conti | 7f2b34572c0056ff9730a707bb27e228694dc15d9a099362a9e16a0ba7fee024

Analysis

max time kernel
208s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00429.7z
Size

32.1MB
MD5

dc347fe718685d9942c53bae8ccd3396
SHA1

5acdaf735b7f94bcf180ae4d442738015f28a211
SHA256

7f2b34572c0056ff9730a707bb27e228694dc15d9a099362a9e16a0ba7fee024
SHA512

cceb077dbfe473b86fc4ac3bba475f7f9f5f26ee8c05f046c6149349162c8f860c0de1f8dbb95df9239289360f704d3a5256d834fb6c502ba63e10009039530b
SSDEEP

786432:b9LihPYEqVEaw4qJZMt5JPIrV1nqj9SVi/BbqSvrV5jxfunqz:uY5EaGJO/JP0qj9SAZ+2bjx+8

Malware Config

Extracted

Family

darkcomet

Botnet

Angel

detan155.3utilities.com:1537

Mutex

DC_MUTEX-8CBS1T7

Attributes

InstallPath
skype\Skype.exe
gencode
6M1G4dNEGvX2
install
true
offline_keylogger
true
password
viewsonic
persistence
true
reg_key
Skype

Extracted

Family

orcus

Botnet

mehack1234567.ddns.net:8832

Mutex

1aea3370b5824c3db9d5ee90510716f9

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\svchost\Yandex.exe
reconnect_delay
10000
registry_keyname
Yandex
taskscheduler_taskname
svchoster
watchdog_path
Temp\svchoster

Extracted

Path

C:\Users\How To Restore Your Files.txt

Ransom Note

############## [ babuk ransomware greetings you ] ############## Introduction ---------------------------------------------- Congratulations! If you see this note, your company've been randomly chosen for security audit and your company haven't passed it. Unfortunately your servers are encrypted, backups are encrtypted too or deleted. Our enctyption algorythms are strong and it's impossible to decrypt your stuff without our help. Only one method to restore all your network and systems is - to buy our universal decryption software. Follow simple steps that discribed down below and your data will be saved. In case you ignore this situation, the consequences could me much serious, than you can imagine. Guarantees ---------------------------------------------- The hack and system encryption wasn't compromised by your competitors or any other 3rd party, this is just and only our initiative and only thing we interested is profit. Accurding the previous sentence We are very much value of our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We guarantee full support and help through the all decryption process. As the proof of our abilities and honesty, we can decrypt few small files for free, check the link provided and ask any questions. Data leakage ---------------------------------------------- We have copied some quantity of data from your servers. Check those proofs and estimate the seriousness of consequences which can occur in case you ignore us: http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/104617a28c7b21518d506b079ca9d5221551f89d5d54025a1ec71dd33aacd896/ This link is private and only you can see it. Use tor browser to open link. Ignoring the interaction with us brings you the publishing your data in our public blog http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/ Contact ---------------------------------------------- 1) Download tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://vq3zf757tzpwhs7bulnr43d2rfg5fkvvfkhee2zhhzievuxrbnarmgqd.onion/4c43fb6f271eda10ac65ec0dc918f7ec851455acb98c1fe29f3b2feffe53c286 * 6 simple steps do minimize harm from ransomware. ----------------------------------------------------------------------------------------------------------------- Thousands of companies around the world are struggling on ransomware these days, and the most of companies are making the same mistakes again and again. Let’s figure out how to minimize harm and do not be a dumb and pathetic donkey which will make fun for journalists and so on.. 1. If you see small fella malicious .exe file never load it to virustotal.com or any other virus researching website. Otherwise the info about the hack is not a secret anymore. The fact that your company is under ransomware attack is already known by filthy predators data security agents who will post in their pity twitters the fresh known news “OMG ANOTHER RANSOMWARE NOW IT’S “Your company name LLC!!!!! We are all gonna die aaaaaa halp” 2. No any public announcements about the hack or data leakage. And do not applicate to law enforcement. If you commit this actions, more serious consequences can occur and you pay much more than a ransom amount. Law structures like GDPR in this case can oblige you to pay huge fine. 3. As soon as you see your network compromised, follow the link inside any note and follow instructions. 4. Calm your employees. Explain them that this is a drill. And you test your network security systems. 5. If you decide to hire the data recovery company, obligate them to do not inform anyone and any third party about details of the attack. We strongly do not recommend to cooperate with data recovery company, because they do absolutely nothing that you can do by yourself and take money for it. all communications with hackers could be conducted by your it department indipendently without any extra payments. 6. Do not try to decrypt your data via 3rd party software. Most of ransomware use strong encryption algorythm and you can harm your files by using 3rd party decryption software.

URLs

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/104617a28c7b21518d506b079ca9d5221551f89d5d54025a1ec71dd33aacd896/

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/

http://vq3zf757tzpwhs7bulnr43d2rfg5fkvvfkhee2zhhzievuxrbnarmgqd.onion/4c43fb6f271eda10ac65ec0dc918f7ec851455acb98c1fe29f3b2feffe53c286

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 7wlFp5C2bRaw8yYTfkDxBbVJsLQzxpY2Ykzuk2GNWnQxOO37y9kMP4pq7nIzBv5B ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

orcus

wwwwwwwwwwwwwwwwwww.webhop.me:8353

Mutex

5d87ffe5b7e9467491b5534273d3040f

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%systemroot%\dllhost.exe
reconnect_delay
10000
registry_keyname
Microsoft Corporation
taskscheduler_taskname
Microsoft Corporation
watchdog_path
AppData\1

Extracted

Path

C:\Program Files\Common Files\DESIGNER\!!FAQ for Decryption!!.txt

Ransom Note

Good day. All your files are encrypted. For decryption contact us. Write here [email protected] reserve [email protected] jabber [email protected] We also inform that your databases, ftp server and file server were downloaded by us to our servers. If we do not receive a message from you within three days, we regard this as a refusal to negotiate. Check our platform: http://cuba4mp6ximo2zlo.onion/ * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Do not stop process of encryption, because partial encryption cannot be decrypted.

Emails

[email protected]

URLs

http://cuba4mp6ximo2zlo.onion/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Conti family
conti
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Glupteba family
glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-524-0x0000000000400000-0x0000000002FC4000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper_v5.exe	family_orcus

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/2640-139-0x00000000051C0000-0x0000000005256000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2640-139-0x00000000051C0000-0x0000000005256000-memory.dmp	WebBrowserPassView

Orcurs Rat Executable 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	orcus
C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper_v5.exe	orcus
behavioral1/memory/1736-267-0x0000000000160000-0x000000000024E000-memory.dmp	orcus
behavioral1/memory/3244-260-0x0000000000D30000-0x0000000000E1A000-memory.dmp	orcus

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

6712 netsh.exe
820 netsh.exe

pid	process
6712	netsh.exe
820	netsh.exe

Executes dropped EXE 5 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exeHEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exeHEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe

pid	process
2640	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
548	HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
1992	HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
3064	HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
2172	HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe	vmprotect
behavioral1/memory/2640-125-0x00000000005E0000-0x000000000089A000-memory.dmp	vmprotect

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2908-203-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2908-219-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2908-206-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2908-205-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1636-220-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1636-223-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1636-224-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1636-222-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1636-751-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/6996-749-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/6996-752-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/6996-788-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/6520-781-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/6520-786-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/6520-780-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2908-264-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/6520-1959-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

228 sc.exe
2632 sc.exe
5336 sc.exe

pid	process
228	sc.exe
2632	sc.exe
5336	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3896	5104	WerFault.exe	HEUR-Trojan-Ransom.Win32.Generic-0984f098c2eddf9a34d8122b97635a8cc6c0fc9dbfa95856a56ae47cedf55908.exe
1704	2912	WerFault.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-e650436c4f35b160ed27dae6a113a849e62437864aad1cd326faef1f22fba151.exe
4732	2640	WerFault.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
4996	2720	WerFault.exe	Trojan-Ransom.Win32.Agent.aztl-cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799.exe
5104	4184	WerFault.exe	Trojan-Ransom.Win32.Blocker.kmpr-841cc6074ba4c04dc26fe7778aa54cae29060501e9f5e69f7b7dde398b6b3987.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Interacts with shadow copies 3 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

7924 vssadmin.exe
6968 vssadmin.exe
7600 vssadmin.exe
3976 vssadmin.exe
Modifies registry key 1 TTPs 5 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exeREG.exe

pid process

6492 reg.exe
2800 reg.exe
8008 reg.exe
1480 reg.exe
5644 REG.exe
Runs net.exe

pid	process
7924	vssadmin.exe
6968	vssadmin.exe
7600	vssadmin.exe
3976	vssadmin.exe

pid	process
6492	reg.exe
2800	reg.exe
8008	reg.exe
1480	reg.exe
5644	REG.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2248 taskmgr.exe

pid	process
2248	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	4284	7zFM.exe
Token: 35	4284	7zFM.exe
Token: SeSecurityPrivilege	4284	7zFM.exe
Token: SeDebugPrivilege	4768	taskmgr.exe
Token: SeSystemProfilePrivilege	4768	taskmgr.exe
Token: SeCreateGlobalPrivilege	4768	taskmgr.exe
Token: SeDebugPrivilege	2248	taskmgr.exe
Token: SeSystemProfilePrivilege	2248	taskmgr.exe
Token: SeCreateGlobalPrivilege	2248	taskmgr.exe
Token: 33	4768	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4768	taskmgr.exe
Token: SeDebugPrivilege	396	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	process
4284	7zFM.exe
4284	7zFM.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
4768	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe
2248	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe

pid process

548 HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe

pid	process
548	HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

taskmgr.exepowershell.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 2248	4768	taskmgr.exe	taskmgr.exe
PID 4768 wrote to memory of 2248	4768	taskmgr.exe	taskmgr.exe
PID 396 wrote to memory of 4248	396	powershell.exe	cmd.exe
PID 396 wrote to memory of 4248	396	powershell.exe	cmd.exe
PID 4248 wrote to memory of 2640	4248	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
PID 4248 wrote to memory of 2640	4248	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
PID 4248 wrote to memory of 2640	4248	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
PID 4248 wrote to memory of 548	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
PID 4248 wrote to memory of 548	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
PID 4248 wrote to memory of 548	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
PID 4248 wrote to memory of 1992	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
PID 4248 wrote to memory of 1992	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
PID 4248 wrote to memory of 1992	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
PID 4248 wrote to memory of 3064	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
PID 4248 wrote to memory of 3064	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
PID 4248 wrote to memory of 3064	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
PID 4248 wrote to memory of 2172	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe
PID 4248 wrote to memory of 2172	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe
PID 4248 wrote to memory of 2172	4248	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00429.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4284

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 1860
      4⤵
      Program crash
      PID:4732
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
    HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:548
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
    HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
    HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3064
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{58CC7F70-8E97-4893-889A-A699EF3C11A2}'" delete
      4⤵
      PID:364
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{58CC7F70-8E97-4893-889A-A699EF3C11A2}'" delete
        5⤵
        
        PID:3128
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe
    HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Gen.gen-e0063e1195df32dc9ddacb38b8f7ecc658f1e57c545905904cb3967a0a94af16.exe
    HEUR-Trojan-Ransom.Win32.Gen.gen-e0063e1195df32dc9ddacb38b8f7ecc658f1e57c545905904cb3967a0a94af16.exe
    3⤵
    PID:968
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-0984f098c2eddf9a34d8122b97635a8cc6c0fc9dbfa95856a56ae47cedf55908.exe
    HEUR-Trojan-Ransom.Win32.Generic-0984f098c2eddf9a34d8122b97635a8cc6c0fc9dbfa95856a56ae47cedf55908.exe
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 444
      4⤵
      Program crash
      PID:3896
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe
    HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe
    3⤵
    PID:2352
  - - C:\windows\system32\sc.exe
      "C:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe" start= auto
      4⤵
      Launches sc.exe
      PID:228
  - - \??\c:\windows\system32\cmd.exe
      "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
      4⤵
      PID:5020
  - - \??\c:\Windows\system32\vssadmin.exe
      "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:3976
  - - \??\c:\windows\system32\sc.exe
      "c:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe" start= auto
      4⤵
      Launches sc.exe
      PID:2632
  - - \??\c:\windows\system32\sc.exe
      "c:\windows\system32\sc.exe" start defragsrv
      4⤵
      Launches sc.exe
      PID:5336
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-9f70d9a756b40db1f6e5268e246ea7c3ceed45162e975d84b25908734f8eb8bc.exe
    HEUR-Trojan-Ransom.Win32.Generic-9f70d9a756b40db1f6e5268e246ea7c3ceed45162e975d84b25908734f8eb8bc.exe
    3⤵
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\dllhost.exe
      "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
      4⤵
      PID:3244
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-ee648c265f0fd485ccc3da0328014dcad66d4c0e40ffbe787a81e865baf4fdc8.exe
    HEUR-Trojan-Ransom.Win32.Generic-ee648c265f0fd485ccc3da0328014dcad66d4c0e40ffbe787a81e865baf4fdc8.exe
    3⤵
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper_v5.exe
      "C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper_v5.exe"
      4⤵
      PID:1736
    - - C:\Windows\SysWOW64\WindowsInput.exe
        
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        5⤵
        
        PID:6312
- - C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-e650436c4f35b160ed27dae6a113a849e62437864aad1cd326faef1f22fba151.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-e650436c4f35b160ed27dae6a113a849e62437864aad1cd326faef1f22fba151.exe
    3⤵
    PID:2912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 232
      4⤵
      Program crash
      PID:1704
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.aztl-cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799.exe
    Trojan-Ransom.Win32.Agent.aztl-cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799.exe
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 372
      4⤵
      Program crash
      PID:4996
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.iqf-3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7.exe
    Trojan-Ransom.Win32.Agent.iqf-3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7.exe
    3⤵
    PID:2216
  - - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.iqf-3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7.exe
      4⤵
      PID:2152
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe
    Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe
    3⤵
    PID:3624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      4⤵
      PID:4316
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:7924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      4⤵
      PID:6632
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:6968
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.exe
    Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.exe
    3⤵
    PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      PID:304
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies registry key
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "" /t REG_SZ /d ":*:Enabled:Windows Messanger" /f
      4⤵
      PID:1492
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "" /t REG_SZ /d ":*:Enabled:Windows Messanger" /f
        5⤵
        Modifies registry key
        
        PID:6492
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c netsh firewall set opmode disable
      4⤵
      PID:2944
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        5⤵
        Modifies Windows Firewall
        
        PID:6712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop security center
      4⤵
      PID:2300
    - - C:\Windows\SysWOW64\net.exe
        
        net stop security center
        5⤵
        
        PID:7132
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop security center
        6⤵
        
        PID:7484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop WinDefend
      4⤵
      PID:2432
    - - C:\Windows\SysWOW64\net.exe
        
        net stop WinDefend
        5⤵
        
        PID:6720
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        6⤵
        
        PID:4368
  - - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.EXE
      "C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.EXE"
      4⤵
      PID:2908
    - - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.EXE
        
        "C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.EXE"
        5⤵
        
        PID:1636
      - C:\Users\Admin\AppData\Roaming\skype\Skype.exe
        
        "C:\Users\Admin\AppData\Roaming\skype\Skype.exe"
        6⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        8⤵
        Modifies registry key
        
        PID:8008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "" /t REG_SZ /d ":*:Enabled:Windows Messanger" /f
        7⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "" /t REG_SZ /d ":*:Enabled:Windows Messanger" /f
        8⤵
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c netsh firewall set opmode disable
        7⤵
        
        PID:220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        8⤵
        Modifies Windows Firewall
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop security center
        7⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\net.exe
        
        net stop security center
        8⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop security center
        9⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop WinDefend
        7⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\net.exe
        
        net stop WinDefend
        8⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        9⤵
        
        PID:7740
        
        C:\Users\Admin\AppData\Roaming\skype\Skype.EXE
        
        "C:\Users\Admin\AppData\Roaming\skype\Skype.EXE"
        7⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Roaming\skype\Skype.EXE
        
        "C:\Users\Admin\AppData\Roaming\skype\Skype.EXE"
        8⤵
        
        PID:6520
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.kjhn-31b4b6a9fe95e3ab3a641492b45ebc82e48f76618d6c076d6979dddedc2c240b.exe
    Trojan-Ransom.Win32.Blocker.kjhn-31b4b6a9fe95e3ab3a641492b45ebc82e48f76618d6c076d6979dddedc2c240b.exe
    3⤵
    PID:4584
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\plantilla\7.vbs"
      4⤵
      PID:4840
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\7.vbs"
        5⤵
        
        PID:7012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c keygenerator.dll
      4⤵
      PID:2912
    - - C:\Users\Admin\Desktop\00429\keygenerator.dll
        
        keygenerator.dll
        5⤵
        
        PID:7984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deldll.bat" "
      4⤵
      PID:6096
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.kmpr-841cc6074ba4c04dc26fe7778aa54cae29060501e9f5e69f7b7dde398b6b3987.exe
    Trojan-Ransom.Win32.Blocker.kmpr-841cc6074ba4c04dc26fe7778aa54cae29060501e9f5e69f7b7dde398b6b3987.exe
    3⤵
    PID:4184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 236
      4⤵
      Program crash
      PID:5104
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.mvyz-23000103a948eba86fb7f24c60dbfcc0830fb160f85ff27dd5d8ada32feea4f7.exe
    Trojan-Ransom.Win32.Blocker.mvyz-23000103a948eba86fb7f24c60dbfcc0830fb160f85ff27dd5d8ada32feea4f7.exe
    3⤵
    PID:1236
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.CryFile.zeo-8bd7d90814071ee9704391bd3e298aadfe4ed6c0f8feaf3ebdd7e3afdbaa600f.exe
    Trojan-Ransom.Win32.CryFile.zeo-8bd7d90814071ee9704391bd3e298aadfe4ed6c0f8feaf3ebdd7e3afdbaa600f.exe
    3⤵
    PID:3260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Trojan-Ransom.Win32.CryFile.zeo-8bd7d90814071ee9704391bd3e298aadfe4ed6c0f8feaf3ebdd7e3afdbaa600f.exe.bat" "
      4⤵
      PID:2784
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Cryptor.edo-008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
    Trojan-Ransom.Win32.Cryptor.edo-008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
    3⤵
    PID:5112
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Cryptor.eea-fc990b79c1f106bfe21a6b2faa0455429e12e1707546e9475d5ea66daf10fd98.exe
    Trojan-Ransom.Win32.Cryptor.eea-fc990b79c1f106bfe21a6b2faa0455429e12e1707546e9475d5ea66daf10fd98.exe
    3⤵
    PID:8048
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Cryptor.etd-781c3e38141cda20fe0a87847d12a3bde0c298d74857ea93bc45a44c63e4bec0.exe
    Trojan-Ransom.Win32.Cryptor.etd-781c3e38141cda20fe0a87847d12a3bde0c298d74857ea93bc45a44c63e4bec0.exe
    3⤵
    PID:6264
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Cuba.k-00ddbe28a31cc91bd7b1989a9bebd43c4b5565aa0a9ed4e0ca2a5cfb290475ed.exe
    Trojan-Ransom.Win32.Cuba.k-00ddbe28a31cc91bd7b1989a9bebd43c4b5565aa0a9ed4e0ca2a5cfb290475ed.exe
    3⤵
    PID:7788
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Encoder.lxj-2d6ad546be178ae80462c39e6fde4752272b647f7a2848aa15c84a1c6c23e0ae.exe
    Trojan-Ransom.Win32.Encoder.lxj-2d6ad546be178ae80462c39e6fde4752272b647f7a2848aa15c84a1c6c23e0ae.exe
    3⤵
    PID:7260
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Gen.aaqy-df67c44fc4d8ef2d1cdea52afb5d08387deb8f04d5477ba36fb392f2f3230800.exe
    Trojan-Ransom.Win32.Gen.aaqy-df67c44fc4d8ef2d1cdea52afb5d08387deb8f04d5477ba36fb392f2f3230800.exe
    3⤵
    PID:7200
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Gimemo.cdqu-80a59a838cc14bcd7244c214bfa27ea4bd87a3cbacf217fa43fb295bb70ee765.exe
    Trojan-Ransom.Win32.Gimemo.cdqu-80a59a838cc14bcd7244c214bfa27ea4bd87a3cbacf217fa43fb295bb70ee765.exe
    3⤵
    PID:8000
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Hades.e-e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe
    Trojan-Ransom.Win32.Hades.e-e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe
    3⤵
    PID:7240
- - C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Mbro.bcet-b373dd5a8845a5e6f2e112160a87f37ef2f401f7783db0dfb22710b254356db7.exe
    Trojan-Ransom.Win32.Mbro.bcet-b373dd5a8845a5e6f2e112160a87f37ef2f401f7783db0dfb22710b254356db7.exe
    3⤵
    PID:5156
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\ /va /f
      4⤵
      Modifies registry key
      PID:5644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:5200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:6184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,834389301157742121,13927025126497203477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        5⤵
        
        PID:7820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,834389301157742121,13927025126497203477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
        5⤵
        
        PID:5908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:6208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:8152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        5⤵
        
        PID:4740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        
        PID:4104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
        5⤵
        
        PID:6864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        5⤵
        
        PID:7936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        5⤵
        
        PID:3948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
        5⤵
        
        PID:5476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
        5⤵
        
        PID:5608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
        5⤵
        
        PID:7116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
        5⤵
        
        PID:7700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
        5⤵
        
        PID:7872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
        5⤵
        
        PID:5896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
        5⤵
        
        PID:4796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
        5⤵
        
        PID:6464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
        5⤵
        
        PID:5300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
        5⤵
        
        PID:5456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
        5⤵
        
        PID:6164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
        5⤵
        
        PID:6532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
        5⤵
        
        PID:1948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
        5⤵
        
        PID:7092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
        5⤵
        
        PID:6576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
        5⤵
        
        PID:6320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:1
        5⤵
        
        PID:5960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
        5⤵
        
        PID:2460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1
        5⤵
        
        PID:7216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        5⤵
        
        PID:8516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8164 /prefetch:1
        5⤵
        
        PID:2908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        5⤵
        
        PID:8580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8408 /prefetch:1
        5⤵
        
        PID:8740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:1
        5⤵
        
        PID:3464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
        5⤵
        
        PID:8760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
        5⤵
        
        PID:4020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
        5⤵
        
        PID:9080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15650152436811140047,2617571836601899031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
        5⤵
        
        PID:424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:1984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1476,16301248986751226005,11892626811842680014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        5⤵
        
        PID:5912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1476,16301248986751226005,11892626811842680014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        5⤵
        
        PID:1192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:4888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:6264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14404626923318498773,11375022507309421041,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        5⤵
        
        PID:7676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,14404626923318498773,11375022507309421041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
        5⤵
        
        PID:308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:6624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:8060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:3452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:7316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xa4,0x104,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:6760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:4420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:7164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:5816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:4416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:4788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:6552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:5584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:8260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:4132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:8752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:9100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:8592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:7272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:5644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xd8,0x104,0xdc,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:5656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:8680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:9156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gys47.pw/hot/70ef/?uid=
      4⤵
      PID:9164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5bc46f8,0x7ffbc5bc4708,0x7ffbc5bc4718
        5⤵
        
        PID:7148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2912 -ip 2912
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5104 -ip 5104
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2640 -ip 2640
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2720 -ip 2720
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4184 -ip 4184
1⤵
PID:4608

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
PID:6904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5096

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How To Restore Your Files.txt
1⤵
PID:8168

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x328
1⤵
PID:7492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7948

C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe
1⤵
PID:6248
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  PID:4904
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:7600

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\4db0eb747d734b6cbeb35c23d0e6e92c /t 7652 /p 8000
1⤵
PID:6620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa383a055 /state1:0x41c64e6d
1⤵
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\How To Restore Your Files.txt

Filesize
4KB

MD5
9031db25ad5c4f9cea2926955eb86ee7

SHA1
9e3902e9726d54608a7be25eef1e76ba6a16300d

SHA256
cb16022ee42d7582afb1e083197bb7d450fdaa21e24f1793e248ac39d316bb59

SHA512
8865c08be098a32c624404e74f44e647428b007248bf260d5d285bbe52cbd3a80e0e33fbdddd0c0a9f397ecdc80ebeb341a4dd5c4ea72822db45afbb6e030c07

Download Submit
C:\Program Files\Common Files\DESIGNER\!!FAQ for Decryption!!.txt

Filesize
649B

MD5
866d1ff78d0709ddaf0c978e19acc183

SHA1
17e635948456f57e7cf4f7178d0e083f2322cc9c

SHA256
cf2e3e0d18415f826da1c73db67af0f5b0bce77ed1221a1e4ad8b2b87e7e1a67

SHA512
4666f09c6cc6c1a7f551e9ed98638efb59fbb182fd093a5044f5d5039b8096ff07b26830ecabf8f8552b7176825772f98052316cf3eff65267884442917b35f7

Download Submit
C:\ProgramData\readme.txt

Filesize
1KB

MD5
73132282367f7d0dad405cbf8f53558a

SHA1
d9f6e7800862995726047af126146441095677d3

SHA256
b8845657c64ee066cdf83c749507e9cea1683798eec0b45e57376e3f81de5859

SHA512
13bfda3b64dea373ffd0bf096e635b7949ccadf3aa14c2be499843be31a32e11e30994a4fd58b9e245d88387915b4ee38c75cc1ac4fd669a5fa20a874b749561

Download Submit
C:\Recovery\readme.txt.fun

Filesize
1KB

MD5
b15e37635ae8db46883087454ae62c5f

SHA1
16ab7d78d4818caf68c18c55c5757c98679c3b31

SHA256
2fe94efdb3736a27efe2e0c9b7f3ba91c7145f07001c4ee09da7620bf460a640

SHA512
ca139ec1eb1453989037c5789bcec402fc1c200330f9516b265b735b1f663daad9dffd103d66eca33403d2ae66e616a0c9f81fd5e275411b8538d87550b24651

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d33b94a879fdd0a203017b60875ad321

SHA1
e102a698d975ae366116805f7dc9291700962365

SHA256
88512770f8be6520b0c8b7e30bf744c502f2464f93ab3772734d724754c4588c

SHA512
a2a998e54d462787cd5bf3ed4969de9631cb552e064a6a9f07020db6dafc3335c43d7cc945f640f22893f1b76934cb957e183941b5100e2d445d1e51e5d01762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
972ccb8ba4f3a4601215c08fbcacb1d0

SHA1
d8dfa815153856d97a1a4677fc214365a23df3d1

SHA256
8b18ebdffe9066a0dad1179069ff8e68f7b096b733ec6c8bdb4a045963ae4aa3

SHA512
c31d1e2c7ec44cb38b0777ffbdcffd808207c29ee626413f62b68b6109233f91428ac80140ce79cc7c06e5983108f5cdba4fe5f650498d41e0ddc2d6195d8a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
917fbf65383bb293c8de426ef06bc297

SHA1
74dfc885a77ed3603b46ff1c97b49267a83afcf9

SHA256
47afd9d050c66ffdf85ef7c9daab8bb5a34450008ce917df93847a695f484f4f

SHA512
b05f0ef9d84f8c52dda6bf52ead39bc187d2e71ddac3d1995217dff4f2396e0c237e6368de466dcfe7f33d14b10c1fc55836c24fab1c44314b4a0e0b89bf8fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b6bee9cc94a345eeb0fe6663841d10c7

SHA1
7bdce348bbf1c5ef9a000a3837fc566ace50ebc0

SHA256
67ae1d37352cd07de0ef717f4b88a307af6b50e8d66ecadbd78f4a3633c7a91e

SHA512
8af59c5f00dd8b50afffa6673b035ba37b76f365ce23121d58132421e05b7c86932db8d7b0619b1daf837dc5b9df38eb5c3f12a83531c972da298dedfbb8d1b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1101b74a8b840c691d5f191ac5f3bbc3

SHA1
802bae22187185eaf31f65707894ab977d6c1cf7

SHA256
9a45ccfdebebb13eb298c43b175d6c12ff8844e20857c728c73b9c69bcdd95bb

SHA512
ac2ceb9206709ac52ba60999c27202b163f41f9c8478b8847ea60f1e6d2af383682e6b300f4fc8e4854c134eb84ceb7e55b5cc5c712b3b02b4f2d78c7c2bb37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fuxzp1nv.tjh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
911KB

MD5
f8b57a0d3e85bf158f8076d602b8f803

SHA1
a2d65df4ade4d6c23c009d21bb6baafb678d5948

SHA256
cdde47984c9d109772a9854a731fd94ca7f9c70dc569ce129755951422bf85a3

SHA512
d7eae26d816a03a4e3f0c83a2c06f3c2273380791c7b3d68d95da85c727457dfcbd81b83f235a64c4fb87ed73814065f143f7b0329f53ca22593b53c94dd21e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee49\guig.dll

Filesize
20KB

MD5
d3f8c0334c19198a109e44d074dac5fd

SHA1
167716989a62b25e9fcf8e20d78e390a52e12077

SHA256
005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa

SHA512
9c890e0af5b20ce9db4284e726ec0b05b2a9f18b909fb8e595edf3348a8f0d07d5238d85446a09e72e4faa2e2875beb52742d312e5163f48df4072b982801b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\genteert.dll

Filesize
60KB

MD5
6ce814fd1ad7ae07a9e462c26b3a0f69

SHA1
15f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7

SHA256
54c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831

SHA512
e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556

Download Submit
C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper_v5.exe

Filesize
932KB

MD5
ca0ee6986f4c9da0443e3d822150d173

SHA1
ac77e792a149cf9d9869a8f320776a205cbf6cfe

SHA256
b90eaa14657a570044b6f903bc0ccf2b0ab7802b870342cc98f2dc27120c24f7

SHA512
ef785a317b4c032d069cfc737c9b17359fe6ae8b3c66207f7d48d508b0ae0acf3870298fba45b3edf5da0dc242ee7057ead067c89c6b0b0beb3790c74bdc4f13

Download Submit
C:\Users\Admin\AppData\Roaming\plantilla\7.vbs

Filesize
37KB

MD5
f55efb8b3295e88db8da3e8e2f2e8de0

SHA1
861bfcfee6ccdffbd4c1c1cdbc35fd9a689b04ee

SHA256
9efa2a9210faec62c02fe95b62b783e3816de52ef057b5e5766ad509c6c55f93

SHA512
fdb630cfc2e1db484f94ee9a18e99fa9ee12131d6db803e79409aec29849ec40174d20814602290ef9f7a054a9bec6bc17456c02ca9fd7ff8ac4ac42e2a0c257

Download Submit
C:\Users\Admin\Desktop\00429\Config.cfg

Filesize
91B

MD5
0c3997540259a8d5ad28f9a5f008d9d8

SHA1
64db2fbed2187ded01f5a4316298058637d6dcac

SHA256
e07f0aaace593d7d3090af1f67c3364d72b2a2f042cc4eadc95345ba0215ab42

SHA512
cbf0df0b652f8695f4f467780031ead0c448e621615e77a04b9eba71da75d7ef6071df260a7cfb37eaa16f82f23a0bb0fd4e1735064dae1b1c5e17934c6e2352

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37.exe

Filesize
5.9MB

MD5
6e2b958c779311b1bb2f3846e3e6f227

SHA1
74cca9bd27746fb3543346c7a64ecf62edd67cc9

SHA256
fdf3c2dbf8e0499ce773464d812811e96dcd87f7c54db2a661aa803c32b6cf37

SHA512
f859e5a89b974b82741641caac4d9f1f03e2a71110c739afbaa16b970f25fd223cab01340ea761869dd8ca94278b67f6c89cff8ef2dbcdca4fcfb9987073d9d7

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Blocker.gen-ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605.exe

Filesize
2.6MB

MD5
d544e7ce4e8d537afae7104d03e5d752

SHA1
a93354489dc4a6057123184a86344bee798610a9

SHA256
ae48910e64a0f0a002b3f93023460e6ccf3f2bd0f49a22f299db13a914d24605

SHA512
bb8a59bad72dd2dc6fefdd6c7b01b63932826af5eb1b7975f7f15f8328f45871fba26e6ca52942243626ca25121ce9d66d150135d1f90a4f336216f7ff6fb966

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Blocker.gen-c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a.exe

Filesize
3.4MB

MD5
3682137829a24b7e66ac9f2882d2ee8e

SHA1
ec9bdb15c55c4dd17558af14e44d39cef41f89ab

SHA256
c54958d946b5a0f58ec26c4e03918460931c33dc9822a586e02c7ab8cf92291a

SHA512
0ebc112a6b270c14f4f78b262ec3c0c01d8713bcd806ec051700ce0527bd376777ab97ec6f90ef8ad260790807627f88d4b14464a2622c01b9d0be5dae2703a5

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Conti.gen-909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5.exe

Filesize
194KB

MD5
ec2bb08101a9d8f63787958dd72a9e22

SHA1
077dd29fbd776656a05aebc50dd59b1eb810258c

SHA256
909224f5de1c33d7bf71242ab16269a11b8a36b457ab1c55f37098887e26e0e5

SHA512
a6a7a8f71132c901877a73b08b2ef91744c4dea29d42efdd316a04ba4172119ecc472b6cc258cdb2578d18bace8c4bdbe99961c4d5b77d10326312a2c3b0ada7

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Crypmod.gen-eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056.exe

Filesize
4.3MB

MD5
53f7352d2f0627183efd62dd20b2bbe8

SHA1
2cd84c6ff143d9aaa260d075e2ac7ab6d0d1bdb8

SHA256
eccd4b2c4f1e6d22d6e4f0fe7b5123f89161abfc4fafe9c0487b8e30179d2056

SHA512
c93f36a7b708a912938d93f83b13a09859e189bd1e82908cf8563708fac0062cb02412145b80b6983ea9f584be8b302d7c7587cbd00e0e3b72c15b290b67d65f

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Gen.gen-e0063e1195df32dc9ddacb38b8f7ecc658f1e57c545905904cb3967a0a94af16.exe

Filesize
604KB

MD5
7eaf2c8cd97990e515ed8c4515e9856b

SHA1
a293d64e031ed0f39c140eb257879dc62dd4be33

SHA256
e0063e1195df32dc9ddacb38b8f7ecc658f1e57c545905904cb3967a0a94af16

SHA512
95586c20dc2644213861d41a356e9029934f73cea42a897d0db484bf355ab59f6d61f57a5036e40507adeeea1099a73aa42d4f7d19365b0b07431c8d049ec330

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-0984f098c2eddf9a34d8122b97635a8cc6c0fc9dbfa95856a56ae47cedf55908.exe

Filesize
1.7MB

MD5
f52339897bab303fdb9acd0201940dfe

SHA1
bfbf39c9bf6343663d59c7fb58f3ba275157764e

SHA256
0984f098c2eddf9a34d8122b97635a8cc6c0fc9dbfa95856a56ae47cedf55908

SHA512
d3bd77968b90e13249d3bc35fe30f7cc22b5a8ea07a34bbf41ff3139f66a03680bc64ae7019f14207128bd7ac5cd9c44f6b427ae76fa6c70134134d332911d74

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7.exe

Filesize
947KB

MD5
289d4167df85edaecb94a98028335bf4

SHA1
716448d4a1bd77597af2ca826279483a4e60687a

SHA256
668632dd546969da7eb384c587bda1a1d69dc7081a1c0f13df7bcb9eb0e4a9a7

SHA512
78b355efa87a4a565fb71fea278fa0ffe9f3b3e5db977d5328986f293d28b65a69fa8393557e1e886c302c7272b958764de45e2aef3228e09b99672766097e1f

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-9f70d9a756b40db1f6e5268e246ea7c3ceed45162e975d84b25908734f8eb8bc.exe

Filesize
601KB

MD5
1369cff4b4b4f3a2568307aa04b9f2e9

SHA1
7b919a96c9741b32c2345697cbfbcfd257f68c1d

SHA256
9f70d9a756b40db1f6e5268e246ea7c3ceed45162e975d84b25908734f8eb8bc

SHA512
86cd688a46421ea79643040b948390880370e99653d19f80b15fb6eab73999d32f34e2669cf35a3d66c6161c385b6c5c5e49adf2f416e28b6bf18368a93aa85e

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.Generic-ee648c265f0fd485ccc3da0328014dcad66d4c0e40ffbe787a81e865baf4fdc8.exe

Filesize
713KB

MD5
a07f518dbe20e16ed76388c4eafde562

SHA1
2c2d26b0230278e3aecbabc54405cb5f7802e1f2

SHA256
ee648c265f0fd485ccc3da0328014dcad66d4c0e40ffbe787a81e865baf4fdc8

SHA512
3a3dbc19eb8048026b0be0a1b7caae57ffb14e16070c4cb12b0afc34933eb4b508bceec3abe78bfbe15f0259efe98a73aeef240d6733618391bbe66716d25467

Download Submit
C:\Users\Admin\Desktop\00429\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-e650436c4f35b160ed27dae6a113a849e62437864aad1cd326faef1f22fba151.exe

Filesize
1.0MB

MD5
0ed06bd5c518f7a95d83858027538143

SHA1
9946fe2af6aa38a0852f6374f42490977c8afbaa

SHA256
e650436c4f35b160ed27dae6a113a849e62437864aad1cd326faef1f22fba151

SHA512
ef0391cc87f570a69decda78a528121791d003032eb33982744ee1e7d2a8286012473aee5f28eb6d0dad9c933266cf030f5d66e9cd8d6f0e99698d8fa835162d

Download Submit
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.aztl-cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799.exe

Filesize
70KB

MD5
cdef2e8636422621b2e5350c889be2a5

SHA1
730417848eaf82434e56e14b4bf9a89b510052d8

SHA256
cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799

SHA512
ade3899b70b0ee26ba0ff7d897c269def9e74720eba8087a82ce911f19896ee304d8823aafc89a73439549dad936b7e901499c4b33f2a1ddc4be6fdb010d0fab

Download Submit
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Agent.iqf-3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe

Filesize
79KB

MD5
f6282c938e0662cf851feee0146d79a4

SHA1
9d0c6528565303e5b10a964a2783c77f25b9695b

SHA256
2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf

SHA512
b99be65ddc6154128992b510aa1b053b56dbad7f91f9102e42a06ada2f3c58f5ac6423483728648c20adce862c6f0e136913c6d0441a47391cedc76194c2936f

Download Submit
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.Blocker.mvyz-23000103a948eba86fb7f24c60dbfcc0830fb160f85ff27dd5d8ada32feea4f7.exe

Filesize
4.8MB

MD5
c5d939542d88ff7ff76edd94d74e1d48

SHA1
cc6cca15dec4362e66ccc42f0f3e4eab7caae1e2

SHA256
23000103a948eba86fb7f24c60dbfcc0830fb160f85ff27dd5d8ada32feea4f7

SHA512
e82dedafb5d6417e920d08db66b3e61a248dc10917f55184082bdb1466b61d22720059882c8fad79d5a91df18e23c18537dcfb0968feea9a20d291773f8fe35d

Download Submit
C:\Users\Admin\Desktop\00429\Trojan-Ransom.Win32.CryFile.zeo-8bd7d90814071ee9704391bd3e298aadfe4ed6c0f8feaf3ebdd7e3afdbaa600f.exe

Filesize
123KB

MD5
87175668b1c2aab93f454b179430d39e

SHA1
9b95aaae4a205751c3e1b4d24f68e26b6d7865f5

SHA256
8bd7d90814071ee9704391bd3e298aadfe4ed6c0f8feaf3ebdd7e3afdbaa600f

SHA512
5fc44b0e65ffebee40f7b110561b563c01f02e94f29bc7862540465502d6ccd2a197bc8b3c60558389bfbec8d994385fb4b38a80c47b8f3b9b5105a933093812

Download Submit
C:\Users\How To Restore Your Files.txt

Filesize
4KB

MD5
655a099a144e6164ba891274ac9aa406

SHA1
66c4292b9f1b516ec0869adcd64efeb5c4bd1917

SHA256
cfad30c98f7fdd4c40a88994cb4d2f8499d67525ac92031d1f77595164b27b71

SHA512
3fc847a23a2fbc3a03607195451a22caf3cd867d4085796d8ddb4e6b490cd303524c22c75d9b9f204b17d62f089692fd8f11d9275a10e15da62ae3bcf2fedecf

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\vcredist2010_x64.log.html.babyk

Filesize
86KB

MD5
9159e18dc5d2a5dd2cfe37e88bcf7ef2

SHA1
ac2d76cac0ffc96e2edb0b212c52fe4f6ac303d1

SHA256
c2a98e740a050bc197d996faaf7004a78f922beab179bcd739f4168789b3429d

SHA512
d70effd36acbf6e8ca98cfa4f27886ff1a62189a82b8bbf88bac3fcf51225f0f651173c57e8c4c615d786f370033c42d46bcaa22a51412a959ec3cf7cc2930d3

Download Submit
C:\vcredist2010_x86.log.html.babyk

Filesize
82KB

MD5
c5f0ba2bf0271ae42cd7b786973ee1ce

SHA1
9ac8eb6db96b637474aece6eef16bafb0c703d0f

SHA256
d79e476d52e2035e200b95cf8e2be69244fedf8078144d628f954cd54da50034

SHA512
f8156ca39dd263fdab99b70632967ae4760389ec2127a2a3bbce6afb47137e28b70c77437a5b82289f79fdbd8963898b8a381bbeaaf01c0731969ca12777d0ac

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.babyk

Filesize
168KB

MD5
3752168fc9dc7b80ea0ae2cdb16ff363

SHA1
8d7a008200a0e9829d502753b001a2288d10d5ee

SHA256
a4f8bdb554280774c4a9a192b0d0202179d8bd52b745ffc0ce6edd20db1519c8

SHA512
94a9a73806df800c1aed6eb6798960cffa2ee159e3e2c41a742cf31fdb746484caece3b90ead1e85aa595570754e6394804a0c4c872f9fd0ef130de240f1b089

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.babyk

Filesize
195KB

MD5
566fa29003c571fd6cf86fd9320adc82

SHA1
0b727cb2f005b9ba324ff3a81fbbf2215db34c7e

SHA256
f194e89a8bed950cab30769b9f94fe004b0ca0d82a1d87c9f9cea2dfc56e4458

SHA512
ce0792df5a13980e353c4fbdaea61d4994d122c945d9ac67b9e4ed128a9e565e004f46ece0c4aa1cf553a2a1120c806af04664b4ebb2c599f0034b6ebc92f7f7

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.babyk

Filesize
171KB

MD5
4d821e361aaca30d747e24003349f52d

SHA1
98aeca2311ca6ddbd094ee0e26cb3c13a65bdfd3

SHA256
135e642ed57b6153d96318b45efe6b1b21490c20aaf0b45c14b76923e300d32a

SHA512
a4f8fe3f0431f7ce2bced52755e17cca8fb72304da07f02b4c7392fb74fe80f5ed8d22ac7bc75db98e092aff34b662bc0d5433725c9eb7f9bdd15403bedd7e1a

Download Submit
\??\c:\users\admin\desktop\00429\trojan-ransom.win32.blocker.fndo-86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b.exe

Filesize
391KB

MD5
e5409d8ba3a4ba334731409a79923b08

SHA1
8a07b54a6be849a86a2dcfdbeab8ebaedb95b296

SHA256
86c01a9f145db2d92275820fb16c06f08a7320d769e8e1a9ff4e28d8bc7eff0b

SHA512
294d31cdef2d91732f6473c40a4a49d652352dac5952d3982688f57330eb69211aade72947bd0c403742cfb33c9e937c37f64cb74229d8bc46ef9d39d6f0b905

Download Submit
\??\c:\users\admin\desktop\00429\trojan-ransom.win32.blocker.kjhn-31b4b6a9fe95e3ab3a641492b45ebc82e48f76618d6c076d6979dddedc2c240b.exe

Filesize
488KB

MD5
ade549d17160f78f9e3be455a42d946b

SHA1
02e5fa12a8513f349627a794f86c649774e06882

SHA256
31b4b6a9fe95e3ab3a641492b45ebc82e48f76618d6c076d6979dddedc2c240b

SHA512
7f5ec54e13765292310f9c2276fee1635c519a6517f27220dd4ea28918bcff620319372620125d3656c559b78e23e448405ea5b5e2b406d481a1c5684fae0a7c

Download Submit
\??\c:\users\admin\desktop\00429\trojan-ransom.win32.blocker.kmpr-841cc6074ba4c04dc26fe7778aa54cae29060501e9f5e69f7b7dde398b6b3987.exe

Filesize
184KB

MD5
4bbe82c1c108157bcbc814168d280130

SHA1
787a08486ff5ef69ad764a793bae5db037c270a9

SHA256
841cc6074ba4c04dc26fe7778aa54cae29060501e9f5e69f7b7dde398b6b3987

SHA512
8ce2354667f3a73232f21bd471e5c808f4776332e76d04c6792b57e30a869d9f7795a7f87727df522e869de2c400ef0dc6c245a9f1f69a90baa55ece21b5422e

Download Submit
memory/396-111-0x000002A5BB620000-0x000002A5BB664000-memory.dmp

Filesize
272KB

Download
memory/396-112-0x000002A5BB6F0000-0x000002A5BB766000-memory.dmp

Filesize
472KB

Download
memory/396-110-0x000002A5BB260000-0x000002A5BB282000-memory.dmp

Filesize
136KB

Download
memory/396-114-0x000002A5BB690000-0x000002A5BB6AE000-memory.dmp

Filesize
120KB

Download
memory/548-282-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/1068-164-0x0000000000330000-0x00000000003CC000-memory.dmp

Filesize
624KB

Download
memory/1236-210-0x0000000000EE0000-0x0000000002C77000-memory.dmp

Filesize
29.6MB

Download
memory/1236-785-0x0000000000EE0000-0x0000000002C77000-memory.dmp

Filesize
29.6MB

Download
memory/1636-220-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1636-223-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1636-224-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1636-751-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1636-222-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1688-163-0x0000000000D20000-0x0000000000DD8000-memory.dmp

Filesize
736KB

Download
memory/1736-2838-0x0000000040000000-0x000000004000E000-memory.dmp

Filesize
56KB

Download
memory/1736-805-0x0000000005B60000-0x0000000005C12000-memory.dmp

Filesize
712KB

Download
memory/1736-6638-0x00000000058B0000-0x00000000058BC000-memory.dmp

Filesize
48KB

Download
memory/1736-7167-0x00000000058B0000-0x00000000058B8000-memory.dmp

Filesize
32KB

Download
memory/1736-267-0x0000000000160000-0x000000000024E000-memory.dmp

Filesize
952KB

Download
memory/1736-288-0x0000000004C20000-0x0000000004C28000-memory.dmp

Filesize
32KB

Download
memory/1736-6764-0x00000000058D0000-0x00000000058F6000-memory.dmp

Filesize
152KB

Download
memory/1736-6641-0x00000000058C0000-0x00000000058E0000-memory.dmp

Filesize
128KB

Download
memory/1736-6517-0x00000000058E0000-0x00000000058F6000-memory.dmp

Filesize
88KB

Download
memory/1736-6544-0x00000000058D0000-0x00000000058FA000-memory.dmp

Filesize
168KB

Download
memory/1736-1911-0x0000000040000000-0x0000000040008000-memory.dmp

Filesize
32KB

Download
memory/1736-6547-0x00000000058B0000-0x00000000058B8000-memory.dmp

Filesize
32KB

Download
memory/1736-7685-0x00000000058B0000-0x00000000058BC000-memory.dmp

Filesize
48KB

Download
memory/1736-6301-0x0000000009060000-0x000000000ADF7000-memory.dmp

Filesize
29.6MB

Download
memory/1736-1900-0x0000000040000000-0x0000000040008000-memory.dmp

Filesize
32KB

Download
memory/1736-1028-0x0000000040000000-0x0000000040084000-memory.dmp

Filesize
528KB

Download
memory/1736-2116-0x0000000005BA0000-0x0000000005C14000-memory.dmp

Filesize
464KB

Download
memory/1736-6327-0x00000000058F0000-0x0000000005936000-memory.dmp

Filesize
280KB

Download
memory/1736-6326-0x00000000058A0000-0x00000000058E6000-memory.dmp

Filesize
280KB

Download
memory/1736-6176-0x0000000005B20000-0x00000000078B7000-memory.dmp

Filesize
29.6MB

Download
memory/1736-6076-0x00000000058C0000-0x00000000058DA000-memory.dmp

Filesize
104KB

Download
memory/1736-6491-0x00000000058C0000-0x00000000058D8000-memory.dmp

Filesize
96KB

Download
memory/1736-7166-0x00000000058D0000-0x00000000058FC000-memory.dmp

Filesize
176KB

Download
memory/1736-5345-0x00000000058F0000-0x0000000005940000-memory.dmp

Filesize
320KB

Download
memory/1736-7165-0x0000000040000000-0x000000004003E000-memory.dmp

Filesize
248KB

Download
memory/1736-289-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/1736-7675-0x00000000058D0000-0x00000000058F8000-memory.dmp

Filesize
160KB

Download
memory/1736-7676-0x00000000058B0000-0x00000000058BC000-memory.dmp

Filesize
48KB

Download
memory/1736-7145-0x00000000058E0000-0x0000000005920000-memory.dmp

Filesize
256KB

Download
memory/1736-7677-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/1736-7678-0x00000000058C0000-0x00000000058DE000-memory.dmp

Filesize
120KB

Download
memory/1736-7679-0x00000000058C0000-0x00000000058DE000-memory.dmp

Filesize
120KB

Download
memory/1736-2111-0x0000000005B50000-0x0000000005B80000-memory.dmp

Filesize
192KB

Download
memory/1736-7680-0x00000000058B0000-0x00000000058B8000-memory.dmp

Filesize
32KB

Download
memory/1736-7681-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/1736-7682-0x00000000058B0000-0x00000000058BE000-memory.dmp

Filesize
56KB

Download
memory/1736-3103-0x0000000040000000-0x0000000040094000-memory.dmp

Filesize
592KB

Download
memory/1736-7683-0x00000000058C0000-0x00000000058D4000-memory.dmp

Filesize
80KB

Download
memory/1736-7684-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/1736-2828-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/1736-7447-0x00000000058D0000-0x00000000058F4000-memory.dmp

Filesize
144KB

Download
memory/1736-2807-0x0000000040000000-0x0000000040020000-memory.dmp

Filesize
128KB

Download
memory/1736-7434-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/1736-1915-0x0000000040000000-0x0000000040008000-memory.dmp

Filesize
32KB

Download
memory/1736-793-0x0000000005B00000-0x0000000005B8E000-memory.dmp

Filesize
568KB

Download
memory/1736-823-0x00000000059F0000-0x00000000059FE000-memory.dmp

Filesize
56KB

Download
memory/1736-811-0x0000000040000000-0x0000000040224000-memory.dmp

Filesize
2.1MB

Download
memory/1736-806-0x0000000005B61000-0x0000000005BD4000-memory.dmp

Filesize
460KB

Download
memory/1736-799-0x0000000005BC0000-0x0000000005CAE000-memory.dmp

Filesize
952KB

Download
memory/1736-2090-0x0000000005B30000-0x0000000005B3C000-memory.dmp

Filesize
48KB

Download
memory/1736-2096-0x0000000040000000-0x000000004000A000-memory.dmp

Filesize
40KB

Download
memory/1992-148-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2152-782-0x000000001B9E0000-0x000000001B9E8000-memory.dmp

Filesize
32KB

Download
memory/2172-524-0x0000000000400000-0x0000000002FC4000-memory.dmp

Filesize
43.8MB

Download
memory/2216-202-0x000000001B9A0000-0x000000001B9D8000-memory.dmp

Filesize
224KB

Download
memory/2216-209-0x000000001BAB0000-0x000000001BB4C000-memory.dmp

Filesize
624KB

Download
memory/2216-207-0x000000001C040000-0x000000001C50E000-memory.dmp

Filesize
4.8MB

Download
memory/2640-141-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/2640-125-0x00000000005E0000-0x000000000089A000-memory.dmp

Filesize
2.7MB

Download
memory/2640-143-0x00000000052E0000-0x00000000052FE000-memory.dmp

Filesize
120KB

Download
memory/2640-144-0x0000000005410000-0x0000000005426000-memory.dmp

Filesize
88KB

Download
memory/2640-140-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/2640-139-0x00000000051C0000-0x0000000005256000-memory.dmp

Filesize
600KB

Download
memory/2908-203-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2908-264-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2908-206-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2908-219-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2908-205-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3244-985-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/3244-609-0x0000000006640000-0x000000000674A000-memory.dmp

Filesize
1.0MB

Download
memory/3244-293-0x0000000006420000-0x0000000006432000-memory.dmp

Filesize
72KB

Download
memory/3244-294-0x0000000006480000-0x00000000064BC000-memory.dmp

Filesize
240KB

Download
memory/3244-946-0x00000000072D0000-0x00000000072DA000-memory.dmp

Filesize
40KB

Download
memory/3244-945-0x0000000007480000-0x0000000007642000-memory.dmp

Filesize
1.8MB

Download
memory/3244-880-0x00000000069E0000-0x00000000069F8000-memory.dmp

Filesize
96KB

Download
memory/3244-292-0x0000000006A00000-0x0000000007018000-memory.dmp

Filesize
6.1MB

Download
memory/3244-262-0x0000000005660000-0x00000000056BC000-memory.dmp

Filesize
368KB

Download
memory/3244-261-0x0000000003070000-0x000000000307E000-memory.dmp

Filesize
56KB

Download
memory/3244-297-0x00000000064C0000-0x000000000650C000-memory.dmp

Filesize
304KB

Download
memory/3244-285-0x00000000057D0000-0x00000000057E2000-memory.dmp

Filesize
72KB

Download
memory/3244-286-0x00000000057E0000-0x00000000057E8000-memory.dmp

Filesize
32KB

Download
memory/3244-287-0x0000000005C10000-0x0000000005C18000-memory.dmp

Filesize
32KB

Download
memory/3244-268-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/3244-260-0x0000000000D30000-0x0000000000E1A000-memory.dmp

Filesize
936KB

Download
memory/4768-79-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/4768-72-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/4768-81-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/4768-73-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/4768-78-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/4768-74-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/4768-80-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/4768-82-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/4768-84-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/4768-83-0x00000237834F0000-0x00000237834F1000-memory.dmp

Filesize
4KB

Download
memory/6312-741-0x0000000002DA0000-0x0000000002DB2000-memory.dmp

Filesize
72KB

Download
memory/6312-740-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/6312-742-0x0000000002F20000-0x0000000002F5C000-memory.dmp

Filesize
240KB

Download
memory/6520-1959-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6520-781-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6520-786-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6520-780-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6904-779-0x0000000019EC0000-0x0000000019FCA000-memory.dmp

Filesize
1.0MB

Download
memory/6996-752-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6996-749-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6996-788-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/7200-6841-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download
memory/7200-5624-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download
memory/7260-4350-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/7260-7156-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/8048-1723-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download