Overview

overview

10

Static

static

1

RNSM00409.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    470s
  • max time network
    472s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2024 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00409.7z

  • Size

    21.9MB

  • MD5

    2b3532d723da17993253cf1177d60353

  • SHA1

    c3ba17fa6e7cba1d56b249d0172939a88479970f

  • SHA256

    e9dcab6c8daf2d1e5e3bfb114abb6a712e3d88434f61e9e8a2e1fda67b12e0e6

  • SHA512

    38b4d7ab086eba672aa5b562d669c345f20b5977c04440b306e34d6faac634409015ead030e74cc72fff612edb10bbba9b1b5d48cdd5b089a63a0d3242e65512

  • SSDEEP

    393216:wtn7WUHzs1g6LuXtFVRCPbMzyBSUPNUz5udv8nH9jjiieVPSR7UMdka2G18hyHA9:qfkKnmPlXw5av8nH9q4YSka2XhyH8

Score
10/10
bitratdarkcometgandcrabgrowtopiasuncryptguest16backdoorcollectioncredential_accessdiscoveryevasionpersistenceransomwareratspywarestealertrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

fantomazzz.ddns.net:1604

Mutex

DC_MUTEX-WB00FV3

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    058yy4Fpjp6w

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Path

C:\ProgramData\Microsoft\AppV\Setup\YOUR_FILES_ARE_ENCRYPTED.HTML

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 3rem !important; } #text h2 { color: white; font-size: 2rem; font-weight: 600; line-height: 1.125; } .tabs { -webkit-overflow-scrolling: touch; align-items: stretch; display: flex; font-size: 1rem; justify-content: space-between; overflow: hidden; overflow-x: hidden; overflow-x: auto; white-space: nowrap; } .tabs ul { align-items: center; border-bottom-color: #454545; border-bottom-style: solid; border-bottom-width: 1px; display: flex; flex-grow: 1; flex-shrink: 0; justify-content: flex-start; } .tabs.is-toggle ul { border-bottom: none; } .tabs li { position: relative; } .tabs li { display: block; } .tabs.is-toggle li.is-active a { background-color: white; border-color: white; color: rgba(0, 0, 0, 0.7); z-index: 1; } .tabs.is-toggle li:first-child a { border-top-left-radius: 3px; border-bottom-left-radius: 3px; } .tabs li.is-active a { border-bottom-color: white; color: white; } .tabs.is-toggle a { border-color: #454545; border-style: solid; border-width: 1px; margin-bottom: 0; position: relative; } .tabs a { align-items: center; border-bottom-color: #454545; border-bottom-style: solid; border-bottom-width: 1px; color: white; display: flex; justify-content: center; margin-bottom: -1px; padding: 0.5em 1em; vertical-align: top; cursor: pointer; } .tabs.is-toggle li:last-child a { border-top-right-radius: 3px; border-bottom-right-radius: 3px; } .container { max-width: 1152px; max-width: ; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; color: white; display: block; padding: 1.25rem; border: 1px solid #303030; } blockquote { background: hsl(0, 0%, 20%); padding: 1rem; border-left: 3px solid #55a630; } a { color: #e55934; } </style> <script> let text = { en: `<h2> Whats Happen? </h2> We got your documents and files encrypted and you cannot access them. To make sure we�re not bluffing just check out your files. Want to recover them? Just do what we instruct you to. If you fail to follow our recommendations, you will never see your files again. During each attack, we copy valuable commercial data. If the user doesn’t pay to us, we will either send those data to rivals, or publish them. GDPR. Don’t want to pay to us, pay 10x more to the government. <h2> What Guarantees? </h2> We’re doing our own business and never care about what you do. All we need is to earn. Should we be unfair guys, no one would work with us. So if you drop our offer we won’t take any offense but you’ll lose all of your data and files. How much time would it take to recover losses? You only may guess. <h2> How do I access the website? </h2> <ul> <li><a href="https://torproject.org" target="_blank">Get TOR browser here</a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">Go to our website</a></li> </ul>`, de: `<h2> Was ist gerade passiert? </h2> Wir haben Ihre Dokumente und Dateien verschlüsselt und Sie können nicht mehr darauf zugreifen. Jeder Angriff wird von einer Kopie der kommerziellen Informationen begleitet. Um sicherzustellen, dass wir es ernst meinen, prüfen Sie einfach Ihre Dateien und Sie werden sehen. Möchten Sie sie wiederherstellen? Halten Sie sich einfach an unsere Anweisungen, um uns zu bezahlen. Tuen Sie dies nicht, werden Sie Ihre Dateien niemals wiedersehen. Im Falle einer Zahlungsverweigerung werden die Daten entweder an Wettbewerber verkauft oder in offenen Quellen bereitgestellt. GDPR. Wenn Sie uns nicht bezahlen möchten, zahlen Sie das Zehnfache an der Regierung. <h2> Wie sollten Sie uns trauen ? </h2> Wir machen unsere eigenen Geschäfte und kümmern uns nicht darum was Sie tunen. Wir müssen nur verdienen. Sollten wir einfach nur bluffen, würde niemand an uns zahlen. Wenn Sie unser Angebot ablehnen, werden Sie alle Ihre Daten für immer verlieren. Wie viel Zeit werden Sie brauchen um ihre Daten selber zu ersetzen ? Sie können es sich schon denken. <h2> Unsere Forderungen </h2> <ul> <li><a href="https://torproject.org" target="_blank">Holen Sie sich den TOR-Browser hier</a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">Gehen Sie auf unsere Website</a></li> </ul>`, fr: `<h2> Qu'est-ce qui vient de se passer? </h2> Nous avons crypté vos documents et fichiers et vous ne pouvez pas y accéder. Chaque attaque est accompagnée d'une copie des informations commerciales. Pour vous assurer que nous ne bluffons pas. Voulez-vous les restaurer? Faites juste ce que nous vous demandons, pour nous payer. Si vous ne suivez pas nos recommandations, vous ne verrez plus jamais vos fichiers. En cas de refus de paiement - les données seront soit revendues à des concurrents, soit diffusées dans des sources ouvertes. GDPR. Si vous ne voulez pas nous payer, payez x10 fois le gouvernement. <h2> Qu'en est-il des garanties? </h2> Nous faisons nos propres affaires et ne nous soucions jamais de ce que vous faites. Tout ce dont nous avons besoin est de gagner de l'argent. Si nous devions être injustes, personne ne travaillerait avec nous. Donc, si vous abandonnez notre offre, nous ne prendrons aucune infraction, mais vous perdrez toutes vos données et vos fichiers. Combien de temps faudrait-il pour récupérer les pertes? Vous pouvez seulement deviner. <h2> Comment puis-je accéder au site web? </h2> <ul> <li><a href="https://torproject.org" target="_blank">Téléchargez le navigateur TOR ici</a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">Allez sur notre site web</a></li> </ul>`, es: `<h2> ¿Lo que de pasar? </h2> Ya tenemos sus documentos y archivos encriptados y usted no puede acceder a ellos. Para asegurarse de que no estamos faroleando. ¿Quiere recuperarlos? Sólo haga lo que le indicamos. Si usted no sigue nuestras recomendaciones, usted nunca verá sus archivos. Durante cada ataque, copiamos los datos comerciales valiosos. Si el usuario no nos paga, enviaremos estos datos a sus rivales o los publicaremos. GDPR. No quiere pagarnos, paga 10 veces más al gobierno. <h2> ¿Qué pasa con las garantías? </h2> Estamos haciendo nuestro propio negocio y nunca nos importa lo que hace usted. Todo lo que necesitamos es ganar. Hay que ser injustos chicos, nadie trabajaría con nosotros. Entonces, si deja caer nuestras propuestas, no nos ofenderemos pero usted perderá todos sus datos y archivos. ¿Cuánto tiempo se requiere para recuperar las pérdidas? Sólo usted puede adivinar. <h2> ¿Cómo acceder al sitio web? </h2> <ul> <li><a href="https://torproject.org" target="_blank">Obtenga el navegador TOR aquí</a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">Vaya a nuestro sitio web</a></li> </ul>`, jp: `<h2> 何があったのですか? </h2> ドキュメントとファイルを暗号化しました。 それらにアクセスすることはできません。 ブラフしないようにするには、 ファイルをチェックアウトして、すべてが。 それらを回復したいですか? ただや る 指示すること。 指示に従わない場合、ファイルは二度と表示されません。 各攻撃中に、貴重な商用データをコピーします。 ユーザーが当社に支払わない場合は、それらのデータをライバルに送信するか、公開します。 <h2> 何が保証されますか ? </h2> 私たちは私たち自身のビジネスを行っており、あなたが何をするかを気にしません。 必要なのは稼ぐことだけです。 私たちが不公平な人である場合、誰も私たちと一緒に働くことはありません。 ですから、あなたが私たちの申し出をやめても、私たちは何の罪も犯しません すべてのデータとファイルが失われます。 損失を回復するのにどれくらい時間がかかりますか? 推測するだけです。 <h2> Webサイトにアクセスするにはどうすればよいですか? </h2> <ul> <li><a href=" https://torproject.org " target="_blank">ここで TORブラウザを入手 </a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">当社のウェブサイトにアクセス </a></li> </ul>` }; function sel_lang(event) { let active = document.getElementsByClassName('is-active')[0]; active.classList.remove('is-active'); event.target.parentElement.classList.add('is-active'); let lang = event.target.getAttribute('data-lang'); let el = document.getElementById('text'); el.innerHTML = text[lang]; } document.addEventListener("DOMContentLoaded", ()=>{ let el = document.getElementById('text'); el.innerHTML = text['en']; }); </script> </head> <body class='pt-6'> <div class='container'> <div class="tabs is-toggle"> <ul> <li class="is-active"><a onclick='sel_lang(event);' data-lang='en'>EN</a></li> <li class=""><a onclick='sel_lang(event);' data-lang='de'>DE</a></li> <li class=""><a onclick='sel_lang(event);' data-lang='fr'>FR</a></li> <li class=""><a onclick='sel_lang(event);' data-lang='es'>ES</a></li> <li class=""><a onclick='sel_lang(event);' data-lang='jp'>JP</a></li> </ul> </div> <div class='box'> <div id='text'></div> <div style='border: 1px solid red; padding: .5rem; font-size: 1.3rem; font-weight: 500; margin: 3rem 0;'> <div class='title is-4'> In case you decide not to cooperate, your private data will be published <a style='color: #46a049; text-decoration: underline;' target='_blank' href='http://nbzzb6sa6xuura2z.onion/'>here</a> or sold. </div> </div> <div style='margin-top: 2rem;'> <h2>Offline how-to</h2> <p>Copy & Paste this secret message to <a href="http://ebwexiymbsib4rmw.onion">this page</a> textarea field</p> <p><blockquote>31780cb47bbd5dddd3589b95721d116d0fc17522ce7da1280869616a3f85e888c8687d781de97c0fdbb6e15ae91e2387</blockquote></p> </div> </div> </div> </body> </html>������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/780416990140694560/Rv9Dt6aXO_jwSBUytdlrYD0xRmVZ-TRjS-VN_rVJyUGInUZG9tQ74zrBQkWp8ra_rO6t

https://discord.com/api/webhooks/780417200812064838/AxlXPJdiiiyzr1AD-VwaKwgmi1d_r6kSqhEOkzYbJoTaBN4Mi8BeaLGVanbylFg2lyte
Attributes
  • payload_url

    https://cdn.discordapp.com/attachments/652852711808565258/780420698606272512/d.png

    https://cdn.discordapp.com/attachments/652852711808565258/780420220920791060/AOh14GjonoJ9cL49y6uZta-q3iCNSa-rfYbkn6UPvgs68-c-k-c0x00ffffff-no-rj-mo.png

Extracted

Family

bitrat

Version

1.32

C2

192.236.195.143:44220

Attributes
  • communication_password

    4d528518d1e67adc6d7688e281f1028d

  • install_dir

    windows

  • install_file

    tst.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Bitrat family
    bitrat
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Detected SunCrypt ransomware 1 IoCs
    ransomware
  • GandCrab payload 2 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Gandcrab family
    gandcrab
  • Growtopia

    Growtopa is an opensource modular stealer written in C#.

    stealergrowtopia
  • Growtopia family
    growtopia
  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • SunCrypt Ransomware

    Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.

    ransomwaresuncrypt
  • Suncrypt family
    suncrypt
  • Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Executes dropped EXE 46 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 64 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 33 IoCs
  • Enumerates connected drives 3 TTPs 49 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00409.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2476
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2836
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:5276
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4284
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.MSIL.Blocker.gen-54e8b5e94998f65f38265104450daf8565391ecc487eed0ef0ed1201656aa8c6.exe
        HEUR-Trojan-Ransom.MSIL.Blocker.gen-54e8b5e94998f65f38265104450daf8565391ecc487eed0ef0ed1201656aa8c6.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
        • C:\Users\Admin\AppData\Roaming\Java Updater.exe
          "C:\Users\Admin\AppData\Roaming\Java Updater.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5832
      • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.MSIL.Makop.gen-3bb0cdbdeecde31726bbc0ea5fb4b9dfadb8874d78719975377ac6498baf74da.exe
        HEUR-Trojan-Ransom.MSIL.Makop.gen-3bb0cdbdeecde31726bbc0ea5fb4b9dfadb8874d78719975377ac6498baf74da.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4908
        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.MSIL.Makop.gen-3bb0cdbdeecde31726bbc0ea5fb4b9dfadb8874d78719975377ac6498baf74da.exe
          "C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.MSIL.Makop.gen-3bb0cdbdeecde31726bbc0ea5fb4b9dfadb8874d78719975377ac6498baf74da.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:4572
      • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.Blocker.gen-957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c.exe
        HEUR-Trojan-Ransom.Win32.Blocker.gen-957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1776
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1420
          4⤵
          • Program crash
          PID:4424
      • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.Encoder.gen-01adfd916d94200342161f5dd0f585859921ac2a4c9f7196d765271b49699d6b.exe
        HEUR-Trojan-Ransom.Win32.Encoder.gen-01adfd916d94200342161f5dd0f585859921ac2a4c9f7196d765271b49699d6b.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\batch.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4620
      • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.Encoder.gen-d641070218aece6e82d4e0c532e0eed71b23a912bf97379f3ab71c1e97cbe7e9.exe
        HEUR-Trojan-Ransom.Win32.Encoder.gen-d641070218aece6e82d4e0c532e0eed71b23a912bf97379f3ab71c1e97cbe7e9.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3724
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\File3.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4284
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kartinka.sfx.exe
            Kartinka.sfx.exe -pqawsedrftg -dC:\Users\Admin\AppData\Local\Temp
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5488
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Kartinka.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Kartinka.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:5728
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Îòêðûòêà.gif
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:5948
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5948 CREDAT:17410 /prefetch:2
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:288
              • C:\Users\Admin\AppData\Local\Temp\File1.exe
                "C:\Users\Admin\AppData\Local\Temp\File1.exe"
                7⤵
                • Modifies WinLogon for persistence
                • Checks computer location settings
                • Executes dropped EXE
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:6104
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\File1.exe" +s +h
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2500
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib "C:\Users\Admin\AppData\Local\Temp\File1.exe" +s +h
                    9⤵
                    • Sets file to hidden
                    • System Location Discovery: System Language Discovery
                    • Views/modifies file attributes
                    PID:5932
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1680
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                    9⤵
                    • Sets file to hidden
                    • System Location Discovery: System Language Discovery
                    • Views/modifies file attributes
                    PID:6076
                • C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
                  "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
                  8⤵
                  • Modifies firewall policy service
                  • Modifies security service
                  • Windows security bypass
                  • Executes dropped EXE
                  • Windows security modification
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:4600
                  • C:\Windows\SysWOW64\notepad.exe
                    notepad
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1952
                    • C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
                      C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
                      10⤵
                      • Modifies firewall policy service
                      • Modifies security service
                      • Windows security bypass
                      • Executes dropped EXE
                      • Windows security modification
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:3696
                      • C:\Windows\SysWOW64\notepad.exe
                        notepad
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4744
      • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-26f050108095378962e1a61d59fc7faeb804fdd93f87618c2f3e5dbdda137b8a.exe
        HEUR-Trojan-Ransom.Win32.GandCrypt.gen-26f050108095378962e1a61d59fc7faeb804fdd93f87618c2f3e5dbdda137b8a.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4708
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 480
          4⤵
          • Program crash
          PID:3012
      • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.Gen.gen-50589127250c689565adf1dd57ab0bb19be202246514fe8b63eeed6de681336f.exe
        HEUR-Trojan-Ransom.Win32.Gen.gen-50589127250c689565adf1dd57ab0bb19be202246514fe8b63eeed6de681336f.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:4604
        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.Gen.gen-50589127250c689565adf1dd57ab0bb19be202246514fe8b63eeed6de681336f.exe
          HEUR-Trojan-Ransom.Win32.Gen.gen-50589127250c689565adf1dd57ab0bb19be202246514fe8b63eeed6de681336f.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • NTFS ADS
          • Suspicious use of SetWindowsHookEx
          PID:5636
      • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.SuspFile.vho-c81c2c539ccba4c38add72e271fe63a2e389f2f645050289257fc6af4f47a82e.exe
        HEUR-Trojan-Ransom.Win32.SuspFile.vho-c81c2c539ccba4c38add72e271fe63a2e389f2f645050289257fc6af4f47a82e.exe
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        PID:3816
      • C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.Blocker.mstb-33fdf4f6aabfc32fea72ca804da80422410cffa743ae00466bb4eb728c758365.exe
        Trojan-Ransom.Win32.Blocker.mstb-33fdf4f6aabfc32fea72ca804da80422410cffa743ae00466bb4eb728c758365.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:4644
      • C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.Encoder.kpq-ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe
        Trojan-Ransom.Win32.Encoder.kpq-ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7318.tmp\7328.tmp\7329.bat C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.Encoder.kpq-ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4180
          • C:\Windows\system32\timeout.exe
            timeout /t 7 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:5464
          • C:\Windows\system32\timeout.exe
            timeout /t 10 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:5660
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
            5⤵
            • Checks computer location settings
            PID:5476
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\remove.bat" "
              6⤵
                PID:2564
        • C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.PolyRansom.btzw-5548b06eba1fa8a4fb462453a0a33b1722b01ac3752b6e87c04101af2fc1086d.exe
          Trojan-Ransom.Win32.PolyRansom.btzw-5548b06eba1fa8a4fb462453a0a33b1722b01ac3752b6e87c04101af2fc1086d.exe
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • System Location Discovery: System Language Discovery
          PID:1944
        • C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.PornoBlocker.ajrm-ed5c8667c0dd2d7747f509a0e68d88fcf6d1338594f9b653790e814aa9b64ba9.exe
          Trojan-Ransom.Win32.PornoBlocker.ajrm-ed5c8667c0dd2d7747f509a0e68d88fcf6d1338594f9b653790e814aa9b64ba9.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          PID:2852
          • C:\Program Files (x86)\411a82d8\jusched.exe
            "C:\Program Files (x86)\411a82d8\jusched.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:6036
        • C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.Suncrypt.a-3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe
          Trojan-Ransom.Win32.Suncrypt.a-3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: RenamesItself
          PID:3884
        • C:\Users\Admin\Desktop\00409\UDS-Trojan-Ransom.Win32.Blocker-ba959985ab5014a21067af034c23bb3d966bee4bb39b58b0de2c6df2c3709976.exe
          UDS-Trojan-Ransom.Win32.Blocker-ba959985ab5014a21067af034c23bb3d966bee4bb39b58b0de2c6df2c3709976.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1436
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1896
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
              "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
              5⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:5708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4708 -ip 4708
      1⤵
        PID:1536
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:364
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4b8 0x4f4
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1696
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:5912
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
          1⤵
            PID:3080
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1776 -ip 1776
            1⤵
              PID:660
            • C:\Windows\SysWOW64\werfault.exe
              werfault.exe /h /shared Global\d719735fc0e14e33912a8e730dcfa2fb /t 5712 /p 5708
              1⤵
                PID:304
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                • Suspicious use of SetWindowsHookEx
                PID:5700
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                PID:1748
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                • Suspicious use of SetWindowsHookEx
                PID:5964
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                PID:2708
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:4636
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:4204
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                PID:4156
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                • Suspicious use of SetWindowsHookEx
                PID:3332
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                PID:5364
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                • Suspicious use of SetWindowsHookEx
                PID:700
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:60
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Drops desktop.ini file(s)
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                PID:3360
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
                  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
                  2⤵
                  • Modifies WinLogon for persistence
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:1812
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                • Suspicious use of SetWindowsHookEx
                PID:5464
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:920
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                • Boot or Logon Autostart Execution: Active Setup
                PID:5692
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                • Suspicious use of SetWindowsHookEx
                PID:2016
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious behavior: GetForegroundWindowSpam
                PID:2056
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
                  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
                  2⤵
                  • Modifies WinLogon for persistence
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:5916
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
                  2⤵
                  • Enumerates system info in registry
                  • NTFS ADS
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  PID:5704
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ff9302646f8,0x7ff930264708,0x7ff930264718
                    3⤵
                      PID:2444
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
                      3⤵
                        PID:3680
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
                        3⤵
                          PID:3988
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
                          3⤵
                            PID:4936
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
                            3⤵
                              PID:4508
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                              3⤵
                                PID:1436
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
                                3⤵
                                  PID:1212
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
                                  3⤵
                                    PID:1792
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
                                    3⤵
                                      PID:3676
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
                                      3⤵
                                        PID:1504
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
                                        3⤵
                                          PID:4504
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
                                          3⤵
                                            PID:4200
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4760 /prefetch:8
                                            3⤵
                                              PID:2416
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
                                              3⤵
                                                PID:4600
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
                                                3⤵
                                                  PID:2268
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
                                                  3⤵
                                                    PID:5716
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
                                                    3⤵
                                                      PID:5548
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
                                                      3⤵
                                                        PID:1332
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
                                                        3⤵
                                                          PID:4120
                                                        • C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.exe
                                                          "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-14.0.exe"
                                                          3⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                          PID:4252
                                                          • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                            "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                            4⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            PID:5792
                                                            • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                              "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
                                                              5⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Checks whether UAC is enabled
                                                              • Checks processor information in registry
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:3604
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2560 -parentBuildID 20241016164500 -prefsHandle 2540 -prefMapHandle 2532 -prefsLen 21009 -prefMapSize 251695 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {48066ba8-30eb-4d07-8d9f-f58d7bc323c0} 3604 gpu
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:1328
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2228 -childID 1 -isForBrowser -prefsHandle 2304 -prefMapHandle 1936 -prefsLen 21821 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {67afd896-9d2b-4c91-9e53-4e5901e80e9c} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:5392
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:16175209e2b7825b60b7cf6bbdbdbf771e869c6e22f27149db3629eae7 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 3604 DisableNetwork 1
                                                                6⤵
                                                                • Executes dropped EXE
                                                                PID:3656
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3136 -childID 2 -isForBrowser -prefsHandle 3144 -prefMapHandle 3148 -prefsLen 22587 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1a995d19-aaf4-4b81-a243-9ea33af93495} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:1032
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3444 -childID 3 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 22663 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {de6758ff-3452-4954-a682-6f9292793775} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:5912
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1996 -parentBuildID 20241016164500 -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 24166 -prefMapSize 251695 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {91d760be-b8a9-4ab4-bcfc-35282fe7f6de} 3604 rdd
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:1636
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3580 -parentBuildID 20241016164500 -sandboxingKind 0 -prefsHandle 2284 -prefMapHandle 2200 -prefsLen 25409 -prefMapSize 251695 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a4c610f5-2ed9-431c-95d0-eb8c27e8c0b1} 3604 utility
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Checks processor information in registry
                                                                PID:5820
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=2276 -childID 4 -isForBrowser -prefsHandle 4256 -prefMapHandle 4260 -prefsLen 24349 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {02166357-947b-48fb-bc65-5cb37385b734} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:3880
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4332 -childID 5 -isForBrowser -prefsHandle 1832 -prefMapHandle 3200 -prefsLen 24349 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {92a69322-5b1d-4832-81ec-227f21c28d7a} 3604 tab
                                                                6⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:6100
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4436 -childID 6 -isForBrowser -prefsHandle 4444 -prefMapHandle 4448 -prefsLen 24349 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {09793748-7cd8-4af4-89e0-b54fd113b755} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:1016
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\lyrebird.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\lyrebird.exe"
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Modifies system certificate store
                                                                PID:4952
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=3616 -childID 7 -isForBrowser -prefsHandle 4828 -prefMapHandle 1964 -prefsLen 24856 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {fb1e04fa-6c9a-40ee-a498-f87d2d07d957} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                PID:1604
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4268 -childID 8 -isForBrowser -prefsHandle 3124 -prefMapHandle 1852 -prefsLen 24935 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {eb096b0c-29c3-426b-b672-c634bd92013f} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                PID:3352
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=5076 -childID 9 -isForBrowser -prefsHandle 5312 -prefMapHandle 5260 -prefsLen 26336 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7a35d3bd-c8a9-4017-a0f5-c1c3ea691104} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                PID:960
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=1348 -childID 10 -isForBrowser -prefsHandle 4712 -prefMapHandle 4884 -prefsLen 24935 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {0dad85e5-7378-4730-8c4d-83a7635c0fd8} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                PID:6340
                                                              • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel=4536 -childID 11 -isForBrowser -prefsHandle 5220 -prefMapHandle 5392 -prefsLen 24935 -prefMapSize 251695 -jsInitHandle 1244 -jsInitLen 234780 -parentBuildID 20241016164500 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {98774030-a42e-42dd-953f-ea5aaa6eb5fa} 3604 tab
                                                                6⤵
                                                                • Executes dropped EXE
                                                                PID:7068
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:2
                                                          3⤵
                                                            PID:212
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
                                                            3⤵
                                                              PID:3812
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6584 /prefetch:8
                                                              3⤵
                                                                PID:1980
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
                                                                3⤵
                                                                  PID:4360
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
                                                                  3⤵
                                                                    PID:1044
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15580706743651477017,18411183894645385781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1412 /prefetch:1
                                                                    3⤵
                                                                      PID:308
                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                  1⤵
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:3312
                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                  1⤵
                                                                  • Modifies registry class
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:5096
                                                                • C:\Windows\explorer.exe
                                                                  explorer.exe
                                                                  1⤵
                                                                    PID:4104
                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                    1⤵
                                                                      PID:5940
                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                      1⤵
                                                                        PID:5008
                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                        1⤵
                                                                          PID:5920

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v15

                                                                        Reconnaissance

                                                                        Resource Development

                                                                        Initial Access

                                                                        Execution

                                                                        Persistence

                                                                        Boot or Logon Autostart Execution

                                                                        3
                                                                        T1547

                                                                        Active Setup

                                                                        1
                                                                        T1547.014

                                                                        Registry Run Keys / Startup Folder

                                                                        1
                                                                        T1547.001

                                                                        Winlogon Helper DLL

                                                                        1
                                                                        T1547.004

                                                                        Create or Modify System Process

                                                                        2
                                                                        T1543

                                                                        Windows Service

                                                                        2
                                                                        T1543.003

                                                                        Privilege Escalation

                                                                        Boot or Logon Autostart Execution

                                                                        3
                                                                        T1547

                                                                        Active Setup

                                                                        1
                                                                        T1547.014

                                                                        Registry Run Keys / Startup Folder

                                                                        1
                                                                        T1547.001

                                                                        Winlogon Helper DLL

                                                                        1
                                                                        T1547.004

                                                                        Create or Modify System Process

                                                                        2
                                                                        T1543

                                                                        Windows Service

                                                                        2
                                                                        T1543.003

                                                                        Defense Evasion

                                                                        Hide Artifacts

                                                                        2
                                                                        T1564

                                                                        Hidden Files and Directories

                                                                        2
                                                                        T1564.001

                                                                        Impair Defenses

                                                                        3
                                                                        T1562

                                                                        Disable or Modify System Firewall

                                                                        1
                                                                        T1562.004

                                                                        Disable or Modify Tools

                                                                        2
                                                                        T1562.001

                                                                        Modify Registry

                                                                        10
                                                                        T1112

                                                                        Subvert Trust Controls

                                                                        1
                                                                        T1553

                                                                        Install Root Certificate

                                                                        1
                                                                        T1553.004

                                                                        Virtualization/Sandbox Evasion

                                                                        2
                                                                        T1497

                                                                        Credential Access

                                                                        Credentials from Password Stores

                                                                        2
                                                                        T1555

                                                                        Credentials from Web Browsers

                                                                        1
                                                                        T1555.003

                                                                        Windows Credential Manager

                                                                        1
                                                                        T1555.004

                                                                        Unsecured Credentials

                                                                        5
                                                                        T1552

                                                                        Credentials In Files

                                                                        4
                                                                        T1552.001

                                                                        Credentials in Registry

                                                                        1
                                                                        T1552.002

                                                                        Discovery

                                                                        Browser Information Discovery

                                                                        1
                                                                        T1217

                                                                        Peripheral Device Discovery

                                                                        2
                                                                        T1120

                                                                        Query Registry

                                                                        9
                                                                        T1012

                                                                        System Information Discovery

                                                                        8
                                                                        T1082

                                                                        System Location Discovery

                                                                        1
                                                                        T1614

                                                                        System Language Discovery

                                                                        1
                                                                        T1614.001

                                                                        Virtualization/Sandbox Evasion

                                                                        2
                                                                        T1497

                                                                        Lateral Movement

                                                                        Collection

                                                                        Data from Local System

                                                                        4
                                                                        T1005

                                                                        Email Collection

                                                                        1
                                                                        T1114

                                                                        Command and Control

                                                                        Web Service

                                                                        1
                                                                        T1102

                                                                        Exfiltration

                                                                        Impact

                                                                        Replay Monitor

                                                                        Loading Replay Monitor...

                                                                        Downloads

                                                                        • C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini
                                                                          Filesize

                                                                          650B

                                                                          MD5

                                                                          d045bc19f30fe8c48a529f48d480e491

                                                                          SHA1

                                                                          7c03804122850269d7d6267315c10a7ac9717440

                                                                          SHA256

                                                                          db25db35070840caeb10724b7fc580aa5bcb4eaf5380dc722a731122fb4b8c5d

                                                                          SHA512

                                                                          7f1cc70b3f597e98b239093fb3aec5a80a5834b6e65496aaad1f582f9c81171f9e7da0f72cc842280d3818f2b90338474dfb91ba9d303551e903175ea1bea561

                                                                          Download Submit

                                                                        • C:\PerfLogs\INFECTION-HELP.txt
                                                                          Filesize

                                                                          1KB

                                                                          MD5

                                                                          104a4f8cb68234e77c8ab5b6f1078c48

                                                                          SHA1

                                                                          d33b58dcf89473309ab6a35ee066a8354f3a0993

                                                                          SHA256

                                                                          c16a32812e8dcaa18760dffd997d59b603d8624f56c5d5f959f19a55e262001a

                                                                          SHA512

                                                                          2dfa4e6a0bf99129d8ea9ef77ad1c062a9b1cda1b44b4ba51be2145dd43ee2aad049126bcf04fd1b00b3e4f47d2f91ec95237a317c4bab00d1f597fa3162f351

                                                                          Download Submit

                                                                        • C:\Program Files (x86)\411a82d8\jusched.exe
                                                                          Filesize

                                                                          209KB

                                                                          MD5

                                                                          cd9b59c8bf06232052bc871d219ca88d

                                                                          SHA1

                                                                          b7684b442cff844865ff51f3ab8f84b190192b4d

                                                                          SHA256

                                                                          f6401411dfa24b4bf9c3af9d0040435e6240eaec9c9f1b397d6ae4f702ceb87d

                                                                          SHA512

                                                                          0528ee60e02c4155dd7ff03b41b4beb7530c5e4dff6c78463134162358aa414031aa2dd38caa0871891707b67c0be255bd24557fe3e88e57d72683d716dc7143

                                                                          Download Submit

                                                                        • C:\ProgramData\Microsoft\AppV\Setup\YOUR_FILES_ARE_ENCRYPTED.HTML
                                                                          Filesize

                                                                          15KB

                                                                          MD5

                                                                          a7399c28a49b723780edd82de862171a

                                                                          SHA1

                                                                          f047f0f71579e04a242d35cebb885f65864913bf

                                                                          SHA256

                                                                          95844858be75594d92a0bfac364f51fd2c05b4eb24dc861828e33af5b146dc0a

                                                                          SHA512

                                                                          6116eb44ccfca5270a25497e8af79c8fe46f2b39456f2a7e69c91bfe4858437c9687dfc6fe0515a920cb69a7752d2a39dec32010bd32d4c4a9fab54042a3bac0

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                                                                          Filesize

                                                                          64KB

                                                                          MD5

                                                                          d2fb266b97caff2086bf0fa74eddb6b2

                                                                          SHA1

                                                                          2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                          SHA256

                                                                          b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                          SHA512

                                                                          c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                                                                          Filesize

                                                                          4B

                                                                          MD5

                                                                          f49655f856acb8884cc0ace29216f511

                                                                          SHA1

                                                                          cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                          SHA256

                                                                          7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                          SHA512

                                                                          599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                                                                          Filesize

                                                                          944B

                                                                          MD5

                                                                          6bd369f7c74a28194c991ed1404da30f

                                                                          SHA1

                                                                          0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                          SHA256

                                                                          878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                          SHA512

                                                                          8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                          Filesize

                                                                          152B

                                                                          MD5

                                                                          e443ee4336fcf13c698b8ab5f3c173d0

                                                                          SHA1

                                                                          9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

                                                                          SHA256

                                                                          79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

                                                                          SHA512

                                                                          cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                          Filesize

                                                                          192B

                                                                          MD5

                                                                          94184405b2a5c22d8cdb3c56d243166e

                                                                          SHA1

                                                                          33085f16f413e877cd5ea1b9d3a152e0b474ea92

                                                                          SHA256

                                                                          fc47e56b6352232cc4a9c8ad37445f9758217a4f2667717714b4ebc63f4d742e

                                                                          SHA512

                                                                          164b7af2c77df5951e684e703878ee6b8e20a4d649c5951ce9e091034e6d21dc70cab365fe4556dc71ed25c06304df52ab962c110820725f5a85efff24ca5c24

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5bd6a6.TMP
                                                                          Filesize

                                                                          48B

                                                                          MD5

                                                                          3fd736ee1e5df82551f7eb57d671700e

                                                                          SHA1

                                                                          6a28c8c0dbef7a3d0c0b25eb89235a471abb79f4

                                                                          SHA256

                                                                          458393fff87afe5166b16ed20a114571815d3b1968bf483791aeb171066d7310

                                                                          SHA512

                                                                          fd0870acbd4539883145f46c65ad0faf3e4b812092ef257d2c59ebf1ee46eb3b5a1dffbf21db171d5d6e337e70957ba450a0632098f5536b1947ae8034c13780

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          9f3c46ac2f27af8674d56f257c25c232

                                                                          SHA1

                                                                          a01ddda9e088e12e61c70d7ff3e282d3cb321e28

                                                                          SHA256

                                                                          a866d3a97eeaeda3067ca093757b54eb80872efcd8db52370b312bd35e0330ad

                                                                          SHA512

                                                                          ac6e125c672cd7c843accf891105a9049018578064593c407ef52a68d912c3149551c5fd581600b8955873156f4b3a79b4517199642c2a98f32edfab4b306247

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          78a2819a15156dcd3d0e65b8e6ae7b44

                                                                          SHA1

                                                                          29eb66fdced3ccfb6d9f757ff8c592890cbef6f6

                                                                          SHA256

                                                                          d8fb77872715f89881d678d766820b65fd322ede4f62f641086570c27f2103d9

                                                                          SHA512

                                                                          acdc9dfe77a0231f15c76649c6a90ac426371da1e1251a68076ade0ef276541ea1317ae217eca65737805a30c45131d8d9c3a5c89af1e74ec6143032b0ea65a9

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          a1229fdf924ce61a12fde5e89cf31ee0

                                                                          SHA1

                                                                          1ccaa376ec0f22101d9d7176e1805956da5bb1fc

                                                                          SHA256

                                                                          f9ac64ae8c62320d51ed558c1c0c2e7f6092402d6c7660f4a30b7d77c332a930

                                                                          SHA512

                                                                          37110477270ffcb370ac8328416425d31edc3d5e459c2244d8641bd796ae8acec7be4126b13f1bc25c5e8c3694b70280d6bcedff5454adec57b7666857a3146d

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          32df6df2e40d6b17bd08c83d981d8634

                                                                          SHA1

                                                                          7c71b82e17404c7c520e226deb281a9073494824

                                                                          SHA256

                                                                          24da3c93f498d0695e1d8a27edc0c6a7d79f4c99d65f4c2bf2603a69b208bb59

                                                                          SHA512

                                                                          5034b122387ab6a3cb576d39dc34632554b95566e33eaed055e749a36a686b6e0840d2a8f66a6086107a13f83a3f6c68182d0feb5b1f5cee498275c61fc703e1

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          ff3855beed0dd79f1b1c9fdd3d2bd6bc

                                                                          SHA1

                                                                          2a9791d3f20bbd08c4d4f65299b77d9e1b3d4e6c

                                                                          SHA256

                                                                          71a6edf08ff2b204edf90ad6b2bc7293ec8b48dd96b6f4da15e28f4048cde2f4

                                                                          SHA512

                                                                          25d8ebaf9f7a843a7688b633fc6923bafc16333c7cbb52189440a878b57d1e25da698f90f71369f0afbe299d714cf322d3d0e83067025b7a52fa3ab5ff5e5e40

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                          Filesize

                                                                          5KB

                                                                          MD5

                                                                          aa04b3558e6746b9e2e52c404d744bb1

                                                                          SHA1

                                                                          8f051ef41dfd7855bce855697ff6023a4af5e42c

                                                                          SHA256

                                                                          1cf0787f61c6e5ba843c9a86d60d4f8e1b0917c474f1472f04a3a2d7ae889a14

                                                                          SHA512

                                                                          fc79af9885dfcd5cf48e686ebd70698e8c98f9aad889980a229032718ead950bcb5eab4fc232bdb7938278d093be2ee217684d2934bb61c216be051b4c77447e

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                          Filesize

                                                                          540B

                                                                          MD5

                                                                          8470d18ab6ce0184d17e7b34d2580270

                                                                          SHA1

                                                                          a90f71544a4059e2bcd897b056d4ca2487ceb80b

                                                                          SHA256

                                                                          71671ca0dcc20112ff48e98e88d5ec51336bd01dca5022b174591a537b16e182

                                                                          SHA512

                                                                          34c0e75f2fb34049437069a0494ca2a8f960b8d5b1bf0d4c82af5f0155fe0b3e8f925539bf5a551e6b63ecbf73d0523a480dc3dc90649ed61c64d84b8ebe39ab

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bc9a5.TMP
                                                                          Filesize

                                                                          372B

                                                                          MD5

                                                                          0e2ef23552466586918e87390a032cba

                                                                          SHA1

                                                                          cc3c2b16aca593e26588b764e3045519a71ebb65

                                                                          SHA256

                                                                          866708af1b9596311cdd7972490c13dde7b368064cfebaef47d0e31dee6fc692

                                                                          SHA512

                                                                          8c1b7ec8e39a30916b9a144ba43995ab878d4a8755d6e462cb05f34a8be6b8ec513d1215d71c40934edb94993ad76f0620d63e29a90be6fdbb23c01d4bb0f467

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          6752a1d65b201c13b62ea44016eb221f

                                                                          SHA1

                                                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                          SHA256

                                                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                          SHA512

                                                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                          Filesize

                                                                          11KB

                                                                          MD5

                                                                          bcb7a29638892275207092ee3dc9b5af

                                                                          SHA1

                                                                          604399a95b1c9a302285e173fc70531a6784d697

                                                                          SHA256

                                                                          321209bbe8ccbb00692c4f2306ac6cb35ad7b755071eeb46c1b62f7ef5cf24b2

                                                                          SHA512

                                                                          41573ce922df12c90d3673224518d25148787a34e260ca9e6c57ed8ecb63ff8c7ab47bb109ac2771bfc2078175a4e0dd79acddf0ca17fa82af1f12311d55e22f

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                          Filesize

                                                                          11KB

                                                                          MD5

                                                                          c35c232e1993b580a55dc99368c35e99

                                                                          SHA1

                                                                          515348d3dfde044face7a8b2da82ac3a78b39bd8

                                                                          SHA256

                                                                          3a90a31aac0a49a0fe03213cf6a580cb6d443e73ec5054b06d63880d8e359a83

                                                                          SHA512

                                                                          3bf5b96104b45f6553559d706bf8749db222baa5a6111be1f7c4e00492e74f76213505855d8042febef2a7112fa95400d4a913f0f9d2a88750ed9951e3fbf4c9

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                          Filesize

                                                                          11KB

                                                                          MD5

                                                                          e60f1362de401297156b69742b8af012

                                                                          SHA1

                                                                          ca36dad8090f6c23ce9e98de62195998d1703630

                                                                          SHA256

                                                                          f00df282bc72dac51c5236f59e2d7f85874ac16205c8889510259ef50c2a9122

                                                                          SHA512

                                                                          512934c5e3ea3619f7fe9bb3b72df4add7b8b2c21a77e70d953c2951f7ddd9e9164b7d9dd6d59383ce89e436695f639a16cb2b36685caca78d5f4fd84e6642d0

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                          Filesize

                                                                          12KB

                                                                          MD5

                                                                          484424ea0430ba17f146ee1c68fbe90a

                                                                          SHA1

                                                                          e9ebecadabc1a4356b1c6de48bd5458e819b309b

                                                                          SHA256

                                                                          e16900aa42b18ae2a407ee3762de470a9728b66f7a93625c12101ee7ff31814a

                                                                          SHA512

                                                                          a91f8585a0a8bb807e6edaadce2a386c97deb40de31a4a99681a5c64ebe37538ad579a5972f70d219f064c2973dc47090f515250245f853cf3fc220254affca1

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US
                                                                          Filesize

                                                                          17KB

                                                                          MD5

                                                                          5a34cb996293fde2cb7a4ac89587393a

                                                                          SHA1

                                                                          3c96c993500690d1a77873cd62bc639b3a10653f

                                                                          SHA256

                                                                          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                                          SHA512

                                                                          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\LLDJA3WI\microsoft.windows[1].xml
                                                                          Filesize

                                                                          97B

                                                                          MD5

                                                                          372706547a804b876522fe741dbfc040

                                                                          SHA1

                                                                          9bca733d6804f24c6841ef02b52e8ade1b45d7e4

                                                                          SHA256

                                                                          09fe1eb66c953d75dc66ff6df9237cde5f419fb25fab6327de9cde6676219651

                                                                          SHA512

                                                                          cc8057de048bf5646e41bed6f01111328bceae9abb4282a4ee1be635d086b6b3647cb5cc17cc3564980e5e31342a767dc639e536edbd3720df6b35ac7ebce34a

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_
                                                                          Filesize

                                                                          36KB

                                                                          MD5

                                                                          8aaad0f4eb7d3c65f81c6e6b496ba889

                                                                          SHA1

                                                                          231237a501b9433c292991e4ec200b25c1589050

                                                                          SHA256

                                                                          813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

                                                                          SHA512

                                                                          1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
                                                                          Filesize

                                                                          36KB

                                                                          MD5

                                                                          406347732c383e23c3b1af590a47bccd

                                                                          SHA1

                                                                          fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

                                                                          SHA256

                                                                          e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

                                                                          SHA512

                                                                          18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133746184095952241.txt
                                                                          Filesize

                                                                          75KB

                                                                          MD5

                                                                          96c94a7627f4f58d88d4e36700494c51

                                                                          SHA1

                                                                          d90e9627098d125cbcf2a90384edf1613e3cbc0d

                                                                          SHA256

                                                                          fde5d4e364971a6012484001962282970e6407bde6779fe880c512c2613b9818

                                                                          SHA512

                                                                          028ef37aeb1942fcf4ef28c786a52095068232bc59bd071772cb8118cefd6523bf04eb975826a855815e9d7898d56278f5f4ad4c145cc1ad9783412a77630ecb

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
                                                                          Filesize

                                                                          10KB

                                                                          MD5

                                                                          5b1ad0aa0e99df7804f302fe1fc56519

                                                                          SHA1

                                                                          bce26024ac836b9a8605052c246856a882b440ff

                                                                          SHA256

                                                                          409b9b30b77df1408f85aef3ec53cb452a84cded1d70a4c8f2dbd5d0756d0329

                                                                          SHA512

                                                                          4a0816fa9234433a2b3a18326264c5b6ace1ced6f840f82a732cb2a82abbeedd8e1d2a9f3bfb6424293e4fdc25b1682ee16be9b5a229c6894030d4341648b8ea

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
                                                                          Filesize

                                                                          13KB

                                                                          MD5

                                                                          cf7d2d2a0d101bbb4cd88075d121b3af

                                                                          SHA1

                                                                          adc21da1907b8ed489044995250866b56c95f0a7

                                                                          SHA256

                                                                          53df3d9e3aeb03fd53ec311c6af1ffde0eef0b975f17816cb6486f91f821bdce

                                                                          SHA512

                                                                          adc3c5d3ab70d3eb2f96e5b6668e61b91c07af2ecef1f1c579046108505f52ca6b017113d499f341bc93edc30a71afba0e275772384ef6cbe52aee3561bc5bd7

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\7318.tmp\7328.tmp\7329.bat
                                                                          Filesize

                                                                          472B

                                                                          MD5

                                                                          e3656940bb543358b59cb27ff6d5a177

                                                                          SHA1

                                                                          11aeeaee1b09d234039975df7d2bb1401587ea5f

                                                                          SHA256

                                                                          8c65f51c79963f75f7058c889d603fb9350a9235a09a683cd2d75462ecde1d05

                                                                          SHA512

                                                                          0533c85a6c92bc1370f43b730319743a6bb1dade85f05b3b040b29465796be77bce7895ac614b63018ed0abfe7273fc19dc27698faf8fefec5372aded5e190bd

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\File1.exe
                                                                          Filesize

                                                                          839KB

                                                                          MD5

                                                                          71e866b44b2ff6fb9b5009fb9c0259df

                                                                          SHA1

                                                                          3b7e247574aeefb8592c643d4583ace11f92879a

                                                                          SHA256

                                                                          efd271f51c473f231535d749753e7d6b6c9b3adc0da325bcd5bc66b4341d505e

                                                                          SHA512

                                                                          6ab92660dfaa05f87442ab8ae92f22353266b991bee6a876a32b921f144c68b2e94421bea6b0564daf6ff39a82de48166533c3d79b22c50be47962442e29d790

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
                                                                          Filesize

                                                                          2KB

                                                                          MD5

                                                                          340b294efc691d1b20c64175d565ebc7

                                                                          SHA1

                                                                          81cb9649bd1c9a62ae79e781818fc24d15c29ce7

                                                                          SHA256

                                                                          72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

                                                                          SHA512

                                                                          1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
                                                                          Filesize

                                                                          13KB

                                                                          MD5

                                                                          3e7ecaeb51c2812d13b07ec852d74aaf

                                                                          SHA1

                                                                          e9bdab93596ffb0f7f8c65243c579180939acb26

                                                                          SHA256

                                                                          e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

                                                                          SHA512

                                                                          635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
                                                                          Filesize

                                                                          6.1MB

                                                                          MD5

                                                                          424bf196deaeb4ddcafb78e137fa560a

                                                                          SHA1

                                                                          007738e9486c904a3115daa6e8ba2ee692af58c8

                                                                          SHA256

                                                                          0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

                                                                          SHA512

                                                                          a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
                                                                          Filesize

                                                                          436KB

                                                                          MD5

                                                                          81e8d04825b072c58cabc23668e89dd9

                                                                          SHA1

                                                                          148e65ba5c5f7552ddf64d2e62988ea10353aa9c

                                                                          SHA256

                                                                          22b0a392709dfce316a22823d360b319c3e980dbb2423d2d75dd3e8c2f983cc9

                                                                          SHA512

                                                                          5e6ace88da069659c158f0afd60551ce0ea4dfcfac8466ce4dc79aad278c081b8096c3fd954da65c960207cf05d334f7682baa63f670a890462616576bebd681

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
                                                                          Filesize

                                                                          436KB

                                                                          MD5

                                                                          64685a8b7f2950d2f3ccd43a42882718

                                                                          SHA1

                                                                          e3e940e3d2f3d1e257ee79f1b36d5a9d81fe5d4b

                                                                          SHA256

                                                                          2ee4e13b9dead39f87ae8cfa12cfd17ae546eb1856db6e41dfea2d088218dab6

                                                                          SHA512

                                                                          39fa4375bc59edd8535fa5d6316bc2ebe8afe0b07332a49dd2674256bff13b6a0db6d8f50ad5306983c7dca944652a9e6347922a1ece68a261ae45cc21a8f2fe

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
                                                                          Filesize

                                                                          5B

                                                                          MD5

                                                                          68934a3e9455fa72420237eb05902327

                                                                          SHA1

                                                                          7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

                                                                          SHA256

                                                                          fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

                                                                          SHA512

                                                                          719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
                                                                          Filesize

                                                                          322KB

                                                                          MD5

                                                                          c3256800dce47c14acc83ccca4c3e2ac

                                                                          SHA1

                                                                          9d126818c66991dbc3813a65eddb88bbcf77f30a

                                                                          SHA256

                                                                          f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

                                                                          SHA512

                                                                          6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File3.bat
                                                                          Filesize

                                                                          55B

                                                                          MD5

                                                                          0ef412e91c72943328940dab74e26c42

                                                                          SHA1

                                                                          1ea9601a19301fb655cede420c6e91a48a9c94a6

                                                                          SHA256

                                                                          08492ece760f7ae3d4f3f86c178a6764adb757a3134db67b12309ece392b131b

                                                                          SHA512

                                                                          26dfa727f9bc4f7df678d39d49b0315e0afa8a1cd6397687ee1695b092eca1efe152097b3f3174a78630041e4bc343ba16740a94d958ef2bd92bf3e921c4e215

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kartinka.sfx.exe
                                                                          Filesize

                                                                          1.3MB

                                                                          MD5

                                                                          5d96b91d39d3ec3e816f80fbbabfc436

                                                                          SHA1

                                                                          952dc8967acc6487b636b2ed10b6b46cc358483f

                                                                          SHA256

                                                                          9ac3fa5134b70582275c08dac96ba0beafef684da452752c269adcf9f72dff3d

                                                                          SHA512

                                                                          b076749a40a8500aea07b6f2dcd700eab6b43e751cab6f92163d6d80d470152e43eb25f728bd9ce5f1a32305a3f28ad73cc915685b7aacaada775b9b8814baf7

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Kartinka.exe
                                                                          Filesize

                                                                          1.6MB

                                                                          MD5

                                                                          d24bad55ee9c5fefc8dfef09e32bcc0a

                                                                          SHA1

                                                                          b1ba7aeb57673f6ea10ccffe2b3d3af3a73b7084

                                                                          SHA256

                                                                          73038b22ae7eaef535a7e77edc7f64ce2bc785d324735c8df9671c28cfff3a17

                                                                          SHA512

                                                                          299f7a40a4e9b2ca766806baba149398bc7d5afb334e6830d23ba44a7e30510888693058fc3465d04076100f1c45ba32f7bd8bf249066c42aaa8c464ac55c2c3

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eu0ad2e1.rfv.ps1
                                                                          Filesize

                                                                          60B

                                                                          MD5

                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                          SHA1

                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                          SHA256

                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                          SHA512

                                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\batch.bat
                                                                          Filesize

                                                                          2KB

                                                                          MD5

                                                                          3ccc706b6d7aad667aab36847864d347

                                                                          SHA1

                                                                          9a332ccc7817a49c9239c71555e4e90b42177080

                                                                          SHA256

                                                                          0e9fea8f66abad52ea4e9faee8bd33adde51f8c78c12d0aa9321dd287a11c359

                                                                          SHA512

                                                                          01886aa31ee50b95938e98163965c27c6219e04e699bb3d8a0afc813b92f623852f301c12102f3a440b930d3ad7065bf6aa116898d476fb403c8d4e9fee02dd4

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\nsj827.tmp\LangDLL.dll
                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          9888fb6b91a680305b2a3e7b71d6561d

                                                                          SHA1

                                                                          4a7935da38f88e9f74f425078ee39eb6269c4e63

                                                                          SHA256

                                                                          81726604d47b192620bcf90d6e42ba8ee8b4c54935b0081655e08247d6b6c675

                                                                          SHA512

                                                                          f50755e5624bfc3a60a23a7dda012509c1e31d9772d6a0ccaca88e32ae8d4602e10e38003d78b1626464502db7ea7c47d772efb7b3ea7c3e2238bf3b9809f833

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\nsj827.tmp\System.dll
                                                                          Filesize

                                                                          24KB

                                                                          MD5

                                                                          d997606c77e880be2744c44128843d60

                                                                          SHA1

                                                                          92bb9003dc14ae03963f503e82a668877ca4295f

                                                                          SHA256

                                                                          abb2613ff851b2cbfb61bf97e4eef9d4912abcb46e04774ad84812ab75d4dde9

                                                                          SHA512

                                                                          714d7ce786e9fbb6f0d0e537a146a3a24aa79089669dd168b7c110dfba667fa7afb794b3dd2b93fa76e1d1771af3347a0f568cbb0fbcc8d9755de9e6e54382b3

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\nsj827.tmp\nsDialogs.dll
                                                                          Filesize

                                                                          13KB

                                                                          MD5

                                                                          bd0d7a73d0fc619e280372587e9e3115

                                                                          SHA1

                                                                          0cde473dda5d4fda8190e6460f3229cae2571af5

                                                                          SHA256

                                                                          c7f2afe3a2424e71563e69d862dc027d299d84fba4ac1ba11e593361daec0a80

                                                                          SHA512

                                                                          914983bfa336f9ea019bf5dc9ee403af56a6c7c1d88b8092609e4026a3377daa6ef9a8e51a93537f6769ae165c264763645a363fb6a89f8689f59caf985c18b2

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp-8lf.xpi
                                                                          Filesize

                                                                          935KB

                                                                          MD5

                                                                          6ad76c39784b6c9a8b10d4b409fed6da

                                                                          SHA1

                                                                          062af32a1abb32e21730a158b76d5420a549b39c

                                                                          SHA256

                                                                          999244c7be75e58fe16cb2880711013ca079822da1dab65e7eb375c1faf5baad

                                                                          SHA512

                                                                          d2589827323d7b4ca09025553a248a78dfbb376e03d7e38ff522d98c9d26d6262c385296fac440fdc89bb62d9236d5698db614d655a9b1907ef5224a8b0bfd6e

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\Îòêðûòêà.gif
                                                                          Filesize

                                                                          643KB

                                                                          MD5

                                                                          1185fd00bed0e72cf839fc3b9e485811

                                                                          SHA1

                                                                          653ac6e8c0aeeef8b1158ab637ee97b61ab92445

                                                                          SHA256

                                                                          fc4c960f749616006706211c7e19935140fb8a14ee79753493c438dd7dace520

                                                                          SHA512

                                                                          c458718965a6a5bbae022c64c6d71dd69eec07183fa0d29932c2581d66f5fd23e04e7802c03193fc820bb4d4883e08eb77a4a60ad68fde6d979c0624ac3736c5

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Roaming\cat.jpg
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          675622258b256d20e88fa07a37e77eea

                                                                          SHA1

                                                                          13bed8e26bda2ed61751acca3222174495e48f17

                                                                          SHA256

                                                                          31f1790f9f2c8714c0c274836b71577916541d8ca45fb398a9fc9fdb765b5d23

                                                                          SHA512

                                                                          6763f52afad8740298a767db7c80ddf3242e96732b3e1bd92eea6ce50a1ff7fd0210dcad5cb6040b11917d66f2a1dfc86f8424031f52815d21525f2ed54d281b

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.MSIL.Blocker.gen-54e8b5e94998f65f38265104450daf8565391ecc487eed0ef0ed1201656aa8c6.exe
                                                                          Filesize

                                                                          6.1MB

                                                                          MD5

                                                                          897e682e74f06b75d31092219581d5cf

                                                                          SHA1

                                                                          6300dbd5474208d4f883365169ab5acae6bbe714

                                                                          SHA256

                                                                          54e8b5e94998f65f38265104450daf8565391ecc487eed0ef0ed1201656aa8c6

                                                                          SHA512

                                                                          7a581ca84cbff4bc1f48e85b41f2b27b9c9752844be7a64c7df2fa8570135d592e132436e8b4b68778ca27dabfacf0702736dc9a0aa356d937f40fbbb831085c

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.MSIL.Makop.gen-3bb0cdbdeecde31726bbc0ea5fb4b9dfadb8874d78719975377ac6498baf74da.exe
                                                                          Filesize

                                                                          1.4MB

                                                                          MD5

                                                                          1242cee90febf334ea5ca6d5fdb8e674

                                                                          SHA1

                                                                          eb15b2498f6511ac0943c998a45e20576a465cfe

                                                                          SHA256

                                                                          3bb0cdbdeecde31726bbc0ea5fb4b9dfadb8874d78719975377ac6498baf74da

                                                                          SHA512

                                                                          51c02eef3fb0d8ed526823c25a11f4200fc135d25c09ad36ede8227a43901af758571db877984dbba635185899ce6ccb654183dfc33ffa5d86e9d88026b2a3c0

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.Blocker.gen-957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c.exe
                                                                          Filesize

                                                                          1.4MB

                                                                          MD5

                                                                          4047a1a03be9df604f06fdb28647891d

                                                                          SHA1

                                                                          1b40243a8e6a025eef866f09b7b4361b70777494

                                                                          SHA256

                                                                          957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c

                                                                          SHA512

                                                                          4bae1b68abcfa4a91c27a9f01f1a9b06336dd0e28b8fa7d6dbbc50a2d5120e7467fec564966991945ac9b6dd91321bf49e9ba92794dbff55ea094177952b06fa

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.Encoder.gen-01adfd916d94200342161f5dd0f585859921ac2a4c9f7196d765271b49699d6b.exe
                                                                          Filesize

                                                                          1.0MB

                                                                          MD5

                                                                          44b1491cdfc5e297e5f0fe26f6fe3c73

                                                                          SHA1

                                                                          92f6f6af7c3ba1ca93f9c620873eb223616ffd25

                                                                          SHA256

                                                                          01adfd916d94200342161f5dd0f585859921ac2a4c9f7196d765271b49699d6b

                                                                          SHA512

                                                                          0b4b0487516f63224714e77782b958c7fb9512bee337fa303a470c7f2e069c7b22bed15c9e3ff91db8779e94214d81b54327c88b19af0a71092fb9252067892a

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.Encoder.gen-d641070218aece6e82d4e0c532e0eed71b23a912bf97379f3ab71c1e97cbe7e9.exe
                                                                          Filesize

                                                                          1.6MB

                                                                          MD5

                                                                          6c367fc8675ecd5fc6ff7b8c46caa2a4

                                                                          SHA1

                                                                          079580cf77c9fe00d928e15918745f1f0931ce66

                                                                          SHA256

                                                                          d641070218aece6e82d4e0c532e0eed71b23a912bf97379f3ab71c1e97cbe7e9

                                                                          SHA512

                                                                          f0d52d52cc7b4b61cfee6aba21a399b7a1f2783808c7501f766166e90bfea7348c5e63823927a7fc429241bf60c5daa285d7d6c32548dd97593c31d6e4e7a5e5

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-26f050108095378962e1a61d59fc7faeb804fdd93f87618c2f3e5dbdda137b8a.exe
                                                                          Filesize

                                                                          321KB

                                                                          MD5

                                                                          04f4838a3e5b9aede7f209f2cd4dc092

                                                                          SHA1

                                                                          1891d22c5b1baadc3a97094c7c775099a530e332

                                                                          SHA256

                                                                          26f050108095378962e1a61d59fc7faeb804fdd93f87618c2f3e5dbdda137b8a

                                                                          SHA512

                                                                          6f851e01c35bd099018a334be4afd3b080552a7f82a0c03981c035dec5ef2cf70c7dab8dc6b143f23539b8b0ed76de0d5e4206d6e0691ce39fce4baaeb60e32d

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.Gen.gen-50589127250c689565adf1dd57ab0bb19be202246514fe8b63eeed6de681336f.exe
                                                                          Filesize

                                                                          1.8MB

                                                                          MD5

                                                                          54a5643d84bfd5ac8bfd297a5a063368

                                                                          SHA1

                                                                          83936f4e27a1b5610d0438efb40ff31e62d8e3c4

                                                                          SHA256

                                                                          50589127250c689565adf1dd57ab0bb19be202246514fe8b63eeed6de681336f

                                                                          SHA512

                                                                          225c5adadf6a7623290c29101f27da9612dfbb81d5d8fceb7ea5f2042dfe6a62f48a7fb088ee351d162825beec6c065a851e7a8073f01f6a271368fa5673c921

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\HEUR-Trojan-Ransom.Win32.SuspFile.vho-c81c2c539ccba4c38add72e271fe63a2e389f2f645050289257fc6af4f47a82e.exe
                                                                          Filesize

                                                                          3.0MB

                                                                          MD5

                                                                          1441e78b9e6ce78dd02e7491b25e7f9e

                                                                          SHA1

                                                                          8c355fd0e062152a403cb0c42412850b60524aac

                                                                          SHA256

                                                                          c81c2c539ccba4c38add72e271fe63a2e389f2f645050289257fc6af4f47a82e

                                                                          SHA512

                                                                          52e34a8ea136783e2009700b330e7db32e817ab0420c77e6cf47ab79c385635036ac4b547d6d1ee7542eb1e2e0b88f741289b96bf66dde18f1fdd03cb554d023

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.Blocker.mstb-33fdf4f6aabfc32fea72ca804da80422410cffa743ae00466bb4eb728c758365.exe
                                                                          Filesize

                                                                          4.7MB

                                                                          MD5

                                                                          c95df8036bbb8e85ed96f538c47a8ff5

                                                                          SHA1

                                                                          702d137ec3e59ee7683b4af1deee1d252926ca22

                                                                          SHA256

                                                                          33fdf4f6aabfc32fea72ca804da80422410cffa743ae00466bb4eb728c758365

                                                                          SHA512

                                                                          fe23d5a4c046205f5f06974faacc99063e65232250079d8c866aba5ef83c7649d9ae73db8d19d42fe92b8e415fc990edad159a5f30a2e92ace59b3d21faf77cb

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.Encoder.kpq-ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c.exe
                                                                          Filesize

                                                                          112KB

                                                                          MD5

                                                                          5c281ddacaddf036d2b836b656cc3a8f

                                                                          SHA1

                                                                          93c5595c540181395fac196acd3329fde0c1b1fd

                                                                          SHA256

                                                                          ee453b4bb7c1037fcd146a9c61540ee567953a6a24f7fbe72fa5fb7f700d022c

                                                                          SHA512

                                                                          fb5c92180b2713d92b26a220abd13ff529a2366327c76c84379b2742bb55e456440ce87fd142323e06969c23f973ba011836a29c1c660461b2a4eeb19c508974

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.PolyRansom.btzw-5548b06eba1fa8a4fb462453a0a33b1722b01ac3752b6e87c04101af2fc1086d.exe
                                                                          Filesize

                                                                          2.3MB

                                                                          MD5

                                                                          c13d0ed4192acbe02389b1f8a03b86ff

                                                                          SHA1

                                                                          56903c2c0d61f67a0670e85b12cab953a4c0c9b1

                                                                          SHA256

                                                                          5548b06eba1fa8a4fb462453a0a33b1722b01ac3752b6e87c04101af2fc1086d

                                                                          SHA512

                                                                          cfaa596aab72fdcf51ab0126dcef23df5f22501ce8c683558ef1e73eefe0ed47a09623fe1415741a903b603c87de29cedeae24f8e97ff49138c3a64a162dec3e

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\Trojan-Ransom.Win32.Suncrypt.a-3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe
                                                                          Filesize

                                                                          425KB

                                                                          MD5

                                                                          8e2ccd9284e09ccc4e9eef325a83b435

                                                                          SHA1

                                                                          7710f609e7623a08f0dd7cb8fae1ff38d0c729ef

                                                                          SHA256

                                                                          3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824

                                                                          SHA512

                                                                          9827bdb32c04127ee0ccc41be9c84df40e7d2aa30c68dc9f9e5bfabcd920478884bbec0f3f8ddcbe5fba2eafafa3437b37af161d59fc39daa92202e2f884247f

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\00409\UDS-Trojan-Ransom.Win32.Blocker-ba959985ab5014a21067af034c23bb3d966bee4bb39b58b0de2c6df2c3709976.exe
                                                                          Filesize

                                                                          3.5MB

                                                                          MD5

                                                                          63ebdf13d4468bd1aa4c1f461f6b342a

                                                                          SHA1

                                                                          c6d7d373637b95828cef644ec3950cc846c46148

                                                                          SHA256

                                                                          ba959985ab5014a21067af034c23bb3d966bee4bb39b58b0de2c6df2c3709976

                                                                          SHA512

                                                                          f5f41a55ae1e513d6cad226ff5f6508253c33904658d48d5a12a5404294cd368cd76fb0c6c857655dca4463457a6a94e834aa38355317b1e707a48472bfcd999

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp
                                                                          Filesize

                                                                          182B

                                                                          MD5

                                                                          63b1bb87284efe954e1c3ae390e7ee44

                                                                          SHA1

                                                                          75b297779e1e2a8009276dd8df4507eb57e4e179

                                                                          SHA256

                                                                          b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a

                                                                          SHA512

                                                                          f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extension-store-menus\data.safe.tmp
                                                                          Filesize

                                                                          245B

                                                                          MD5

                                                                          8d760775f3d310bc3a76e80614de59a8

                                                                          SHA1

                                                                          6c5284a6c3f6d9c96f02b0fa281193bf4aa26656

                                                                          SHA256

                                                                          e679c4aefc4c606245e039b297e6b0313c550231b5914b2dee57c16b23bcc50f

                                                                          SHA512

                                                                          1eece96a958a273fed24bdb10cf4534aac214d060645db7a7e00c272696a6a886b8f914a7487c688e3b3cd4265177edda9a940db17c67ea2e8e03552fcdb7d61

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json
                                                                          Filesize

                                                                          16KB

                                                                          MD5

                                                                          eed221cf4e6b170e88b23bbb5cd1e179

                                                                          SHA1

                                                                          81c3c10b3f7d9244b739626f7aab81907160735f

                                                                          SHA256

                                                                          d69d8af4f57b45b18e07737c6fe453fdffce14c2886ec21e5bf9a5e2c8e311f6

                                                                          SHA512

                                                                          2ae3735cd9a977fc32cfb571871ab28b060627787a9ddce1a9aebc6398de6086247cf7314b017f95c3249d4adb0b02a5496f39b5700b0227133b8342167116b9

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
                                                                          Filesize

                                                                          5KB

                                                                          MD5

                                                                          f01b3bb8b61eb2984ae213ac1cf02b32

                                                                          SHA1

                                                                          db225d7826242333dd47bda915827105293c3001

                                                                          SHA256

                                                                          cc70ba6be4191d1d5500638b732627897976ebd14b479ce5bd35473dd6999751

                                                                          SHA512

                                                                          83d0f69917e07a072eacbfebaa7eac1bbdda1b73917d54ed23b1d59495930e7c2a3af39a9b8a89c3abd492a04c4fc510c28810d52086374a24e1b2f9a62d012d

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
                                                                          Filesize

                                                                          5KB

                                                                          MD5

                                                                          0d63ebbf878a8a957a5742a1fb1b02f9

                                                                          SHA1

                                                                          04d222a9de7c17966fb37d5c15f66f0d89730349

                                                                          SHA256

                                                                          4d786aadb58a363257b4b074900f09f50b6eeaf8c59df1b897bfca5d3d596745

                                                                          SHA512

                                                                          acb4da8063dbbbd4ae8cd2d3a2e304269ffdc6e91d8dc3e1b6eb662d70c99c6b65b8ae4ee653be9c5d6c0312344f27e4e5bd3f640ae6ee0a2fcd132f1d4aa58f

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js
                                                                          Filesize

                                                                          4KB

                                                                          MD5

                                                                          251bd5f6a0ab923e3adaead0d0ef15e3

                                                                          SHA1

                                                                          9bfb9cf1bf656a5f978900f95ec520ebda47b9de

                                                                          SHA256

                                                                          0ca1bf6ecacc97f80405e4479049ca2c3837c04c1085cd59cd49fac84ad00b04

                                                                          SHA512

                                                                          c0fed86f10513367fafe59e408cff2b24ad98369486524ca2b4c0e7f1b9e40c302b6bbe8ec3c8d07403ceb50f5702770eca23b11bfb06202bf176397cdbf1eaa

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js
                                                                          Filesize

                                                                          863B

                                                                          MD5

                                                                          8fd4bb65e342871a58fc22a5700a3db7

                                                                          SHA1

                                                                          b08a91ca9f33b2c4b3902a1e8d92051fae7f2eb4

                                                                          SHA256

                                                                          835507ff87394fb6bf96f863d189c382468a40b941b68c999b876d13b8ed0614

                                                                          SHA512

                                                                          2cf2450dbf3cbbd37d2a8358eea661494f0f26e32875ed76967deb14eb30760e0e86c40215bd11bef0de8f408ffa3d41594cb25ea7003b7a5a1124cc8baa914c

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                                                          Filesize

                                                                          56KB

                                                                          MD5

                                                                          598e28144dba36cfda0a9a5acfc0fd9d

                                                                          SHA1

                                                                          b6f0d2bb28a1953e8dbe0bde8852c0e31f9be706

                                                                          SHA256

                                                                          2e7857a40b75624edaf12c8d6ddc034d26bad19cd3e506852555fe9d5807daed

                                                                          SHA512

                                                                          92cc1a1fecd49d1f26639c6195544831379c2212aac0e5d282e3b4f706176d862b58ac5bd1d8d5cf779502d9664a9477825f6d018f53e9e8bc2ce3e110fd96ee

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp
                                                                          Filesize

                                                                          2.8MB

                                                                          MD5

                                                                          f1d357ba5604e28cca4320de4eff66ab

                                                                          SHA1

                                                                          65421d6f725237ea182740da57d23d34f5e28478

                                                                          SHA256

                                                                          f31218c34a005bc420490a1ef91d0863938282e3508bf74f6f44117bb91f46bd

                                                                          SHA512

                                                                          afdd23c1598651fdd92697db8daf3c6ba758cddb83044c3217c43d8a18a3b2c6e2ef3d19d3e9fb8b6413b1573b1ad22aa226dd5fbf909225b2ff4caca7c8847e

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new
                                                                          Filesize

                                                                          10.4MB

                                                                          MD5

                                                                          21cfd3681923c6d86d2bb161c997e2ab

                                                                          SHA1

                                                                          46e8a7ce0629d730201ae5f9749c42db4c5127e4

                                                                          SHA256

                                                                          56f84dbbba48d52df5c3433bd1b44585fa11685d1f6792df07134f39321740ac

                                                                          SHA512

                                                                          83be729f4642ad2b751f5532cff91205ff22d8b314dea32540f9a42794383923ab7c346c28516cb8533d9e87a4849988f6dd3147ef0151fc7fdd1a9c2e72e9fd

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
                                                                          Filesize

                                                                          1.7MB

                                                                          MD5

                                                                          fc77f7ad084c52daa4452fbe197bc429

                                                                          SHA1

                                                                          a452346850d052bafce4bf3c42a9d4f57a6f8d96

                                                                          SHA256

                                                                          9808bb370a6463625bac46ed0af68ad7710ce49f550f3cf567a46ad4d1fd77f4

                                                                          SHA512

                                                                          a6b21b5073f396ed3b2334ef474121a67dad847b5fd06a04bf7faa1e810f29d5e3bb748d90de27a056f60d48e16244e2dcad498a0d04da9d123dc5c7a81bb8aa

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\Tor Browser\Tor Browser.lnk
                                                                          Filesize

                                                                          829B

                                                                          MD5

                                                                          030a1c3c5ed33a454087142c40037c99

                                                                          SHA1

                                                                          5648f73b15adae17c6c8b09c88539c2cf261a832

                                                                          SHA256

                                                                          a47ca26741f2e54c0d61f940358cafde03fe373da9d6fccdb3b9e80f4d67434f

                                                                          SHA512

                                                                          17234c6c0856a5df1f7a1f1cc7d023b5b07f50c5138a3186b3dd74d18a62bf4d43f1cc3e8e518157ec30bf01245480a6b188703c6c01d3b4b4d5e85821130fad

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\cat_10514.jpg
                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          599f453cdddc2643761c9d4d27a280b8

                                                                          SHA1

                                                                          8118350119476d6ea42202311b105fa60f6bb19c

                                                                          SHA256

                                                                          d0ed8b6c83bce97e201594d1a24376331baf87b50a9156f708241d01a021e856

                                                                          SHA512

                                                                          5268f05fa8ef823c3fca783fe19163c45e3fc1f679293a5d1d365b4fcee890fa816f8cbce05a2deced000f75115ed6d8c9a3676df76e40f7425d1e617a8141d9

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\cat_10676.jpg
                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          ff85d117b0d93f1746a94148fe32ba60

                                                                          SHA1

                                                                          e39251e6027a64f7a24d4abe65e059c1a781fafd

                                                                          SHA256

                                                                          02c8d934fc27f3aa004d409023c726d86aaba2fb629a4e6c7e44508207a44150

                                                                          SHA512

                                                                          0199fe734941c95c2ceafd4d713a8ce1dfac8d354a2278a9c960f96932788c368901e271d398997920ebdfbac99aa7511dfd0862946e838206ed9d1d160f6df0

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\cat_10687.jpg
                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          f90a1af92326f3812c00260b6bf6e5fa

                                                                          SHA1

                                                                          1f7bbb8b8b67be106eeb4cc3ac6922400935589a

                                                                          SHA256

                                                                          54465f7cfab43f761c8a4089a360c0997e6e88cfb8a5b748099e10c5fc18d355

                                                                          SHA512

                                                                          2e6bb233845705bacdd6f5b23bd4557681eec79e39e0522dcf4e09f45d18c370f9b3748cfcd883207aa81f4bdea2c288058984dd6c5022d6047ac02eeb0e6ac6

                                                                          Download Submit

                                                                        • C:\Users\Admin\Desktop\cat_10776.jpg
                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          c403e5fd26cda4d0b0f8dab25a999cdc

                                                                          SHA1

                                                                          8f4248626b7ac65e4e2a4e528abf46609532265b

                                                                          SHA256

                                                                          4ea23064950c2650524f1926e1b84501a74f36c488f8db2041fbb0ed3e135068

                                                                          SHA512

                                                                          3640b66857f639a0c565979cbaf6f9f708faf68e3eccfdd9d3a2eddebb781a2679e72a1d58309d61fdc8625b54a0845290d43b8956bf46577d0ef0ee1b0f621c

                                                                          Download Submit

                                                                        • \??\c:\users\admin\desktop\00409\trojan-ransom.win32.pornoblocker.ajrm-ed5c8667c0dd2d7747f509a0e68d88fcf6d1338594f9b653790e814aa9b64ba9.exe
                                                                          Filesize

                                                                          209KB

                                                                          MD5

                                                                          04b715760155290fc51094f5d1d81441

                                                                          SHA1

                                                                          c0932b1e553514bf652ab5875635b68c5396de2f

                                                                          SHA256

                                                                          ed5c8667c0dd2d7747f509a0e68d88fcf6d1338594f9b653790e814aa9b64ba9

                                                                          SHA512

                                                                          165fa35add8474efc7cb067d17f521b4886fd0dd1e180a9f630e4683b5c3d1ed9417ddfece36ac08cf84a172b9b8752b183fffb3abfe0fa091c8aab72486597a

                                                                          Download Submit

                                                                        • \Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini
                                                                          Filesize

                                                                          129B

                                                                          MD5

                                                                          a526b9e7c716b3489d8cc062fbce4005

                                                                          SHA1

                                                                          2df502a944ff721241be20a9e449d2acd07e0312

                                                                          SHA256

                                                                          e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                                                          SHA512

                                                                          d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                                                          Download Submit

                                                                        • memory/964-66-0x00000200A5B50000-0x00000200A5B72000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/964-70-0x00000200A6990000-0x00000200A69AE000-memory.dmp

                                                                          Filesize

                                                                          120KB

                                                                          Download

                                                                        • memory/964-68-0x00000200A69F0000-0x00000200A6A66000-memory.dmp

                                                                          Filesize

                                                                          472KB

                                                                          Download

                                                                        • memory/964-67-0x00000200A6920000-0x00000200A6964000-memory.dmp

                                                                          Filesize

                                                                          272KB

                                                                          Download

                                                                        • memory/1160-34-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1160-30-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1160-39-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1160-38-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1160-37-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1160-36-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1160-28-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1160-35-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1160-29-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1160-40-0x000001D6FFB80000-0x000001D6FFB81000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/1776-2316-0x0000000000400000-0x0000000000572000-memory.dmp

                                                                          Filesize

                                                                          1.4MB

                                                                          Download

                                                                        • memory/1776-214-0x0000000000400000-0x0000000000572000-memory.dmp

                                                                          Filesize

                                                                          1.4MB

                                                                          Download

                                                                        • memory/1776-765-0x0000000002BA0000-0x0000000002BCB000-memory.dmp

                                                                          Filesize

                                                                          172KB

                                                                          Download

                                                                        • memory/1776-766-0x0000000002BA0000-0x0000000002BCB000-memory.dmp

                                                                          Filesize

                                                                          172KB

                                                                          Download

                                                                        • memory/1944-151-0x0000000000610000-0x0000000000864000-memory.dmp

                                                                          Filesize

                                                                          2.3MB

                                                                          Download

                                                                        • memory/1944-7119-0x0000000000610000-0x0000000000864000-memory.dmp

                                                                          Filesize

                                                                          2.3MB

                                                                          Download

                                                                        • memory/1944-697-0x0000000000610000-0x0000000000864000-memory.dmp

                                                                          Filesize

                                                                          2.3MB

                                                                          Download

                                                                        • memory/1952-357-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/2852-162-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                          Filesize

                                                                          340KB

                                                                          Download

                                                                        • memory/2852-259-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                          Filesize

                                                                          340KB

                                                                          Download

                                                                        • memory/3884-901-0x0000000000540000-0x00000000005AF000-memory.dmp

                                                                          Filesize

                                                                          444KB

                                                                          Download

                                                                        • memory/3884-7102-0x0000000000540000-0x00000000005AF000-memory.dmp

                                                                          Filesize

                                                                          444KB

                                                                          Download

                                                                        • memory/3884-6682-0x0000000000540000-0x00000000005AF000-memory.dmp

                                                                          Filesize

                                                                          444KB

                                                                          Download

                                                                        • memory/4600-7106-0x0000000000400000-0x00000000004D5000-memory.dmp

                                                                          Filesize

                                                                          852KB

                                                                          Download

                                                                        • memory/4600-5250-0x0000000000400000-0x00000000004D5000-memory.dmp

                                                                          Filesize

                                                                          852KB

                                                                          Download

                                                                        • memory/4600-7115-0x0000000000400000-0x00000000004D5000-memory.dmp

                                                                          Filesize

                                                                          852KB

                                                                          Download

                                                                        • memory/4600-7135-0x0000000000400000-0x00000000004D5000-memory.dmp

                                                                          Filesize

                                                                          852KB

                                                                          Download

                                                                        • memory/4644-362-0x00000000003C0000-0x000000000210F000-memory.dmp

                                                                          Filesize

                                                                          29.3MB

                                                                          Download

                                                                        • memory/4644-7114-0x00000000003C0000-0x000000000210F000-memory.dmp

                                                                          Filesize

                                                                          29.3MB

                                                                          Download

                                                                        • memory/4644-120-0x00000000003C0000-0x000000000210F000-memory.dmp

                                                                          Filesize

                                                                          29.3MB

                                                                          Download

                                                                        • memory/4708-104-0x0000000000710000-0x0000000000727000-memory.dmp

                                                                          Filesize

                                                                          92KB

                                                                          Download

                                                                        • memory/4708-105-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                          Filesize

                                                                          380KB

                                                                          Download

                                                                        • memory/5116-78-0x0000000000400000-0x0000000000A1C000-memory.dmp

                                                                          Filesize

                                                                          6.1MB

                                                                          Download

                                                                        • memory/5116-108-0x000000001CAF0000-0x000000001D182000-memory.dmp

                                                                          Filesize

                                                                          6.6MB

                                                                          Download

                                                                        • memory/5636-7182-0x0000000071F90000-0x0000000071FC9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7139-0x0000000000400000-0x00000000007B1000-memory.dmp

                                                                          Filesize

                                                                          3.7MB

                                                                          Download

                                                                        • memory/5636-9930-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7880-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-8010-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-9888-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-9884-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7821-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-9862-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7667-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7663-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7509-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-8166-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7322-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-8246-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-8258-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-8265-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7204-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7193-0x0000000071F90000-0x0000000071FC9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7174-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-9447-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7120-0x0000000000400000-0x00000000007B1000-memory.dmp

                                                                          Filesize

                                                                          3.7MB

                                                                          Download

                                                                        • memory/5636-7154-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7886-0x0000000071F90000-0x0000000071FC9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7138-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7137-0x0000000000400000-0x00000000007B1000-memory.dmp

                                                                          Filesize

                                                                          3.7MB

                                                                          Download

                                                                        • memory/5636-7136-0x0000000000400000-0x00000000007B1000-memory.dmp

                                                                          Filesize

                                                                          3.7MB

                                                                          Download

                                                                        • memory/5636-8777-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7134-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7128-0x0000000000400000-0x00000000007B1000-memory.dmp

                                                                          Filesize

                                                                          3.7MB

                                                                          Download

                                                                        • memory/5636-7133-0x0000000000400000-0x00000000007B1000-memory.dmp

                                                                          Filesize

                                                                          3.7MB

                                                                          Download

                                                                        • memory/5636-8844-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7126-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-8862-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7121-0x0000000000400000-0x00000000007B1000-memory.dmp

                                                                          Filesize

                                                                          3.7MB

                                                                          Download

                                                                        • memory/5636-8900-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5636-7123-0x0000000000400000-0x00000000007B1000-memory.dmp

                                                                          Filesize

                                                                          3.7MB

                                                                          Download

                                                                        • memory/5636-7122-0x0000000000400000-0x00000000007B1000-memory.dmp

                                                                          Filesize

                                                                          3.7MB

                                                                          Download

                                                                        • memory/5636-9415-0x0000000071EB0000-0x0000000071EE9000-memory.dmp

                                                                          Filesize

                                                                          228KB

                                                                          Download

                                                                        • memory/5708-7109-0x0000000000400000-0x0000000000474000-memory.dmp

                                                                          Filesize

                                                                          464KB

                                                                          Download

                                                                        • memory/5708-2327-0x0000000000400000-0x0000000000474000-memory.dmp

                                                                          Filesize

                                                                          464KB

                                                                          Download

                                                                        • memory/5728-261-0x0000000000400000-0x00000000005AA000-memory.dmp

                                                                          Filesize

                                                                          1.7MB

                                                                          Download

                                                                        • memory/6036-7170-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                          Filesize

                                                                          340KB

                                                                          Download

                                                                        • memory/6036-250-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                          Filesize

                                                                          340KB

                                                                          Download

                                                                        • memory/6104-376-0x0000000000400000-0x00000000004D5000-memory.dmp

                                                                          Filesize

                                                                          852KB

                                                                          Download