

                                                                                                                                                            3fe0c160f89557bff32b58fac12795adb9c00ad9

                                                                                                                                                            SHA256

                                                                                                                                                            e15cef222252b3f016aeb6be99942a14da13d7f6e02f8a298207b9f4fdd05ebd

                                                                                                                                                            SHA512

                                                                                                                                                            b6c5dbc46efec3e6950d9409b7d93f233e1205b71a7630c9aac3eb26463bbc4b959a1f12ede97139650230c41bdc333a3d3149fc5bbf27e2c35d1dc29601ba00

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-3227495264-2217614367-4027411560-1000-MergedResources-0.pri MUYKSRQK7.waiting
                                                                                                                                                            Filesize

                                                                                                                                                            131KB

                                                                                                                                                            MD5

                                                                                                                                                            67b5b1f499e71f80044f70ddfbe65415

                                                                                                                                                            SHA1

                                                                                                                                                            6d7c4bf5ceaec6e1b70c2c13e7b2b34a1c5f48b6

                                                                                                                                                            SHA256

                                                                                                                                                            84ccc1a0a4aa5ae3015e3722f09fbc55e14d38c323589937d1838134b8e52540

                                                                                                                                                            SHA512

                                                                                                                                                            ccec7b7067e6ce730c2304e69099f9b750622a9f5672dd31a01aa14599c4f637a765bc2c2ebb212053634589911aaea1d7948a3a9cff58286b6b845f9c1ff6b1

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ReadMe.hta.pysa MUYKSRQK7.waiting
                                                                                                                                                            Filesize

                                                                                                                                                            12KB

                                                                                                                                                            MD5

                                                                                                                                                            f07cd84d83ca4dc1f76cc9e286b14b50

                                                                                                                                                            SHA1

                                                                                                                                                            35ca52af4309edb144220c75a60515c38215477a

                                                                                                                                                            SHA256

                                                                                                                                                            76bd279a5144c5147935185301835662504489d1a8d059fe8c1823e0bbb59ef7

                                                                                                                                                            SHA512

                                                                                                                                                            f51b992a56a2b5fc74abf58025545b55fc7b9511651b7f44afa6e4f3dddec6378e2b00377ab9e152dc86295abab487e20cf38d79d8c17788908f783c059b8d72

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Trojan-Ransom.Win32.Blocker.mwcs-97c559034eff5287d2a74db45e5e3d9014d322697729504960b313531727cd5e.exe
                                                                                                                                                            Filesize

                                                                                                                                                            137KB

                                                                                                                                                            MD5

                                                                                                                                                            a34ceb9c75ceaceb5998ca0af804c50a

                                                                                                                                                            SHA1

                                                                                                                                                            944c5d84adf205ec927aa7d31b083dc49dcb7cc3

                                                                                                                                                            SHA256

                                                                                                                                                            97c559034eff5287d2a74db45e5e3d9014d322697729504960b313531727cd5e

                                                                                                                                                            SHA512

                                                                                                                                                            893e070cbd6a7ddd04e66bb19ee5c5658429aba76185922c3c0813e349ed7646381b400975c6d3193b0dbe137c86ec3b3a51a0538184a772647470e8da5173ad

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\ProgramData\gw\emcilrr.sfm
                                                                                                                                                            Filesize

                                                                                                                                                            6KB

                                                                                                                                                            MD5

                                                                                                                                                            ab8de01b82ba7b66ca05e5cdc2a770f3

                                                                                                                                                            SHA1

                                                                                                                                                            513800aaab2994632de43bebcc5caf71aba87c5c

                                                                                                                                                            SHA256

                                                                                                                                                            8ffa53207f59fcaba6e27363469db61cbd283c1d9fac96480cbbbe6824a41599

                                                                                                                                                            SHA512

                                                                                                                                                            481c81f422f916bbd1f75b4fa1ec6ba8e66cb28ec4d08cff12efa1a04b87421d7920dc3050986795701dedbd654a9e4628b65705a1ebcbfbc694ee7939c62134

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\ProgramData\kaosdma.txt
                                                                                                                                                            Filesize

                                                                                                                                                            13B

                                                                                                                                                            MD5

                                                                                                                                                            17bcf11dc5f1fa6c48a1a856a72f1119

                                                                                                                                                            SHA1

                                                                                                                                                            873ec0cbd312762df3510b8cccf260dc0a23d709

                                                                                                                                                            SHA256

                                                                                                                                                            a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9

                                                                                                                                                            SHA512

                                                                                                                                                            9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\ProgramData\kaosdma.txt
                                                                                                                                                            Filesize

                                                                                                                                                            547B

                                                                                                                                                            MD5

                                                                                                                                                            9697603eeb04802ee78ff9be2e5bf21c

                                                                                                                                                            SHA1

                                                                                                                                                            0cfbd0208e0370a67ecb9c8d7a74ad14287ce15c

                                                                                                                                                            SHA256

                                                                                                                                                            17546cb99dee8dc6adce9423383ca1ff5b2d59ad0717899dc26c2fbe8cb9a681

                                                                                                                                                            SHA512

                                                                                                                                                            7252caa45705d18e1e88059df53481406c908dbbdac8ac0651fabf6154ef100095c967d7181c703257ba2c28009bf6b9c38d1408c69c73e4ca57cd42b54c5caf

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\ProgramData\readme.txt
                                                                                                                                                            Filesize

                                                                                                                                                            1KB

                                                                                                                                                            MD5

                                                                                                                                                            bbb9819791a10c933a1e75bcace17373

                                                                                                                                                            SHA1

                                                                                                                                                            57cdbc1e9df14cb0a5a1d2bdff746ca0200f06a2

                                                                                                                                                            SHA256

                                                                                                                                                            47cfbbcacb8ac8bc75aa21b3e65aa61f2db207e7bee00c64543e2346feb0f1f9

                                                                                                                                                            SHA512

                                                                                                                                                            7f29ae4075d00d1c9268d57298f1bce676ef94ae4d78d1c6ce003ebeb06ef3dd659d2c668324bf7524db851319dfe2ab261a9711603b3642aae6b8493990a005

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749
                                                                                                                                                            Filesize

                                                                                                                                                            7KB

                                                                                                                                                            MD5

                                                                                                                                                            d4bbfded6e00ad21ed03ff918b0ba76d

                                                                                                                                                            SHA1

                                                                                                                                                            ba14c3f3007c340421c1e4e0ee7b58574b585e43

                                                                                                                                                            SHA256

                                                                                                                                                            421c96c4a3fc845662f15f6b618050f6f5f34df85e89f05056547a0d720299bf

                                                                                                                                                            SHA512

                                                                                                                                                            f18ee8187ada6e77b5d5606aef00c72fd339456abb250ca6a60ecd30e7c8103604daada153fc6a7d0fb399f95d7cc70aa090c0e8e6ebd076dd2fd334e269e3e5

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                                                                                                                                                            Filesize

                                                                                                                                                            64KB

                                                                                                                                                            MD5

                                                                                                                                                            d2fb266b97caff2086bf0fa74eddb6b2

                                                                                                                                                            SHA1

                                                                                                                                                            2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                                                                                            SHA256

                                                                                                                                                            b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                                                                                            SHA512

                                                                                                                                                            c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                                                                                                                                                            Filesize

                                                                                                                                                            4B

                                                                                                                                                            MD5

                                                                                                                                                            f49655f856acb8884cc0ace29216f511

                                                                                                                                                            SHA1

                                                                                                                                                            cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                                                                            SHA256

                                                                                                                                                            7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                                                                            SHA512

                                                                                                                                                            599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                                                                                                                                                            Filesize

                                                                                                                                                            944B

                                                                                                                                                            MD5

                                                                                                                                                            6bd369f7c74a28194c991ed1404da30f

                                                                                                                                                            SHA1

                                                                                                                                                            0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                                                                                            SHA256

                                                                                                                                                            878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                                                                                            SHA512

                                                                                                                                                            8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000068.bin.partially.aes MUYKSRQK7.waiting
                                                                                                                                                            Filesize

                                                                                                                                                            5KB

                                                                                                                                                            MD5

                                                                                                                                                            ca6752c456bba4d797b1e1bb82eb13a6

                                                                                                                                                            SHA1

                                                                                                                                                            71257311b8c24ee38a53ecc41e649cb524b0f5a3

                                                                                                                                                            SHA256

                                                                                                                                                            f273ce5751a88048f59cbbae5f5830e8db28fa50c437250bcc2d7ea310d8044b

                                                                                                                                                            SHA512

                                                                                                                                                            0823d2cc89f80a76833767148f6eda1e46d5bd30b0dae0d61b28b95549a75e20b9e637535d9614b7771fde7e4700e7fdacb004a83ea4b2e9afd1de32a4fad49e

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
                                                                                                                                                            Filesize

                                                                                                                                                            174B

                                                                                                                                                            MD5

                                                                                                                                                            7a0207dd7569c94f65dae87a53b04abe

                                                                                                                                                            SHA1

                                                                                                                                                            74fa2d2ae2e1f4520310d423cd94261612bc8fed

                                                                                                                                                            SHA256

                                                                                                                                                            075e73157d59a2b725619315d6b66d3aac434238aa080d53954c0d5e72901741

                                                                                                                                                            SHA512

                                                                                                                                                            ec3b7327d8f017f76bceae5d2bc3a3be8d647d8ad1dd9718387acc14261d1d91472f0efbd11c73f478bbade1ed271bbc60bff1d13d5cc8a657e9a445f9dd61b2

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\readme.txt
                                                                                                                                                            Filesize

                                                                                                                                                            1KB

                                                                                                                                                            MD5

                                                                                                                                                            1024b18a84933715b346c8d0a20624f7

                                                                                                                                                            SHA1

                                                                                                                                                            6b73e35fe9d0f20c7de06bfa1223613127c98d02

                                                                                                                                                            SHA256

                                                                                                                                                            1037144a0b7c06523ef7025038154df3c659877a6b0cde2d1190f0766adf40c9

                                                                                                                                                            SHA512

                                                                                                                                                            01fefc285b2490b62704778ab9fce38e54f662f92aed904065a6f171327adb7392714e26374e8fae8541088c299b7c9bee8edd0e351a71513bc1c7df0a6e55ca

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat
                                                                                                                                                            Filesize

                                                                                                                                                            8KB

                                                                                                                                                            MD5

                                                                                                                                                            f5b7412faab6ae4ed7f3ab8dbba8e437

                                                                                                                                                            SHA1

                                                                                                                                                            200f4cb8f76e5bd9408fa20af9f893d0a0214818

                                                                                                                                                            SHA256

                                                                                                                                                            149d35f6dc91ea3117b7e49148a116481e37d0f540a24f954213c99c9c5ba18a

                                                                                                                                                            SHA512

                                                                                                                                                            c07da75f5ad2430bac9386470853590ca8ef136cc84634b6703d8d14cd6c8fcedbd8153a95ec94f4c7491bb8dd2c3dfbf27badc981ee4d17752e788005cd7859

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help
                                                                                                                                                            Filesize

                                                                                                                                                            36KB

                                                                                                                                                            MD5

                                                                                                                                                            af56de276c71c3a4a25f1efa8f147de8

                                                                                                                                                            SHA1

                                                                                                                                                            af3d36fb24702776bff6998064e5658b8c9020bd

                                                                                                                                                            SHA256

                                                                                                                                                            fccb8aac8f20f98c649ff0372481e80d749e3228d6aac3b013b925ffcabfcc34

                                                                                                                                                            SHA512

                                                                                                                                                            122c6b1f1949a259432dfd7c4e48234b766f1bfb77982929da8f7fee1315ec3ba2a7f762ae61440d951031b79078434699d1094211c8791c64eaee76410a1e62

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
                                                                                                                                                            Filesize

                                                                                                                                                            36KB

                                                                                                                                                            MD5

                                                                                                                                                            1dc0f879e2a49917350b4c7b6abf9c0f

                                                                                                                                                            SHA1

                                                                                                                                                            f758378f8841309c9b1b151dfeb4038b84a7ae85

                                                                                                                                                            SHA256

                                                                                                                                                            966b4e27a700c58754a5658d8cb3021b7c1e95eecaaaee1d910cc1c09c3ce289

                                                                                                                                                            SHA512

                                                                                                                                                            9da8dab2e0b606d04e42f1d6ab3d46a738f612e969b47f14df6cd6f47810f171a03a5d6ceb5b5c9180cbc0678054733316e108cd956cad90fe3c1458d09c2042

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_VideoLAN Website_url
                                                                                                                                                            Filesize

                                                                                                                                                            36KB

                                                                                                                                                            MD5

                                                                                                                                                            bf0d52d439d0eb26012195513854edca

                                                                                                                                                            SHA1

                                                                                                                                                            ff24a2b387bd9b1a192c0aeaed4171b5792ef339

                                                                                                                                                            SHA256

                                                                                                                                                            bafb223d62f5138e0ac6ffb4b0a8a41e95f8033938cc08df1544dcd275a159f0

                                                                                                                                                            SHA512

                                                                                                                                                            808b8bec7acb3c312b8b45adeb7524470fb333d0d470092033859bfc241d1b11213cad0974650afe16b3f2e430d64d3d2d9fff1f44152d7c47923330e7332a77

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_vlc_exe
                                                                                                                                                            Filesize

                                                                                                                                                            36KB

                                                                                                                                                            MD5

                                                                                                                                                            1a4225cf01f8fa4988f19de6b64a8415

                                                                                                                                                            SHA1

                                                                                                                                                            942ea70fbc1f37da024ce31db1ae4bbd6a313003

                                                                                                                                                            SHA256

                                                                                                                                                            5bb9e54f296d62fa0cf09f7e4f87e623d5ed351f9a92a033d1979542bb9eead5

                                                                                                                                                            SHA512

                                                                                                                                                            53dd8d989691f69ef00beb968cba0067c308d55a2b6c5731784acec32c03560a07c5276a8bc1b1ab42037e22f799c63c8dddd5b536aec7171342de0700176d6f

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{effa0606-8acb-413d-aea6-39359a1bc261}\0.1.filtertrie.intermediate.txt
                                                                                                                                                            Filesize

                                                                                                                                                            5B

                                                                                                                                                            MD5

                                                                                                                                                            6c6ded8e7989aee1e3d530433063c05f

                                                                                                                                                            SHA1

                                                                                                                                                            84580f52e49cc537cf36074808dd8eec67475a4b

                                                                                                                                                            SHA256

                                                                                                                                                            423770d76d4809a8ce01e6749df9abed066ef318f6c44f9604682ee26714671c

                                                                                                                                                            SHA512

                                                                                                                                                            aa0a6eae661a7f89a84304cc4e3bdd2afa0203787d15629806e38bf8cd947fb6557d73b4dd02acddf45d6e48952d2096c00b123767e9883fc33ff1d18c3f0fe6

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{effa0606-8acb-413d-aea6-39359a1bc261}\0.2.filtertrie.intermediate.txt
                                                                                                                                                            Filesize

                                                                                                                                                            5B

                                                                                                                                                            MD5

                                                                                                                                                            0f6ce70311a12d9a275da7943dbfceca

                                                                                                                                                            SHA1

                                                                                                                                                            fdf4d24925ef25686a08814df7feac8995b4591a

                                                                                                                                                            SHA256

                                                                                                                                                            2ec39cda54c74f5d7d584951a6fa63984df3635c66c011627a7f642ec0936ea3

                                                                                                                                                            SHA512

                                                                                                                                                            6e72271baf6d1db28a6b0b081137bec0ebad9c0636cec3de5f4bc7fc142e799846228751f6d1eb71d3c5d7d94cebf34da44e54cb6c449b5c8bb06080dee4db77

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{effa0606-8acb-413d-aea6-39359a1bc261}\Apps.index
                                                                                                                                                            Filesize

                                                                                                                                                            1.0MB

                                                                                                                                                            MD5

                                                                                                                                                            88b44bd9703f2c9e479fd7322448d4ad

                                                                                                                                                            SHA1

                                                                                                                                                            9af24549869fbae0a88599d40028727cc687711a

                                                                                                                                                            SHA256

                                                                                                                                                            1dd4dd0779a6bad373ebdeba56a05380fcdd358e30cf0d70fbfd957a807580aa

                                                                                                                                                            SHA512

                                                                                                                                                            4128113af2bff9d1a909b2c6d6f06308e9037b56ea186413943b96f2a6f12d1aff60cfe695903e7105492e3aac3d4f667b772e644dad3885bfab5beb61fa3de8

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656226049089.txt
                                                                                                                                                            Filesize

                                                                                                                                                            77KB

                                                                                                                                                            MD5

                                                                                                                                                            47cb265d93248bab1a8f0b35c6c59ca7

                                                                                                                                                            SHA1

                                                                                                                                                            91372d90d38ac17d084b0df2d31455c80dfd9ac6

                                                                                                                                                            SHA256

                                                                                                                                                            b74ac3385a2fb67d1ba7a603d0acba6a1976c33375f6889e4a9016a6763f97ab

                                                                                                                                                            SHA512

                                                                                                                                                            d488ec4482d09d594c882d8783e7a3d976d52d4bb3fb7f8b324f20ad340a9c761b49b2d0909249da4cbfdeecd796f1eb455527efe254081a70e945658f2b815b

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656623420834.txt
                                                                                                                                                            Filesize

                                                                                                                                                            47KB

                                                                                                                                                            MD5

                                                                                                                                                            80e813b17c241c6926575e82ffcb810f

                                                                                                                                                            SHA1

                                                                                                                                                            fe11dc450c2ae0aeaa9418bcf8cf166bc628df9a

                                                                                                                                                            SHA256

                                                                                                                                                            6490092d9ed143371558e53edceae4fffdaaccb46efa6bc57a21e7943ad192e9

                                                                                                                                                            SHA512

                                                                                                                                                            29931c0a3e7fb3cd98a9c6d72c85872db8be9a40da9dd62d9d42f4a256e233b9df8704e08b7dc304badabab34e9e1c9f26610626235c82b24082d65850ff50bf

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663536793873.txt
                                                                                                                                                            Filesize

                                                                                                                                                            63KB

                                                                                                                                                            MD5

                                                                                                                                                            94016bfe621814f5f12a6979ce3d2817

                                                                                                                                                            SHA1

                                                                                                                                                            0e53eb7212398e7481b11d415ce31f512b2a4328

                                                                                                                                                            SHA256

                                                                                                                                                            bb0c1a0d719308667dd8b28be8c54ca334f4ca1a52a43d2e19465740537a4597

                                                                                                                                                            SHA512

                                                                                                                                                            7e76070d5c2d8de5bee472d6c82244e36c1c870b25c82afa9d8cd374155a8ca3993067143b981e2d5e4b16911f186025501bd7ac55e35a46a8de1a1298d1e448

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666235612999.txt
                                                                                                                                                            Filesize

                                                                                                                                                            74KB

                                                                                                                                                            MD5

                                                                                                                                                            4f0a3dc4015eaf46572d54b7aa438b12

                                                                                                                                                            SHA1

                                                                                                                                                            19e967f4ec486b24babdb58167c19ceed828a658

                                                                                                                                                            SHA256

                                                                                                                                                            3173bca1511cc2678b66513c23390ce360b98324b3465e3afe52120b8ccdf138

                                                                                                                                                            SHA512

                                                                                                                                                            abbacc5f0207883871781313e6e4362e73f6c5f6b82a5def6c44e137b972b528692ff30becaf18088dff07c9c8026d05c9c5782e043fcebe39423db3221e0918

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2jhyjd5l.uzd.ps1
                                                                                                                                                            Filesize

                                                                                                                                                            60B

                                                                                                                                                            MD5

                                                                                                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                            SHA1

                                                                                                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                            SHA256

                                                                                                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                            SHA512

                                                                                                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\nwzzpn.jnm
                                                                                                                                                            Filesize

                                                                                                                                                            5KB

                                                                                                                                                            MD5

                                                                                                                                                            699f919670390a0000346ea408390a4b

                                                                                                                                                            SHA1

                                                                                                                                                            dfeb4a168b860d1f4ed0276bf861ad0aa89081e9

                                                                                                                                                            SHA256

                                                                                                                                                            98a9850f70e63835c02106167d2b602e97c85e5a71bd54f625f59a0a48e004dd

                                                                                                                                                            SHA512

                                                                                                                                                            2b13dbffc605ba6c13701d7935c62f29a2e4ddf3d0d759f84db39cee3c4712db5cbd19b7209b0ef7f46b7ada8d90ecc5cd1e777ca7e3ea174a32f019ce6a3faf

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\wct5356.tmp
                                                                                                                                                            Filesize

                                                                                                                                                            63KB

                                                                                                                                                            MD5

                                                                                                                                                            00327a89177bfd4eff28c0e102aae8fd

                                                                                                                                                            SHA1

                                                                                                                                                            18901e5ad2e5155c37eacf2290c2da2e02484a4d

                                                                                                                                                            SHA256

                                                                                                                                                            8c30240a8521a571915c2e24a1231a48d100f1de632bbeca272ae184bbf0d2b9

                                                                                                                                                            SHA512

                                                                                                                                                            f0b259abedba18055c0707935edb86afb9ce9514e3592709b0c30952893b7879523960282e465c61c3184f3cbee764aaf2288c36d1fff1ccd9ccb78e6e37408a

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\How To Restore Your Files.txt
                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            MD5

                                                                                                                                                            0eb150c295f90b14bf7df3b237f37e27

                                                                                                                                                            SHA1

                                                                                                                                                            b672955c0ad3872e09c56966fae2163b77fc2172

                                                                                                                                                            SHA256

                                                                                                                                                            a8771351c1b3f0feea14ade74d1e32b548757680b7d87b0fcac95499011f2b7f

                                                                                                                                                            SHA512

                                                                                                                                                            861744f8397080deba9467a57af9609521316067ed3c402c74ce52f9d9d736bedd1eed16602d1ec38c765da4c3ee5608bbc7b35af7ea6c8c85240c0de822374e

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\places.sqlite-shm
                                                                                                                                                            Filesize

                                                                                                                                                            32KB

                                                                                                                                                            MD5

                                                                                                                                                            8fd1da9d29e591c1ff5fb683206a6ac8

                                                                                                                                                            SHA1

                                                                                                                                                            184b4179e206d539dfaeaf618b410f4e2d1a0029

                                                                                                                                                            SHA256

                                                                                                                                                            f0dc64fadc0f2e3e53f1e9d432aba1f0be99160f7c73879194b9523453a2dcd7

                                                                                                                                                            SHA512

                                                                                                                                                            afaac7f2a9b5ce16fc5dbc1370cccd0feb714f1a61e8a49a68aecfd3e0a45762aee1fa96fcca15f836ca1122b2a8ae4f872e103d0cf068a9a99bcd4a71084c0a

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Agent.gen-4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba.exe
                                                                                                                                                            Filesize

                                                                                                                                                            281KB

                                                                                                                                                            MD5

                                                                                                                                                            729c2918dc64b8c7750a5efa59e215e5

                                                                                                                                                            SHA1

                                                                                                                                                            4ad60c973f975261924ea4bcbe3560a7dcda95b3

                                                                                                                                                            SHA256

                                                                                                                                                            4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba

                                                                                                                                                            SHA512

                                                                                                                                                            bb9c738ad0844b95de518817a942d54c5b8e7b4b1a428f7c0d6f0625a6a76efad60483c51cbd1e9317694a04535ebf5e91542f63a20a8c0153801a93d96bab6b

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Agent.gen-4bf8dae17c6df636b4a077e4cfb9f19944de098e0ea552c8cdd582437824d5ba.exe
                                                                                                                                                            Filesize

                                                                                                                                                            281KB

                                                                                                                                                            MD5

                                                                                                                                                            1e1f873a11b679457ae26b099308f270

                                                                                                                                                            SHA1

                                                                                                                                                            c793c1bc275787b3806b0b9f206b947ad5f6b365

                                                                                                                                                            SHA256

                                                                                                                                                            e57eaf250758f9834f9a87abeab5262db96e90ee72852a8f2aadbdb315b6dc7e

                                                                                                                                                            SHA512

                                                                                                                                                            dbbaee5eda2586c874c2d9f39490aa41824f149630d99ff6a6f463cf3fc66df4a444065a30a40007af9de46cafe67c0ead181f8f85ebb7f54649c68e0d1ab22c

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Blocker.gen-f736e177111036ad57bcc6df830b5c4b03b0356623a30006fea1edd6b4a026c1.exe
                                                                                                                                                            Filesize

                                                                                                                                                            2.2MB

                                                                                                                                                            MD5

                                                                                                                                                            fa4ef6c0bc5393889de62ed7488cd82c

                                                                                                                                                            SHA1

                                                                                                                                                            0bc55bd395b19179c5f0ebde318d2c64388c3880

                                                                                                                                                            SHA256

                                                                                                                                                            f736e177111036ad57bcc6df830b5c4b03b0356623a30006fea1edd6b4a026c1

                                                                                                                                                            SHA512

                                                                                                                                                            4a40cce2fff0e0dddd607bcdf4427cf82585b9a528c67a08fa387d1eeb7a0a377f39c1266da3c466b952e630bf052ee35835779ba6a70820da608187a5ef6e06

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Encoder.gen-84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb.exe
                                                                                                                                                            Filesize

                                                                                                                                                            441KB

                                                                                                                                                            MD5

                                                                                                                                                            90f9a62dc1145821e357c795501ab1b3

                                                                                                                                                            SHA1

                                                                                                                                                            4430b9ff2ffacceb182e2cacdea530abd0174166

                                                                                                                                                            SHA256

                                                                                                                                                            84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb

                                                                                                                                                            SHA512

                                                                                                                                                            ed2943c5ad9152b810ee3fd2abae0aface3aba11257f1b1f88093e59d475ddd10733b20b547e879dadd288d7298424e6f8383bda2eef471701fad3b9ed4af37a

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.MSIL.Foreign.gen-5dcb736bf556729b30654fe97da034c1ccd7471f7587cb82dc33f4aef2248b9c.exe
                                                                                                                                                            Filesize

                                                                                                                                                            9.7MB

                                                                                                                                                            MD5

                                                                                                                                                            4a8fdd5b9b821830f1e4a392abd1b346

                                                                                                                                                            SHA1

                                                                                                                                                            33e50a79caafb463cec6941269e3e5c764933732

                                                                                                                                                            SHA256

                                                                                                                                                            5dcb736bf556729b30654fe97da034c1ccd7471f7587cb82dc33f4aef2248b9c

                                                                                                                                                            SHA512

                                                                                                                                                            3f91afbc9b847625489451cc8df409f4d909bce7af0433fa9070c80cbe579141d627424a3ef90b4db2d6286293e8714818e5c6bf492651da46646531c723879d

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Agent.vho-32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
                                                                                                                                                            Filesize

                                                                                                                                                            1.2MB

                                                                                                                                                            MD5

                                                                                                                                                            f062697cd7a2257c290f6c3f19dd845d

                                                                                                                                                            SHA1

                                                                                                                                                            15bb3203c9553009e0514626f5ad129a13a557fb

                                                                                                                                                            SHA256

                                                                                                                                                            32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67

                                                                                                                                                            SHA512

                                                                                                                                                            34ff971291da6c4bc1bb2d4f59bf80502990f77c3acbf1f8b6f8b2b58c9cb124b501677d5df7dfe3f4ba2ce2535b50a9686ab06b7ed2f0deeba7066397644985

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Blocker.gen-91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c.exe
                                                                                                                                                            Filesize

                                                                                                                                                            2.8MB

                                                                                                                                                            MD5

                                                                                                                                                            a26e45334639a5a2deefb0b6d493e1e3

                                                                                                                                                            SHA1

                                                                                                                                                            2ec9d5c824f632c49152def9ccc13a77a8b39ef4

                                                                                                                                                            SHA256

                                                                                                                                                            91010c517fd39ec1273ca6d4dc8143e3cacead93d9a897e73ab1c2c62565544c

                                                                                                                                                            SHA512

                                                                                                                                                            c5bb51864d070cbe3ccb6a2a5eb4e158219805d3d215ce1fa871534cb0ba182e7e5ce509d0707c48281eb7686522d173188116ff9084b78ebba2825f6f9f4350

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Conti.gen-f7b83f07f6fec1df0fa73c935c96dc2ec8fbe0de3b17bb56f9963c92c22715c3.exe
                                                                                                                                                            Filesize

                                                                                                                                                            192KB

                                                                                                                                                            MD5

                                                                                                                                                            ae099b31ac5cfeed0fc9b7df7f97178e

                                                                                                                                                            SHA1

                                                                                                                                                            09b27c0782e3111be54164264397e104dc4f5c5b

                                                                                                                                                            SHA256

                                                                                                                                                            f7b83f07f6fec1df0fa73c935c96dc2ec8fbe0de3b17bb56f9963c92c22715c3

                                                                                                                                                            SHA512

                                                                                                                                                            d5b6acf7208621cf2efc1bf60659f6b5035cfa90c63a47d99109919c097aec41fa760f85923c238300f70b58e848337642a375c6412f1fec59f1b7544d784349

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Crypmod.gen-45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca.exe
                                                                                                                                                            Filesize

                                                                                                                                                            292KB

                                                                                                                                                            MD5

                                                                                                                                                            5c6ef834006bdc8697576a9af6cea2b6

                                                                                                                                                            SHA1

                                                                                                                                                            ffe4b0ce4d4cd098a1fc6954f1f2ebdfb78f0a1d

                                                                                                                                                            SHA256

                                                                                                                                                            45ed95c173fd2df5f05f42c2121698db4484f032344c874e552cf1592d2a88ca

                                                                                                                                                            SHA512

                                                                                                                                                            56d42ce831f794ce694251e6e032ee7c1651afb9bd572491429665d33b42e55661e9d8092adca14723e498163fab7f6ca0a3c1f780c35e445bd60318fb457199

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-ac978f6aaf36d1d90c35e6dc7ae010a19082794d3391ea0111112aed7507f708.exe
                                                                                                                                                            Filesize

                                                                                                                                                            164KB

                                                                                                                                                            MD5

                                                                                                                                                            b748260b5276f53e7bb3deeb5120f796

                                                                                                                                                            SHA1

                                                                                                                                                            fcac2d6612d27decb5ed77147a58c1b1d92218b8

                                                                                                                                                            SHA256

                                                                                                                                                            ac978f6aaf36d1d90c35e6dc7ae010a19082794d3391ea0111112aed7507f708

                                                                                                                                                            SHA512

                                                                                                                                                            fac74891f90159ccf12247d99edc8ea78f5c941a01f3301e6b2f22aa88e36da59422eaa5fc05a4ac035e8975e6ca30186a94046091e9e88092f2d38d5a8ab3d9

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61.exe
                                                                                                                                                            Filesize

                                                                                                                                                            890KB

                                                                                                                                                            MD5

                                                                                                                                                            c839a6834522a00faa53b0e8873e4f22

                                                                                                                                                            SHA1

                                                                                                                                                            731b4b98b798af8b27ece271305d2359832f4c81

                                                                                                                                                            SHA256

                                                                                                                                                            e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61

                                                                                                                                                            SHA512

                                                                                                                                                            b4326c28761d5c6626f0cfb26c1e99027083b3b36e1c1793677409b0e3b9ea4376611fe87306295a6fcaa34a76fc642e91a2c6d2a522e063c6007467f46c7ae3

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Encoder.gen-ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245.exe
                                                                                                                                                            Filesize

                                                                                                                                                            1.9MB

                                                                                                                                                            MD5

                                                                                                                                                            a41b43292a307dcafea70c0e12dda90c

                                                                                                                                                            SHA1

                                                                                                                                                            559fa5315fe0954895b8d710c6e600981ca64732

                                                                                                                                                            SHA256

                                                                                                                                                            ea72ff69831e59139d6fc341f6274e738351f539db20ac0c7d461cddea440245

                                                                                                                                                            SHA512

                                                                                                                                                            8f51e443f9fdc63cd6fb1fee2e1186a5056cf11b6d1593dd3f0d9733d2d1ebfb08f86d7d671adcd983ec9f261f3d09a5f264c989e73c00e9d08379ad560ab0a2

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-517b9d1b3a1f758db6c45fd6d3b6d508c5e26690e7391f23798151d81db471f6.exe
                                                                                                                                                            Filesize

                                                                                                                                                            325KB

                                                                                                                                                            MD5

                                                                                                                                                            721999202b6d70043184a5138f228f12

                                                                                                                                                            SHA1

                                                                                                                                                            746c15f99988c523ba394c2dfb49ce35f0b89ff3

                                                                                                                                                            SHA256

                                                                                                                                                            517b9d1b3a1f758db6c45fd6d3b6d508c5e26690e7391f23798151d81db471f6

                                                                                                                                                            SHA512

                                                                                                                                                            ceb52be491d175b8dc0540a93c99c10a5b3d0d36b0f29e0dcd2b30d78a5ddf82b22d8aa0e85d958ec1d6351ae77a654c0df495d64de4dc991d3bbcb3fe6a1c3a

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\HEUR-Trojan-Ransom.Win32.Gen.gen-52ba4f096712966647ca4e74b654122d3741cb2b4d86b1c92d35e3788c0a05d3.exe
                                                                                                                                                            Filesize

                                                                                                                                                            1.3MB

                                                                                                                                                            MD5

                                                                                                                                                            cc2cd14ee6ad74361efdb10ba190fac1

                                                                                                                                                            SHA1

                                                                                                                                                            0849ec6ec0ce0a1b0231d4fda6d2eeecde3865e0

                                                                                                                                                            SHA256

                                                                                                                                                            52ba4f096712966647ca4e74b654122d3741cb2b4d86b1c92d35e3788c0a05d3

                                                                                                                                                            SHA512

                                                                                                                                                            7fe02261959badf9e31033ab7fdf6aa9d7962c0dde6c90f6c5aae335efc5b52c83de0c11b90a4abf67e24205701407618068adfbe0bdf915983a00edb6bed53c

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\00430\Trojan-Ransom.Win32.Blocker.jzec-6899e9866a8eda5acdde73e19d84777379922c4fcdc63d1d2b800f93f5684b8f.exe
                                                                                                                                                            Filesize

                                                                                                                                                            397KB

                                                                                                                                                            MD5

                                                                                                                                                            39bf0b69523b2716a776103541dbdc4a

                                                                                                                                                            SHA1

                                                                                                                                                            345e29248228fdd8083bd4382f35949531b385ed

                                                                                                                                                            SHA256

                                                                                                                                                            6899e9866a8eda5acdde73e19d84777379922c4fcdc63d1d2b800f93f5684b8f

                                                                                                                                                            SHA512

                                                                                                                                                            dae39187d42daf7d2fc8ce7756e9ed4b174189f718db8f8e60c74d01ac40721a162fd5f6740e328146d830083bf75e83f74ae4a78908ce9cb8c49c18701b6b31

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\ApproveAssert.htm
                                                                                                                                                            Filesize

                                                                                                                                                            238KB

                                                                                                                                                            MD5

                                                                                                                                                            6215ffe07f04a01f0897285d10706272

                                                                                                                                                            SHA1

                                                                                                                                                            b5d42042eab75314a3865154cd5f8d27ec988191

                                                                                                                                                            SHA256

                                                                                                                                                            851b7b5a938d26c116c86fa2e0ee879217deb8a02b5e7a423aa1d64dacfbf342

                                                                                                                                                            SHA512

                                                                                                                                                            3237db19a9efd7a742484b929aafbeac6bbea197ad55669290ebf72ab77366fa44612672cda908c7b69534ce638709b9bd7172b3e1735fb753218a299df7f594

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\BlockEnter.vsw
                                                                                                                                                            Filesize

                                                                                                                                                            308KB

                                                                                                                                                            MD5

                                                                                                                                                            45635db0bf0503b935382ea9a19316dc

                                                                                                                                                            SHA1

                                                                                                                                                            c81edd72c3a5cc3fc6d76426084ee5e351b45f13

                                                                                                                                                            SHA256

                                                                                                                                                            c6dc5dcf476c861f89fe1a4e4c06ae3c8f5808d193dee419858af8d072c1fb27

                                                                                                                                                            SHA512

                                                                                                                                                            46b12537bcc6bfc4fa388ffed97c1b16f73f1ccb9badd67668b7728b420e692856670506cf5657629726a7d1b1ecfd1b8bf0f245ca01451c693846bc6fcb7638

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\ClearMeasure.wmv
                                                                                                                                                            Filesize

                                                                                                                                                            157KB

                                                                                                                                                            MD5

                                                                                                                                                            97911a70e501cba5de01043753096622

                                                                                                                                                            SHA1

                                                                                                                                                            00e2397f7126aaa51d71fcf74f0e63f00a31e1dd

                                                                                                                                                            SHA256

                                                                                                                                                            6d8092cf5ff2b157d7d5a9c095ad48fdab5559890d3a683c7e55ee3ded2289b2

                                                                                                                                                            SHA512

                                                                                                                                                            29e63072c3c149d22c7e9828f7e0a274f3a4cd3b4ebf0f5453ce80e766cabf46247c9eb7dd133f9775226ea75441e1097cd465506308708e5296a0976e4449ce

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\CompressUnblock.sql
                                                                                                                                                            Filesize

                                                                                                                                                            261KB

                                                                                                                                                            MD5

                                                                                                                                                            4615f20cf89e7c1091b0cd1e7cb49ea3

                                                                                                                                                            SHA1

                                                                                                                                                            baf494cf027a3cc69f3ff3f7faaaeebf66d06328

                                                                                                                                                            SHA256

                                                                                                                                                            d301b3835c201f698e94602bac66078a487b50143afc1b5fe485c6fb34a8eef3

                                                                                                                                                            SHA512

                                                                                                                                                            61f1ded71fb1cca15b30f0c56494a7af3ae8f3f00494f123cbfe119083b5ae706cd013780f1e6d9e200567322b109e50c09329734461f8732108f94448df7ef6

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\EditNew.xls
                                                                                                                                                            Filesize

                                                                                                                                                            273KB

                                                                                                                                                            MD5

                                                                                                                                                            a1722393937116c225a00a5141cc9c49

                                                                                                                                                            SHA1

                                                                                                                                                            43dc1a5abd83981c7fed4f2750b85647864f3b7b

                                                                                                                                                            SHA256

                                                                                                                                                            ec4993ae43074a1e80cf8663096afedbd75f00ec83e6472410ddd45e59df2f10

                                                                                                                                                            SHA512

                                                                                                                                                            8c9a0f4534362cab280497412a701d162532fcacc9a5fcb6537cbe974e315c165e84b0439cad0636e692fa646f00ce97446c4081516009f8972b727e10003db6

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\EnableAdd.dxf
                                                                                                                                                            Filesize

                                                                                                                                                            180KB

                                                                                                                                                            MD5

                                                                                                                                                            89a3f3c1b5559424ce1a1efb30b78929

                                                                                                                                                            SHA1

                                                                                                                                                            3d019e05e2be3169bfeb38d67f2e630f22c2961a

                                                                                                                                                            SHA256

                                                                                                                                                            5c44b69e728504f2f3447a52d8f6dfaa01ae80f553a1f9560c500fd0207ad115

                                                                                                                                                            SHA512

                                                                                                                                                            ab2c359ee0e8396f20f135a0301121a2e1745339d599ab50643496a50b17e2ec54b0e9190a572fe1ac3934a03ec286c9a5127d55988453ba18707f71032639f3

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\ExitInitialize.wma
                                                                                                                                                            Filesize

                                                                                                                                                            284KB

                                                                                                                                                            MD5

                                                                                                                                                            9b03918ad1352aa14a8d6d9c3848f181

                                                                                                                                                            SHA1

                                                                                                                                                            61abec5acb5d8fa61f016f0315043616f50e042c

                                                                                                                                                            SHA256

                                                                                                                                                            a07b83f191fbfa7daa6339aa4add7ab30624bbe38c3068b1c2ee4bdacd79fe31

                                                                                                                                                            SHA512

                                                                                                                                                            7f2134823d43a1d4425bb2df0c72002a9dca57f581bfde2e693beb0762b6521cb94a0a2b8ed3b16e66eeed431026dd682d625f76c354a43df841e254c7c92141

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\FormatEnable.bin
                                                                                                                                                            Filesize

                                                                                                                                                            122KB

                                                                                                                                                            MD5

                                                                                                                                                            daa687b60766afbcd67586cac258f007

                                                                                                                                                            SHA1

                                                                                                                                                            ced647e66572b6b4badf05d18064a67a83271091

                                                                                                                                                            SHA256

                                                                                                                                                            f9f12103d923f8595e5afdba7ebb94ffffb05e6796282b163cc61e73ddf4e6e6

                                                                                                                                                            SHA512

                                                                                                                                                            2b93ed9aec5d2818c13f227312ff2a0d79d9a71dfa7812df2794a4a9156cf7756dbdbda5cbce7ac8277b9ada31a97a098aeae46c33b4bede7f660a43d1cbc773

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\GetFind.rtf
                                                                                                                                                            Filesize

                                                                                                                                                            250KB

                                                                                                                                                            MD5

                                                                                                                                                            ac06f3e63c079276cf8bc503af40a76f

                                                                                                                                                            SHA1

                                                                                                                                                            32204e0761aa6da0b799fe16de297325701659fa

                                                                                                                                                            SHA256

                                                                                                                                                            e4e1d9642477014d93db7aff1e5a68a76dcd09a32ca055e5f2d87856a33c0960

                                                                                                                                                            SHA512

                                                                                                                                                            110361f74df85da9cbc09a727c0265f8da97127cc472b77a283b68b799a21d8816146b2ad7d3c9775dd3b03e667a33290861e59745a7f67a2d8491fe56d99833

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\GrantSuspend.3gp2
                                                                                                                                                            Filesize

                                                                                                                                                            296KB

                                                                                                                                                            MD5

                                                                                                                                                            b8f735efa2b837fee64183eaafc0ac68

                                                                                                                                                            SHA1

                                                                                                                                                            f2459b7d168dcedd8562a428d1a9a8e1ef951999

                                                                                                                                                            SHA256

                                                                                                                                                            9ecec4337df08714ffaa8876f62eaa9994789d978836a424192bb6cca8951e64

                                                                                                                                                            SHA512

                                                                                                                                                            ad8f667385ca030e466c45fa083ca7e357e2035f5870586a50e6aeff3e06d2cc18ab7d6aeeced079b742f0b7ce7be5afdda79f1373691db9fca1ee8608f7d365

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\InvokeRemove.search-ms
                                                                                                                                                            Filesize

                                                                                                                                                            476KB

                                                                                                                                                            MD5

                                                                                                                                                            a84d12602fc1ef15c7f75163c9fa0ad0

                                                                                                                                                            SHA1

                                                                                                                                                            5bb928e5e178a0facfe1dcfe66eee33d9e4c1777

                                                                                                                                                            SHA256

                                                                                                                                                            40db4c51859691271f6e3b2754055e896ec837f289c599b054d20defec051f21

                                                                                                                                                            SHA512

                                                                                                                                                            1920962aaf3fcaa126f9416c356d323d5a829664c436a81e342aff54a4b6650faa29671afd2215d0624657028f7faeb45ee0bb77b5911fe7e87abdfd397e9937

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\LimitPublish.ADT
                                                                                                                                                            Filesize

                                                                                                                                                            343KB

                                                                                                                                                            MD5

                                                                                                                                                            fde55d3eb21e490452671b93cbe511b8

                                                                                                                                                            SHA1

                                                                                                                                                            51603d8a51ad68296eb0ce5979b3b548c7fd05b5

                                                                                                                                                            SHA256

                                                                                                                                                            1731706e8644a46d7ba12301baa06cda4cdfba74a6e495baa6a3dcdcd6c2c368

                                                                                                                                                            SHA512

                                                                                                                                                            2231fd7b140cf9c03fb0ed39e00932bf8d2c88b41332edd93806304ff91176cabc3fc7f69a1cdecb60c8a6f95e588a865dbbbf7994171f4923f09cb9dacdf89b

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\MergeDismount.jpg
                                                                                                                                                            Filesize

                                                                                                                                                            214KB

                                                                                                                                                            MD5

                                                                                                                                                            0f6d2761ffb70160c5ef5b32c2ca800d

                                                                                                                                                            SHA1

                                                                                                                                                            7d26c3c67cc30d61827ba18ff8fbc87c4a02bbe5

                                                                                                                                                            SHA256

                                                                                                                                                            0c43a71ec340fd61c2428e12d9d430de9f6323a6354c8fb6c021abc828d5e2eb

                                                                                                                                                            SHA512

                                                                                                                                                            7ccb622e90e320cdd95a76ed6b09c167944f2c7e9357b374d80aae2285b0e320c4e51a173c3e0ae75d1f76097b0c0026df946616f9f866d16fed3015cce7036e

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\Microsoft Edge.lnk
                                                                                                                                                            Filesize

                                                                                                                                                            2KB

                                                                                                                                                            MD5

                                                                                                                                                            d93405b696e5fca57543682db52fb523

                                                                                                                                                            SHA1

                                                                                                                                                            d0efbe510a9022c066874c28ba53dffce896c90d

                                                                                                                                                            SHA256

                                                                                                                                                            aa9ee69bc3028a4bea1f9733ab2f15f9d503e9c4cb16cabc30e33eea5a3b1340

                                                                                                                                                            SHA512

                                                                                                                                                            77d2026ff2c2c129dc6bf42f591b847590cea9854e1c37a06a0fb16ce07f338f9fa66c92f2b32a246ffbf805495830941f08406c334f2e44216db36cbdffb210

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\MountImport.M2TS
                                                                                                                                                            Filesize

                                                                                                                                                            330KB

                                                                                                                                                            MD5

                                                                                                                                                            95ff2dd77104568ffad9861f33238acc

                                                                                                                                                            SHA1

                                                                                                                                                            827deb26599123a8476659355bcafdb8d5cc4370

                                                                                                                                                            SHA256

                                                                                                                                                            683ee914d3655fd4094bb25aecebfd074ef7ef3b38892673c6d2fd58c4611a86

                                                                                                                                                            SHA512

                                                                                                                                                            c88c77e18b4dc1bb02ec05f8cfbdc7f6324064e0814efb6a163870e12c56e9f93cc493856a30c54d6d9174e07299cb3955e8019849b153d45437f74ac4a23568

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\PushJoin.cab
                                                                                                                                                            Filesize

                                                                                                                                                            203KB

                                                                                                                                                            MD5

                                                                                                                                                            3904dd2bab896341752137b86d22abde

                                                                                                                                                            SHA1

                                                                                                                                                            e71c895ecc6d0495dfb8f09acc728ac98423dd82

                                                                                                                                                            SHA256

                                                                                                                                                            a02a86415e0c4a047fde6ca22dd5ec59aa26dd013513f8b322a778e0dfbfc521

                                                                                                                                                            SHA512

                                                                                                                                                            5f9d1824672f23e18e57346d6dac4e2199745d62edcb8e2a2079f01ddc771a31782136c7d9f47cd5a9d7358964a19e2e7a743ef2fa62d396de4c97e5cdeaf89c

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\RegisterHide.aiff
                                                                                                                                                            Filesize

                                                                                                                                                            168KB

                                                                                                                                                            MD5

                                                                                                                                                            a6b5faacd527068e64251a04744df5c6

                                                                                                                                                            SHA1

                                                                                                                                                            998e8dc38c8fc3ceebc43e7c7e5304b238059851

                                                                                                                                                            SHA256

                                                                                                                                                            f4ad2fc5be0b3a0b2008f66d0b4c26c65fb6c34ceeac84403d58dbe33d33e3d0

                                                                                                                                                            SHA512

                                                                                                                                                            1c75054dab7f7b8eceae7384dd0ddffca8cedacb63f1f5f5b62d9888ac13aa3cb250464bf5b76871e95ec2e86dd1f04bc31391b2372887b3a65f346272784725

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\StepOptimize.m3u
                                                                                                                                                            Filesize

                                                                                                                                                            145KB

                                                                                                                                                            MD5

                                                                                                                                                            04d2a3cc015566b1efd3e37ffa7499ac

                                                                                                                                                            SHA1

                                                                                                                                                            833c62b98a3cc46d50b59fee0c0c90e269ccef0f

                                                                                                                                                            SHA256

                                                                                                                                                            30ab900f3d5669f09e9e33ef258e998d4fa5e7fe24afaae5eba1cb18071032aa

                                                                                                                                                            SHA512

                                                                                                                                                            9ccc9f3ea38ec7643793a95a74e1d06deb642c3149a793706ee5c24aea87a0fe4d123c37d176db182fbd9d2eebb31efaf4885b69f108d5084f46b8661b9c96af

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\SuspendImport.m4a
                                                                                                                                                            Filesize

                                                                                                                                                            319KB

                                                                                                                                                            MD5

                                                                                                                                                            95f03e820dfae9da6d5fbc3d7a4ee987

                                                                                                                                                            SHA1

                                                                                                                                                            436138d2eaf97f32ee357c49cef752c56cff0f9a

                                                                                                                                                            SHA256

                                                                                                                                                            e642848b12c7551812253874e9189b2e788c2252d154b89b05d1a8804ef135ec

                                                                                                                                                            SHA512

                                                                                                                                                            54fcf7d205496ea3107f6da857fa7645287790908d3c3a230443159673f8ac3aa4167c2d9013944c60cf8b34f7557467d033b5b25867fb95beba46807aff2883

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\UnblockSubmit.xlsx
                                                                                                                                                            Filesize

                                                                                                                                                            9KB

                                                                                                                                                            MD5

                                                                                                                                                            495ec50f1fd59fedf65deebb9f70209b

                                                                                                                                                            SHA1

                                                                                                                                                            6ff5df21870397eb8a007dad60c160ad3dc59ad5

                                                                                                                                                            SHA256

                                                                                                                                                            67ab42f82ef6749cd722f5e1d358e1980c8c6836258f269b383203db53076c03

                                                                                                                                                            SHA512

                                                                                                                                                            eafd514a495b92126ebef31fadc394ac504b59424d9d4b3fa26c55c675ca1b1e480d695b7eef810025db50e0ffa7a3d146116c62c79d69229591623cd6b7a25e

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\UninstallSelect.xsl
                                                                                                                                                            Filesize

                                                                                                                                                            134KB

                                                                                                                                                            MD5

                                                                                                                                                            b5b032ed9d7d35996f96e4a138faa2ec

                                                                                                                                                            SHA1

                                                                                                                                                            43131981ea681273fc0b8dde843b449ea9839ab5

                                                                                                                                                            SHA256

                                                                                                                                                            b80a3f5c729547dba5dbfaf473672ef977b3019d02112cd4ca53607fe0757fd3

                                                                                                                                                            SHA512

                                                                                                                                                            a7379a30475bbe97f61b6e7052f9a86638b3806ebc1b20d58737b15d9ec02adb9470e27c62abb144b672823f334ceb24dccd97503a500b371a196954013f8062

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\UnpublishSubmit.asf
                                                                                                                                                            Filesize

                                                                                                                                                            191KB

                                                                                                                                                            MD5

                                                                                                                                                            4049f9b9c446adfd446cf14d206c90e8

                                                                                                                                                            SHA1

                                                                                                                                                            8559ab77408b8283fa03ab2917a8e3d9146e53e1

                                                                                                                                                            SHA256

                                                                                                                                                            78d25c532b2eed5532e7c6013ca2081903c26afddd466bcaaad512ba4fe15343

                                                                                                                                                            SHA512

                                                                                                                                                            4625283499d1868a6972c069dc158b71f73bfa143c28122d9b65be0959afe157bdcecd6f2aa5524d3a7727623c30bb2e8e08f1f15934d7a716dd77ff0d63712e

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\Admin\Desktop\WaitMerge.dib
                                                                                                                                                            Filesize

                                                                                                                                                            226KB

                                                                                                                                                            MD5

                                                                                                                                                            75dec6a19fc99e81e50533142a2b2b98

                                                                                                                                                            SHA1

                                                                                                                                                            72ea80036ba7e342511ba68e5f6c00d671407fbc

                                                                                                                                                            SHA256

                                                                                                                                                            d927f3a0958b26b2b08d434bbf8f1c60b9a05efd40822d019a3b3c84fcc76568

                                                                                                                                                            SHA512

                                                                                                                                                            99481e39ab8c681f03ef130f38491713cfb50810eba947df5e325093a10b1c2c0d0878678501a5202e0ef8926e67a7c58759b8e5347642b941b628449f654355

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\How To Restore Your Files.txt
                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            MD5

                                                                                                                                                            087edfb43d589ad5a61466695c286cf2

                                                                                                                                                            SHA1

                                                                                                                                                            b44ddcc8dab03eb9a999ef119a42e16f78025ccd

                                                                                                                                                            SHA256

                                                                                                                                                            4e0f62dbb239250c5abe94791e09e3b2240faae14a6be5052ba9449ebb35c778

                                                                                                                                                            SHA512

                                                                                                                                                            28665d5627f368498c5e6e615dac0f9e5a8525fc52cda632d22e37033ceffb98a5f89a01af5fe9d425a9c876a9787c562a9057f6108fd54aafe36277ffb4edda

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Users\ReadMe.hta
                                                                                                                                                            Filesize

                                                                                                                                                            11KB

                                                                                                                                                            MD5

                                                                                                                                                            38d9f86b9910f2315b9bad9063a12077

                                                                                                                                                            SHA1

                                                                                                                                                            d20411d946610f0e14745985090be2e3eb166fae

                                                                                                                                                            SHA256

                                                                                                                                                            de48539c5d2455ef9ef3b357ecd79dbff87fa034e3aab2f4e44e5818ef9804c2

                                                                                                                                                            SHA512

                                                                                                                                                            9ee0216fd8a0e68d99199ebb8aa80c0fd769ad25acde6e64a439e3d4d73d91296de9ac4874d8b973207dc788fb33dd227caadd09aa2c2b64fee7eb6413e8844c

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\Windows\rwjfk.bat
                                                                                                                                                            Filesize

                                                                                                                                                            144B

                                                                                                                                                            MD5

                                                                                                                                                            4e714e2aa7f0c6a762c4d9a5162e3173

                                                                                                                                                            SHA1

                                                                                                                                                            ed3b8509ff3f9e849f2c2450d14f09a33ea1785e

                                                                                                                                                            SHA256

                                                                                                                                                            593d002c58bbcab7a6fee250b15b360552e360a08995e9057646493184f47b76

                                                                                                                                                            SHA512

                                                                                                                                                            d666e12c232626c6d7726529ee82f0413aa0e8f100f1d2b37a89f1e6f749fed505c82e66ff9b54ba4fc24df64f95c46c1e4714fa86682e173f3c60311d26492f

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\readme.txt
                                                                                                                                                            Filesize

                                                                                                                                                            2KB

                                                                                                                                                            MD5

                                                                                                                                                            cc18b3717f346100de64388c7a61f293

                                                                                                                                                            SHA1

                                                                                                                                                            47fc92f42dd50254e34994bf3b1c0b9fa3c053f1

                                                                                                                                                            SHA256

                                                                                                                                                            c632d9770574291e7f4629a15acebcf688b25c6eba12230af58b0910353e7b83

                                                                                                                                                            SHA512

                                                                                                                                                            32613b333e6c3e743e711511b7cf7a2a26b442e65aaa22463edd71fba916695c6d28140b43c0629861ab79dd033215c33f85431d28ca39485bd2e61f6a9be4a2

                                                                                                                                                            Download Submit

                                                                                                                                                          • C:\vcredist2010_x64.log.html.NSACS
                                                                                                                                                            Filesize

                                                                                                                                                            87KB

                                                                                                                                                            MD5

                                                                                                                                                            aa3ed73e60b26f0b9c05fabaa8f9242b

                                                                                                                                                            SHA1

                                                                                                                                                            7c4fd969032b75f4cf2a55b6fbd2e406e073aeca

                                                                                                                                                            SHA256

                                                                                                                                                            b3f38d629c55701737904c45bcd363ccdd436b4da309c442431b7fff9bb67b18

                                                                                                                                                            SHA512

                                                                                                                                                            6f0eb8b7a31a4a6d0d0d227a112341152b60b898702609ede35c6254e287e60aae994ae8b091ad52e0263640da227a1df4b8a2f33ae9ab7687e17919f301e3c0

                                                                                                                                                            Download Submit

                                                                                                                                                          • F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\Readme.README
                                                                                                                                                            Filesize

                                                                                                                                                            532B

                                                                                                                                                            MD5

                                                                                                                                                            d43f38b2358ee9a700bac47bf007b973

                                                                                                                                                            SHA1

                                                                                                                                                            fd3e0856a5b0950093e168621dd4fe3332be39d1

                                                                                                                                                            SHA256

                                                                                                                                                            c5ac1a88dcba47d9267174c9897535fb8a6db261459357dcd6f42d757c3d1395

                                                                                                                                                            SHA512

                                                                                                                                                            1c5882179242ea57306ebc7f30f4749db6a289d7f7cde43bc03898154171126c9f382e715501f8968891046dbb8b40ceb40cabf84715c2ad7ea2e6afba0c22be

                                                                                                                                                            Download Submit

                                                                                                                                                          • F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini
                                                                                                                                                            Filesize

                                                                                                                                                            129B

                                                                                                                                                            MD5

                                                                                                                                                            a526b9e7c716b3489d8cc062fbce4005

                                                                                                                                                            SHA1

                                                                                                                                                            2df502a944ff721241be20a9e449d2acd07e0312

                                                                                                                                                            SHA256

                                                                                                                                                            e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                                                                                                                                            SHA512

                                                                                                                                                            d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                                                                                                                                            Download Submit

                                                                                                                                                          • F:\readme.txt
                                                                                                                                                            Filesize

                                                                                                                                                            2KB

                                                                                                                                                            MD5

                                                                                                                                                            786991f1b761bb5b1d33126b986c12e3

                                                                                                                                                            SHA1

                                                                                                                                                            882ac4e34f0e229307eb2d08383bcfed35f38876

                                                                                                                                                            SHA256

                                                                                                                                                            9afe1f8dc32364f98c142219143054b86e80cf007c5839e6565694abc4cc243e

                                                                                                                                                            SHA512

                                                                                                                                                            624bcb3b1f59f6512ed01f1e6531ff9f067cbeac8d11d66bccd9017a991bd45778542954c2dc99733f41d580f2a52bca495f7161f64e78b9e030c8088390b15b

                                                                                                                                                            Download Submit

                                                                                                                                                          • \Device\HarddiskVolume1\Boot\BCD.LOG1
                                                                                                                                                            Filesize

                                                                                                                                                            1KB

                                                                                                                                                            MD5

                                                                                                                                                            972fc3af73f62a48ab287fbbc067362d

                                                                                                                                                            SHA1

                                                                                                                                                            b80dfcd452fb5daaf9ec27187edccd84847037d7

                                                                                                                                                            SHA256

                                                                                                                                                            48cb9f70a87152b24f7192d3c888bec9bc313c03d1b8742b93c657e5b4a06dd8

                                                                                                                                                            SHA512

                                                                                                                                                            96e63c84a873e939f04039150b861c8fca3fa981520a342d1b6fbe53fd018840283edee81d8a61465232816625cccbf3a7d2aa9bb46a78d89bd5d3f6a92fa248

                                                                                                                                                            Download Submit

                                                                                                                                                          • memory/408-209-0x000002CF113D0000-0x000002CF113D5000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            20KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/788-136-0x00000281BCDF0000-0x00000281BCDF2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            8KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1592-133-0x0000000140000000-0x00000001402F7000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            3.0MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1740-41284-0x000000001B850000-0x000000001B894000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            272KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1740-59266-0x000000001BFD0000-0x000000001C032000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            392KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/1740-41296-0x000000001B8D0000-0x000000001B8D6000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            24KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2028-202-0x0000000000400000-0x0000000000448000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            288KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2028-204-0x0000000000400000-0x0000000000448000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            288KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2044-106-0x000001F770780000-0x000001F77079E000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            120KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2044-98-0x000001F770230000-0x000001F770252000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            136KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2044-103-0x000001F7706F0000-0x000001F770734000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            272KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2044-104-0x000001F7707C0000-0x000001F770836000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            472KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2424-1304-0x00000000000D0000-0x00000000001B2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            904KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2424-178-0x00000000000D0000-0x00000000001B2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            904KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2444-194-0x0000000000400000-0x0000000000460000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            384KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2444-182-0x0000000000400000-0x0000000000460000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            384KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2444-195-0x0000000000600000-0x0000000000617000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            92KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2448-1492-0x00000000009B0000-0x0000000000C76000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            2.8MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2448-135-0x00000000009B0000-0x0000000000C76000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            2.8MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/2448-15341-0x00000000009B0000-0x0000000000C76000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            2.8MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/3260-119-0x00000000008C0000-0x0000000000AF2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            2.2MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/3444-63627-0x00007FF7ED8E0000-0x00007FF7EDE86000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            5.6MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/3444-41932-0x00007FF7ED8E0000-0x00007FF7EDE86000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            5.6MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/3444-47215-0x00007FF7ED8E0000-0x00007FF7EDE86000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            5.6MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-65-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-66-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-76-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-70-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-75-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-71-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-72-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-64-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-73-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4152-74-0x000001AA7AC10000-0x000001AA7AC11000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4444-125-0x000000001C540000-0x000000001C5DC000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            624KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4444-123-0x000000001BFD0000-0x000000001C49E000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4.8MB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4444-131-0x00000000015B0000-0x00000000015B8000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            32KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/4744-120-0x0000000000FF0000-0x0000000001064000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            464KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/7128-40330-0x0000000000400000-0x0000000000489000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            548KB

                                                                                                                                                            Download

                                                                                                                                                          • memory/7128-40786-0x0000000000400000-0x0000000000489000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            548KB

                                                                                                                                                            Download