Analysis

  • max time kernel
    163s
  • max time network
    304s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-11-2024 16:22

General

  • Target

    RNSM00366.7z

  • Size

    9.4MB

  • MD5

    46837db77a1738914d3e706e47dd063e

  • SHA1

    8dc5b42cb708a3cd73a0af71742be7ea39389c5e

  • SHA256

    38d06336598e9109435116705fcbc60f0d30eb697805bf6c5a09d414e51dca0b

  • SHA512

    358176dfb1035ee7c8fce38119a6723be33b1ac5328a7e654ec1b2000b7e729bebc09493bc709ef0753d7ca72ae617d8d486322fa3683d182f34f8c4de0499be

  • SSDEEP

    196608:CDGWPdy6PA9f98chi0spA9RAx2CjDFlOQC7ChOr1L/5aYBnj5RnT7neXj2S:KGWVRAoFCPCj5l67zBaYBj5Rn/neXx

Malware Config

Extracted

Path

C:\$Recycle.Bin\RESTORE-SIGRUN.html

Ransom Note
<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>SIGRUN</title> <style type="text/css"> .btn { background: #101000; border-radius: 0px; font-family: tahoma; font-weight:bold; color: #FFFFFF; font-size: 8px; padding: 4px 14px 4px 14px; text-decoration: none; } .btn:hover { background: #3cbffd; text-decoration: none; } .col { background: #001020; /* ЦBeT фoHa */ width: 60%; /* ШиpиHa блoкa */ padding: 15px; /* Пoля */ font-size: 0.5em; /* PaзMep шpифTa */ word-wrap: break-word; /* ПepeHoc cлoB */ text-align: center } body { min-width: 100px;}#container{background:#101000;}#container .column{position:relative; float:center;}#center{padding:10px 10px;width:100%;}#footer{clear:both;}* html #left {left:150px;}* html body{overflow:hidden;}* html #footer-wrapper{float:left;position: relative;width: 100%;padding-bottom:10010px;margin-bottom:-10000px;background:#1E90FF;}body {margin: 0;padding: 0;font-family:tahoma;font-weight:bold;}#header {font-family:tahoma;font-weight:bold;padding: 1.0em;background: #E6E6FA;}#footer {font-size: large;font-family:impact;line-height: 0.1px;padding: 1.0em;background: #E6E6FA;}#center {background: #101000;}</style></head><body style="background-color:#E6E6FA;"> <header id="header"> <font size="6" color="#101000"><p align="center">SIGRUN <font color="EE0000">1.0</font> RANSOMWARE</p> </font> </header> <div id="container"> <main id="center" class="column"> <article> <p align="center"> <font color="EE0000" size ="6"> <script> document.write("All your important files are encrypted"); </script></font></p><font color="#E6E6FA" size="4" weight="lighter"><p align="center"> <script> var hex = ` 94 04 00 00 e9 31 ce 13 8c 5d 96 9b 7d fe b7 50 97 9d c1 47 6b 95 32 56 41 df 80 8e 30 32 5b d4 18 fd e7 c5 d5 21 14 77 c6 11 cb 81 1a 88 e6 68 33 ac 1a be 80 d4 20 29 11 e6 c1 78 47 dd 5d 98 fa 97 20 70 81 0e 69 6c 5d fb 1d 8d 17 38 dc 42 1c 22 97 ac 60 1d b1 88 44 5d b8 72 ce de 52 20 ea a4 4c 60 f3 54 53 
33 41 6d 12 e5 26 f7 38 df 80 55 58 bc 07 33 da 38 4b 9a fb 22 7b 1b b2 97 c6 5e e3 68 0f 3c e3 f9 1c 58 df ea 2b e6 c7 fe 8d aa 7d b7 7b 1e f3 cc 8d 4f a7 07 95 bb 9d dc dd b5 c5 75 e4 f0 c6 9b 02 65 4c 31 a4 62 12 7f 7a 10 9d 3b 21 6d 71 38 4b 14 d4 5b 38 17 8c 48 00 91 e8 5f 16 26 93 60 cb 1f a0 a5 2a 8b 2a ad 14 d6 21 67 be 00 95 57 08 3b e4 4c 7b 58 41 9f 46 ee e7 c9 9f 11 1f a8 62 e9 ce 9f ab 77 23 13 f2 b2 30 52 ae dd da b5 cc e7 4b fb dd 21 6a b3 a8 0e 0d 7f dd 44 11 6e 93 cb 09 2d cb be 2e dd 31 18 3f 2a 25 74 83 60 d9 6a af be 61 b0 b1 41 48 0d 53 a5 33 14 14 a4 36 c8 6d db a8 d1 b5 07 2f 42 4d 16 93 a4 2e 02 84 63 57 4a 76 5a f7 1c de 2a 65 2a f5 e2 9f 8b 9d 70 5a 97 ee 36 86 17 cb 37 42 69 e0 9c fc 70 be e4 60 ad da cb 0f 60 2d 97 e8 8e 76 9e 74 e4 d9 a3 49 bc 5b 6a 4b 76 ae fc 2c 06 db f8 a7 f4 d5 59 9b b7 4d 2a 1b e5 69 8a 36 35 b1 f6 d2 e0 96 38 31 c6 e2 71 ba 24 26 a0 28 7c a9 9e f3 64 2e 44 20 60 76 e1 58 35 c7 2f 24 4b 48 ff 48 d0 ee cc 6d 00 53 eb 7f 43 3c 26 6a e5 54 f2 38 7f 4e 5f 98 a2 bc f7 d0 0d 33 5e b0 65 56 31 9c 8b 13 fb 91 85 8e c0 d0 22 87 51 78 d2 9f b4 f2 78 0e 0c 39 7c f4 2f f3 c5 7d 7b 2f c3 60 a2 c4 81 a3 a6 29 4f db ac 28 c2 55 35 d9 89 ea 96 6e 31 e5 91 50 d9 f3 e5 57 56 62 28 3d 44 61 23 e7 98 76 34 f8 2e 5d 7e 15 ed 98 e3 47 97 af da 5d 34 23 07 90 17 30 4e 9c 9e 62 24 45 59 c2 e7 6c 2d aa a8 f5 4a 22 b9 a4 fa 9e de b5 fb e6 d3 8d 2f ab 91 8b 65 cf d9 3b 32 22 7d 6a c8 d7 ef f1 29 e6 49 da c6 3d df 11 fb 94 52 e9 0c f1 33 e6 58 f5 f0 34 84 a3 a7 85 54 c3 e8 c4 a0 30 e6 bc d8 ad 37 34 dd b4 0c 98 f3 49 f1 51 a7 49 4e 7b b0 fc 41 06 47 8f b9 61 cf 3d 23 7e 0f 06 8f b5 84 7b 7f 23 b9 c1 e9 ae 91 08 bc 49 53 b4 5d 94 67 30 37 a9 90 1a db 0b bf 31 3c 83 7c 23 01 96 f3 54 b3 77 e2 76 bb 3d a8 88 d0 54 53 31 d1 59 73 8e a6 c0 ed 8f ce 21 48 ab 93 1d b6 3c f1 87 9a 3e bb 35 f6 b7 49 80 cf 21 e6 f3 85 e8 00 95 c8 6e 4a ff e2 6d 60 da 5e a0 81 b5 5a 9d 3c 41 c3 e9 3f bb 19 5d 61 a2 9f 6a 19 d1 2b 89 47 7c b7 5a 0a b9 cf bc c2 19 5f 99 
65 38 82 e4 13 fb e2 a3 bb ab 68 c8 4f 0a 38 d3 f9 b4 ba 66 39 af d2 12 3d 14 21 2f 5a 6a 6b 4d 70 d4 db 3e 3e f2 0b e8 b9 48 3b 3c 5e 59 c1 17 70 a0 e7 fa f3 03 52 d2 a3 f7 70 75 d5 93 12 d0 a2 ec aa 9f a5 b6 f7 7f 26 32 25 f7 a9 81 f9 fc b0 8a c8 19 b4 35 1f 64 5a 87 e7 43 a8 54 84 22 41 ed db f6 12 a5 f3 48 5f a9 32 54 85 8a f3 f0 c1 b7 79 9d ea 5d eb 5f 57 5c 24 f0 84 f8 14 2a a5 35 03 4c 3f 44 2e cf 5a 49 d1 25 f6 5f 64 55 03 80 8f 11 56 81 4e 31 f7 be dc 88 e3 9c 04 83 e6 f2 bb 94 f1 1f 1a a5 99 a4 94 97 66 62 fb af 9a 7a 05 f9 9b 29 f7 ea 98 ca b8 5b cd c3 90 5f 4b de 25 20 1d 70 3c 16 d9 36 54 1f fc c8 38 48 07 c6 0b 3f 6f da 6c 1e c7 fb 93 fb 9f 63 86 51 4e a9 cb e1 d2 ba d9 f6 e8 ba 43 52 b3 9f fc 40 d3 96 6b f7 ac b7 13 b0 f4 52 6a ab 22 1d d3 a5 a9 16 ab e1 65 c0 2d 14 d0 4d 52 9b 50 8a ac fd 72 e4 7f 91 e6 82 30 6d e3 e3 e3 6d dd 10 b6 62 08 c9 e0 89 16 61 a5 c3 9b 66 b7 b1 c2 46 4b 68 5a 1d 13 da 7a c7 8c 3d 61 7f 42 c5 28 6c 76 e1 c7 ce b6 5c 6a 51 6c 78 7a 86 27 c7 57 f7 8a 87 bb 0e c2 73 32 f6 a8 ed 8a 52 4e e1 d4 75 0f ac a3 a9 d3 91 47 09 81 0e d4 ed b4 72 22 dc 3a 18 65 3c 3f 9e 78 40 7c 71 07 26 c8 9d 5e 65 23 14 4e 47 d3 b3 94 cb de 9a b9 44 db 0f b9 d1 7b bc d9 a1 8e d0 99 fd 47 46 aa ef 07 b0 41 28 47 ee 40 06 7b 7d 31 38 2d 16 cf bb 6e bb 49 ec cb 4d c5 e4 e4 cf 54 2e 57 37 c0 5d 92 be 11 e3 79 c1 d0 0a 6a da 3b 33 42 0e 25 4a bc 73 8b 89 82 d5 d8 b5 90 b7 48 7e 65 01 34 c1 28 1c 84 f1 f0 10 ed 8a 0d 17 ad c1 8d 25 d4 34 a2 c8 89 12 ce c9 80 22 e0 c9 0e ed a9 2c 59 86 b9 10 d3 cc 99 6f 3f e0 71 82 87 ab 68 de d8 a6 77 10 1c b4 23 98 58 69 13 5e 89 fc ba 61 df 98 35 ef 6e e0 9a b3 2d 1e 2c e4 2c 98 95 0e 90 ab bb e8 91 29 38 c2 84 2c a8 46 26 70 7f eb a9 b8 aa ee 9d 8c 2f 0d 95 f5 1c 49 26 e4 51 03 b0 f3 b3 f1 06 4c 03 a3 5d 3c 1e e2 59 29 84 d8 37 94 54 06 b3 a5 9a 57 6b 2e 58 e6 ef b7 c7 c3 e4 63 38 b2 32 5e e0 81 08 71 22 d5 cc 79 b7 8c a5 2c 90 4f c0 4e f8 5d 13 48 9b 48 46 d3 a2 41 75 5c 4e 78 fa e5 79 ec fb b7 bb 6e 1c fc 77 30 14 62 
4f ed 26 74 aa 4a 9d 51 f8 25 99 01 3f fd 84 5e 3d 43 e6 18 78 50 6b 60 05 de 98 73 25 8d d2 44 58 9a 58 b6 dd 24 32 11 16 ac e2 c1 03 29 33 18 66 56 97 94 25 87 79 09 e9 88 81 4a dd fd 7d 7d bf a4 cd a6 55 de 5e b1 43 e8 5f 51 b2 02 6d 54 0f fb 9e 14 da 9a 55 52 bd 17 ad b5 08 d2 2a e1 ff 6b 08 23 b1 6f 48 49 56 fd 33 c7 32 e9 ed 77 a4 d3 c9 00 db 19 eb 6c 03 4f 7d 27 ab de c9 f8 2e 6f d5 b6 29 20 57 34 25 bf c2 0b c7 83 a4 44 ad 0e 82 34 d7 bf 1f 15 15 ce c1 ea 64 b7 15 3c da f4 ab f2 2e ef 38 e1 dd 86 20 76 60 2a aa 26 17 08 92 8a 86 0e fa 74 02 5d 08 f2 cc e0 cb c4 97 7c ea f0 3e 55 c2 95 b1 7d 55 4b 9c e3 20 88 e1 e6 7b f7 e7 61 be df 72 be 51 26 9f 4d 99 c8 6d 50 df 93 6a ad 56 8c 89 13 ca 4e df 67 18 ec 29 be 5c 1b 98 d3 f6 7f 1b db f5 e2 60 `; var cUrl = document.URL; var key = "<div align=\'center\'><font color=\"#E8FF8F\">IDKEY:</font><font color=\'#00FF00\' size=\'2'\><div class=\'col'\>>>>"+hex+"<<<</div></font></div><font color=\'#00FF00\'>"; var a1 = "<p align=\"center\">"; var link = "<a href>https://www.bitcoin.com/buy-bitcoin</a> and <a href>https://www.dash.org/exchanges/</a>" document.write("Your files has been encrypted by sigrun ransomware with unique decryption key.</p>"+a1+"There is&nbsp;&nbsp;only one way&nbsp;&nbsp; to get your files back:&nbsp;&nbsp;contact with us,&nbsp;&nbsp;pay,&nbsp;&nbsp;and get &nbsp;<font color=\"#00FF00\">decryptor software.</font>&nbsp;"+a1+"We accept Bitcoin and Dash, &nbsp;you can find exchangers on "+link+"&nbsp;&nbsp;and others.</p>"+a1+"You have unique idkey (in a dark blue frame), write it in letter when contact with us.</p>"+a1+"Also you can decrypt 3 files for test, its guarantee what we can decrypt your files.</p>"+key+a1+"Contact information:</p>"); </script> <p align="center">email: [email protected]&nbsp<//p><p align="center"><//p><//font><//article><//main><//div> <div id = "footer - wrapper"><footer id="footer"><header id="header"><font size="1" 
color="#1E90FF"><//font><//header><//footer><//div><audio autoplay preload="auto" style=" width:1px; "><source src="https://files.freemusicarchive.org/music%2FOddio_Overplay%2FJohn_Harrison_with_the_Wichita_State_University_Chamber_Players%2FThe_Four_Seasons_Vivaldi%2FJohn_Harrison_with_the_Wichita_State_University_Chamber_Players_-_01_-_Spring_Mvt_1_Allegro.mp3" type="audio//mpeg"><//audio><//br><//body><//html>
Emails

[email protected]

URLs

http-equiv="Content-Type"

Extracted

Path

C:\$Recycle.Bin\RESTORE-SIGRUN.txt

Ransom Note
~~~~~~SIGRUN RANSOMWARE~~~~~~~~~ Attention! All your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. But don't worry! You still can restore it! In order to restore it you need to contact with us via e-mail. ----------------------------------------------- | Our e-mail is: [email protected] | ----------------------------------------------- As a proof we can decrypt 3 files for free! Please, attach this to your message: 94 04 00 00 e9 31 ce 13 8c 5d 96 9b 7d fe b7 50 97 9d c1 47 6b 95 32 56 41 df 80 8e 30 32 5b d4 18 fd e7 c5 d5 21 14 77 c6 11 cb 81 1a 88 e6 68 33 ac 1a be 80 d4 20 29 11 e6 c1 78 47 dd 5d 98 fa 97 20 70 81 0e 69 6c 5d fb 1d 8d 17 38 dc 42 1c 22 97 ac 60 1d b1 88 44 5d b8 72 ce de 52 20 ea a4 4c 60 f3 54 53 33 41 6d 12 e5 26 f7 38 df 80 55 58 bc 07 33 da 38 4b 9a fb 22 7b 1b b2 97 c6 5e e3 68 0f 3c e3 f9 1c 58 df ea 2b e6 c7 fe 8d aa 7d b7 7b 1e f3 cc 8d 4f a7 07 95 bb 9d dc dd b5 c5 75 e4 f0 c6 9b 02 65 4c 31 a4 62 12 7f 7a 10 9d 3b 21 6d 71 38 4b 14 d4 5b 38 17 8c 48 00 91 e8 5f 16 26 93 60 cb 1f a0 a5 2a 8b 2a ad 14 d6 21 67 be 00 95 57 08 3b e4 4c 7b 58 41 9f 46 ee e7 c9 9f 11 1f a8 62 e9 ce 9f ab 77 23 13 f2 b2 30 52 ae dd da b5 cc e7 4b fb dd 21 6a b3 a8 0e 0d 7f dd 44 11 6e 93 cb 09 2d cb be 2e dd 31 18 3f 2a 25 74 83 60 d9 6a af be 61 b0 b1 41 48 0d 53 a5 33 14 14 a4 36 c8 6d db a8 d1 b5 07 2f 42 4d 16 93 a4 2e 02 84 63 57 4a 76 5a f7 1c de 2a 65 2a f5 e2 9f 8b 9d 70 5a 97 ee 36 86 17 cb 37 42 69 e0 9c fc 70 be e4 60 ad da cb 0f 60 2d 97 e8 8e 76 9e 74 e4 d9 a3 49 bc 5b 6a 4b 76 ae fc 2c 06 db f8 a7 f4 d5 59 9b b7 4d 2a 1b e5 69 8a 36 35 b1 f6 d2 e0 96 38 31 c6 e2 71 ba 24 26 a0 28 7c a9 9e f3 64 2e 44 20 60 76 e1 58 35 c7 2f 24 4b 48 ff 48 d0 ee cc 6d 00 53 eb 7f 43 3c 26 6a e5 54 f2 38 7f 4e 5f 98 a2 bc f7 d0 0d 33 5e b0 65 56 31 9c 8b 13 fb 91 85 8e c0 d0 22 87 51 
78 d2 9f b4 f2 78 0e 0c 39 7c f4 2f f3 c5 7d 7b 2f c3 60 a2 c4 81 a3 a6 29 4f db ac 28 c2 55 35 d9 89 ea 96 6e 31 e5 91 50 d9 f3 e5 57 56 62 28 3d 44 61 23 e7 98 76 34 f8 2e 5d 7e 15 ed 98 e3 47 97 af da 5d 34 23 07 90 17 30 4e 9c 9e 62 24 45 59 c2 e7 6c 2d aa a8 f5 4a 22 b9 a4 fa 9e de b5 fb e6 d3 8d 2f ab 91 8b 65 cf d9 3b 32 22 7d 6a c8 d7 ef f1 29 e6 49 da c6 3d df 11 fb 94 52 e9 0c f1 33 e6 58 f5 f0 34 84 a3 a7 85 54 c3 e8 c4 a0 30 e6 bc d8 ad 37 34 dd b4 0c 98 f3 49 f1 51 a7 49 4e 7b b0 fc 41 06 47 8f b9 61 cf 3d 23 7e 0f 06 8f b5 84 7b 7f 23 b9 c1 e9 ae 91 08 bc 49 53 b4 5d 94 67 30 37 a9 90 1a db 0b bf 31 3c 83 7c 23 01 96 f3 54 b3 77 e2 76 bb 3d a8 88 d0 54 53 31 d1 59 73 8e a6 c0 ed 8f ce 21 48 ab 93 1d b6 3c f1 87 9a 3e bb 35 f6 b7 49 80 cf 21 e6 f3 85 e8 00 95 c8 6e 4a ff e2 6d 60 da 5e a0 81 b5 5a 9d 3c 41 c3 e9 3f bb 19 5d 61 a2 9f 6a 19 d1 2b 89 47 7c b7 5a 0a b9 cf bc c2 19 5f 99 65 38 82 e4 13 fb e2 a3 bb ab 68 c8 4f 0a 38 d3 f9 b4 ba 66 39 af d2 12 3d 14 21 2f 5a 6a 6b 4d 70 d4 db 3e 3e f2 0b e8 b9 48 3b 3c 5e 59 c1 17 70 a0 e7 fa f3 03 52 d2 a3 f7 70 75 d5 93 12 d0 a2 ec aa 9f a5 b6 f7 7f 26 32 25 f7 a9 81 f9 fc b0 8a c8 19 b4 35 1f 64 5a 87 e7 43 a8 54 84 22 41 ed db f6 12 a5 f3 48 5f a9 32 54 85 8a f3 f0 c1 b7 79 9d ea 5d eb 5f 57 5c 24 f0 84 f8 14 2a a5 35 03 4c 3f 44 2e cf 5a 49 d1 25 f6 5f 64 55 03 80 8f 11 56 81 4e 31 f7 be dc 88 e3 9c 04 83 e6 f2 bb 94 f1 1f 1a a5 99 a4 94 97 66 62 fb af 9a 7a 05 f9 9b 29 f7 ea 98 ca b8 5b cd c3 90 5f 4b de 25 20 1d 70 3c 16 d9 36 54 1f fc c8 38 48 07 c6 0b 3f 6f da 6c 1e c7 fb 93 fb 9f 63 86 51 4e a9 cb e1 d2 ba d9 f6 e8 ba 43 52 b3 9f fc 40 d3 96 6b f7 ac b7 13 b0 f4 52 6a ab 22 1d d3 a5 a9 16 ab e1 65 c0 2d 14 d0 4d 52 9b 50 8a ac fd 72 e4 7f 91 e6 82 30 6d e3 e3 e3 6d dd 10 b6 62 08 c9 e0 89 16 61 a5 c3 9b 66 b7 b1 c2 46 4b 68 5a 1d 13 da 7a c7 8c 3d 61 7f 42 c5 28 6c 76 e1 c7 ce b6 5c 6a 51 6c 78 7a 86 27 c7 57 f7 8a 87 bb 0e c2 73 32 f6 a8 ed 8a 52 4e e1 d4 75 0f ac a3 a9 d3 91 47 09 81 0e d4 ed b4 
72 22 dc 3a 18 65 3c 3f 9e 78 40 7c 71 07 26 c8 9d 5e 65 23 14 4e 47 d3 b3 94 cb de 9a b9 44 db 0f b9 d1 7b bc d9 a1 8e d0 99 fd 47 46 aa ef 07 b0 41 28 47 ee 40 06 7b 7d 31 38 2d 16 cf bb 6e bb 49 ec cb 4d c5 e4 e4 cf 54 2e 57 37 c0 5d 92 be 11 e3 79 c1 d0 0a 6a da 3b 33 42 0e 25 4a bc 73 8b 89 82 d5 d8 b5 90 b7 48 7e 65 01 34 c1 28 1c 84 f1 f0 10 ed 8a 0d 17 ad c1 8d 25 d4 34 a2 c8 89 12 ce c9 80 22 e0 c9 0e ed a9 2c 59 86 b9 10 d3 cc 99 6f 3f e0 71 82 87 ab 68 de d8 a6 77 10 1c b4 23 98 58 69 13 5e 89 fc ba 61 df 98 35 ef 6e e0 9a b3 2d 1e 2c e4 2c 98 95 0e 90 ab bb e8 91 29 38 c2 84 2c a8 46 26 70 7f eb a9 b8 aa ee 9d 8c 2f 0d 95 f5 1c 49 26 e4 51 03 b0 f3 b3 f1 06 4c 03 a3 5d 3c 1e e2 59 29 84 d8 37 94 54 06 b3 a5 9a 57 6b 2e 58 e6 ef b7 c7 c3 e4 63 38 b2 32 5e e0 81 08 71 22 d5 cc 79 b7 8c a5 2c 90 4f c0 4e f8 5d 13 48 9b 48 46 d3 a2 41 75 5c 4e 78 fa e5 79 ec fb b7 bb 6e 1c fc 77 30 14 62 4f ed 26 74 aa 4a 9d 51 f8 25 99 01 3f fd 84 5e 3d 43 e6 18 78 50 6b 60 05 de 98 73 25 8d d2 44 58 9a 58 b6 dd 24 32 11 16 ac e2 c1 03 29 33 18 66 56 97 94 25 87 79 09 e9 88 81 4a dd fd 7d 7d bf a4 cd a6 55 de 5e b1 43 e8 5f 51 b2 02 6d 54 0f fb 9e 14 da 9a 55 52 bd 17 ad b5 08 d2 2a e1 ff 6b 08 23 b1 6f 48 49 56 fd 33 c7 32 e9 ed 77 a4 d3 c9 00 db 19 eb 6c 03 4f 7d 27 ab de c9 f8 2e 6f d5 b6 29 20 57 34 25 bf c2 0b c7 83 a4 44 ad 0e 82 34 d7 bf 1f 15 15 ce c1 ea 64 b7 15 3c da f4 ab f2 2e ef 38 e1 dd 86 20 76 60 2a aa 26 17 08 92 8a 86 0e fa 74 02 5d 08 f2 cc e0 cb c4 97 7c ea f0 3e 55 c2 95 b1 7d 55 4b 9c e3 20 88 e1 e6 7b f7 e7 61 be df 72 be 51 26 9f 4d 99 c8 6d 50 df 93 6a ad 56 8c 89 13 ca 4e df 67 18 ec 29 be 5c 1b 98 d3 f6 7f 1b db f5 e2 60

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\ENLZAS-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .ENLZAS The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/963b7a421bb39b21 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! 
IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAADi8J2H+56xrBkiw/cNtFbFDMdKYpBDIjWtvyEYpgmw+A/QRdrKntIYN7R59JwUcOpooxFL+/uGNbpCRZFNpmzkB4dNjxff2Hx8QIVtmVjVOyF+FcZJCpuFf575G2kCa1SARrOwTfIfLU8IQt7ARnyBekaFeZ7Hw9HkDzav+QozQo+6ofYsLP/C+xrmq5eVx9QrsGafzw/beAEvqvUCDHktsMcBSLP7TZlLZpFP9g2m4SGi1WJAiYEVJFzbeX8hO4f6JgyUvV3gxrNAc7uszPfnGrktzx+JN5Vuxvwo+/3T+iPf45bJzIoabhy0GxqAWsxGVmA5TGHN5i0NSdDYcmYPeiSJZ7HNItnpvFPgcg2WZH9zI8T25NkaqASKgXPlwcipI/UGzt9zM3XUCoz1AtbD3pSHnkQkNivxRVA1agkG/nTS+mpV9f0Ny+gwnWQdsGPbSjVsHkiHD+GazlFq2hETDzOr9NMaEOTIU/D0c++AgVN7f/VR+6tYIuJcy0PC09wCucUYHxIWCbZb2+aEQTKu0+i2MvZJ/ht+noXy+hSmjsYVfT657NlJNJqa2z5HI1wx1qVVrbph49GK+uAM8AC80Rv+sVeMiyyOLWozbpdiww2hoJXox95L/XWT39ILGZuG/v3hWjLDAzmx/jWRmfzYmyLGjd1ZxkkhGqUYV848pVLZgdwo64MkgYAjMGWeIFsaE9HJeFaUoVrDZUIpJx7mUXMTs1Z0mVQOnQTHW2tdZW/NFtGSkDLSBxxIl2Qj/f5Q0HA6vG2mheju8DJtdVfl8dqCqfllViCG1rJGVQseeBmtPxUm5HFf/SHqyr3eB4CkdC8KqDsDQqBNksjH2TgsCQKGSVWcLc074TyCzT1nooBsKurS9ZK1bMWXbytEfHl2LmhXAxW58jOWfoyAiRHkROyy2CVMKscmZJt2b1JNWm0z0fs8fDr3p55+khlkZMGjl86tlBD/ELB1yN0dPgbJEodyhwX/OaP03CMk2gdtGsxJhch6ySOazViRhmgXRkRREJbykGbOgWbEB9olt2SMmmh3/EAz52HERGU7B8C1CSi/2eZ9XVaO6dvrwa9DxcpyTVkywDUOWJ3vRGMtiKH/iHk9b5OXKoeGvRjNFfwP+thfpKeonb+6N+DeiLU7QUHPy22HxTnWqdrs8R95UI139q4cjfmDFTlJ8bPDfpvspTKd4Z/fbp2Edj2WxeyJl+VuNBaOECaVVIT0XSQBwtYCDoJUD7n/xgRwAQQsj/Z0rFClwiHf//u51jh51OluKikb+BLamHYJRwuRDFi9UkEb6pwIpgUbLqowIUGX9Sq2LL8T1wTkfI398i8lUXEsPEmfeBRt3+eKUnFNXne9lEy14hLZiqWHLX0GYHVfFo2DaamUoaPJhq5ysiwTYPqY90zC2VJsAxnc/35TQQSkWCWBxDcssiZN2+zk2D6nuaM6ggJh3Mc71U72/pcyEwPNNlO31TU7gIRqR/S4IPzmyO114ZzmgWw5t9gFasmSu6OLTlyyCcz4mYPj+2MFnKG3fh7q2vRXRMpO/zzroqyYNSFkBiB0BTmV0xuQvIHFyCnA+3a0KNxj1t1LZHluyqEoMtB7ugAiOeff15/LTFGqOH3hgdmggXf/wFPX09XGIzUVSV/yo+VmXTOujG21VAhywRC84Vcz4Qx4ZJihBCid7s8EElNHpPq2QlpYcbN7fvDENGlVSwCV0kZRU9385gAk8EIQLOQ4yldYHHsRhR8/bmv+8D6azntrsXr6IwBI+Qa3D8aRkN9UKeUfg1BmD46rCmXpMjV3EwTOiUbCxLOTgueG2R3nt1G9uRxJ51Zqk8pIx74oH2pIhol1SqBlCvIKEJbs2tDEIBHTogXet17PUnpK
kzmsVtnlf3nNYIMKJLcDJba/o4w74lf9rInRBA320nAnzuFGcBWA1JazdI/bd8vkgzoBAHjfhlQgIqUvdZp7FuL+tUqvCloJHtwrgQjIqaglPMlvlsguLqf05LbvmtVNNu54slr1Nt3BndliOCrmqPoe7YM6rrVUdWyx6jeWSnBm3J9F+LkrEze0qyU6WbPaEwQ1uctE8cIVzFk2N/qg33YYCJPMoML1/qbcQL5NJnSuIzmwfYWxNpPNzW20mTb8LTIrILuVkdUXhMoQrDufol42I0DLLs0tf3OVGIWDoc/cv8w2iO90cBqbAb48iy/wwu+KPzMmZzX28tg/KYWWPfodsIpvWWx1mHgCS4NONB/1KHAA= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/963b7a421bb39b21

Extracted

Path

C:\Users\YOU_FILES_HERE.txt

Ransom Note
Your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. Open this link In the "Tor Browser" http://huhighwfn4jihtlz.onion/sdlsgdewwbhr Note! This link is available via "Tor Browser" only. ------------------------------------------------------------- If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser: https://huhighwfn4jihtlz.onion.top/sdlsgdewwbhr https://huhighwfn4jihtlz.onion.link/sdlsgdewwbhr ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 2 file for free decryption. ------------------------------------------------------------ You unique ID
URLs

http://huhighwfn4jihtlz.onion/sdlsgdewwbhr

https://huhighwfn4jihtlz.onion.top/sdlsgdewwbhr

https://huhighwfn4jihtlz.onion.link/sdlsgdewwbhr

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\SRXTBM-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .SRXTBM The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/963b7a421bb39b21 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- ---END GANDCRAB KEY--- ---BEGIN PC DATA--- ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/963b7a421bb39b21

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\ENLZAS-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.1 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .ENLZAS The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/963b7a421bb39b21 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- ---END GANDCRAB KEY--- ---BEGIN PC DATA--- ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/963b7a421bb39b21

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • CryptoLocker

    Ransomware family with multiple variants.

  • Cryptolocker family
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Dharma family
  • Formbook

    Formbook is a data-stealing malware (infostealer).

  • Formbook family
  • GandCrab payload 2 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Globeimposter family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzonerat family
  • Windows security bypass 2 TTPs 6 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (253) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (509) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (563) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (807) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (9438) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 25 IoCs
  • Executes dropped EXE 43 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 13 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 5 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 46 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 10 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    PID:2568
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2600
    • C:\Windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      1⤵
        PID:2916
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        PID:3592
        • C:\Program Files\7-Zip\7zFM.exe
          "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00366.7z"
          2⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:3936
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          2⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:212
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe" /1
            3⤵
            • Drops startup file
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:3140
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:396
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            3⤵
              PID:2240
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2940
              • C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe
                HEUR-Trojan-Ransom.MSIL.Blocker.gen-5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe
                4⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2960
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Blocker.gen-5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe" "C:\Users\Admin\AppData\Local\winint.exe"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:10536
                  • C:\Windows\System32\Conhost.exe
                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    6⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:9036
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winint.exe"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:5184
                  • C:\Windows\System32\Conhost.exe
                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    6⤵
                      PID:10300
                • C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-5df075d702f3a3156f34c614964059c765e46eccf66a32e7523c2a259ec265bc.exe
                  HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-5df075d702f3a3156f34c614964059c765e46eccf66a32e7523c2a259ec265bc.exe
                  4⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  PID:2824
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C type nul > "HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-5df075d702f3a3156f34c614964059c765e46eccf66a32e7523c2a259ec265bc.exe:Zone.Identifier"
                    5⤵
                    • Subvert Trust Controls: Mark-of-the-Web Bypass
                    • System Location Discovery: System Language Discovery
                    • NTFS ADS
                    PID:8008
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      6⤵
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:8908
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C type nul > "HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-5df075d702f3a3156f34c614964059c765e46eccf66a32e7523c2a259ec265bc.exe:Zone.Identifier"
                    5⤵
                    • Subvert Trust Controls: Mark-of-the-Web Bypass
                    • System Location Discovery: System Language Discovery
                    • NTFS ADS
                    PID:12860
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      6⤵
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious use of SetWindowsHookEx
                      PID:6400
                  • C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-5df075d702f3a3156f34c614964059c765e46eccf66a32e7523c2a259ec265bc.exe
                    "HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-5df075d702f3a3156f34c614964059c765e46eccf66a32e7523c2a259ec265bc.exe"
                    5⤵
                    • Drops startup file
                    • Executes dropped EXE
                    • Enumerates connected drives
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    PID:12240
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
                      6⤵
                        PID:8196
                  • C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.Blocker.gen-c0cbba7160e90c8bb3e12e7593cbabfa00e039199bd311eeba77f5d22916cd8a.exe
                    HEUR-Trojan-Ransom.Win32.Blocker.gen-c0cbba7160e90c8bb3e12e7593cbabfa00e039199bd311eeba77f5d22916cd8a.exe
                    4⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:5092
                    • C:\Windows\50994950050730374\winsvcs.exe
                      C:\Windows\50994950050730374\winsvcs.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4428
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 524
                        6⤵
                        • Program crash
                        PID:7420
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 604
                      5⤵
                      • Program crash
                      PID:5152
                  • C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.Encoder.gen-8ec546589b80fa160f6244036b341d5703bc7fc1a7f31b658f11fe7bc6efe917.exe
                    HEUR-Trojan-Ransom.Win32.Encoder.gen-8ec546589b80fa160f6244036b341d5703bc7fc1a7f31b658f11fe7bc6efe917.exe
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:5044
                    • C:\Users\Admin\AppData\Local\Temp\y_installer.exe
                      C:\Users\Admin\AppData\Local\Temp\y_installer.exe --partner 351634 --distr /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y YABM=y VID=666"
                      5⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Modifies system certificate store
                      PID:5564
                      • C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
                        "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y YABM=y VID=666"
                        6⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:11576
                      • C:\Users\Admin\AppData\Local\Temp\y_installer.exe
                        C:\Users\Admin\AppData\Local\Temp\y_installer.exe --stat dwnldr/p=351634/cnt=0/dt=6/ct=11/rt=0 --dh 2344 --st 1730996650
                        6⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:8076
                  • C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-8f75b2382beb74b6aa1ed6c09a36d5e66364f441583613e4e608a03f49e353a5.exe
                    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-8f75b2382beb74b6aa1ed6c09a36d5e66364f441583613e4e608a03f49e353a5.exe
                    4⤵
                    • Checks computer location settings
                    • Drops startup file
                    • Executes dropped EXE
                    • Enumerates connected drives
                    • System Location Discovery: System Language Discovery
                    PID:3344
                    • C:\Windows\SysWOW64\wbem\wmic.exe
                      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:8684
                      • C:\Windows\System32\Conhost.exe
                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        6⤵
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious use of SetWindowsHookEx
                        PID:7636
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\00366\RESTORE-SIGRUN.html
                      5⤵
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:5216
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffd86d346f8,0x7ffd86d34708,0x7ffd86d34718
                        6⤵
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        PID:7672
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-8f75b2382beb74b6aa1ed6c09a36d5e66364f441583613e4e608a03f49e353a5.exe" /f /q
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:7128
                      • C:\Windows\System32\Conhost.exe
                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        6⤵
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious use of SetWindowsHookEx
                        PID:9892
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout -c 5
                        6⤵
                        • System Location Discovery: System Language Discovery
                        • Delays execution with timeout.exe
                        PID:13260
                  • C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.Generic-7d4639980128f85fa51e679123e61f355eb06fc95194792b0744d3d50867e6d5.exe
                    HEUR-Trojan-Ransom.Win32.Generic-7d4639980128f85fa51e679123e61f355eb06fc95194792b0744d3d50867e6d5.exe
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2436
                    • C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.Generic-7d4639980128f85fa51e679123e61f355eb06fc95194792b0744d3d50867e6d5.exe
                      HEUR-Trojan-Ransom.Win32.Generic-7d4639980128f85fa51e679123e61f355eb06fc95194792b0744d3d50867e6d5.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2316
                      • C:\Users\Admin\AppData\Roaming\Mofyzy\fusyh.exe
                        "C:\Users\Admin\AppData\Roaming\Mofyzy\fusyh.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Suspicious use of WriteProcessMemory
                        PID:2712
                        • C:\Users\Admin\AppData\Roaming\Mofyzy\fusyh.exe
                          "C:\Users\Admin\AppData\Roaming\Mofyzy\fusyh.exe"
                          7⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious use of WriteProcessMemory
                          PID:5032
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_55319db5.bat"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:516
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          7⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:1876
                  • C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-b9c35965425f591e37613ece53e0b253517c006ab9a200ab0e87334e5be21cf5.exe
                    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-b9c35965425f591e37613ece53e0b253517c006ab9a200ab0e87334e5be21cf5.exe
                    4⤵
                    • Modifies WinLogon for persistence
                    • Drops startup file
                    • Executes dropped EXE
                    • Enumerates connected drives
                    • Drops autorun.inf file
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    PID:4648
                  • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Agent.aupg-08dca503de70aabb60f5edb4ca366523a86084cf4546ad25e338c2ced99f2f6c.exe
                    Trojan-Ransom.Win32.Agent.aupg-08dca503de70aabb60f5edb4ca366523a86084cf4546ad25e338c2ced99f2f6c.exe
                    4⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Drops desktop.ini file(s)
                    • Drops autorun.inf file
                    • Drops file in Program Files directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: RenamesItself
                    PID:4156
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Agent.aupg-08dca503de70aabb60f5edb4ca366523a86084cf4546ad25e338c2ced99f2f6c.exe > nul
                      5⤵
                        PID:5496
                    • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Bitman.acta-9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122.exe
                      Trojan-Ransom.Win32.Bitman.acta-9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122.exe
                      4⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3428
                      • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Bitman.acta-9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122.exe
                        Trojan-Ransom.Win32.Bitman.acta-9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122.exe
                        5⤵
                          PID:2800
                      • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.cfwh-4c4836b640c5c0b9150cd19747ebc1ae94793788721df2f4392544ac281bc91a.exe
                        Trojan-Ransom.Win32.Blocker.cfwh-4c4836b640c5c0b9150cd19747ebc1ae94793788721df2f4392544ac281bc91a.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:2000
                        • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
                          "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.cfwh-4c4836b640c5c0b9150cd19747ebc1ae94793788721df2f4392544ac281bc91a.exe"
                          5⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • System Location Discovery: System Language Discovery
                          PID:4936
                          • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
                            "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000220
                            6⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:5060
                      • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.dvjn-026e0b9cff7d16371262cb17e5c1b58976328a26adb54bc0fbcd2052ad3a6717.exe
                        Trojan-Ransom.Win32.Blocker.dvjn-026e0b9cff7d16371262cb17e5c1b58976328a26adb54bc0fbcd2052ad3a6717.exe
                        4⤵
                        • Executes dropped EXE
                        • Drops desktop.ini file(s)
                        • Suspicious use of SetThreadContext
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1796
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd.exe"
                          5⤵
                          • Subvert Trust Controls: Mark-of-the-Web Bypass
                          • System Location Discovery: System Language Discovery
                          • NTFS ADS
                          PID:4576
                          • C:\Windows\System32\Conhost.exe
                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            6⤵
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            PID:1664
                          • C:\Windows\SysWOW64\reg.exe
                            reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
                            6⤵
                            • System Location Discovery: System Language Discovery
                            PID:6008
                        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
                          "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: MapViewOfSection
                          PID:14028
                      • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.lcmc-edb3c0027d7af7d98c79725009e72f8118410044783e8857f60bac16d2709473.exe
                        Trojan-Ransom.Win32.Blocker.lcmc-edb3c0027d7af7d98c79725009e72f8118410044783e8857f60bac16d2709473.exe
                        4⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:4668
                        • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.lcmc-edb3c0027d7af7d98c79725009e72f8118410044783e8857f60bac16d2709473.exe
                          Trojan-Ransom.Win32.Blocker.lcmc-edb3c0027d7af7d98c79725009e72f8118410044783e8857f60bac16d2709473.exe
                          5⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:316
                      • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.ldrz-7811c9852c84ebbc2441b0f35a73ac2d7ec81da4946169b49b24d5e20887f977.exe
                        Trojan-Ransom.Win32.Blocker.ldrz-7811c9852c84ebbc2441b0f35a73ac2d7ec81da4946169b49b24d5e20887f977.exe
                        4⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:4532
                        • C:\ProgramData\updater.exe
                          "C:\ProgramData\updater.exe"
                          5⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: GetForegroundWindowSpam
                          PID:3276
                      • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.ljpf-757b1b380cbf84dfb55a5cd9649759b646806f1c73a1c59da9522f3da66bf3be.exe
                        Trojan-Ransom.Win32.Blocker.ljpf-757b1b380cbf84dfb55a5cd9649759b646806f1c73a1c59da9522f3da66bf3be.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:228
                        • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.ljpf-757b1b380cbf84dfb55a5cd9649759b646806f1c73a1c59da9522f3da66bf3be.exe
                          rojan-Ransom.Win32.Blocker.ljpf-757b1b380cbf84dfb55a5cd9649759b646806f1c73a1c59da9522f3da66bf3be.exe
                          5⤵
                            PID:9456
                            • C:\Users\Admin\AppData\Roaming\Windows Update.exe
                              "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
                              6⤵
                                PID:13804
                                • C:\Users\Admin\AppData\Roaming\Windows Update.exe
                                  C:\Users\Admin\AppData\Roaming\Windows Update.exe"
                                  7⤵
                                    PID:3792
                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
                                      8⤵
                                        PID:8536
                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
                                        8⤵
                                          PID:1100
                                • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.lmin-46e1aaf4209f18e920daf95c7576f99835334a1268d1c02a9ca004386349b390.exe
                                  Trojan-Ransom.Win32.Blocker.lmin-46e1aaf4209f18e920daf95c7576f99835334a1268d1c02a9ca004386349b390.exe
                                  4⤵
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Drops file in Windows directory
                                  • System Location Discovery: System Language Discovery
                                  • Checks SCSI registry key(s)
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1044
                                  • C:\Windows\90708085068004\winsvcs.exe
                                    C:\Windows\90708085068004\winsvcs.exe
                                    5⤵
                                    • Modifies Windows Defender Real-time Protection settings
                                    • Windows security bypass
                                    • Executes dropped EXE
                                    • Windows security modification
                                    • System Location Discovery: System Language Discovery
                                    • Checks SCSI registry key(s)
                                    PID:7284
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 572
                                    5⤵
                                    • Program crash
                                    PID:8444
                                • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.mann-084f394536347ae4ec06dcd0d0c6902d421dbe7fde259fd32ba876829a053c10.exe
                                  Trojan-Ransom.Win32.Blocker.mann-084f394536347ae4ec06dcd0d0c6902d421dbe7fde259fd32ba876829a053c10.exe
                                  4⤵
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • System Location Discovery: System Language Discovery
                                  PID:2612
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell Add-MpPreference -ExclusionPath C:\
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • System Location Discovery: System Language Discovery
                                    PID:6260
                                    • C:\Windows\System32\Conhost.exe
                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      6⤵
                                        PID:12032
                                    • C:\ProgramData\images.exe
                                      "C:\ProgramData\images.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:5992
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell Add-MpPreference -ExclusionPath C:\
                                        6⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:7568
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe"
                                        6⤵
                                          PID:7116
                                    • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Crusis.to-825c185a64bea21c640b491c19e31de7376c0dd482b19df7d57b12e816f47078.exe
                                      Trojan-Ransom.Win32.Crusis.to-825c185a64bea21c640b491c19e31de7376c0dd482b19df7d57b12e816f47078.exe
                                      4⤵
                                      • Checks computer location settings
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops desktop.ini file(s)
                                      • Drops file in System32 directory
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: RenamesItself
                                      PID:1832
                                      • C:\Windows\system32\cmd.exe
                                        "C:\Windows\system32\cmd.exe"
                                        5⤵
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        PID:4448
                                        • C:\Windows\System32\Conhost.exe
                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          6⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:2596
                                        • C:\Windows\system32\mode.com
                                          mode con cp select=1251
                                          6⤵
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:8208
                                        • C:\Windows\system32\vssadmin.exe
                                          vssadmin delete shadows /all /quiet
                                          6⤵
                                          • Interacts with shadow copies
                                          PID:5608
                                      • C:\Windows\system32\cmd.exe
                                        "C:\Windows\system32\cmd.exe"
                                        5⤵
                                          PID:5228
                                          • C:\Windows\System32\Conhost.exe
                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            6⤵
                                              PID:9420
                                            • C:\Windows\system32\mode.com
                                              mode con cp select=1251
                                              6⤵
                                                PID:2820
                                              • C:\Windows\system32\vssadmin.exe
                                                vssadmin delete shadows /all /quiet
                                                6⤵
                                                • Interacts with shadow copies
                                                PID:7024
                                            • C:\Windows\System32\mshta.exe
                                              "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                              5⤵
                                                PID:12280
                                              • C:\Windows\System32\mshta.exe
                                                "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                5⤵
                                                  PID:6320
                                              • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Crypmod.abdq-e906f1c983c7c2756f4bcd4de9edb2c6e8d16c1f84a18fecf15b698a459183fc.exe
                                                Trojan-Ransom.Win32.Crypmod.abdq-e906f1c983c7c2756f4bcd4de9edb2c6e8d16c1f84a18fecf15b698a459183fc.exe
                                                4⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:644
                                                • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Crypmod.abdq-e906f1c983c7c2756f4bcd4de9edb2c6e8d16c1f84a18fecf15b698a459183fc.exe
                                                  rojan-Ransom.Win32.Crypmod.abdq-e906f1c983c7c2756f4bcd4de9edb2c6e8d16c1f84a18fecf15b698a459183fc.exe
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  PID:6072
                                                  • C:\Windows\SysWOW64\wbem\wmic.exe
                                                    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
                                                    6⤵
                                                      PID:14168
                                                • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Foreign.oggf-bf26329c083407931e46c85220e294904dc532e1095823290c04537f15316e47.exe
                                                  Trojan-Ransom.Win32.Foreign.oggf-bf26329c083407931e46c85220e294904dc532e1095823290c04537f15316e47.exe
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Adds Run key to start application
                                                  • Drops desktop.ini file(s)
                                                  • Enumerates connected drives
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4924
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell Add-MpPreference -ExclusionPath C:\
                                                    5⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • System Location Discovery: System Language Discovery
                                                    PID:8576
                                                    • C:\Windows\System32\Conhost.exe
                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      6⤵
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:6976
                                                  • C:\ProgramData\mswrz.exe
                                                    "C:\ProgramData\mswrz.exe"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Enumerates connected drives
                                                    • System Location Discovery: System Language Discovery
                                                    PID:9772
                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell Add-MpPreference -ExclusionPath C:\
                                                      6⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • System Location Discovery: System Language Discovery
                                                      PID:14304
                                                      • C:\Windows\System32\Conhost.exe
                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        7⤵
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:10244
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe"
                                                      6⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:10432
                                                      • C:\Windows\System32\Conhost.exe
                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        7⤵
                                                          PID:7632
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 9772 -s 1408
                                                        6⤵
                                                        • Program crash
                                                        PID:8500
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 9772 -s 1420
                                                        6⤵
                                                        • Program crash
                                                        PID:5660
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 9772 -s 1476
                                                        6⤵
                                                        • Program crash
                                                        PID:5708
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 9772 -s 1484
                                                        6⤵
                                                        • Program crash
                                                        PID:4380
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 9772 -s 1492
                                                        6⤵
                                                        • Program crash
                                                        PID:10356
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 9772 -s 1444
                                                        6⤵
                                                        • Program crash
                                                        PID:12152
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 152
                                                      5⤵
                                                      • Program crash
                                                      PID:10928
                                                  • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.GandCrypt.aro-8e41083ed856c03bdbca8c2a65b2b090a71dca629757905689f612fa7b135839.exe
                                                    Trojan-Ransom.Win32.GandCrypt.aro-8e41083ed856c03bdbca8c2a65b2b090a71dca629757905689f612fa7b135839.exe
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • Drops file in Windows directory
                                                    • System Location Discovery: System Language Discovery
                                                    PID:7396
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 508
                                                      5⤵
                                                      • Program crash
                                                      PID:7312
                                                  • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.GandCrypt.fbd-007988b1ffdce1e161071f92a130b64650735a5eed6445806c2c967d0902c286.exe
                                                    Trojan-Ransom.Win32.GandCrypt.fbd-007988b1ffdce1e161071f92a130b64650735a5eed6445806c2c967d0902c286.exe
                                                    4⤵
                                                    • Checks computer location settings
                                                    • Drops startup file
                                                    • Executes dropped EXE
                                                    • Enumerates connected drives
                                                    • Sets desktop wallpaper using registry
                                                    • System Location Discovery: System Language Discovery
                                                    • Checks processor information in registry
                                                    PID:9680
                                                    • C:\Windows\SysWOW64\wbem\wmic.exe
                                                      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
                                                      5⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:7696
                                                      • C:\Windows\System32\Conhost.exe
                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        6⤵
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:5840
                                                  • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.GandCrypt.fxk-2d79b1e98156ef1e5e9da7c3bc2c34a1debc081be7f5b3342e2e5a606a77bcd9.exe
                                                    Trojan-Ransom.Win32.GandCrypt.fxk-2d79b1e98156ef1e5e9da7c3bc2c34a1debc081be7f5b3342e2e5a606a77bcd9.exe
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    PID:9904
                                                    • C:\Windows\SysWOW64\wermgr.exe
                                                      "C:\Windows\System32\wermgr.exe"
                                                      5⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:11064
                                                  • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.GandCrypt.gov-41f37e5db2e2e37ee077a0ba7fa55a2ca46dbcbc1c73b65bfa98c60919a23c4e.exe
                                                    Trojan-Ransom.Win32.GandCrypt.gov-41f37e5db2e2e37ee077a0ba7fa55a2ca46dbcbc1c73b65bfa98c60919a23c4e.exe
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:11100
                                                    • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.GandCrypt.gov-41f37e5db2e2e37ee077a0ba7fa55a2ca46dbcbc1c73b65bfa98c60919a23c4e.exe
                                                      rojan-Ransom.Win32.GandCrypt.gov-41f37e5db2e2e37ee077a0ba7fa55a2ca46dbcbc1c73b65bfa98c60919a23c4e.exe
                                                      5⤵
                                                        PID:14160
                                                    • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.GandCrypt.gvv-fd904d7fb090b288c538cb77bbf998ab7324acc26e82dabc7aaaf5dbfaa95a5a.exe
                                                      Trojan-Ransom.Win32.GandCrypt.gvv-fd904d7fb090b288c538cb77bbf998ab7324acc26e82dabc7aaaf5dbfaa95a5a.exe
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      PID:11888
                                                    • C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.GandCrypt.hnl-72ff90e1b5f9e83607f005481dd67ddf9f93b5a96ffdbf45d32369f97a74c295.exe
                                                      Trojan-Ransom.Win32.GandCrypt.hnl-72ff90e1b5f9e83607f005481dd67ddf9f93b5a96ffdbf45d32369f97a74c295.exe
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      PID:9984
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 9984 -s 368
                                                        5⤵
                                                        • Program crash
                                                        PID:868
                                                • C:\Windows\System32\vssadmin.exe
                                                  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                                                  2⤵
                                                  • Interacts with shadow copies
                                                  PID:1780
                                                • C:\Windows\system32\NOTEPAD.EXE
                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE-SIGRUN.txt
                                                  2⤵
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  PID:8252
                                                • C:\Windows\SysWOW64\svchost.exe
                                                  "C:\Windows\SysWOW64\svchost.exe"
                                                  2⤵
                                                  • Adds policy Run key to start application
                                                  • Suspicious use of SetThreadContext
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies Internet Explorer settings
                                                  • Suspicious behavior: MapViewOfSection
                                                  PID:7728
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    /c del "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:9176
                                                    • C:\Windows\System32\Conhost.exe
                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      4⤵
                                                        PID:5260
                                                  • C:\Windows\system32\NOTEPAD.EXE
                                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RESTORE-SIGRUN.txt
                                                    2⤵
                                                      PID:12364
                                                    • C:\Windows\system32\NOTEPAD.EXE
                                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\ENLZAS-DECRYPT.txt
                                                      2⤵
                                                        PID:5912
                                                      • C:\Program Files (x86)\Zqrgpjlax\h0hpcvabw.exe
                                                        "C:\Program Files (x86)\Zqrgpjlax\h0hpcvabw.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:13476
                                                        • C:\Windows\System32\Conhost.exe
                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          3⤵
                                                            PID:5088
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                        1⤵
                                                          PID:3684
                                                        • C:\Windows\system32\DllHost.exe
                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                          1⤵
                                                            PID:3872
                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                            1⤵
                                                              PID:3968
                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                              1⤵
                                                              • Modifies registry class
                                                              PID:4044
                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                              1⤵
                                                                PID:688
                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                1⤵
                                                                • Suspicious use of UnmapMainImage
                                                                PID:4028
                                                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                                                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                                                                1⤵
                                                                  PID:756
                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                  1⤵
                                                                    PID:1632
                                                                  • C:\Windows\system32\backgroundTaskHost.exe
                                                                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
                                                                    1⤵
                                                                      PID:3416
                                                                    • C:\Windows\system32\backgroundTaskHost.exe
                                                                      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                      1⤵
                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                      PID:3240
                                                                    • C:\Windows\system32\vssvc.exe
                                                                      C:\Windows\system32\vssvc.exe
                                                                      1⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1332
                                                                    • C:\Windows\system32\DllHost.exe
                                                                      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                      1⤵
                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                      PID:3216
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5092 -ip 5092
                                                                      1⤵
                                                                        PID:1412
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4428 -ip 4428
                                                                        1⤵
                                                                          PID:6920
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7396 -ip 7396
                                                                          1⤵
                                                                            PID:8004
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
                                                                            1⤵
                                                                              PID:4544
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4924 -ip 4924
                                                                              1⤵
                                                                                PID:6632
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 9984 -ip 9984
                                                                                1⤵
                                                                                  PID:11664
                                                                                • C:\Windows\system32\msiexec.exe
                                                                                  C:\Windows\system32\msiexec.exe /V
                                                                                  1⤵
                                                                                    PID:12480
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 9772 -ip 9772
                                                                                    1⤵
                                                                                      PID:3980
                                                                                    • C:\Windows\system32\werfault.exe
                                                                                      werfault.exe /h /shared Global\7b1fa7e823a34347908d72db4cd096dd /t 12348 /p 6320
                                                                                      1⤵
                                                                                        PID:7428
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 9772 -ip 9772
                                                                                        1⤵
                                                                                          PID:12880
                                                                                        • C:\Windows\system32\werfault.exe
                                                                                          werfault.exe /h /shared Global\44172d0304ad40349038f16b3bca4ec4 /t 12252 /p 12280
                                                                                          1⤵
                                                                                            PID:6040
                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                            C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                            1⤵
                                                                                              PID:9316
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 9772 -ip 9772
                                                                                              1⤵
                                                                                                PID:9652
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 9772 -ip 9772
                                                                                                1⤵
                                                                                                  PID:6988
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 9772 -ip 9772
                                                                                                  1⤵
                                                                                                    PID:8004
                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 9772 -ip 9772
                                                                                                    1⤵
                                                                                                      PID:9544

                                                                                                    Network

                                                                                                    MITRE ATT&CK Enterprise v15

Downloads

• C:\$Recycle.Bin\RESTORE-SIGRUN.html
  Filesize: 26KB
  MD5: f8fee7bfabe83a950fd1da928eae1e59
  SHA1: b284cc3362b24a00b66cd519fc0c9d48c8b38262
  SHA256: 892edec25e82cd32c0f2d05e446f9c25fbad3961256de98a3945b0df3a15bbd4
  SHA512: 403cc8f28dd886fa4760d8f760a21db187b973e73b4c71fb338a35a68c6f8f82d5bcab55e4fd6c13f22d6fd21245e7e87a277692268c6ecca4f042cf169d7bac

• C:\$Recycle.Bin\RESTORE-SIGRUN.txt
  Filesize: 11KB
  MD5: 704028697f4c7ce114f1a9d5adc429ef

                                                                                                      SHA1

                                                                                                      2f50e8715e8446246bfedbf92e07096b55a9b16c

                                                                                                      SHA256

                                                                                                      a3c66e78b4dfd9b1c2c21160b009fa5c8efb25e7a5644a09ed038f985bda62f1

                                                                                                      SHA512

                                                                                                      804355bc3445caaf56e7bea875a9bf75bebeec768fe2e8b6a0a3657a32b49f5dd7f4cec0e88a712fa77e802f38bdcd512386bf2c0e309bfb07004405c67f99a3

                                                                                                    • C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\SRXTBM-MANUAL.txt

                                                                                                      Filesize

                                                                                                      8KB

                                                                                                      MD5

                                                                                                      11e061e10ef992fb9a7bf260a8270341

                                                                                                      SHA1

                                                                                                      555da3779d50c1aec193a53213cf293957b2356f

                                                                                                      SHA256

                                                                                                      44518a2afbe13ef7ce8403c730339e131380c67510327151c57316b9fb38d428

                                                                                                      SHA512

                                                                                                      de8bc7591759e255a54682fa03cc6a1b5c1c1e9f538a50d1bd2f124a6a28d754dbd7ede995bbd118bb6485eea9e6b26dfc2a761eac52a0df06a3c884c2f2f946

                                                                                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-1BB39B21.[[email protected]].bip

                                                                                                      Filesize

                                                                                                      2.7MB

                                                                                                      MD5

                                                                                                      dc08ade89f7faf3b8bd854793ecfc36f

                                                                                                      SHA1

                                                                                                      4b9f302857d1721eddbeb88aeb3c322e8041176a

                                                                                                      SHA256

                                                                                                      6238510030e376f2219359af9966a95ff1146e5c02a60f38e3ab0b391321f9f0

                                                                                                      SHA512

                                                                                                      65b0a3d5c441d23d86c212e902739902a185d52c3ed1dfc8cc9dd3316732f0653658fcdd14e1fde862ca529622e7975ec134a84302949a6500b96b6e714bb53c

                                                                                                    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.to-825c185a64bea21c640b491c19e31de7376c0dd482b19df7d57b12e816f47078.exe

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                      MD5

                                                                                                      a8f5466a239ddbce8492db2a116646c0

                                                                                                      SHA1

                                                                                                      a47a39020bd61955a3a449da7ffe1e6f97690bee

                                                                                                      SHA256

                                                                                                      825c185a64bea21c640b491c19e31de7376c0dd482b19df7d57b12e816f47078

                                                                                                      SHA512

                                                                                                      8eb05b95d220e4f574d13accd77fbb9a08552eb92547aa65184008fc0a4c10b5c27506c3cf338a2e78c48f12ce64bf0e91f1df8e5cfc8ff95d9e2e5d16e32150

                                                                                                    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

                                                                                                      Filesize

                                                                                                      64KB

                                                                                                      MD5

                                                                                                      d2fb266b97caff2086bf0fa74eddb6b2

                                                                                                      SHA1

                                                                                                      2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                                                                      SHA256

                                                                                                      b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                                                                      SHA512

                                                                                                      c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                                                                    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

                                                                                                      Filesize

                                                                                                      4B

                                                                                                      MD5

                                                                                                      f49655f856acb8884cc0ace29216f511

                                                                                                      SHA1

                                                                                                      cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                      SHA256

                                                                                                      7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                      SHA512

                                                                                                      599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

                                                                                                      Filesize

                                                                                                      944B

                                                                                                      MD5

                                                                                                      6bd369f7c74a28194c991ed1404da30f

                                                                                                      SHA1

                                                                                                      0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                                                                      SHA256

                                                                                                      878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                                                                      SHA512

                                                                                                      8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e834376e-711a-4991-aa0a-03901be76a64.dmp

                                                                                                      Filesize

                                                                                                      3.7MB

                                                                                                      MD5

                                                                                                      c151adee53b45140230f6855b7104c16

                                                                                                      SHA1

                                                                                                      bc5f7982edde1f0239e6ab1977e11cc72524043a

                                                                                                      SHA256

                                                                                                      97f226d6c1034190ea1ac01c1686052049bf9f307c18a56ce987eccf7914a7f9

                                                                                                      SHA512

                                                                                                      c0025ce23c0c4df343584f925f39b783bd8c26ca60a6e9dcb4453f1204b34ce8a9c13d5d7ee5987601f8aa1697f61210cac11a1e4b9cb99c3c4fe40ed729c215

                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

                                                                                                      Filesize

                                                                                                      1024KB

                                                                                                      MD5

                                                                                                      ec12e1051ea6b3e05bbbb9e52eb465aa

                                                                                                      SHA1

                                                                                                      80ded3704f78b702b424d37d7c8e2a922d572c8c

                                                                                                      SHA256

                                                                                                      0c019c175d8c6186daf7851d82280d46cd08efc4c81159a306a127baf7a2b4e2

                                                                                                      SHA512

                                                                                                      fa0aca6873450af98fb45d6e4da2cc3d86180f2e0aa57d64b26763f922205a122daf42bfcbdce5c750622dc094abc433f73041e320363499c8bb113d3bdc1856

                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

                                                                                                      Filesize

                                                                                                      8KB

                                                                                                      MD5

                                                                                                      c9b2d8d5e4aed48de2b854e056e6e094

                                                                                                      SHA1

                                                                                                      a8c398b33ffd82b030a4f30ea5a43fe6d7137533

                                                                                                      SHA256

                                                                                                      3a25e5f623504e477287ede6b0c0828e48b79bcffeb3d0822b42917bf2c09432

                                                                                                      SHA512

                                                                                                      ec8e73c66d99054f12596affe31657825ccb0021b7e7f22b4ade436b9c459f2f9ae0bdd6e0e70217cb13b0d573bfa5a0309714a85dfcdabe9e74c997e62faeef

                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

                                                                                                      Filesize

                                                                                                      8KB

                                                                                                      MD5

                                                                                                      59fbce1e6740a4772ac9d70f26a56f7b

                                                                                                      SHA1

                                                                                                      a31aeaa10514b03fffd8d79a66fe1632c44a7e55

                                                                                                      SHA256

                                                                                                      c7cda58e146ce3c2e30db168904deee568bafb3854677fa667194c1becd403b7

                                                                                                      SHA512

                                                                                                      ea9ca6bbdc53873c653cd3324bec492f0cc2f0179267be48f42bee3f03f79c253541496f48332a8298d395be2aa5012bc8a489433172357dd1c08d83b3d3e539

                                                                                                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133754703634941135.txt

                                                                                                      Filesize

                                                                                                      54KB

                                                                                                      MD5

                                                                                                      cdd4a3acba62c26ba776f32feca2d24f

                                                                                                      SHA1

                                                                                                      a7247a42a36c335416499b6934c0d08617a9a0f9

                                                                                                      SHA256

                                                                                                      888fda4c913bce122b9309c03efbe9b1a4d5b3e8993f5eb852ad0e2d80cd16b5

                                                                                                      SHA512

                                                                                                      a8c5832ba70b5e403c6b4882219774e57f9536f7be994758f2c380fb26bc64b26d6681cfad36c1bf4ccb1e001b9cf7f0e70ece677bf485a59c231e17ed4012d8

                                                                                                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt

                                                                                                      Filesize

                                                                                                      670KB

                                                                                                      MD5

                                                                                                      9eb5f69e443e7d835e78519e5f3b3ef4

                                                                                                      SHA1

                                                                                                      5ba40cd4a127359dbd006eb3b0f800809c138659

                                                                                                      SHA256

                                                                                                      4aa1fa29fd0a2d15b9204426cfee2e348dcf65f5b444b53fc5425a0418a3fdcd

                                                                                                      SHA512

                                                                                                      b14fd14a1ac0aa59e0b648b64af0fa4848a4601124fe8b37d0c3f7e4066908237eb1c9d01a43aa45444db104c68380a60e1e1625d1f4eda5d501a3c33206cf4f

                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

                                                                                                      Filesize

                                                                                                      10.1MB

                                                                                                      MD5

                                                                                                      e6d10b61b551b826819f52ac1dd1ea14

                                                                                                      SHA1

                                                                                                      be2cdcba51f080764858ca7d8567710f2a692473

                                                                                                      SHA256

                                                                                                      50d208224541ab66617323d8d791c06970a828eeb15b214965a5d88f6a093d41

                                                                                                      SHA512

                                                                                                      0d5d98424bab24ccced9b73d5ed58851d320e0540963a3ccc14da6d6231b2413136fa11458dc2155bb5844af9e28f3a053f8b7f709a806a4070c5ff737fb0ac8

                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Zqrgpjlax\h0hpcvabw.exe

                                                                                                      Filesize

                                                                                                      1.6MB

                                                                                                      MD5

                                                                                                      1c9ff7df71493896054a91bee0322ebf

                                                                                                      SHA1

                                                                                                      38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

                                                                                                      SHA256

                                                                                                      e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

                                                                                                      SHA512

                                                                                                      aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qy0p0bd4.0al.ps1

                                                                                                      Filesize

                                                                                                      60B

                                                                                                      MD5

                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                      SHA1

                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                      SHA256

                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                      SHA512

                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                    • C:\Users\Admin\AppData\Local\Temp\nsr2F3A.tmp\INetC.dll

                                                                                                      Filesize

                                                                                                      24KB

                                                                                                      MD5

                                                                                                      640bff73a5f8e37b202d911e4749b2e9

                                                                                                      SHA1

                                                                                                      9588dd7561ab7de3bca392b084bec91f3521c879

                                                                                                      SHA256

                                                                                                      c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

                                                                                                      SHA512

                                                                                                      39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

                                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp_55319db5.bat

                                                                                                      Filesize

                                                                                                      364B

                                                                                                      MD5

                                                                                                      bc31d49df9ecd01870fbfa3882ea12ca

                                                                                                      SHA1

                                                                                                      5640d39629863911de0cdd494d4514d884ad50ba

                                                                                                      SHA256

                                                                                                      299e4923f9074984dca0f022327923070931faa7c7fcffb8f91ee7426cce88e1

                                                                                                      SHA512

                                                                                                      ef94e71c57eddacc30d65a6e1c83c7714c03b2f84194f5d1edb0a945675dd1152d5b0c265d5d38b745e1af2aa09ee6b5c7bbfff15cdd63483e9beae4dd003e53

                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

                                                                                                      Filesize

                                                                                                      3KB

                                                                                                      MD5

                                                                                                      20d05cb667d19a84d0706d673de09a40

                                                                                                      SHA1

                                                                                                      957b3e0f5b5569f4d260765dfe4e44a95328a0c5

                                                                                                      SHA256

                                                                                                      3d60841b03640253d109dbffee816abefef4755e699be71e1e87e1fca93c7c2b

                                                                                                      SHA512

                                                                                                      833bb6fd98b927799cd189ae02580dde62be2378f058dd77ef4bd08f46318fcf57ce6c61aaa163bd58e615a59849e5d7a3c107961101be584b38713c06f948a8

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
  Filesize: 204KB
  MD5: edc7aa830fc8204ee6ae8bb173fc553c
  SHA1: f68bf8c7ddf92e30cfb4d02ca45054f93fb6afd1
  SHA256: 6c8f64cd787aedf59d41dd4f449e1f7b374052caa8bc932025e0082c39c5dd89
  SHA512: 646e0f527b9481768fb40c8717a3ebbcdcabbc1fae8c0baf7c576e994ec15e3c22c394b8560e63aef24040bf6d412084b4156c48c5cc13ae6608fd8268e07bcb

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
  Filesize: 203KB
  MD5: b1cfd50181c8b7cd4fc8413f2cbc5cff
  SHA1: 3cf8d9259e0d4a87c8ef70d5eb085f7ff1d6bec5
  SHA256: b92482f54524dd8f232253ba76e1be234c8ec4be5bcfbae48c7dc735046936e5
  SHA512: 058dd87ca1ae44d0957a586d2db6c7d73faf7231ca9f3d795e36124164c6fc6abf19df21eb67702c48302ab68e3256477e0174bc1684eb57dfb27a56f797dfae

• C:\Users\Admin\AppData\Roaming\Mofyzy\fusyh.exe
  Filesize: 67KB
  MD5: e25d7326901a0f378123d6d059c12d84
  SHA1: 714db020273ad562ae32b8fd4725ba2cc9fbaa6c
  SHA256: 4788ac46c48009e2a2119ab3872d8246f79e02d8c1861e37d056faccd349c32a
  SHA512: cef6de5a71eef81e9db6b601accf13902af341b8a46e329576dc2f8b810bf03c4402a49f2ab452d54daf756e7a398dddb5a6ab504d675891e4a2ba43a94080c8

• C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe
  Filesize: 1.4MB
  MD5: 00026f4df326d91be6e5af6ad63dd440
  SHA1: 169e64b787d11edc1a0198304c3594c715b36c15
  SHA256: 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
  SHA512: f0d8c8cc4434a4817baf6d8e67c971e61008350c0dcf91e015f75c3f6b37af0c46cd8299688d5a9791cf1a6c5bd904674e34ae0f8ee369f093de9dffc98b7273

• C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-5df075d702f3a3156f34c614964059c765e46eccf66a32e7523c2a259ec265bc.exe
  Filesize: 457KB
  MD5: 93adbc54ce26f226fb8c1ad1a1ab6e63
  SHA1: f43e6ed9eb6be7ad296841efac3211a2269b72f1
  SHA256: 5df075d702f3a3156f34c614964059c765e46eccf66a32e7523c2a259ec265bc
  SHA512: ca02b6085797cf2f39148aa926a1e7ba462a9a68f229d19b58362c522d06da74c64719a0ab2fc169bfa476737e990689814e9e4ff2119c50c6a3c28e292468d0

• C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.Blocker.gen-c0cbba7160e90c8bb3e12e7593cbabfa00e039199bd311eeba77f5d22916cd8a.exe
  Filesize: 293KB
  MD5: 0679fc0b5e68953de485094ceb066698
  SHA1: a4eb01e793f1e42cfed70fdea636a93745e2a060
  SHA256: c0cbba7160e90c8bb3e12e7593cbabfa00e039199bd311eeba77f5d22916cd8a
  SHA512: ec4842853bbb7fac6bf78b6c54695e2dbd7559b870eef52286ca94f7b0df290623a2b83f8bb170003f2b9585f1c35abb96149ed8d64fad594d5e7710ed65c9f7

• C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.Encoder.gen-8ec546589b80fa160f6244036b341d5703bc7fc1a7f31b658f11fe7bc6efe917.exe
  Filesize: 201KB
  MD5: 3dd935b108e359605a4d4827464abee1
  SHA1: 2504c79b086c643a9055a1294ed48ae8a7d5e117
  SHA256: 8ec546589b80fa160f6244036b341d5703bc7fc1a7f31b658f11fe7bc6efe917
  SHA512: c1238d5399ae5c833bce261643e895b7a9ee1ff1ccdd0336eb0d6bc05a84e4fadd33b583ecf8188ccc4b0a8a8f8d0f3cc6ed2308df7e9d6e3324e7a92fc0efee

• C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-8f75b2382beb74b6aa1ed6c09a36d5e66364f441583613e4e608a03f49e353a5.exe
  Filesize: 158KB
  MD5: 5feb2be58e8dfca6d873b064f5e69529
  SHA1: a58e865d71e852ce343341e6b8dc92d9b937a870
  SHA256: 8f75b2382beb74b6aa1ed6c09a36d5e66364f441583613e4e608a03f49e353a5
  SHA512: f95f9c4829d5b4556fb1e3f9fdd7950f518da85dba7f699de173f7e0352c530f27789d5fdeff32b0afe49776470e7ce930f01b0ce11b917c91b24e0778fd1061

• C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.Generic-7d4639980128f85fa51e679123e61f355eb06fc95194792b0744d3d50867e6d5.exe
  Filesize: 184KB
  MD5: d52536b61b775938a067b55b2dd32b49
  SHA1: e42f13fbd59203de2c339901cd56baf1954e7802
  SHA256: 7d4639980128f85fa51e679123e61f355eb06fc95194792b0744d3d50867e6d5
  SHA512: b481997b848498a1346deb048e378f3ab93a7254f7520ce085caa070f594a1b8afeb49fc5ccacd9f697de58918556f0116035f5720b8fda737d7c7b5bdec890a

• C:\Users\Admin\Desktop\00366\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-b9c35965425f591e37613ece53e0b253517c006ab9a200ab0e87334e5be21cf5.exe
  Filesize: 846KB
  MD5: f04036e85017a672237193565c3ffbe1
  SHA1: 170a1ffefc3c6d2f63cef17589783c056786b1b7
  SHA256: b9c35965425f591e37613ece53e0b253517c006ab9a200ab0e87334e5be21cf5
  SHA512: f7bb461627fbae53e941c339a32d5b73fa7fa087b0a386aedeb33b419f617a9d6065ad35b2eeeddae65a4aff465beba7c7b2bd7440de6e59986cf6b02603ae51

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Agent.aupg-08dca503de70aabb60f5edb4ca366523a86084cf4546ad25e338c2ced99f2f6c.exe
  Filesize: 504KB
  MD5: b1071426aa88f31339f1b369cf13cef3
  SHA1: 69ff5bd81f366fece2d36c98cc3bf4a2d41b8f68
  SHA256: 08dca503de70aabb60f5edb4ca366523a86084cf4546ad25e338c2ced99f2f6c
  SHA512: a6e1dd3c13dd952d09ae9cdcf1b94c99ab9b0fe7c58d957eb558353f61084ec6ae9e133f8c449ffc434efaaf3f767e30709547e3efb2106839e2d31574b18ac1

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Bitman.acta-9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122.exe
  Filesize: 257KB
  MD5: 6e080aa085293bb9fbdcc9015337d309
  SHA1: 51b4ef5dc9d26b7a26e214cee90598631e2eaa67
  SHA256: 9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
  SHA512: 4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.cfwh-4c4836b640c5c0b9150cd19747ebc1ae94793788721df2f4392544ac281bc91a.exe
  Filesize: 306KB
  MD5: c3e44673beef5ea9729f961ae675970a
  SHA1: 9a123902896be80475be8bd360f5449ae800f358
  SHA256: 4c4836b640c5c0b9150cd19747ebc1ae94793788721df2f4392544ac281bc91a
  SHA512: 10fb7d2ea7909b8a062fb1e50b02f3cdd4d7227061ccb0cbc20c05556d121c2814406a836454f094329f33e084c00ceb72c9981e34c334d36c5a16c8ab60de13

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.dvjn-026e0b9cff7d16371262cb17e5c1b58976328a26adb54bc0fbcd2052ad3a6717.exe
  Filesize: 358KB
  MD5: 7ff91e1793fdfbccb6d0df9a6f0e6020
  SHA1: afb98287ed54c9aa1ee4f685a26be240bac6c6cc
  SHA256: 026e0b9cff7d16371262cb17e5c1b58976328a26adb54bc0fbcd2052ad3a6717
  SHA512: d9f3e72c1cf9c168a97b6660c6dcbba21b08a26a9a3dc51b089372d2ce4b5534ea214a86708232a3c41c9c7989fcbade747802748b8d7afadd1d4609542dcfb0

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.lcmc-edb3c0027d7af7d98c79725009e72f8118410044783e8857f60bac16d2709473.exe
  Filesize: 556KB
  MD5: 7b4a08dc023bea6675b4fb2ed4953abe
  SHA1: 3d9efad027a67e24f3823eb99efa2d16bdc6e347
  SHA256: edb3c0027d7af7d98c79725009e72f8118410044783e8857f60bac16d2709473
  SHA512: bffbb48445630cbb7cd7827ad1b626478772c4fb992b70c0f5ea4fe3aef4d2e4a9833eeb9a582261c7f5043b829e58e1ab846e219408b03683c3fe0553264f64

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.ljpf-757b1b380cbf84dfb55a5cd9649759b646806f1c73a1c59da9522f3da66bf3be.exe
  Filesize: 978KB
  MD5: 07ea62d38d56cb786ab621991fd4c9b8
  SHA1: bb166126eb88fca066ff35c2de846c57a01eae15
  SHA256: 757b1b380cbf84dfb55a5cd9649759b646806f1c73a1c59da9522f3da66bf3be
  SHA512: 5882f1b69bd83a5e1eb6d1947f73bbdc3a20662a6f5bf62e02f5bddfeef7069942b6fc537b66f8f341ebc7ce46dbf235d8beef9b69ff3651519ebd99645de991

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.lmin-46e1aaf4209f18e920daf95c7576f99835334a1268d1c02a9ca004386349b390.exe
  Filesize: 197KB
  MD5: ea1c9ca1d2b9f56bbc89e0b827bf6674
  SHA1: fa17a5b4ef0a45d87689e57288208530cec3df25
  SHA256: 46e1aaf4209f18e920daf95c7576f99835334a1268d1c02a9ca004386349b390
  SHA512: b8c2833d939e04a8cdb1afb43f56b11c8628a638736da087bbd53ae055448be6bfe4fc01008119499f82230ffe6092b577996b7e695009946f7930761f07cda5

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Blocker.mann-084f394536347ae4ec06dcd0d0c6902d421dbe7fde259fd32ba876829a053c10.exe
  Filesize: 1.0MB
  MD5: 69119bcdf0f6c719fa7b2e692d7ed777
  SHA1: 2c6b94a4438369dbe9dc0e9c08c7ee5d6ef43f10
  SHA256: 084f394536347ae4ec06dcd0d0c6902d421dbe7fde259fd32ba876829a053c10
  SHA512: 389525a9b6f4a63da771bd9b02bb6c6c2d063acc889b3e51729c490ae983534a92b92b8750e3c237597d2ecfa73348e2e8b9c0205283aaaac8d48e7ec46e7edc

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Crypmod.abdq-e906f1c983c7c2756f4bcd4de9edb2c6e8d16c1f84a18fecf15b698a459183fc.exe
  Filesize: 541KB
  MD5: 832ad7fdcb28a68e778d2078136bde95
  SHA1: e47f4d11d4e7ac7d605bcc22fedc094b2009a257
  SHA256: e906f1c983c7c2756f4bcd4de9edb2c6e8d16c1f84a18fecf15b698a459183fc
  SHA512: c8bfde7a0e6af8591c7932a1e65adb7106c0ff0e5b6be289793a28e5506cbc9336c28954cdb951b9d62aee7f1e7088cc6ff68cccacc1c595d01062b19c0a0183

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.Foreign.oggf-bf26329c083407931e46c85220e294904dc532e1095823290c04537f15316e47.exe
  Filesize: 468KB
  MD5: 1ffe827beb75335731cb6f052a8ec3a6
  SHA1: 381ff47af182f52185fe2ff8d01453c5f611b04a
  SHA256: bf26329c083407931e46c85220e294904dc532e1095823290c04537f15316e47
  SHA512: fe1d68657aa99cb2949aa4aee3c12a70ba4f1fa9542f4606fb6a63627c593c74ce2188ebba15c2e366d8c79c4591e2bc048505abf4eed16d156a9b2ecf6334c8

• C:\Users\Admin\Desktop\00366\Trojan-Ransom.Win32.GandCrypt.iyy-41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe
  Filesize: 686KB
  MD5: efa2a4323f392f4200b1955e61c8faa9
  SHA1: 1c2ff80ad2942b508c9e410a1403ee8ec05bf6b7
  SHA256: 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629
  SHA512: 9c4253d4062dc43c4dfc18c0a49bafb9fc74bab4ced012404f7d9996204784bf684e2810abfa81fcc48ccea780f08600d67ab3b0a41ce867d09399e5c162e788

• C:\Users\YOU_FILES_HERE.txt
  Filesize: 1KB
  MD5: c2c1410f4cd9997eaae7a29175a3d8ef
  SHA1: 6cb60bb5967564d90fcd1668aaac3ba3128fef34
  SHA256: f5d42203d3db5bc06e8ce0c725c94f195dc93f223c94c515c31ab7cec9d139f9
  SHA512: a9ac46fdc8b125c814605136dae5fee1f57bdc61a68710f6a9f37628fab0e452dd43ac7ce3d6896e80f2b5177539a7126f59021adb8ac2bbc2d2179136a3a35c

                                                                                                    • C:\Windows\win.ini

                                                                                                      Filesize

                                                                                                      30KB

                                                                                                      MD5

                                                                                                      6a298535735ea2086e81f3f94ca5c87a

                                                                                                      SHA1

                                                                                                      2887d46ffac860b6741f77b1261522e2504ec11b

                                                                                                      SHA256

                                                                                                      8475b1196084ace8cefd42f65a42b9a813641e89015472cb81eacd6fe61b9849

                                                                                                      SHA512

                                                                                                      2dd19964c4994bd75370cd01af42460a971aa205f28df2bb5404ccbfffbffdc5479159ee7c6eed20bac1b5eec5891e041afdc8f4531fc1899fb649918e6d7bd7

                                                                                                    • F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\ENLZAS-DECRYPT.txt

                                                                                                      Filesize

                                                                                                      8KB

                                                                                                      MD5

                                                                                                      03c8a313ce60839688a8a0e42ded94cd

                                                                                                      SHA1

                                                                                                      09bc6be452a9cd7131444b425e2c55cb691f8444

                                                                                                      SHA256

                                                                                                      2130a760fa75ba5525c53de0c98a6bd3d799d5f88bd6761b0ba1349107966c53

                                                                                                      SHA512

                                                                                                      a6c02f398135622b83ad7a48404e7141df0376a0405531cf98748a3440ba96fe6319540df3bcf4b86a69c8e02e8de2e0f7316df323a6794953898cbdab347d87

                                                                                                    • F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\ENLZAS-DECRYPT.txt

                                                                                                      Filesize

                                                                                                      8KB

                                                                                                      MD5

                                                                                                      da281f8e26e93b69d2d37532dec3b5ac

                                                                                                      SHA1

                                                                                                      347fa9fb2a6fe0377bfbf095893a556e0091c74f

                                                                                                      SHA256

                                                                                                      ac04d70f2c22d182240fb7da55ba1346e18f0c77c640865929b42f212bf0e220

                                                                                                      SHA512

                                                                                                      537cd6358986cdc7a8f3193fe171077b13cefe05acbba6b5d1edf9fa4e60df96260c1138087489110f528ccf90527acc1ea87db8bf5df4f9b23c5ad16824aa46

                                                                                                    • F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini

                                                                                                      Filesize

                                                                                                      129B

                                                                                                      MD5

                                                                                                      a526b9e7c716b3489d8cc062fbce4005

                                                                                                      SHA1

                                                                                                      2df502a944ff721241be20a9e449d2acd07e0312

                                                                                                      SHA256

                                                                                                      e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                                                                                      SHA512

                                                                                                      d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                                                                                    • F:\AUTORUN.INF

                                                                                                      Filesize

                                                                                                      145B

                                                                                                      MD5

                                                                                                      ca13857b2fd3895a39f09d9dde3cca97

                                                                                                      SHA1

                                                                                                      8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

                                                                                                      SHA256

                                                                                                      cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

                                                                                                      SHA512

                                                                                                      55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

                                                                                                    • \??\c:\users\admin\desktop\00366\trojan-ransom.win32.blocker.ldrz-7811c9852c84ebbc2441b0f35a73ac2d7ec81da4946169b49b24d5e20887f977.exe

                                                                                                      Filesize

                                                                                                      846KB

                                                                                                      MD5

                                                                                                      9a7026c5c2006d3b467d5cf987da9bf5

                                                                                                      SHA1

                                                                                                      7cf81fc1b3f14a6ee823eaed26036843967be131

                                                                                                      SHA256

                                                                                                      7811c9852c84ebbc2441b0f35a73ac2d7ec81da4946169b49b24d5e20887f977

                                                                                                      SHA512

                                                                                                      b573d7892582e976e9c7ec08f787d42bb327c522c5ab91a106a39e7593f4ecf68b592090a26e8720a2382954263d1a0009a494f126da628945c7b4d6ead33b9c

                                                                                                    • memory/212-94-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/212-103-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/212-102-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/212-104-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/212-101-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/212-98-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/212-92-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/212-93-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/212-100-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/212-99-0x0000017CDF2F0000-0x0000017CDF2F1000-memory.dmp

                                                                                                      Filesize

                                                                                                      4KB

                                                                                                    • memory/396-121-0x0000027DB4200000-0x0000027DB4222000-memory.dmp

                                                                                                      Filesize

                                                                                                      136KB

                                                                                                    • memory/396-131-0x0000027DB46C0000-0x0000027DB4704000-memory.dmp

                                                                                                      Filesize

                                                                                                      272KB

                                                                                                    • memory/396-196-0x0000027DB4690000-0x0000027DB46A7000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/396-134-0x0000027DB4750000-0x0000027DB476E000-memory.dmp

                                                                                                      Filesize

                                                                                                      120KB

                                                                                                    • memory/396-132-0x0000027DB4790000-0x0000027DB4806000-memory.dmp

                                                                                                      Filesize

                                                                                                      472KB

                                                                                                    • memory/688-190-0x0000023960CD0000-0x0000023960CE7000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/756-211-0x00000217CF7A0000-0x00000217CF7B7000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/756-192-0x00000217CF7A0000-0x00000217CF7B7000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/1632-212-0x00000250BDBA0000-0x00000250BDBB7000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/1632-193-0x00000250BDBA0000-0x00000250BDBB7000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/1876-199-0x000001F2A4AF0000-0x000001F2A4B07000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2000-353-0x0000000000E60000-0x0000000000EBD000-memory.dmp

                                                                                                      Filesize

                                                                                                      372KB

                                                                                                    • memory/2000-360-0x0000000000E60000-0x0000000000EBD000-memory.dmp

                                                                                                      Filesize

                                                                                                      372KB

                                                                                                    • memory/2240-200-0x000002079A540000-0x000002079A557000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2240-197-0x000002079A540000-0x000002079A557000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2316-174-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                                                      Filesize

                                                                                                      72KB

                                                                                                    • memory/2316-167-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                                                      Filesize

                                                                                                      72KB

                                                                                                    • memory/2316-169-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                                                      Filesize

                                                                                                      72KB

                                                                                                    • memory/2568-182-0x000002DE89100000-0x000002DE89117000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2568-201-0x000002DE89100000-0x000002DE89117000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2600-183-0x000001D378390000-0x000001D3783A7000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2600-202-0x000001D378390000-0x000001D3783A7000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2712-213-0x0000000000410000-0x00000000004CE000-memory.dmp

                                                                                                      Filesize

                                                                                                      760KB

                                                                                                    • memory/2712-216-0x00000000009D0000-0x0000000000B71000-memory.dmp

                                                                                                      Filesize

                                                                                                      1.6MB

                                                                                                    • memory/2712-217-0x0000000000B80000-0x0000000000C2C000-memory.dmp

                                                                                                      Filesize

                                                                                                      688KB

                                                                                                    • memory/2712-214-0x0000000000700000-0x00000000009C9000-memory.dmp

                                                                                                      Filesize

                                                                                                      2.8MB

                                                                                                    • memory/2712-215-0x0000000000170000-0x0000000000200000-memory.dmp

                                                                                                      Filesize

                                                                                                      576KB

                                                                                                    • memory/2824-4591-0x0000000005560000-0x0000000005582000-memory.dmp

                                                                                                      Filesize

                                                                                                      136KB

                                                                                                    • memory/2824-158-0x0000000005600000-0x0000000005BA4000-memory.dmp

                                                                                                      Filesize

                                                                                                      5.6MB

                                                                                                    • memory/2824-44777-0x0000000000F20000-0x0000000000FBC000-memory.dmp

                                                                                                      Filesize

                                                                                                      624KB

                                                                                                    • memory/2824-44754-0x0000000000C60000-0x0000000000C6C000-memory.dmp

                                                                                                      Filesize

                                                                                                      48KB

                                                                                                    • memory/2824-4321-0x0000000005490000-0x00000000054BA000-memory.dmp

                                                                                                      Filesize

                                                                                                      168KB

                                                                                                    • memory/2824-154-0x0000000000750000-0x00000000007C8000-memory.dmp

                                                                                                      Filesize

                                                                                                      480KB

                                                                                                    • memory/2824-4587-0x0000000005BB0000-0x0000000005C16000-memory.dmp

                                                                                                      Filesize

                                                                                                      408KB

                                                                                                    • memory/2824-15722-0x00000000062B0000-0x0000000006472000-memory.dmp

                                                                                                      Filesize

                                                                                                      1.8MB

                                                                                                    • memory/2824-15723-0x00000000060D0000-0x00000000060D8000-memory.dmp

                                                                                                      Filesize

                                                                                                      32KB

                                                                                                    • memory/2824-22589-0x00000000060F0000-0x00000000060FC000-memory.dmp

                                                                                                      Filesize

                                                                                                      48KB

                                                                                                    • memory/2916-207-0x000002AAE1F00000-0x000002AAE1F17000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2916-184-0x000002AAE1F00000-0x000002AAE1F17000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2940-198-0x0000023804B20000-0x0000023804B37000-memory.dmp

                                                                                                      Filesize

                                                                                                      92KB

                                                                                                    • memory/2960-156-0x0000000000A40000-0x0000000000BAC000-memory.dmp

                                                                                                      Filesize

                                                                                                      1.4MB

                                                                                                    • memory/2960-178-0x0000000005580000-0x000000000558A000-memory.dmp

                                                                                                      Filesize

                                                                                                      40KB

• memory/2960-166-0x0000000002F50000-0x0000000002F70000-memory.dmp (Filesize: 128KB)
• memory/2960-165-0x00000000054B0000-0x0000000005542000-memory.dmp (Filesize: 584KB)
• memory/3140-195-0x000002CE3B850000-0x000002CE3B867000-memory.dmp (Filesize: 92KB)
• memory/3344-152-0x0000000002E10000-0x0000000002E21000-memory.dmp (Filesize: 68KB)
• memory/3416-194-0x0000019C42860000-0x0000019C42877000-memory.dmp (Filesize: 92KB)
• memory/3592-203-0x0000000002A60000-0x0000000002A77000-memory.dmp (Filesize: 92KB)
• memory/3592-204-0x0000000002A60000-0x0000000002A77000-memory.dmp (Filesize: 92KB)
• memory/3592-185-0x0000000002A60000-0x0000000002A77000-memory.dmp (Filesize: 92KB)
• memory/3592-205-0x0000000002A60000-0x0000000002A77000-memory.dmp (Filesize: 92KB)
• memory/3592-206-0x0000000002A60000-0x0000000002A77000-memory.dmp (Filesize: 92KB)
• memory/3592-208-0x0000000002A60000-0x0000000002A77000-memory.dmp (Filesize: 92KB)
• memory/3684-186-0x000002BFD1320000-0x000002BFD1337000-memory.dmp (Filesize: 92KB)
• memory/3872-187-0x000001F4EEC80000-0x000001F4EEC97000-memory.dmp (Filesize: 92KB)
• memory/3968-209-0x000001AD90BA0000-0x000001AD90BB7000-memory.dmp (Filesize: 92KB)
• memory/3968-188-0x000001AD90BA0000-0x000001AD90BB7000-memory.dmp (Filesize: 92KB)
• memory/4028-210-0x000001C14F460000-0x000001C14F477000-memory.dmp (Filesize: 92KB)
• memory/4028-191-0x000001C14F460000-0x000001C14F477000-memory.dmp (Filesize: 92KB)
• memory/4044-189-0x000001F3BC4C0000-0x000001F3BC4D7000-memory.dmp (Filesize: 92KB)
• memory/4648-338-0x0000000000400000-0x0000000000477000-memory.dmp (Filesize: 476KB)
• memory/4648-4917-0x0000000000400000-0x0000000000477000-memory.dmp (Filesize: 476KB)
• memory/4936-361-0x0000000000360000-0x00000000003BD000-memory.dmp (Filesize: 372KB)
• memory/4936-6444-0x0000000000360000-0x00000000003BD000-memory.dmp (Filesize: 372KB)
• memory/5032-179-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
• memory/5032-181-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
• memory/5060-363-0x0000000000360000-0x00000000003BD000-memory.dmp (Filesize: 372KB)
• memory/5060-6973-0x0000000000360000-0x00000000003BD000-memory.dmp (Filesize: 372KB)
• memory/7568-51169-0x0000000005DD0000-0x0000000006124000-memory.dmp (Filesize: 3.3MB)
• memory/7568-51179-0x00000000069B0000-0x00000000069FC000-memory.dmp (Filesize: 304KB)
• memory/8576-23682-0x0000000006840000-0x000000000688C000-memory.dmp (Filesize: 304KB)
• memory/8576-27948-0x0000000007E10000-0x000000000848A000-memory.dmp (Filesize: 6.5MB)
• memory/8576-29029-0x00000000079D0000-0x00000000079E1000-memory.dmp (Filesize: 68KB)
• memory/8576-16291-0x0000000004EA0000-0x0000000004ED6000-memory.dmp (Filesize: 216KB)
• memory/8576-30971-0x0000000007A00000-0x0000000007A0E000-memory.dmp (Filesize: 56KB)
• memory/8576-31173-0x0000000007A10000-0x0000000007A24000-memory.dmp (Filesize: 80KB)
• memory/8576-31666-0x0000000007A50000-0x0000000007A6A000-memory.dmp (Filesize: 104KB)
• memory/8576-31810-0x0000000007A40000-0x0000000007A48000-memory.dmp (Filesize: 32KB)
• memory/8576-28394-0x00000000064B0000-0x00000000064BA000-memory.dmp (Filesize: 40KB)
• memory/8576-18133-0x0000000005640000-0x0000000005C68000-memory.dmp (Filesize: 6.2MB)
• memory/8576-27949-0x00000000077D0000-0x00000000077EA000-memory.dmp (Filesize: 104KB)
• memory/8576-28704-0x0000000007A70000-0x0000000007B06000-memory.dmp (Filesize: 600KB)
• memory/8576-27930-0x0000000006A40000-0x0000000006A72000-memory.dmp (Filesize: 200KB)
• memory/8576-27931-0x000000006F990000-0x000000006F9DC000-memory.dmp (Filesize: 304KB)
• memory/8576-27941-0x0000000006AA0000-0x0000000006ABE000-memory.dmp (Filesize: 120KB)
• memory/8576-27942-0x0000000007670000-0x0000000007713000-memory.dmp (Filesize: 652KB)
• memory/8576-20796-0x0000000005EB0000-0x0000000005F16000-memory.dmp (Filesize: 408KB)
• memory/8576-23676-0x0000000006400000-0x000000000641E000-memory.dmp (Filesize: 120KB)
• memory/8576-20795-0x0000000005E10000-0x0000000005E32000-memory.dmp (Filesize: 136KB)
• memory/8576-20860-0x0000000005F90000-0x00000000062E4000-memory.dmp (Filesize: 3.3MB)
• memory/9984-26624-0x000000000F5D0000-0x000000000F5E69F8-memory.dmp (Filesize: 90KB)
• memory/9984-27963-0x000000000F5D0000-0x000000000F5E69F8-memory.dmp (Filesize: 90KB)
• memory/14304-30913-0x000000006F990000-0x000000006F9DC000-memory.dmp (Filesize: 304KB)